
North Korean Hacker Indicted for Cyber Attacks on U.S. Hospitals, NASA, and Military Bases


Federal prosecutors announced the indictment of Rim Jong Hyok, a North Korean military intelligence operative, for his role in a conspiracy to hack into American healthcare providers, NASA, U.S. military bases, and international entities. 

The indictment, unveiled on July 25, 2024, in Kansas City, Kansas, details Hyok’s involvement in stealing sensitive information and deploying ransomware to fund further cyberattacks. Rim Jong Hyok is accused of laundering money through a Chinese bank, using the proceeds to acquire computer servers and finance additional cyberattacks targeting defense, technology, and government entities globally. The indictment highlights his connection to the Andariel Unit of North Korea’s Reconnaissance General Bureau, a state-sponsored group responsible for these malicious activities. 

The cyberattacks on American hospitals and healthcare providers disrupted patient care, underscoring the severe impact of such crimes on public health. Prosecutors allege that Hyok targeted 17 entities across 11 U.S. states, including NASA and U.S. military bases. Defense and energy companies in China, Taiwan, and South Korea were also among the victims. Over three months, Hyok and his team infiltrated NASA’s computer systems, extracting over 17 gigabytes of unclassified data. They also accessed systems of defense companies in Michigan and California and breached Randolph Air Force Base in Texas and Robins Air Force Base in Georgia. 

The malware used by the Andariel Unit enabled them to transmit stolen information to North Korean military intelligence, aiding the country’s military and nuclear ambitions. The stolen data included details of fighter aircraft, missile defense systems, satellite communications, and radar systems, according to a senior FBI official. Stephen A. Cyrus, an FBI agent based in Kansas City, emphasized that North Korea uses cybercrimes to circumvent international sanctions and fund its political and military goals. The impact of these attacks is felt directly by citizens, as evidenced by the disruption of hospital operations in Kansas and other states. 

A reward of up to $10 million has been offered for information leading to his capture or that of other foreign operatives targeting U.S. infrastructure. The Justice Department has a history of prosecuting North Korean hackers. In 2021, three North Korean programmers were charged with a range of cybercrimes, including an attack on an American movie studio and the attempted theft and extortion of over $1.3 billion from banks and companies worldwide. The FBI’s involvement in this case began when a Kansas medical center reported a ransomware attack in May 2021. 

Hackers had encrypted the hospital’s files and servers, blocking access to patient records and critical equipment. A ransom note demanded Bitcoin payments, threatening to leak the files online if the demands were not met. Investigators traced the Bitcoin transactions to two Hong Kong residents, eventually converting the funds to Chinese currency and transferring them to a Chinese bank. The money was accessed from an ATM near the Sino-Korean Friendship Bridge. 

In 2022, the Justice Department announced the seizure of approximately $500,000 in ransom payments, including the entire ransom paid by the Kansas hospital. While Hyok’s arrest is unlikely, the indictment may lead to sanctions that could hinder North Korea’s ability to collect ransoms, potentially reducing the motivation for future attacks on critical infrastructure. 

Cybersecurity analyst Allan Liska from Recorded Future notes that although sanctions may not stop North Korea’s cyber activities entirely, they could deter attacks on hospitals by making ransom payments more difficult to collect. This incident also raises questions about China’s stance on being targeted by its ally, North Korea.

DoD Claims: China’s ICS Cyber Onslaught Aims at Gaining Strategic Warfare Advantages


According to the US Department of Defense (DoD), China's relentless cyberattacks on vital infrastructure are likely a precautionary measure intended to obtain a strategic advantage in the event of violent warfare.

The Cyber Strategy released earlier this week by DoD has mentioned an increase in the state-sponsored cybercrime from People's Republic of China (PRC), particularly against sensitive targets that could affect military responses. 

According to the agency, this is done in order to "to counter US conventional military power and degrade the combat capability of the Joint Force."

The DoD claims in its report that the PRC "poses a broad and pervasive cyberespionage threat," monitoring the movements of individuals beyond its borders, acquiring technology secrets, and eroding the capabilities of the military-industrial complex. However, the NSA cautioned that the activity goes beyond routine information collection.

"This malicious cyber activity informs the PRC's preparations for war[…]In the event of conflict, the PRC likely intends to launch destructive cyberattacks against the US Homeland in order to hinder military mobilization, sow chaos, and divert attention and resources. It will also likely seek to disrupt key networks which enable Joint Force power projection in combat," the report stated.

An Increasing Chinese Focus on Military Degradation

The notion that cyber activities can signal impending military action is consistent with predictions made earlier this year in the wake of the Volt Typhoon attacks by Microsoft and others. With a series of compromises that targeted telecom networks, power and water controls, US military bases at home and abroad, and other infrastructure whose disruption would interfere with actual military operations, the Beijing-backed advanced persistent threat (APT) made national headlines in the US in May, June, and July.

So far, the operational technology (OT) used by the victims has not been impacted by the compromises. However, CISA Director Jen Easterly warned at Black Hat USA in August that if the US gets involved in a potential invasion of Taiwan, the Chinese government may be positioning itself to launch disruptive attacks on American pipelines, railroads, and other critical infrastructure.

"This APT moves laterally into environments, gaining access to areas in which it wouldn't traditionally reside[…]Additionally, this threat actor worked hard to cover their tracks by meticulously dumping all extracted memory and artifacts, making it difficult for security teams to pinpoint the level of infiltration," says Blake Benson, cyber lead at ABS Group Consulting.

Taking into account the military-focused cyber activities that can potentially entail collateral damage to bystander business, there could also be a sort of ‘anti-halo effect’ at work, according to John Gallagher, vice president of Viakoo Labs at Viakoo.

"Virtually all exploits launched by nation-states 'leak' over to non-nation-state threat actors[…]That means organizations who depend on IoT/OT systems will be direct targets at some point to the same threats being launched against national critical infrastructure," warns Gallagher.  

U.S. Hunts Chinese Malware Halting Military Operations


The Biden administration is looking for malware that may jeopardise military and civilian power grids, communications systems, and water supplies, the New York Times reported. 

The malware, which is believed to have been installed by Chinese hackers linked to the People's Liberation Army, could try to sabotage and delay any response by the U.S. military should China take action against Taiwan, according to U.S. officials, who spoke to the Times. 

One congressional representative called the malware "a ticking time bomb" that might allow China to cut off communications, water, and power to military outposts. 

The official also stated that the malware may have an equivalent impact on ordinary Americans' homes and companies. 

The White House sent a statement last week in response to inquiries from the Times prior to the report's publication, but it avoided addressing China or the military bases specifically.

“The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others,” stated Adam Hodge, acting spokesperson for the National Security Council. 

The report was published just two months after Microsoft revealed that the alleged Chinese hacking group Storm-0558 had gained access to email accounts belonging to approximately 25 organisations, including government agencies, in the United States in addition to official government email accounts in Western Europe. 

U.S. Secretary of State Antony Blinken and Wang Yi, China's top diplomat, met on the sidelines of the ASEAN Foreign Ministers' Meeting in Jakarta. Wang Yi brought up the Chinese cyber espionage attack that targeted emails from the U.S. government. 

Chinese hackers are believed to have targeted email accounts at the State Department and other government organisations in May. The intrusions were discovered right before Blinken's trip to Beijing in June, and the affected accounts included that of Commerce Secretary Gina Raimondo. 

Since the normalisation of relations half a century ago, relations between the U.S. and China have never been worse. The two superpowers are at odds over Taiwan, access restrictions to high-tech semiconductor chips for China, and accusations of malicious online behaviour from both sides. 

The U.S. frequently accuses Beijing of cyber attacks against its agencies and infrastructure, and earlier this year, in a high-profile incident, it shot down a bus-sized balloon off the coast of South Carolina.

Typo Delivers Millions of US Military Emails to Russia's Ally Mali


Due to a small typing error, millions of emails intended for the US military were unintentionally sent to Mali, a Russian ally. For years, emails meant for the US military's ".mil" domain have been delivered to the West African nation's ".ml" country-code domain instead. 

According to reports, some of the emails contained private information including passwords, medical information, and high officers' travel schedules. The Pentagon claimed to have taken action to resolve the situation.

The Financial Times, which broke the story, claims that Dutch internet entrepreneur Johannes Zuurbier discovered the issue more than ten years ago. He has held a contract to handle Mali's national domain since 2013 and has apparently collected tens of thousands of misdirected emails in recent months. 

None were tagged as classified, but they included medical data, maps of US military bases, financial records, and planning documents for official trips, as well as some diplomatic letters, according to the newspaper. 

This month, Mr Zuurbier issued a letter to US officials to raise the alarm. He stated that his contract with the Mali government was about to expire, implying that "the risk is real and could be exploited by US adversaries." On Monday, Mali's military administration was set to take control of the domain.

According to current and former US officials, "classified" and "top secret" US military communications are routed through separate IT networks, making it unlikely that they will be accidentally compromised. 

However, Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, believes that even seemingly innocuous material could be beneficial to US adversaries, especially if it includes specifics on individual employees. 

"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Mr Stransky explained. "It's certainly information that a foreign government can use." 

Lee McKnight, a Syracuse University professor of information studies, believes the US military was lucky that the issue was brought to its attention and that the emails were directed to a domain used by Mali's government rather than cyber criminals.


He went on to say that "typo-squatting" - a sort of cybercrime that targets individuals who misspell an internet domain - is rampant. "They're hoping that a person will make a mistake, and that they can lure you in and make you do stupid things," he noted. 

Both Mr. McKnight and Mr. Stransky believe that human error is a major concern for IT professionals working in government and the private sector alike.
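The ".mil" to ".ml" slip described above is the kind of misaddressing an outbound mail gateway can catch before delivery. The following is an added example, not code from the article or from any of the organisations it mentions: a recipient check that lets mail to the organisation's own TLD through, and holds for review any recipient domain that sits within one edit (insertion, deletion, substitution or adjacent swap) of a protected domain or TLD. The protected domains, the TLD list and the sample recipients are assumed policy data constructed for the demonstration.

```python
import re
from collections import namedtuple

# Assumed policy data (not from the article): the organisation's own mail TLD
# and domains, plus constructed recipients to scan.
PROTECTED_TLDS = {"mil"}
PROTECTED_DOMAINS = {"army.mil", "af.mil", "mail.mil"}
SAMPLE_RECIPIENTS = [
    "officer@army.mil",     # legitimate
    "officer@navy.mil",     # legitimate: same protected TLD
    "officer@army.ml",      # the .mil -> .ml slip from the story
    "liaison@mail.mli",     # transposed letters in the TLD
    "partner@example.com",  # ordinary external domain
    "not-an-address",
]
Verdict = namedtuple("Verdict", "address allowed reason")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def recipient_domain(address):
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", address.strip().lower())
    return m.group(1) if m else None

def check_recipient(address, max_distance=1):
    """Allow protected-TLD mail; hold domains within one edit of a protected name."""
    domain = recipient_domain(address)
    if domain is None:
        return Verdict(address, False, "malformed address")
    tld = domain.rsplit(".", 1)[-1]
    if tld in PROTECTED_TLDS:
        return Verdict(address, True, "protected TLD")
    for p in sorted(PROTECTED_DOMAINS):
        if edit_distance(domain, p) <= max_distance:
            return Verdict(address, False, f"lookalike of {p}")
    for t in sorted(PROTECTED_TLDS):
        # One edit from a protected TLD also matches real ccTLDs (.il, .ml), so this
        # is a hold-for-review signal, not a hard block.
        if edit_distance(tld, t) <= max_distance:
            return Verdict(address, False, f"TLD .{tld} is near .{t}")
    return Verdict(address, True, "ok")

def scan_recipients(addresses):
    """Return the verdicts a mail gateway would hold for review."""
    return [v for v in map(check_recipient, addresses) if not v.allowed]
```

Internal typos such as "arny.mil" still pass because they stay inside the protected TLD; the check is aimed at mail that would leave the organisation entirely.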

Block KillNet's DDoS Bots Using These Proxy IP Addresses

The US government has issued a warning that the Russian cybercrime gang KillNet is stepping up its attacks against hospitals and health clinics by flooding their networks with traffic, and as part of that warning it has pointed to a free tool designed to help organizations defend against KillNet's distributed-denial-of-service (DDoS) bots. 

Currently, tens of thousands of proxy IP addresses are listed on the KillNet open proxy IP blocklist. These IP addresses are being used by Russian hackers in their attempts to flood networks with traffic. SecurityScorecard's threat researchers built the list following their investigation of KillNet and other network-flooding miscreants.
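A defender's first use of such a blocklist is to check whether any listed addresses already appear in web-server logs, then load the list into a firewall set. The following is an added example, not SecurityScorecard's tool or any code from the article: it parses a blocklist in the common one-IP-or-CIDR-per-line form, matches client IPs in access-log lines against it, and renders the ipset commands that would feed a DROP rule. Both the blocklist entries and the log lines are constructed samples using documentation address ranges, not the real KillNet list.

```python
import ipaddress
from collections import Counter

# Constructed sample in the one-IP-or-CIDR-per-line form; the real SecurityScorecard
# KillNet open proxy list is not reproduced here.
SAMPLE_BLOCKLIST = """
# comment lines and blanks are ignored
198.51.100.17
198.51.100.200/29
203.0.113.0/24
"""
# Constructed access-log lines (combined log format, client IP first).
SAMPLE_LOG = [
    '198.51.100.17 - - [28/Jan/2023:10:01:01 +0000] "GET /patient-portal HTTP/1.1" 503 0',
    '192.0.2.44 - - [28/Jan/2023:10:01:02 +0000] "GET /appointments HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Jan/2023:10:01:02 +0000] "GET / HTTP/1.1" 503 0',
    '198.51.100.203 - - [28/Jan/2023:10:01:03 +0000] "GET / HTTP/1.1" 503 0',
    '198.51.100.199 - - [28/Jan/2023:10:01:04 +0000] "GET /login HTTP/1.1" 200 880',
    'garbage line without an address',
]

def load_blocklist(text):
    """Parse IPs and CIDRs into network objects; skip comments, blanks and junk."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole load
    return nets

def is_blocked(ip_text, nets):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in n for n in nets)

def match_log(lines, nets):
    """Return the log lines whose client IP is listed, and a per-IP hit count."""
    hits, counter = [], Counter()
    for line in lines:
        ip = line.split(" ", 1)[0]
        if is_blocked(ip, nets):
            hits.append(line)
            counter[ip] += 1
    return hits, counter

def ipset_commands(nets, set_name="killnet_proxies"):
    """Render ipset commands to load the list into a kernel set for a DROP rule."""
    return [f"ipset create {set_name} hash:net -exist"] + [
        f"ipset add {set_name} {n.with_prefixlen} -exist" for n in nets]
```

Open proxies churn quickly, so the list should be re-pulled and the set refreshed on a schedule rather than loaded once.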

Although DDoS attacks are relatively unsophisticated, like many other attacks, they can still take a serious toll, especially when they disrupt hospitals, according to a recent blog post by the security firm using KillNet as an example. 

A website taken down by the Russian gang toward the end of January belonged to one of 14 hospitals targeted in the United States. The University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai Medical Center were among them. There are several reasons for using DDoS attacks, one of which is to mask more intrusive activities. 

A report released by the US Department of Health and Human Services (HHS) on Wednesday confirmed that KillNet is a threat to the healthcare sector and prompted DHS to issue a second warning. A similar security alert has been issued by the Department of Homeland Security twice in the last few months.  

It is common for pro-Kremlin supporters to attach an ideological bent to their attacks - sometimes using empty threats to convey their message. "Killmilk, one of the leading members of the KillNet group, has threatened the US Congress with the sale of the health and personal information of American citizens to attack US policies concerned with Ukraine," according to the December security alert from HHS. According to the US, the planned attack has not yet been carried out. 

In a similar vein, the gang threatened to attack ventilators and other technical devices in British hospitals if another alleged KillNet member, arrested in London in May, was not released. 

Although KillNet may claim to have carried out attacks on the US military, it is wise to take its claims with a pinch of salt, according to HHS. Given the fact that the group tends to exaggerate, there is a possibility that some of these operational and development announcements may simply be meant to garner attention, both publicly and within the cybercrime underground. According to the FBI and private security researchers, the group's DDoS campaigns have been viewed as publicity stunts, which, as annoying as they have been, have had "limited success." 

A Public Relations Stunt That Could Turn Wrong   

KillNet claimed responsibility on October 10 for deactivating more than a dozen websites associated with US airports as part of an attack aimed at knocking the websites offline. Although the large-scale DDoS attack was disruptive, it did not disrupt air travel or harm the operation of the airports. 

As soon as someone claimed to have unleashed a second bot army against JPMorgan Chase a day later, the same criminals saw similarly feeble results. In my opinion, some PR agency is trying to increase their budget for PR. 

Then, at the beginning of November, a US Treasury official announced that the department had halted a "pretty low-level" DDoS attack, also attributed to KillNet, designed to disrupt critical infrastructure nodes in the department.  

KillNet's DDoS attacks usually do not cause major damage, but they have the potential to disrupt healthcare organizations and the millions of patients they serve for hours, days, or even weeks, which makes them especially damaging in the healthcare sector.  

It has been reported that these bots are flooding the network traffic of patients and doctors, preventing them from sending and receiving health information online and making it harder for patients to schedule appointments in the future.  

Furthermore, sometimes miscreants use DDoS attacks as a distraction for their security teams to keep their attention while they work on more dangerous attacks, including the theft of sensitive information or the deployment of ransomware. 

According to HHS, it is likely that pro-Russian ransomware groups, including former members of the defunct Conti group, will respond to KillNet's appeal and offer support. That would most likely lead to KillNet targeting entities that can then be extorted, with DDoS attacks used as a means of extortion, a tactic that several ransomware groups have employed.