Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Russian Aerospace. Show all posts

Tasmanian Hit by Big Data Breach Confirmed by Minister

 

The Tasmanian Department of Education, Children, and Young People experienced a cyber attack where hackers targeted and breached the third-party file transfer service GoAnywhere MFT. The breach took place last month and the state government confirmed on March 31 that its data had been accessed. Despite applying a patch to fix vulnerabilities, the government continues to use the software as part of "best practice." 

The breach lasted for four days, during which information was transferred. As a result, documents including invoices, bank statements, and personal information of individuals connected to the department were accessed by the ransomware group Cl0p. Investigations are ongoing, and there may be more affected documents. 

Tasmanian schools have been notified, and a hotline (1800 567 567) has been established for individuals to report any concerns about their data. Additionally, 16,000 Tasmanian education department documents, including personal information of school children, were released on the dark web by hackers. Science and Technology Minister Madeleine Ogilvie confirmed the breach, revealing that financial statements and invoices containing names and addresses of students and parents were accessed. 

Ms. Ogilvie expressed concern for affected students and parents, urging them to report any unusual activity on their bank statements to authorities, such as the Australian Cybersecurity Centre or the provided hotline. She acknowledged the global nature of cybercrime and expressed sympathy for those whose data was released. 

According to the data, Crown Resorts and Rio Tinto are also believed to be victims of the same cyber attack. Labor's Jen Butler called on the premier to manage the crisis, as potentially every primary school in Tasmania and anyone associated with the Department of Education may be compromised, posing a risk. 

Other organizations, including Rio Tinto, have been contacted for ransom by the same Russian hackers. Labor leader Rebecca White has requested a briefing from the government, acknowledging the seriousness of the situation and parental concerns. 

Furthermore, Ogilvie confirmed that as of now the demands for ransom have not been made by the hackers. However, the federal government advises against paying any ransom if demanded. Earlier, the state opposition urged Tasmanian Premier Jeremy Rockliff to intervene and address the escalating situation. 

The ransomware group known as "CL0P" is believed to be a Russian-language cybercriminal gang responsible for notorious "big game hunter" ransomware attacks since at least 2019. They have been associated with other cybercriminal groups such as 'FIN11' and 'UNC2546'. CL0P follows the common tactic of stealing, encrypting, and leaking data, and victims who fail to meet their ransom demands are publicly named and shamed on their leak site called "CL0P LEAKS" hosted on Tor.

Chinese Hackers are Targeting Russian Aerospace Industry

 

Space Pirates, a Chinese cyberespionage group is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

Malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia as well as Mongolia. However, the majority of victims were spotted to be in Russia. Out of those, several victims operated specifically within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”