Specialists at the information security company Positive Technologies have found that foreign hacker groups organized and motivated for targeted attacks, the so-called Advanced Persistent Threat (APT) groups, have begun to use infrastructure located in the Russian Federation more often in attacks on Russian organizations.
An APT is a complex targeted threat that is regularly organized at the level of entire states. Positive Technologies registered three such incidents in the spring of 2021, a number of attacks never seen before.
“Over the past year, we have mostly observed this behavior among hacker groups with Asian roots,” said Denis Kuvshinov, head of information security threat research at the Positive Technologies security expert center.
As the expert explained, hackers need access to equipment on the territory of the Russian Federation primarily to mask their activity during attacks. In this way, malicious traffic is passed off as local and therefore trusted; local traffic is often scrutinized less closely by security teams than foreign traffic.
The victims also vary depending on which group is at work. For example, Asian hackers are most likely to target state-owned enterprises.
“We expect the attacks to target government facilities and critical infrastructure,” said Anastasia Tikhonova, Head of the Threat Intelligence Complex Threat Research Group at Group-IB.
According to Positive Technologies, Russian equipment can also be used by foreign hackers for attacks abroad. In this case, the infrastructure elements serve as a disguise for “Russian hackers”.
“The cases of ‘government Russian hackers’ are taken by the CIA or the FBI, who have difficulties in relations with their Russian colleagues. The government allocates even more money for cybersecurity. Everyone is happy,” the expert explained.
Cybersecurity experts have discovered a new hacker group, ChamelGang, which attacks institutions in ten countries around the world, including Russia. Since March, Russian companies in the fuel and energy sector and the aviation industry have been targeted; at least two of the attacks were successful. Experts believe that pro-government groups may be behind them.
According to Positive Technologies, the first attacks were recorded in March. Hackers are interested in stealing data from compromised networks.
India, the United States, Taiwan and Germany were also among the victims; compromised government servers were discovered in those countries.
The new group was named ChamelGang, from the word chameleon, because the hackers disguise their malware and network infrastructure as legitimate services. The group's tools include the new, previously undescribed ProxyT malware, BeaconLoader and the DoorMe backdoor, which gives the attacker access to the system.
In one of the attacks, the hackers first compromised a subsidiary and, two weeks later, the parent company. They obtained the local administrator password on one of the servers and entered the company's network over the Remote Desktop Protocol (RDP). The hackers remained undetected on the corporate network for three months and during that time gained control over most of it, including critical servers and nodes.
In the second attack, in August, the attackers exploited a chain of related vulnerabilities in Microsoft Exchange to penetrate the infrastructure. The hackers were inside the organization's infrastructure for eight days and did not have time to cause significant damage.
Kaspersky Lab cybersecurity expert Alexey Shulmin confirmed the targeted nature of the attack and the wide geography of victims. He added that some of the group's utilities have a Chinese-language interface.
Experts believe that attacks on strategically important industrial facilities, including the fuel and energy sector and the aviation industry, are often carried out by cyber mercenaries and pro-government groups.
A Russian hacker who collaborated with the well-known REvil group confirmed that the cybercriminals returned to active work after a two-month break. He named political reasons as the main cause of the temporary suspension of their activities. This refutes the claims of REvil members themselves, who explained the pause as a precaution after the disappearance of one of the community's members.
The anonymous cybercriminal said that the group initially planned only to suspend its activities, not to end them completely. According to him, this step was due to the difficult geopolitical situation.
"They told key business partners and malware developers that there was no cause for concern and that cooperation would not be suspended for long," the hacker said. Answering the question about the influence of the Russian leadership on the decision of the most famous group of the country to hide for a while, the Russian hacker noted that such an option is hardly possible. According to him, there is no evidence to suggest any connection between REvil and the government or intelligence services of Russia or other countries. Moreover, no one discusses such a topic on a serious level on the darknet.
"It is not surprising that the hacker group responsible for high-profile attacks on American infrastructure took precautions after the conversation between the US and Russian presidents," the anonymous hacker stressed. "Geopolitical factors are always taken into account in a business of this level, although this is the first time I have encountered a situation where a group has been forced to curtail its activities relatively unexpectedly."
REvil's return was announced last week when the group's site on the darknet became active again after two months of downtime. Shortly after that, community members stated in messages on one of the Russian forums that the temporary suspension was dictated by precautionary measures. They were allegedly caused by the disappearance of one of the REvil members: "We backed up and disabled all the servers. We thought he had been arrested. We waited — he didn't show up, and we restored everything from backups."
Experts began to note the particular interest of cybercriminals in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia reported on the risks of "infecting" financial institutions through members of their ecosystems.
In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.
In early September, the Russian financial sector was attacked again: large banks and the telecom operators that provide them with communication services were targeted.
Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a sharp increase in the number of requests. Attackers combine well-known attacks such as TCP SYN, DNS Amplification, UDP Flood and HTTPS Flood with recently discovered ones, for example DTLS Amplification.
In total, more than 150 attacks were recorded during the month from August 9 to September 9, 2021, and their intensity keeps growing: criminals are constantly trying to increase the power of attacks in the hope that telecom providers will not be able to scrub traffic in such large volumes.
In addition, the attackers used large international botnets. The Orange Business Services SOC identified one such network, based in Vietnam and South America and comprising more than 60 thousand unique IP addresses, which was used to mount HTTPS Flood attacks on the 3D Secure payment verification service.
The attackers also used HTTPS Flood to render the banks' application unusable; in this case the attack was carried out from IP addresses in Russia, Ukraine and France.
“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.
Hackers posted on the cybercriminal forum RaidForums an 809 GB archive containing more than 1.3 million scans of passports of Russian citizens, stolen by hacking the servers of the cosmetics company Oriflame.
The company's website reports that on July 31 and August 1, it was subjected to a series of cyberattacks, which led to unauthorized access to the company's information systems. At the same time, Oriflame assured that bank account numbers, phone numbers, passwords and commercial transactions of users were not affected by the attack.
The company admits that not only customers from Russia, but also from other CIS countries and Asia were affected. Oriflame has strengthened its cybersecurity measures and is investigating the incident with the participation of law enforcement agencies.
"Probably, the company refused to buy the data from the attackers, so now they are being put into public access," adds Ashot Oganesyan, the founder of the DLBI data leak intelligence service.
Earlier, the seller had posted on the same forum scans of documents of Oriflame clients in Georgia and Kazakhstan and claimed to hold data on participants of the system from 14 countries.
Experts speculate that the hackers obtained the data by exploiting vulnerabilities in a corporate website. The leak may have come from a backup copy of the file storage.
A database of 1.3 million passport scans would cost hundreds of thousands of dollars on the black market. Fake documents can be used to take out a microloan, or to register domains in the .ru zone, SIM cards or payment system wallets.
The Oriflame leak is not the first among network marketing companies. In 2020, the data of 19 million customers and employees of Avon, including names, phone numbers, dates of birth, e-mail and postal addresses, became publicly available.
Part of the forum's database and data on its owners is available free of charge; the hackers offered to sell the rest for 1 bitcoin. Experts hope that the action will enable a series of arrests and deal a major blow to the drug trade.
According to the leaked data, the owner and developer of the forum is Latvian citizen Artem Shvedov, one of the former developers is Roman Kukharenko, registered in the Moscow region, and the current administrator is Ukrainian citizen Alexander Prokhozhenko.
Cybersecurity experts pointed out that in 99% of cases the person in whose name the domain and hosting of such resources are registered may not even know about it.
According to Blockchair, a total of 20.57 bitcoins (about $1 million) went through the Legalizer forum's cryptocurrency wallet. At the same time, it is associated with larger wallets. More than 5.3 thousand bitcoin (about $248 million) passed through one of them.
In addition, the email address given by the hacker who hacked Legalizer matches a contact on the shadow site o3shop whose user describes himself as a Russian-speaking hacker and information security specialist.
An analyst of the operational monitoring group Angara Professional Assistance said that usually shadow forums are hacked "because of competition or partner revenge." In his opinion, the attack on Legalizer may be related to the redistribution of the drug market or extortion.
The expert admitted that the hacking of Legalizer could lead to arrests.
State borders may also become an obstacle for law enforcement agencies. Although the forum is oriented at the Russian-speaking audience from the CIS, it may be physically located on servers hosted in a country where drugs are legal.
The Copilot service developed by Microsoft and GitHub specialists, designed to simplify the work of programmers, can be used by hackers to create malicious software.
Copilot, created by GitHub on the basis of artificial intelligence, works like an autocomplete keyboard on a mobile device.
GitHub introduced the service at the end of June, and it was developed with the help of OpenAI. Copilot is expected to make life easier for developers.
During development, specialists trained the service on billions of lines of code. Now, as a developer writes code, GitHub Copilot offers suggestions that can make coding more productive.
Russian cybersecurity experts believe that GitHub's innovation may be useful not only to software developers but also to cybercriminals.
According to experts, the new program may make it easier for hackers to write code, and they will be able to do it faster. Consequently, the number of authors of such code may increase.
Denis Legezo, a senior cybersecurity expert at Kaspersky Lab, noted that no technology, Copilot included, is good or bad in itself; what matters is the purpose for which a person uses it. The expert did not rule out that the new program, as a convenient and accessible development tool, could also be used by cybercriminals.
Nikolay Nashivochnikov, an expert at GIS, spoke about the danger of the new bot for programmers being used by hackers.
"As we can see, new services simplify the life not only of white hat hackers, but also of black hats. If the hackers manage to introduce a dangerous design into the Copilot system, and it starts offering developers to insert this vulnerability into their code, as a result we can get a more widespread vulnerability," said Mr. Nashivochnikov.
Experts also talk about the possibility of outright theft of someone else's code. In about 0.1% of cases the code is taken verbatim from the training sample; in the remaining 99.9% the service uses the training sample as a basis for synthesizing something new.
Kaspersky said that the most professional, most aggressive espionage attacks are carried out by those who speak English, Russian and Chinese.
As for the most professional cybercrime groups, they almost all speak Russian, "because the best programmers in the world also speak Russian," he noted, explaining the difference between cybercrime and cyber espionage, that is, hackers who work for the state.
"The Soviet, Russian education system produces the most intelligent programmers in large numbers. The most malicious cybercriminals graduated from the same universities as the most professional programmers who work as white hat hackers," Kaspersky said.
The second factor explaining the abundance of Russian-speaking cybercrime groups is that English-speaking cybercriminals are quickly found and punished in the United States.
"There were criminal groups in the United States, in other countries, but they were almost liquidated. This is explained very simply. Where is the most money? In the USA. Who are the American criminals attacking? Their own. And they are immediately taken on their own territory. Who are the Russian-speaking groups attacking? Again, America. All. It's just the economy," Kaspersky said.
According to Mr. Kaspersky, that is why fighting cybercrime with the forces of disunited cyber police units is completely ineffective.
"Cybercriminals commit crimes on the Web, where there are no borders. Police units act only in their own territory," Kaspersky added.
He believes that international cooperation, which currently works very poorly, is needed to solve this problem.
Kaspersky recalled that cooperation between countries on cybersecurity issues was built up over several years and peaked in 2015-2016, when there was a fairly successful joint police operation by Russia, the U.S. and some European countries against the high-profile international cyber gang Carbanak.
On the day the hearing on the crash of the Malaysian Boeing in Ukraine began, the Dutch newspaper Volkskrant published a piece in which, citing anonymous sources, it claims that hackers allegedly linked to the Russian Foreign Intelligence Service (SVR) gained access to the Dutch police system in 2017, while the investigation into the crash of Flight MH17 was under way.
According to the newspaper, the police did not notice the hack; it was information from the Security Service (AIVD) that led to its detection.
The hack led to a "great panic" over the MH17 investigation. The information was provided to the newspaper by people with knowledge of the incident, but the police and the AIVD refused to confirm or deny the hacking.
Sources told the newspaper that the hack detected by the AIVD came from the Dutch IP address of the police academy's server. "Traces of hackers were found in several places," Volkskrant reports, citing four sources. It is unclear if the hackers were able to gain access to any information relevant to the MH17 investigation, or what information they might have obtained.
Recall that a Malaysian Boeing flying from Amsterdam to Kuala Lumpur as flight MH17 crashed near Donetsk in 2014. All 298 people on board were killed. Kiev blamed the militia for the crash, but they said they did not have the means to shoot down an aircraft at such a height.
The Joint Investigation Team (JIT), led by the Prosecutor General of the Netherlands, concluded that the Boeing was shot down by a Buk anti-aircraft missile system belonging to the Russian Armed Forces.
The Russian Foreign Ministry said that the accusations of Russia's involvement in the crash of the Malaysian Boeing are unfounded and regrettable, and that the investigation is biased and one-sided. President Vladimir Putin noted that Russia is not allowed to take part in investigating the crash of the airliner in eastern Ukraine, and that Moscow can recognize the results of the investigation only if it takes a full part in it.
Not only a programmer but also any specialist with a good knowledge of mathematics can become a hacker in Russia, said Ilya Sachkov, head of Group-IB. The entrepreneur believes that for such people money is the priority.
"This is a talented young man, whose task is to earn money and that's all. He is not always well-educated in the humanities, not someone who will cause you sympathy. The priority is money, expensive cars, expensive watches, holidays abroad," said Sachkov.
Ten years ago, the career of a hacker was chosen exclusively by students, mostly children from disadvantaged families. However, the situation has changed: this profession is now chosen by those who "live in very rich families, with normal relations between parents".
A typical Russian hacker "tries to play Don Corleone", communicates with former or current law enforcement officers, and also looks for political assistants who will explain to him that real Russian hackers steal money from foreigners because of the "war with America".
He noted that virus creators are often people with special needs, autistic children who have fallen into an aggressive environment. At the same time, the opinion that Russian-speaking hacker groups lead the world is already outdated. Today they are all mixed by nationality, although in the 1990s it was people from the post-Soviet space, who communicated with each other in Russian, who were among the first to engage in such things.
Group-IB specializes in products that help protect against cyber attacks and fight online fraudsters. In particular, the company investigates cybercrimes and helps to monitor attacking hackers. The group cooperates with Europol and Interpol.
A Russian-speaking hacker under the pseudonym Byte has leaked passwords from the personal profiles of managers of many large companies around the world.
Credentials for the personal accounts of Microsoft's online services and the email addresses of several hundred senior executives have been put up for sale on a Russian-language hacker forum by a Russian-speaking hacker under the pseudonym Byte. The seller claims to have hundreds of passwords of top managers from all over the world and is ready to confirm the authenticity of the data to a buyer.
The offer appeared on Exploit.in, a private forum for Russian-speaking cybercriminals. The description states that one can purchase email addresses and passwords for the Office 365 and other Microsoft service accounts of presidents, vice presidents, CEOs and other high-ranking executives of companies from around the world.
Byte asks from $100 to $1500 per address; the price depends directly on the size of the company and the position held by the account owner.
An information security specialist entered into negotiations with the seller to check how current the database offered for sale is. For verification, he received the credentials of two accounts: the CEO of an American software development company and the CFO of a retail chain in one of the EU countries. Using them, he gained access to these people's data.
The attacker did not disclose the source of the data but claims to be able to provide access to hundreds of accounts.
Analysts at KELA reported that the person selling these credentials had previously tried to purchase information collected from computers infected with the Azorult malware. Such data usually contains usernames and passwords that the malware extracts from victims' browsers.
This incident once again highlights the need for better data protection. Two-factor authentication or 2FA is often recommended.
Group-IB, a company specializing in the investigation of IT crimes, has listed the countries from which cyber attacks are most often launched: China, Iran, North Korea and Russia.
Hacker attacks are most often carried out from China, Iran, North Korea and Russia, according to Group-IB's report Hi Tech Crime Trends 2020. The Asia-Pacific region was the most attacked in the second half of 2019 and the first half of 2020.
Hacker groups associated with security services are concentrated mainly in China, where 23 were counted; Iran has 8 groups, North Korea and Russia 4 each, India 3, and Pakistan and the Gaza Strip 2 each. One more each is located in Vietnam, Turkey and South Korea. Their main area of interest is the Asia-Pacific region, as well as Europe.
According to the report, Russia and the United States were attacked less often: 15 campaigns were recorded against the United States and 9 against Russia, carried out by groups from China, North Korea and Iran. Russia also recorded one attack by Kazakhstan's security services, and the United States recorded attacks from the Gaza Strip and Pakistan.
Experts note that attacking teams are actively acquiring tools for attacks on physically isolated (air-gapped) networks; this year, incidents occurred at nuclear facilities in Iran and India.
Another high-profile attack was a sabotage attempt in Israel, in which water supply systems were targeted and hackers tried to change the chlorine level.
The Federal Court for the Northern District of California in San Francisco sentenced Russian citizen Yevgeny Nikulin to seven years and four months in prison for computer fraud. According to the American side, Nikulin hacked the databases of LinkedIn, Dropbox and Formspring, as a result of which about 117 million account credentials were stolen.
One of his lawyers, Arkady Bukh, informed the Russian of the verdict. According to him, the four years Yevgeny Nikulin has spent in custody since his arrest in Prague in October 2016 at the request of the FBI will be counted toward the sentence.
The Prosecutor's Office had recommended that the court sentence Nikulin to 12 years in prison after the jury found him guilty on all nine counts. The Russian did not admit guilt and declined to make a final statement before sentencing.
In determining the punishment, the judge noted Nikulin's intelligence, abilities and sense of humor, but considered that these qualities only aggravated the Russian's guilt.
Yevgeny Nikulin was extradited to the United States in March 2018. He was accused of hacking the databases of LinkedIn, Dropbox and Formspring, as a result of which about 117 million credentials were stolen, of causing damage to computer devices, and of transferring stolen personal data to third parties. The prosecution materials are classified as "secret"; their volume is six terabytes of information.
Recall that in Prague, Nikulin claimed that an FBI employee put pressure on him during interrogation to obtain information about Russian interference in the 2016 US presidential election.
The Russian Foreign Ministry previously called the Nikulin case an example of how American intelligence agencies are hunting for Russians around the world.
A group of hackers threatens to bring down the tax, energy and banking systems of Belarus if the head of state, Alexander Lukashenko, does not comply with their ultimatum.
A union of Belarusian hackers and IT developers has threatened President Alexander Lukashenko that it will bring down the tax, energy and banking systems if the security forces continue to detain protesters.
The attackers' statement was published in the Telegram channel "Cyber Partisans". They demand that Lukashenko stop the arrests by September 13, come out with a loudspeaker and publicly apologize to the population, and leave his post. If this does not happen, "Belarus will forget what taxes are."
"Alexander Lukashenko, we are addressing you personally. It will be very painful, first, the tax system will break down, then the electricity in the country will run out, then the banking system will break down… Do you need it?" the hackers asked the President of the Republic. In addition, the hackers stressed that they are able to "kill the ruble" and start blocking the bank accounts of people from Lukashenko's inner circle.
Recall that after the announcement of the election results in Belarus, mass protests began. The protesters are demanding Lukashenko's resignation and new fair elections. In addition, citizens report violence by the security forces.
The European Union refused to recognize Lukashenko's victory, while the Kremlin, on the contrary, congratulated the Republic's long-standing leader on his next term.
Notably, during the elections and in the following days, the Internet stopped working in the country several times. The Belarusian authorities blamed the outages on a cyberattack from abroad, but it later became known that the blocking equipment used by the local state security agencies had been supplied by the American company Sandvine.
According to the Georgian Ministry of Internal Affairs, the purpose of infiltrating the Ministry of Health's database was to get hold of important medical records.
The Ministry of Internal Affairs reported that its Cyber Crimes Department of the Criminal Police Department has begun an investigation into the unauthorized entry into the computer system of the Ministry of Health of Georgia.
Recall that the Ministry of Internal Affairs established that on September 1, 2020, a cyberattack was carried out from a foreign country on the computer system of the Ministry of Labor, Health and Social Protection of Georgia in order to obtain and use important medical records from its database.
"According to the evidence collected at this stage, this cyberattack was carried out by a special service of a foreign country," stated the Georgian Interior Ministry.
The ministry states that some original documents obtained through the illegal intrusion into the computer system have been uploaded to a foreign website and are publicly available. In addition, the website hosts clearly fabricated documents, deliberately forged to intimidate the public.
"The Ministry of Internal Affairs of Georgia will appeal to the relevant services of the partner countries with a request to provide effective assistance in a quick and effective investigation of this complex and specific crime," the ministry said in a statement.
It is interesting to note that Yuri Shvytkin, Deputy Chairman of the State Duma Defense Committee, stated that there are laboratories in Georgia and the United States that produce Novichok, a Soviet-era chemical weapon.
Recall that Russian opposition leader Alexey Navalny, one of Russian President Vladimir Putin's fiercest critics, was poisoned with the nerve agent Novichok. He is currently in the Charité hospital in Germany. The incident caused a violent reaction in the West.
The Sverdlovsk Regional Clinical Center was hacked. Svetlana Lavrova, a neurophysiologist, reported this on her Facebook page.
“The data of 400 patients who were operated on from the 10th to the 21st were encrypted," said Alexander Dorofeev, Deputy chief physician at the Sverdlovsk Regional Cancer Center.
The Department of Information Policy of the Sverdlovsk region said that the hack occurred on August 21, during the installation and integration of the laboratory information system.
The hackers chose the moment when the system was most vulnerable: during the installation of new software. A specially designed virus encrypted test-result data, information essential for prescribing effective treatment, leaving it unreadable without a special key.
The hackers then demanded one thousand dollars for the decryptor. The management agreed to pay, but the hackers stopped communicating.
As a result, a lot of work had to be done in a few days: medical reports had to be restored manually and re-entered into the database.
"Especially for those who doubt confidentiality: the missing data was not transferred to someone, no one found out who had what kind of tumor, just hackers "broke" our access to them," wrote a neurophysiologist Svetlana Lavrova on Facebook.
A report has not yet been filed with the police, as there was no time. Now that all the data has been restored and the patients have received the necessary treatment, an investigation will be carried out. The police need to find out who these scammers are who tried to sell the lives of 400 people for a thousand dollars, and, most importantly, how they managed to learn at what moment the system would be vulnerable.