Hacking & Cyberwarfare News and Discussions

caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

The Cyber Apocalypse Never Came. Here’s What We Got Instead.
by Jacquelyn Schneider
July 27, 2021

https://www.politico.com/news/magazine/ ... are-500787

Introduction:
(Politico) Even for those of us who watch cyber warfare closely, the seeming barrage of cyber-related headlines in 2021 has felt remarkable. This spring, the Biden administration sanctioned Russia for last year’s breach of network software firm SolarWinds, which allowed Russian hackers to access major U.S. government agencies and over 18,000 companies. A few months later, Russian cyber attacks were back in the news, with purported Russian criminals extorting oil distributor Colonial Pipeline and meatpacking firm JBS for millions of dollars in ransomware payouts. Ransomware attacks have become so widespread that exhausted cybersecurity firms are turning away desperate customers.

Meanwhile, last week, the United States, NATO and the EU pointed the finger at China for a massive breach of a Microsoft exchange server, propagated by cyber mercenaries hired by the Chinese Ministry of State Security. The countries’ joint statement is all the more remarkable given both NATO and the EU’s unwillingness to brand China an “adversary.” And on the same day, researchers revealed a multi-state effort to hack and monitor presidents, monarchs, journalists and more, using spyware created not by the Russian government, China’s security apparatus or the National Security Agency—but by a private Israeli company called the NSO Group.

So what is going on in cyberspace, and did anyone see this coming? In 2011, hot off a social media-propelled democracy movement dubbed the Arab Spring, a cyber document released by the Obama administration waxed almost poetic about the promise of digital openness for the international order. But only a year later, then-Secretary of Defense Leon Panetta warned of “cyber Pearl Harbor,” followed in 2015 by Director of National Intelligence James Clapper’s “cyber Armageddon” warning.

What we got was neither the unbridled promise of digital cooperation nor a fiery cyber apocalypse. Instead, today’s cyber reality seems simultaneously less scary and more of a hot mess—a series of more frequent, less consequential attacks that add up not to a massive Hollywood disaster but rather to a vaguer sense of vulnerability. This can make it hard to understand what’s going on and how bad it really is. Are all these high-visibility cyber events more of the same, or are we living through a new era of cyber warfare?
caltrek's comment: Those that complain that not enough conservative sources are cited in this forum should note that Jacquelyn Schneider is a Hoover Fellow at the Hoover Institution. That institution is a decidedly conservative think tank. Politico frequently features such conservative commentators.
Don't mourn, organize.

-Joe Hill
weatheriscool
Posts: 24486
Joined: Sun May 16, 2021 6:16 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by weatheriscool »

In 1st visit to intel agency, Biden warns of cyber conflict
Source: AP

By NOMAAN MERCHANT and ALEXANDRA JAFFE

MCLEAN, Va. (AP) — President Joe Biden used his first visit with rank-and-file members of the U.S. intelligence community — a part of government that was frequently criticized by his predecessor Donald Trump — to make a promise that he will “never politicize” their work.

Biden waited more than six months to make the short drive across the Potomac River on Tuesday to the Office of the Director of National Intelligence, giving analysts and national security leaders — often derided by Trump as the “deep state” — some breathing room.

The president in his remarks to about 120 ODNI employees and senior leadership officials sought to make clear that he understood the complexity and critical nature of their work. The agency oversees the 17 other U.S. intelligence organizations.

“You have my full confidence,” he said. “I know there’s no such thing as 100% certainty in the intelligence world. Occasionally that happens. Rarely, rarely, rarely.”


Read more: https://apnews.com/article/joe-biden-go ... 2e18dd14c9
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

According to the Department of Justice, Russian Hackers Had Access to Top U.S. Prosecutors’ Emails
by AJ Vicens
July 31, 2021

https://www.motherjones.com/mojo-wire/2 ... rs-emails/

Introduction:
Russian hackers broke into email accounts in 27 US attorneys’ offices over the course of seven months in 2020, the US Department of Justice announced Friday. It had been previously reported that multiple US federal government agencies had been breached through a third-party IT contractor called SolarWinds, including the Department of Justice. But on Friday the department offered more detail, including the districts where one or more employees’ email accounts were accessed.

While every US attorney could make the case that their office handles sensitive case work, Friday’s update included offices that deal with some of the most complex financial and international criminal prosecutions, including the Southern District of New York, the Western District of Pennsylvania, and the Eastern District of Virginia. The Southern District of New York, for example, has handled past prosecutions related to former President Donald J. Trump, and is reportedly investigating Trump ally and former attorney Rudy Giuliani related to his efforts in Ukraine and his dealings with Russian figures to dig up dirt on President Biden and his family.

“The Department is responding to this incident as if the Advanced Persistent Threat (APT) (group or group backed by a nation state)… responsible for the SolarWinds breach had access to all email communications and attachments” within the breached accounts between May 7, 2020, and Dec. 27, 2020, the agency said in a statement. This includes “all sent, received, and stored emails and attachments found within those accounts during that time.” Especially hard hit were the Eastern, Northern, Southern, and Western Districts of New York, where “at least 80 percent” of employees’ email accounts were breached, the agency said.
Last edited by caltrek on Wed Oct 27, 2021 4:04 pm, edited 1 time in total.
Don't mourn, organize.

-Joe Hill
weatheriscool
Posts: 24486
Joined: Sun May 16, 2021 6:16 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by weatheriscool »

U.S. Taps Amazon, Google, Microsoft, Others to Help Fight Ransomware, Cyber Threats

Creation of the Joint Cyber Defense Collaborative follows high-profile cyberattacks on critical U.S. infrastructure

By Robert McMillan
Aug. 5, 2021 9:00 am ET
The U.S. government is enlisting the help of tech companies, including Amazon.com Inc., Microsoft Corp. and Google, to bolster the country’s critical infrastructure defenses against cyber threats after a string of high-profile attacks.

The Department of Homeland Security, on Thursday, is formally unveiling the initiative called the Joint Cyber Defense Collaborative. The effort will initially focus on combating ransomware and cyberattacks on cloud-computing providers, said Jen Easterly, director of the DHS’s Cybersecurity and Infrastructure Security Agency. Ultimately, she said, it aims to improve defense planning and information sharing between government and the private sector.

“This will uniquely bring people together in peacetime, so that we can plan for how we’re going to respond in wartime,” she said in an interview. Ms. Easterly was sworn in as CISA’s director last month. She was previously a counterterrorism official in the Obama White House, and the commander of the Army’s first cyber operations unit at the National Security Agency, America’s cyberspy agency.

Over the past year, ransomware attacks have disrupted large parts of daily life in the U.S. They have diverted ambulances, caused long lines at gas stations in the southeast, and disrupted the production of hot dogs and other meat products.

Following a ransomware attack last month on cloud services provider Kaseya Ltd., President Biden warned Russian President Vladimir Putin that the U.S. would take “any necessary action” to protect its infrastructure from these incidents. Just days later, the administration blamed hackers affiliated with China’s Ministry of State Security for a separate set of attacks on users of Microsoft Exchange Server software.

Read more: https://www.wsj.com/articles/u-s-taps-a ... 1628168400
wjfox
Site Admin
Posts: 13580
Joined: Sat May 15, 2021 6:09 pm
Location: Essex, UK

Re: Hacking & Cyberwarfare News and Discussions

Post by wjfox »

Hackers steal $600m in major cryptocurrency heist

12 hours ago

Hackers have stolen some $600m (£433m) in what appears to be one of the largest cryptocurrency heists ever.

Blockchain site Poly Network said hackers had exploited a vulnerability in its system and taken thousands of digital tokens such as Ether.

In a letter posted on Twitter, it urged the thieves to "establish communication and return the hacked assets".

In scale, the hack is on par with huge recent breaches at exchanges such as Coincheck and Mt Gox.

In its letter Poly Network said: "The amount of money you have hacked is one of the biggest in defi [decentralised finance] history.

"Law enforcement in any country will regard this as a major economic crime and you will be pursued.

"The money you stole are [sic] from tens of thousands of crypto community members, hence the people."

https://www.bbc.co.uk/news/business-58163917


weatheriscool
Posts: 24486
Joined: Sun May 16, 2021 6:16 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by weatheriscool »

Hackers claim to breach 100 million T-Mobile accounts
Source: Fortune

T-Mobile appears to be the victim of a massive data breach, with the hackers looking to sell personal data online for 100 million people.

In a forum post, the hackers say they collected phone numbers, physical addresses, and driver’s license information for the larger group, as well as roughly 30 million Social Security numbers. Motherboard, which first reported the hack, says it has confirmed the authenticity of the data, noting it matches the information of T-Mobile customers.

T-Mobile did not respond to Fortune’s request for comment. While the initial post does not mention the cellular company, the hackers told Motherboard the data came from T-Mobile.

The asking price for a subset of the personal information (the Social Security and driver’s license data) is six Bitcoin, roughly $270,000. The remainder of the accounts are reportedly being sold privately.
Read more: https://fortune.com/2021/08/16/tmobile- ... -t-mobile/
weatheriscool
Posts: 24486
Joined: Sun May 16, 2021 6:16 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by weatheriscool »

Howard Cancels Tuesday Classes After University Hit With Ransomware Attack

Martin Austermuhle https://twitter.com/maustermuhle
Howard University canceled classes and closed off the campus to all but essential employees on Tuesday in the wake of a ransomware attack on the university’s computer network.

In a statement posted on the university’s website on Monday evening, Howard vice president Tashni-Ann Dubroy and provost Anthony K. Wutoh said that university employees detected unusual activity on the network on Friday, prompting them to shut it down “to mitigate potential criminal activity.” The shutdown continued over the weekend, impacting campus computers, WiFi, and cloud-based storage and apps.

“[R]emediation, after an incident of this kind, is a long haul — not an overnight solution,” said the university in its statement. “We are currently working with leading external forensic experts and law enforcement to fully investigate the incident and the impact. To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”

The university says it is working with the FBI and D.C. government to address the situation. The two dining halls on campus will remain open on Tuesday, but otherwise the university will be closed to all but non-essential employees.
{snip}

Read more: https://dcist.com/story/21/09/07/howard ... re-attack/
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Horrifying Leaks are Coming from School Ransomware Attacks
by Mitchell Clark
September 10, 2021

https://www.theverge.com/2021/9/10/2266 ... tity-theft

Introduction:
(The Verge) Ransomware has been a hot-button topic in 2021 due to its impact on critical infrastructure, hospitals, and computer manufacturers. However, a recent report from NBC News may be one of the more heartbreaking accounts of the effects hackers can have: it details how data leaks from attacks on schools can put students’ most sensitive information out onto the internet, available to anyone who knows how to find it and is willing to pay. It’s a story that’s well worth a read for all the details it goes into and edge cases it explores.

According to NBC’s report, one school district had an Excel sheet called “Basic student information” posted to the dark web after it refused to pay a ransom, according to the FBI’s instructions. The article’s author, Kevin Collier, breaks down the shocking information it contains:
  • It lists students by name and includes entries for their date of birth, race, Social Security number and gender, as well as whether they’re an immigrant, homeless, marked as economically disadvantaged and if they’ve been flagged as potentially dyslexic.
The school knew about the attack and informed parents about it — making it potentially one of the better scenarios. Insurance covered identity theft protection for staff, but it’s unclear whether that benefit extends to students even after getting lawyers involved. In other cases, when NBC News asked some schools about their leaks, they seemed “unaware of the problem.”

CREDIT AND IDENTITY THEFT IS ONE OF THE OBVIOUS PROBLEMS

It’s hard even to comprehend how it could affect a student’s social life if their grades, medical info, or free or reduced-price lunch benefit status leaked online. What’s easier to understand is the impact of having their SSNs, birthdays, and names sold to unscrupulous people: NBC tells the story of a student whose info was used in attempts to get a credit card and car loan.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

The Extreme Right’s Favorite Web Provider Just Got Hacked
by AJ Vicens
September 15, 2021

https://www.motherjones.com/politics/20 ... ab-parler/

Introduction:
(Mother Jones) Epik, the domain registrar known for hosting far-right websites and social media services, was recently hacked, according to a release from someone claiming to be associated with the online collective known as Anonymous.

As first reported Monday by journalist Steven Monacelli, the hacker claims that “a decade’s worth of data from the company” has been obtained, including all domain purchases, domain transfers, and unredacted website registration data that could shed light on individuals and groups behind extremist or hate sites.

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody,” the hacker boasted in announcing the attack.

The company has called itself the “Swiss Bank of Domains,” with company CEO Rob Monster joking earlier this year to NPR that he’s “the Lex Luthor of the internet.” In that story, Monster likened white supremacist leaders to “shock jocks,” and claimed that while he does not personally think such content needed “to be available to people on the internet” publishing it remained “the decision of our client organizations.” Epik’s clients include Gab, the social networking platform where a user boasted about targeting a Pittsburgh synagogue just before carrying out his deadly assault, and Parler, whose links to the January 6 attack on the US Capitol got it booted by major tech providers.

Emma Best, a key figure with DDoS Secrets, a web archive with a public interest mission of hosting hacked and leaked data, tweeted Tuesday morning that the site was working to obtain the materials and share them with researchers and journalists. The group says it is preparing 180 gigabytes of data from “Epik, known for hosting fascist, white supremacist and other right-wing content.” In a separate tweet, Best noted the group’s history with the hacked-domain registrar, noting that Epik’s services “were used to defame, stalk, and threaten #DDoSSecrets” members after the site hosted data obtained from Gab. “Epik knew. Gab’s CEO knew. They all enabled it,” Best wrote.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Section of Donald Trump's Website Appears to Have Been Hacked
by Sean Lyngaas
October 18, 2021

https://www.cnn.com/2021/10/18/politics ... index.html

Extract:
(CNN) A hacker appears to have compromised a section of former President Donald Trump's website and replaced it with a slogan and a speech from Turkish President Recep Tayyip Erdogan.

Visitors to a subdomain of Trump's website were greeted Monday with a message from someone claiming to be a Turkish hacktivist. "Do not be like those who forgot Allah, so Allah made them forget themselves," the message read. Below was a link to an Erdogan speech in which the Turkish president quoted from the Quran.

The section of the Trump website was compromised as early as Oct. 8, according to internet archives.

It appears to be a type of hack known as a defacement, in which an attacker gains access to a website and replaces it with their own content. These hacks aren't sophisticated and don't involve accessing an organization's sensitive computer systems.

The same Turkish hacker appeared to claim responsibility for defacing Joe Biden's campaign website in late November, weeks after Biden was declared President-elect. US intelligence agencies described the incident in a March 2021 report as one of a "handful of unsuccessful hacktivist attempts to influence or interfere in the 2020 US elections."
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Iran Says Cyberattack Closes Gas Stations Across Country
by Jon Gambrell
October 26, 2021

https://www.courthousenews.com/iran-say ... s-country/

Introduction:
DUBAI, United Arab Emirates (AP) — A cyberattack crippled gas stations across Iran on Tuesday, leaving angry motorists stranded in long lines.

No group immediately claimed responsibility for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.

It bore similarities to another attack months earlier that seemed to directly challenge Iran's Supreme Leader Ayatollah Ali Khamenei as the country's economy buckles under American sanctions. Those economic problems worsen as the U.S. and Iran have yet to jointly re-enter Tehran's tattered nuclear deal with world powers.

State television quoted an unnamed official in the country's National Security Council acknowledging the cyberattack, hours after it aired images of long lines of cars waiting to fill up in Tehran. Associated Press journalists also saw lines of cars at Tehran gas stations, with the pumps off and the station closed.

“I have been waiting a couple of hours for the gas stations to reopen so that I can fill up," said a motorcyclist who gave his name only as Farzin. "There is no fuel wherever I go.”
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Europol Detains Hackers Behind 2019 Norsk Hydro Ransomware Attack
by Carly Page
October 29, 2021

https://techcrunch.com/2021/10/29/europ ... rsk-hydro/

Introduction:
(TechCrunch) Europol and its law enforcement partners have disrupted a network of organized cybercriminals behind a string of ransomware attacks that has claimed more than 1,800 victims across 71 countries since 2019.

The EU’s police agency said on Friday that 12 individuals had been “targeted” in raids in Ukraine and Switzerland this week following a two-year investigation. The agency didn’t say whether these individuals had been arrested or charged, and has yet to respond to our request for more information.

The unnamed individuals were “known for specifically targeting large corporations, effectively bringing their business to a standstill,” Europol said. One of the ransomware strains the group used was LockerGoga, the same strain used in the attack against Norwegian aluminum processor Norsk Hydro in March 2019. The cyberattack forced the company’s plants across two continents to stop production for almost a week and cost Norsk Hydro more than $50 million.

In a separate press release, Norway’s National Criminal Investigation Service, commonly known as Kripos, confirmed that the targeted individuals were responsible for the Norsk Hydro attack.

Europol said the hackers also deployed the ransomware MegaCortex and Dharma, as well as malware like TrickBot and post-exploitation tools including Cobalt Strike and PowerShell Empire, to stay undetected and gain further access. “The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetizing the infection by deploying a ransomware,” Europol said.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Robinhood Says Millions of Customer Names and Email Addresses Taken in Data Breach
by Zack Whittaker
November 9, 2021

https://techcrunch.com/2021/11/09/robin ... ta-breach/

Introduction:
(TechCrunch) Online stock trading platform Robinhood has confirmed it was hacked last week with more than five million customer email addresses and two million customer names taken, as well as a much smaller set of more specific customer data.

The company said in a blog post that a malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers.

Robinhood said that 10 customers had “more extensive account details revealed.” Robinhood did not say what information specifically, though no Social Security numbers, bank account numbers or debit card numbers were exposed and caused no immediate financial loss to customers.

But it’s precisely that kind of information that malicious hackers can use to facilitate further attacks against victims, like targeted phishing emails, since names and dates of birth can often be used to verify a person’s identity.

The company said once it secured its systems the hacker then “demanded an extortion payment.” Robinhood instead notified law enforcement and security firm Mandiant to investigate the breach.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

What is Log4j? A Cybersecurity Expert Explains the Latest Internet Vulnerability, How Bad It is and What’s at Stake
by Santiago Torres-Arias

https://theconversation.com/what-is-log ... ake-173896

Introduction:
(The Conversation) Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems.

Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the most serious vulnerability she’s seen in her career. There have already been hundreds of thousands, perhaps millions, of attempts to exploit the vulnerability.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

How to Avoid Falling into China's 'Data Trap'
Dr. Samantha Hoffman
December 26, 2021

https://techcrunch.com/2021/12/26/how-t ... data-trap/

Introduction:
(TechCrunch) Recent prominent data breach incidents, such as hacks of the Office of Personnel Management, airline passenger lists and hotel guest data have made clear how vulnerable both public and private systems remain to espionage and cybercrime. What is less obvious is the way that a foreign adversary or competitor might target data that is less clearly relevant from a national security or espionage perspective. Today, data about public sentiment, such as the kinds of data used by advertisers to analyze consumer preferences, has become as strategically valuable as data about traditional military targets. As the definition of what is strategically valuable becomes increasingly blurred, the ability to identify and protect strategic data will be an increasingly complex and vital national security task.

This is particularly true with regards to nation-state actors like China, which seeks access to strategic data and seeks to use it to develop a toolkit against its adversaries. Last month, MI6 chief Richard Moore described the threat of China’s “data trap”: “If you allow another country to gain access to really critical data about your society,” Moore argued, “over time that will erode your sovereignty, you no longer have control over that data.” And most governments are only just beginning to grasp this threat.

In testimony to Congress last month, I argued that in order to defend democracy now, we need to better understand how particular datasets are collected and used by foreign adversaries, especially China. And if we’re to properly defend strategic data (and define and prioritize just which datasets should be protected) in the future, we need to get creative about imagining how adversaries might use them.

The Chinese state’s use of technology to enhance its authoritarian control is a topic that has received considerable attention in recent years. The targeting of the Uyghur people in Xinjiang, aided by invasive and highly coercive use of surveillance technology, has been a focal point of this discussion. So, understandably, when most people think about the risks of China’s “tech authoritarianism” going global, they think about how similarly invasive surveillance can go global. But the real problem is far more significant and far less detectable because of the nature of the digital and data-driven technologies concerned.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Finalsite Ransomware Attack Forces 5,000 School Websites Offline
by Carly Page
January 7, 2022

https://techcrunch.com/2022/01/07/final ... s-offline/

Introduction:
(TechCrunch) Finalsite, an internet software house that provides school districts with website design, hosting and content management solutions, has been hit by a ransomware attack.

Earlier this week, school districts whose websites are hosted by Finalsite discovered that they were no longer accessible or displayed errors. While at the time Finalsite blamed the issues on “performance difficulties” across different services, the Glastonbury, Connecticut-based company has since confirmed the outage was caused by ransomware.

“On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment,” the company said in a statement. “We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.”

Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 global customers — including school districts in Kansas City, Illinois and Missouri — are affected by the incident. In addition to website outages, one Reddit user claimed the incident also prevented some schools from sending email notifications about school closures due to COVID-19 outbreaks.

In its latest status update, Finalsite says the “vast majority of front-facing websites are online,” though notes that “some sites may still lack proper styling, admin log-in functionality, calendar events, or constituent directories.” One Finalsite customer, the Holy Ghost Preparatory School in Pennsylvania, said on Friday that while its website is back online, registration forms and the email system remain unavailable.
Don't mourn, organize.

-Joe Hill
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

A Ransomware Attack Took a New Mexico Jail Offline, Leaving Inmates in Lockdown
by Corin Faife
January 11, 2022

https://www.theverge.com/2022/1/11/2287 ... llo-county

Introduction:
(The Verge) A ransomware attack last week has left an Albuquerque area jail without access to its camera feeds and rendered automatic door mechanisms unusable. Inmates have been confined to their cells as a result, while technicians struggled to bring systems back online.

As first reported by the Albuquerque Journal, visitor access to the Metropolitan Detention Center was completely suspended as the jail was put into lockdown. All internet services at the jail were also knocked offline, leaving staff unable to look up inmate records.

Based on the lack of camera coverage, all inmates within the facility were placed on lockdown from the morning of January 5th. Further, according to an emergency notice filed by the county, the incident tracking database containing all reports of fighting, use of force, and allegations of sexual assault was not available and is believed to be corrupted by the attack.

“In the early morning of January 5, 2022, the automatic door mechanisms at MDC were unusable, meaning that staff had to use keys to manually open facility doors,” wrote Taylor Rahn, an attorney for the county, in a court notice related to the lockdown. “One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras. As of the evening of January 5th, there was no access to cameras within the facility.”

The detention center was just one point of impact in a larger ransomware attack that struck Bernalillo County, the most populous county in New Mexico, on January 5th. County employees were left unable to access any local government databases, and all public offices were temporarily closed. A press release dated January 10th noted that county office headquarters were still only partially re-opened.
Don't mourn, organize.

-Joe Hill
wjfox
Site Admin
Posts: 13580
Joined: Sat May 15, 2021 6:09 pm
Location: Essex, UK

Re: Hacking & Cyberwarfare News and Discussions

Post by wjfox »

Ukraine hit by ‘massive’ cyber-attack on government websites

Fri 14 Jan 2022 08.45 GMT

Ukraine has been hit by a “massive” cyber-attack, with the websites of several government departments including the ministry of foreign affairs and the education ministry knocked out.

Officials said it was too early to draw any conclusions but they pointed to a “long record” of Russian cyber assaults against Ukraine, with the attack coming after security talks between Moscow and the US and its allies this week ended in stalemate.

Suspected Russian hackers left a message on the foreign ministry website, according to reports. It said: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.”

The message reproduced the Ukrainian flag and map crossed out. It mentioned the Ukrainian insurgent army, or UPA, which fought against the Soviet Union during the second world war. There was also a reference to “historical land”.

https://www.theguardian.com/world/2022/ ... an-hackers


caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

^^^^Ahhh, kleptocrats. You have got to love them...or not. See also vvvv.

North Korea Hacked Nearly $400 Million in Cryptocurrency in Last Year

https://techcrunch.com/2022/01/14/north ... last-year/

Introduction:
(TechCrunch) North Korean hackers launched at least seven attacks on cryptocurrency platforms last year to steal almost $400 million worth of digital assets, according to a report by blockchain analysis firm Chainalysis.

“From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” the report said.

The attacks primarily targeted investment firms and centralized exchanges.

The report stated that the hackers siphoned the funds from the organizations’ internet-connected “hot wallets” into DPRK-controlled addresses by using complex tactics including phishing lures, code exploits, malware, and advanced social engineering.

“Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out,” the report said.
caltrek
Posts: 9280
Joined: Mon May 17, 2021 1:17 pm

Re: Hacking & Cyberwarfare News and Discussions

Post by caltrek »

Russia’s FSB Says it Has Taken Down REvil Hacker Group at US Request
by Corin Faife
January 14, 2022

https://www.theverge.com/2022/1/14/2288 ... st-fbi-doj

Introduction:
(The Verge) Russia’s domestic security service, the FSB, has arrested numerous members of the REvil hacking group at the request of the US government, the FSB said on Friday. The move, which marks an unusual degree of cooperation between Russian and US agencies, comes amid increasingly aggressive Russian military activity on the Ukrainian border and tense diplomacy as the United States attempts to prevent armed conflict.

Reporting by the Russian Interfax news agency claimed that the FSB seized 426 million rubles ($5.6 million) in a raid against 14 members of the group, along with more than $600,000 worth of cryptocurrency and 20 luxury cars. The FSB told Interfax that it was acting at the request of US authorities and had informed them of the results of the operation. The operation effectively dismantled REvil as an entity, the FSB said.

The Biden administration has long called on Russia to do more to crack down on ransomware gangs operating within the country, though with limited success until now. Analysts have tied Russian groups to extensive ransomware operations in Europe and the US, often without interference from local law enforcement. With no extradition treaty in place, the Russian government has been accused of sheltering cybercriminals provided they do not attack domestic targets.

US agencies have intensified their pursuit of REvil after the FBI linked it to the hack that shut down the Colonial Pipeline in May 2021. REvil was also behind a cyberattack against meat supplier JBS, also in May 2021, which shut down the company’s meat processing plants across the US.

One alleged member of REvil was arrested by Polish authorities in November 2021 after being indicted by the US. According to reporting in Reuters, a source close to the case said that the FSB would not hand over REvil group members with Russian citizenship to the United States after the latest arrests.

caltrek comment: Well, I suppose if this keeps up, I will have to start posting these kinds of articles in the Police and Law Enforcement Thread, as "cyberwarfare" will no longer be quite apt.