AJ Vicens Archives | CyberScoop
https://cyberscoop.com/author/aj-vicens/

Russian telecom confirms hack after group backing Wagner boasted about an attack
https://cyberscoop.com/russia-satellite-hack-wagner/
Fri, 30 Jun 2023 19:58:12 +0000

A Dozor-Teleport CJSC executive told ComNews that the company has been the victim of a cyberattack affecting its cloud infrastructure.

The post Russian telecom confirms hack after group backing Wagner boasted about an attack appeared first on CyberScoop.
The Russian satellite telecom company that hackers targeted this week in a claimed effort to support the Wagner paramilitary group confirmed the cyberattack on Friday, according to a Russian technology publication. The satellite company provides internet and other communication services that support state agencies such as Moscow’s main intelligence agency.

Alexander Anosov, the general director of the satellite company Dozor-Teleport CJSC and the first deputy general director of its parent company, Amtel-Svyaz, told a Russian information technology news outlet that the company was indeed infiltrated, and that preliminary information suggested that “infrastructure on the side of the cloud provider was compromised,” according to a Google translation.

ComNews, the publication that reported Anosov’s confirmation, reported that it “may take up to two weeks to restore the network to full operation.” The story did not offer additional detail on the severity or scale of the attack but said more information would be published on Monday.

News emerged late Wednesday into Thursday that the company had been targeted by a group claiming affiliation with PMC Wagner, the private military company run by Victor Prigozhin. Along with targeting the company and leaking nearly 700 files, the hackers defaced several websites and put up Wagner-related messages and a video.

Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, tweeted Thursday that “Wagner’s involvement is very unlikely,” and that it looked “like Ukrainian false flag trolling.”

The Wagner group did not respond to a request for comment and has not posted about the alleged connection to the hack in its widely followed Telegram channel. In the days since Prigozhin led his private military on an uprising and threatened to kill the head of the Russian military, his company, which includes the notorious Internet Research Agency troll factory, has faced major setbacks. Prigozhin announced the “liquidation” of Patriot Media, his company that had “dozens” of “news” sites, Meduza reported Friday.

The article also implied that the company was targeted because it uses a Latin-alphabet “Z” in its name, rather than the Cyrillic “З”. Anosov said that the company’s use of the “Z” could lead some to think that it works with the Russian Ministry of Defense. The symbol “Z” has become a symbol of the Russian invasion of Ukraine.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, tweeted a screenshot of text from one of the files dumped by the hackers that shows multiple references to the company’s work with the Ministry of Defense.

The file, which is a spreadsheet titled “stations,” also shows that the Moscow-based company has infrastructure in the occupied areas of Ukraine, including near the Zaporizhzhia Nuclear Power Station, Townsend told CyberScoop Friday.

Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group
https://cyberscoop.com/russian-satellite-hack-wagner-group/
Thu, 29 Jun 2023 16:02:26 +0000

The attackers released nearly 700 files associated with the attack.

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”

The hackers also claimed to have defaced four seemingly unconnected Russian websites with messaging supportive of the Wagner private military company, the Russian mercenary group that made international headlines last weekend as it marched toward Moscow in an astonishing uprising that challenged the power of Russian President Vladimir Putin, before the group stopped short.

The group’s leadership was relocated to Belarus, a staunch Russian ally. Yevgeny Prigozhin, the head of Wagner, also created and funded the Internet Research Agency, a troll farm that the U.S. government sanctioned for its role in the sweeping Russian election interference operations targeting the 2016 U.S. presidential elections and then the 2018 elections.

Belarusian President Aleksandr Lukashenko said he argued against Putin’s contemplation of killing Prigozhin for leading the uprising, and instead brokered the deal to send Prigozhin to Belarus.

The message posted to the defaced websites showed the Wagner insignia, along with a message about the uprising and its results. “We agreed to a peaceful solution because we achieved the main thing — we showed our capabilities and full social approval of our actions,” the message read, according to a Google translation. “But what do we see instead? The current military leadership has not been removed from office, criminal cases have not been closed … You kicked us out of the NWO zone, out of Russia, but you can’t kick us out of the network.”

“We take responsibility for hacking,” the message continued. “This is just the beginning, more to come.”

Screenshot from one of the defaced websites, captured June 29, 2023 (CyberScoop).

The group posted a link to a zip file containing 674 files, including PDFs, images and documents. On Thursday morning, the group also posted three files that appear to show connections between the FSB and Dozor, and the passwords Dozor employees were to use to verify that they were dealing with actual FSB representatives, with one password valid for every two months in 2023, according to a Google translation.

Doug Madory, the director of internet analysis for Kentik, told CyberScoop Thursday that Dozor’s connection to the internet went down at about 10 p.m. ET Wednesday and remains unreachable. One of the routes the company uses was switched to Amtel-Svyaz, Dozor’s Moscow-based parent company.

Amtel-Svyaz could not be reached for comment.

The Wagner Group could not be reached for comment.

Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, tweeted Thursday that “Wagner’s involvement is very unlikely,” and that it looked “like Ukrainian false flag trolling.”

Shakirov told CyberScoop in an online message that “the whole hack and leak looks very real, but it’s not something Wagner does. They don’t have a motive now & no history of such attacks.”

The potent cyber adversary threatening to further inflame Iranian politics
https://cyberscoop.com/iran-government-hack-leak-documents-hacktivist/
Mon, 26 Jun 2023 22:03:14 +0000

A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government.

Just before 2 a.m. Eastern Standard Time on May 29, someone posted a simple message to a Farsi-language Telegram channel called “GhyamSarnegouni,” which roughly translates to Uprising until Overthrow. “The entire highly protected internal network of the executioner’s presidential institution in Tehran was captured and out of reach,” it read, according to a Google translation.

Within minutes, images of top Mujahedeen-e-Khalq leaders appeared on the channel, along with the message of “Death to Khameni Raisi,” the supreme leader of Iran. The Iranian exile group commonly known as MEK has long opposed the Iranian government and advocated for its overthrow. Within a half hour of the original message, a screenshot of an internal presidential document was also posted on Telegram, the first of what has grown to more than 100 related to the office of the president of Iran and other major government agencies.

The documents include diplomatic correspondence, floor plans of the Iranian president’s office and other officials’ offices, and detailed network topology diagrams of various government networks along with associated IP addresses. The leak also included documents that appeared to be related to the country’s nuclear program and reportedly details of officials routing money through Chinese banks and other apparent sanctions-evasion activities. In addition to defacing multiple government websites, the hackers claimed to have gained control over 120 servers and databases, the government’s server management networks and access to more than 1,300 computers connected to the presidency’s internal network, according to a post on the MEK website in the hours after the attack went public.

The group claimed to have stolen “tens of thousands of classified, top secret and secret documents,” according to the post from the MEK, which has not officially claimed any connection to the GhyamSarnegouni. Likewise, the hackers have not claimed to have ties to MEK or any other political group or organization.

The Iranian government called the hack “fake,” and said website updates and maintenance — caused as the defaced sites were returned to the previous content — was the reason for any site outages. But outside experts agreed the documents, and the hack, were likely legitimate.

The scale of intrusion and leak would present a major national security dilemma for any country and send officials and politicians scrambling to find the culprits, identify the vulnerabilities and prosecute the hackers. But, so far, the Iranian government’s reaction — other than saying the leaked documents are fake — isn’t public.

Over the past several years in Iran, a patchwork of hacking groups has sprung up with various aims, political motives and ambitions — and it’s nearly impossible to know for certain who is behind each one of them. Some operations appear to be designed to expose Iranian government secrets or support opposition groups, while others target Israel and the U.S. While Iran has long been an active participant in the cyber domain, in the past few years its internal and external attacks have gained new potency and become more publicly visible since 2020, such as when hackers with suspected links to the Iranian government targeted water treatment systems in Israel.

Looking to stir up trouble inside Iran, a growing number of groups have taken aim at the current government. These include groups such as Black Reward, Tapandegan and Lab Dookhtegan. Another group known as Predatory Sparrow, which has possible ties to Israel, targeted steel mills with alleged ties to the Islamic Revolutionary Guard Corps (IRGC), posting a video after an apparent breach that showed what appeared to be the inside of an industrial facility.

The U.S. government and American tech companies have long accused the Iranian government of hiding behind hacktivist personas to carry out hack and leak operations and destructive attacks on targets around the world. A May 2023 report from Microsoft details more than a dozen hacktivist personas with links to either the IRGC or the Iranian Ministry of Intelligence, many thought operated by Emennet Pasargad, a U.S. government-sanctioned Iranian cyber group. That same organization is thought to have been involved with a sprawling plan to interfere with the 2020 U.S. election, according to the U.S. Department of Justice.

Homeland Justice, an Iranian front group according to researchers with Mandiant and also multiple western governments, hacked multiple Albanian government systems in July 2022, stealing data and wiping systems with faux ransomware, in response to Albania’s hosting of the MEK. Albania, a NATO member, cut diplomatic ties with Iran over the attack. The U.S. government sanctioned Iran’s Ministry of Intelligence over the attacks, and the U.S. Cyber National Mission Force deployed what it said was its first-ever defensive cyber operation in response to the Iranian-linked attacks.

“We’ve observed multiple cyber groups in action,” said Nariman Gharib, a U.K.-based Iranian opposition activist and independent cyber espionage investigator. “One focuses on human rights, unmasking the darker side of the regime, while another specializes in cyber operations, exposing the regime’s cyber tactics. There’s also a group dedicated to sabotage. They execute their task with efficiency in executing disruptive attacks and [GhyamSarnegouni] is that group.”

Indeed, the latest hack claimed by GhyamSarnegouni involving highly sensitive government documents takes the role that hackers and hacktivists are playing in Iran’s internal politics to a new level, experts say, given the depth of information accessed, which touches not only on the office of Iranian President Ebrahim Raisi but also on correspondence related to multiple sensitive agencies.

The hack is “one of the worst cases that has been publicly discussed and people are aware of about the compromise of classified documents and information from a government network,” said Hamid Kashfi, an independent security consultant originally from Iran, formerly a consultant for Trail of Bits and Immunity, who has uncovered multiple malicious Iranian government cyber activities over the years.

“What’s scary, if I was an Iranian government entity, or someone in charge of [assessing the situation] is what they’re not releasing and what they’re not exposing,” he said. “Because that’s a huge pile of A-plus grade intel and very interesting and very useful information for any government to be able to access.”

The attack is the fourth major hack and leak operation claimed by GhyamSarnegouni, a group that seemed to come out of nowhere in January 2022 when it claimed to have been behind the hacking and disruption of Iran’s national broadcast service. The attack included the broadcast of the faces of the long-missing Massoud Rajavi, and his wife Maryam Rajavi — the leaders of the MEK, which has been variously characterized by detractors as a cult and was, until 2012, deemed a terrorist organization by the U.S. government — and calls for the murder of Iran’s supreme leader, as well as destructive malware to damage equipment.

The MEK sharply disputes that it’s anything other than an opposition political movement, and has said the Iranian government is taking active steps to discredit the group, including by, in some cases, fabricating stories about members’ treatment.

Subsequent attacks tied to the group include the June 2022 hack of more than 5,000 municipal CCTV cameras in Tehran, and the early May 2023 hack of the Iranian Ministry of Foreign Affairs, which included more than 200 defaced websites and the publication of a trove of sensitive internal government files.

GhyamSarnegouni did not respond to a message sent via Instagram, where it also posts images of documents and other messages.

The recently leaked government documents are appearing against the backdrop of the U.S. and Iran getting closer to an agreement that the New York Times reported would ease sanctions on the country, release some imprisoned Americans, cease attacks on American contractors in Syria and Iraq and cap uranium refinement at 60% purity. After the presidential office hack first became public, an expert in Iranian cybersecurity told CyberScoop that embarrassing breaches of this nature seem to mirror major geopolitical developments, including progress on the nuclear deal.

“Any time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,” said Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization.

Kashfi said whoever is behind the hack has “demonstrated access to communications [letters] between different government agencies and the presidential office.” The purpose of the system that the posted materials are coming from, he said, is to have secure, encrypted communications between disparate agencies and offices for a particular purpose, not mundane communications.

“If they have access and dumped one classified letter from that system, it means that they have had access to dump all of it,” he said.

He doesn’t expect whoever is behind the attack to post everything they have, given the immense intelligence and operational value at stake. Although the attackers are so far displaying technical abilities beyond the reach of any “random activist group,” it’s not clear whether a state intelligence service, a hired mercenary group, or unaffiliated individuals are behind the attack.

Kashfi noted that it’s far too early to tell who is behind the group. But one data point, he said, supports the idea that it is not MEK. Some of the file names, and even the way certain words are used in the messaging, are “not in a way that a native [Farsi] speaker would use.”

“Non-native speakers would easily overlook this,” he said. “But if you look at the context of it, you would notice that if it’s actually someone from MEK that’s supposed to be Iranian or a native speaker, they wouldn’t name files like this. It more looks like someone is receiving and processing this information and then doing the PR for the group through this Telegram channel.”

Simin Kargar, a doctoral researcher at Johns Hopkins University who tracks human rights and cybersecurity matters related to Iran, views the group’s activity in the context of the larger cyber tit-for-tat involving Iran and its adversaries, whether Israel, the U.S. or others in the region. The group has aggressively promoted MEK symbols and messaging from its inception, she said, and over time, the MEK “has come to own this, whether or not there is an actual relation between the MEK as an organization and this hacktivist group.”

MEK has a history of exposing highly sensitive Iranian secrets, she added, most notably revealing Iran’s nuclear program in a press conference in 2002. While not directly cyber related, the revelations foreshadowed a scenario whereby MEK gained supporters among hawkish American policy makers looking to find ways to undermine the Iranian government, most notably during the Trump years when several officials interacted directly with MEK.

During that period Kargar’s research showed a “surge of MEK activities” on social media promoting some of the Trump administration’s most hawkish anti-Iran messaging. Fast forward to the current era with a plethora of hacktivist groups sharing Iranian data, some of whom also promote MEK messaging, and it’s clear that something is going on, she said.

“Speculations in the background about who these groups might be, and who they might be connected to, has always involved some sort of connection with the MEK,” she said. “Because they definitely have the motivation and interest to either pull something like this off independently, or being fed with intelligence in this domain, and then kind of using that, packaging that in a way that serves their purposes.”

In a statement provided to CyberScoop, the MEK said there’s no proof any hack occurred from its camp in Albania, “let alone that it is naive to hack from a known center.” 

Additionally, the materials seem to be the work of insiders in Iran, the statement said, with access to them “possible only with direct access to the regime’s devices inside the country. Many documents revealed are way outside the Internet domain.”

Whether the group is connected to the MEK or not, its activities are having consequences for the exiled group. Albanian police raided the MEK camp Ashraf-3 on June 20 in an action that left dozens injured and one man dead. The police seized 150 “computer devices allegedly linked to prohibited political activities,” the Associated Press reported.

Authorities raided the camp as part of an Albanian government investigation into alleged provocation of war, illegal interception of computer data, interference in data and computer systems, equipment misuse, and for the MEK being a “structured criminal group,” the Albanian news outlet Politiko reported the next day. The investigation began May 18 based on news articles reporting on the early May hack of the Iranian Ministry of Foreign Affairs, according to the story. Albanian authorities also cited the June 2022 hack on the Tehran municipal CCTV system in the search warrant.

“In July 2022, Albania was subjected to the most serious cyber-attack sponsored by the Islamic Republic of Iran, which caused massive damage to Albania’s digital infrastructure and interrupted the provision of public services and documents — 95% of which are offered only online — for months,” the Albanian embassy wrote in an email to CyberScoop. “In response, the Albanian Government severed diplomatic relations with the Islamic Republic of Iran and since then, we have received numerous threats, always related to the MEK presence in Albania.”

Albania “cannot tolerate that our territory be used to engage in illegal, subversive and political activity against other countries, as has allegedly been the case with the MEK,” the email read. “Humanitarian protection does not provide the MEK with special immunity before the law. MEK members are just as liable to be investigated and prosecuted for crimes committed in the territory of the Republic of Albania as any other individual, be they citizens, residents, refugees, or — as is the case with the MEK — individuals enjoying humanitarian protection from the Government of Albania.”

According to the MEK’s statement, roughly 1,200 Albanian police arrived at the camp the morning of June 20, and the majority of the people at the camp were unaware of the court order related to the hack investigation. Aggressive police actions caused “residents to protest,” the statement read, resulting in Albanian police injuring more than 100 people and leading to the death of one man after he was pepper sprayed, according to the statement. 

Albanian authorities seized 200 computers, the statement added. “There is nothing illegal in them; we are apprehensive that the information contained in these computers fall into the hands of the Iranian regime, with families and relatives of the residents in Iran put in danger.”

Updated June 27, 2023: This story has been updated to include comment provided to CyberScoop by the MEK after publication, and to reflect that the MEK disputes any characterization implying it is a “cult.”

Apple issues emergency patch to address alleged spyware vulnerability
https://cyberscoop.com/apple-security-patch-kaspersky-russia-spyware/
Wed, 21 Jun 2023 20:55:08 +0000

The fix follows allegations from a Russian intelligence service that an intentional flaw in iPhones provided a gateway for American espionage.

Apple issued a security update on Wednesday for all its operating systems to patch dangerous vulnerabilities that could allow attackers to take over someone’s entire device.

The vulnerabilities in question, first revealed on June 1, appeared to have led the main Russian intelligence agency to make unusually public claims that Apple intentionally left the flaws in its iOS so the National Security Agency and other U.S. entities could compromise “thousands” of iPhones in Russia. Apple has denied those claims.

The charges from the Federal Security Service, or FSB, came the same day that researchers with cybersecurity firm Kaspersky published a report detailing what they said was an “ongoing” zero-click iMessage exploit campaign dubbed “Operation Triangulation” targeting iOS that allowed attackers to run code on phones with root privileges, among other capabilities. Kaspersky published an additional analysis Wednesday, saying that after roughly six months of collecting and analyzing the data, “we have finished analyzing the spyware implant and are ready to share the details.”

Researchers with the cybersecurity firm that’s headquartered in Moscow said in the June 1 report they found the exploit “while monitoring the network traffic of our own corporate Wi-Fi network dedicated for mobile devices.”

Neither Kaspersky analysis attributed the campaign to a specific operator. A Kaspersky spokesperson told CyberScoop on Wednesday that the company had “nothing to provide” on attribution or in response to the FSB using Kaspersky’s work to backstop its claims of Apple collusion with the NSA and “American intelligence services.”

Kaspersky researchers “proactively collaborated with the Apple Security Research team by sharing information about the attack and reporting the exploits,” the spokesperson told CyberScoop in an email. “As of now, Apple has publicly confirmed them as zero-day vulnerabilities that received the designation of CVE-2023-32434 and CVE-2023-32435 respectively, and announced the patching of those as part of the Security Updates release on June 21, 2023. We would like to thank Apple for taking action promptly to address and resolve the identified issues to keep users safe.”

Apple said in its security update that the fixes would address an app that “may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.”

In response to the June 1 claims from the FSB, an Apple spokesperson told CyberScoop that “[we] have never worked with any government to insert a backdoor into any Apple product and never will.”

DOJ establishes cybercrime enforcement unit as U.S. warnings mount over Chinese hacking
https://cyberscoop.com/doj-establishes-cybercrime-enforcement-unit-natseccyber/
Tue, 20 Jun 2023 20:50:57 +0000

Assistant Attorney General for National Security Matt Olsen said the center will speed up disruption campaigns and prosecutions.

The Department of Justice established a cyber-focused section within its National Security Division to combat the full range of digital crimes, a top department official said Tuesday.

The National Security Cyber Section — NatSec Cyber, for short — has been approved by Congress and will elevate cyberthreats to “equal footing” with other major national security issues, including counterterrorism and counterintelligence, Assistant Attorney General for National Security Matt Olsen said in remarks at the Hoover Institution in Washington.

The new section enables the agency to “increase the scale and speed of disruption campaigns and prosecutions of nation-state cyberthreats as well as state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security,” Olsen said.

The NatSec Cyber center arrives at a time of growing concern about nation-state cyberattacks, especially those originating from Russia and China. Last week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, warned Americans to be prepared for a major Chinese cyberattack. “This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” she said at an event in Washington.

However, the section has been many months in the making. It comes out of Deputy Attorney General Lisa Monaco’s July 2022 Comprehensive Cyber Review meant to review the agency’s approach to cyber-related matters and develop “actionable recommendations to enhance and expand the Department’s efforts.” It also tracks with a main theme of President Biden’s cybersecurity strategy, which calls for cross-agency collaboration to fight cybercrime.

The DOJ has taken a more proactive and aggressive approach to cyber-related prosecutions over the past two years, even when the agency’s actions preclude traditional prosecutions and convictions. Monaco described the shift in strategy in April on stage at the RSA Conference in San Francisco, saying that there is now “a bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing,” with the goal “to take that action to prevent that next victim.”

The first major example of the policy shift was the April 2021 FBI action to proactively disable web shells related to Chinese-aligned efforts to exploit vulnerable Microsoft Exchange Servers, Monaco said. Another example of the proactive nature of DOJ actions was the April 2022 FBI operation that hobbled a Russian military intelligence-directed botnet that the FBI and DOJ determined could have enabled follow-on malicious activity.

The new unit within the DOJ will “give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena,” Olsen said. “NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat and to support investigations and disruptions from the earliest stages.”

Pro-Russian hackers remain active amid Ukraine counteroffensive
https://cyberscoop.com/russia-ukraine-hackers-counteroffensive/
Fri, 16 Jun 2023 21:45:39 +0000

Pro-Russian hackers are focused on Ukrainian service providers, media, critical infrastructure and collecting data from government networks.

Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.

“The activity is still very high,” Victor Zhora, a top Ukrainian cybersecurity official, told CyberScoop via online chat Thursday.

Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.

But it is far from clear that these operations are making a meaningful difference to Russian forces in Ukraine, and some of these operations appear geared toward creating the impression of widespread hacking activity even when they aren’t successful.

On Friday morning, the pro-Russian hacktivist group Killnet claimed to have hit key European financial institutions, including IBAN and SWIFT, which are used to facilitate banking transactions. But there was no indication that they had actually disrupted them.

By midday Friday there was no evidence that any attacks had taken place. The European Central Bank noted that its systems were running normally. A representative for Swift told CyberScoop that it, too, was running without issue. IBAN did not immediately respond to a request for comment.

Separately on Friday, a pro-Russian hacking group known as Beregini, which claims to operate out of Ukraine, posted what appeared to be a document prepared in April by U.S. Defense Department officials describing efforts by the international coalition supporting Ukraine to speed up deliveries of air defense systems.

The document bore the “CUI” classification, denoting that it was “controlled, unclassified information,” and appears to have been prepared for the Ukraine Defense Contact Group, which coordinates international assistance for the defense of Ukraine.

Though CyberScoop could not verify the document’s authenticity, its publication by Beregini is indicative of how hack-and-leak operations — or creating the appearance of them — have become a key tool in the information domain of the conflict.

A Defense Department spokesperson told CyberScoop the agency could not confirm the veracity of the document.

Against this backdrop, state-backed Russian hackers continue to conduct operations in Ukraine. On Wednesday, Microsoft identified what it described as a new hacking unit within Russia’s military intelligence (GRU) that it dubbed “Cadet Blizzard,” which carries out a range of cyber operations, including destructive malware attacks, hack-and-leak operations and intelligence collection.

On Thursday, researchers with the Symantec Threat Hunter Team detailed attacks carried out by a group it tracks as Shuckworm — also known as Gamaredon — targeting Ukrainian security services, military and government organizations. “The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more,” Symantec said.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, told CyberScoop this week that since the Russian invasion the GRU has made “noticeable changes in tactics,” including greater coordination and attention given to hacking groups serving as fronts, such as Zarya, Hacknet and Solntsepek.

Groups such as these are either fronts for state activity or conduits through which government-operated hacking campaigns push information to the wider world.

In the run-up to and during the Russian invasion, Ukraine has been the site of prolific cyber operations as a means for intelligence collection, information operations, and, occasionally, in conjunction with kinetic attacks. The recent flurry of activity is just the latest in this busy cyber operations space — made up of hackers working for governments, in support of governments and, at times, on their own.

Over the course of the conflict, these groups have shifted their targeting, Townsend said. Last summer, for instance, many pro-Russian hacking groups sought to intercept the exchange of intelligence between Ukraine and its allies. Over the winter, their operations focused more on targets in Central Europe. Starting this spring, they’ve shifted more toward utilizing front groups.

“They apparently realize that their usual method of communication simply doesn’t work,” Townsend said.

Fifteen months into the current phase of the war, government intelligence agencies and private sector research teams are getting better at distinguishing between the various pro-Russian hackers at work in Ukraine, said Tom Hegel, a senior threat researcher with SentinelLabs. Activity that might have been lumped under a wider umbrella in the early days of the war can be better parsed and analyzed now, he said.

While pro-Russian hacking operations during the early days of the conflict had what Hegel called a “spray and pray” quality to them, today’s operations are more strategic while the pace of activity remains consistent. As operations are increasingly carried out through front groups, high-powered and deeply resourced actors — known as APTs within the cybersecurity industry — may be supporting those efforts.

Two Energy Department entities breached as part of massive MOVEit compromise
https://cyberscoop.com/energy-department-cl0p-moveit-cisa/ | Thu, 15 Jun 2023 21:40:09 +0000 | https://cyberscoop.com/?p=74865

The Cybersecurity and Infrastructure Security Agency said it's working with "several federal agencies" affected by a flaw in the file transfer software.

The post Two Energy Department entities breached as part of massive MOVEit compromise appeared first on CyberScoop.

Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.

While it’s unclear who infiltrated the DOE agencies, a ransomware group known as Cl0p has used the flaw in the widely used software to attack hundreds of organizations in recent weeks, including universities, banks and major multinational corporations. The group publicized online that it has victimized “hundreds of companies” and gave a June 14 deadline to negotiate a ransom price before it released stolen data.

So far, Cl0p is the only threat group linked to the MOVEit vulnerability by the Cybersecurity and Infrastructure Security Agency and the FBI.

At a media briefing Thursday afternoon, CISA Director Jen Easterly said that “we are not tracking significant impact on civilian .gov enterprise but are continuing to work with our partners on this.” Additionally, she said, no federal agency has received extortion demands and no federal data has been leaked so far.

“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” she said, adding that the attack appears to be largely opportunistic and not “like SolarWinds that presents a systemic risk to our national security or our nation’s network.”

CNN first reported that “several federal agencies” had been victims as a result of the file transfer flaw and that the Cybersecurity and Infrastructure Security Agency was urgently working with them to remediate the problem.

A Department of Energy spokesperson told CyberScoop on Thursday afternoon that “upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA).”

DOE considers an entity any facility, office, or laboratory run by DOE or a DOE contractor. The agency is home to the national laboratories such as Sandia and Los Alamos National Labs that conduct nuclear power and weapons research.

The Federal News Network reported that Oak Ridge Associated Universities and the Waste Isolation Pilot Plant near Carlsbad, New Mexico, were the two DOE entities impacted by the vulnerability.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said.

Speaking on background, an official at the briefing said that they are not aware of any federal agency that has not placed mitigations against the vulnerability.

Cl0p claimed on its dark website to have “information on hundreds of companies” as part of its attack. The group also said that if the victim organization was “a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

The group added 27 victim organizations to its leak page since June 14, according to data collected by eCrime.ch; however, it’s not clear whether all of those entities were MOVEit users or whether they were targeted by Cl0p in separate extortion attacks.

Censys, a company that tracks internet-connected devices, said on Tuesday that government and military organizations represent 7.56% of the visible MOVEit hosts, with more than 80% of those being in the U.S.

CISA acknowledged on Thursday that several federal agencies were impacted as a result of the MOVEit compromise.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. We are working urgently to understand impacts and ensure timely remediation.”

CyberScoop asked multiple federal departments and agencies if they were impacted as part of the MOVEit compromise. Only the Department of Energy reported any kind of compromise. Other agency officials responded their departments had taken steps to patch the vulnerability.

A Veterans Affairs official told CyberScoop that the department had “three systems that were running software susceptible to the MOVEit vulnerability. These systems were immediately remediated and there was no impact to VA or Veteran data.

“We have network blocks in place at their perimeters to prevent port connections, secure protocols, and safeguard inbound data, and VA has installed the latest patches to the systems that used the MOVEit Transfer software. We have also worked with security technology vendors to develop more robust detection capabilities for the vulnerability.” 

Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks
https://cyberscoop.com/lockbit-russian-national-arrested/ | Thu, 15 Jun 2023 18:41:41 +0000 | https://cyberscoop.com/?p=74855

The group is one of the most prolific ransomware gangs, responsible for an estimated $91 million paid by U.S. victims.

The post Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks appeared first on CyberScoop.

Federal law enforcement officials arrested a Russian national in Arizona on charges related to his participation in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa, the Department of Justice said Thursday.

Ruslan Magomedovich Astamirov, 20, was taken into custody on Wednesday, a spokesperson for U.S. Attorney Philip Sellinger, from the District of New Jersey, told CyberScoop after the DOJ unsealed a criminal complaint in the case.

LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site, U.S. cybersecurity officials said in a June 14 advisory. Known LockBit attacks accounted for 16% of state, local, tribal and territorial government ransomware attacks reported in the U.S. in 2022, as well as roughly 20% of known government ransomware attacks in Australia, Canada and New Zealand, the advisory said. Since January 2020 the group has been associated with approximately $91 million in ransoms paid in the U.S., the advisory said.

Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities. Matveev, a Russian national, remains at large.

“Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” U.S. Attorney Sellinger said in a statement. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice.”

The announcement comes a day after the joint advisory from top cybersecurity officials in the U.S. and their counterparts in multiple countries detailing the threat from LockBit, which the advisory said was the most deployed ransomware variant in 2022. The variant is associated with more than 1,400 attacks in the U.S. and around the world, according to the Department of Justice.

According to the complaint filed by prosecutors, Astamirov owned and controlled email addresses, an IP address and a cloud services account associated with the deployment of LockBit attacks. Astamirov “executed” attacks on victims in Florida, Tokyo, Virginia, France and Kenya dating back to August 2020, according to the complaint. Astamirov received at least 80 percent of the ransom payment made in Bitcoin with one of the attacks, the complaint alleges.

FBI agents interviewed Astamirov in May and searched several devices, including his phone and a laptop computer, according to the complaint.

Microsoft identifies new hacking unit within Russian military intelligence
https://cyberscoop.com/microsoft-gru-russia-ukraine-hacking/ | Wed, 14 Jun 2023 16:00:00 +0000 | https://cyberscoop.com/?p=74808

Dubbed "Cadet Blizzard," the hacking group carried out operations targeting Ukrainian infrastructure in the run-up to the Russian invasion.

The post Microsoft identifies new hacking unit within Russian military intelligence appeared first on CyberScoop.

On Jan. 13, 2022, about five weeks before Russia’s full-scale invasion of Ukraine, Russian hackers carried out one of the first cyberattacks in the run-up to the conflict.

Posing as ransomware, the malware worked in two stages: First, it would overwrite the master boot record with a ransom note, pointing victims to a bitcoin wallet and demanding a relatively paltry $10,000 to recover corrupted files. Then it would download and deploy file corrupter malware, targeting files in particular directories to be overwritten. But the operation was a ruse: There was no way to recover the files.

Two days after the malware was deployed, Microsoft researchers published an analysis of the destructive tool, dubbing it WhisperGate. By May, officials in Ukraine, the United States and the United Kingdom had attributed the attack to units working under Russia’s Main Intelligence Directorate (GRU).

A year later, Microsoft researchers have determined that the unit behind that attack is an active and distinct group within the GRU, responsible for website defacements, destructive attacks, cyber espionage and hack-and-leak operations. In a report published Wednesday, Microsoft concludes that a group it is calling “Cadet Blizzard” is behind a wave of attacks since February 2023 targeting not only Ukraine, but also NATO member states providing military assistance to Ukraine.

Wednesday’s report for the first time identifies the activity as distinct and novel from other GRU-affiliated cyber operations, which include the group widely tracked as Sandworm, believed to be responsible for multiple attacks on Ukraine’s electric grid in recent years. Hacking operations linked to the GRU are considered among the most destructive and potent in the Russian-affiliated hacking ecosystem.

“The emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” the researchers said Wednesday, while noting that the group’s attacks are generally less successful than more sophisticated and prolific Russian hacking groups, such as Sandworm.

Russian hacking groups have either refrained from or failed to carry out spectacular cyber attacks targeting Ukrainian critical infrastructure as part of the Kremlin’s attempt to overthrow the government in Kiev. But Russian hacking groups have nonetheless remained active in the conflict, carrying out attacks to wipe Ukrainian computer systems and carry out information operations — the type of action that is emblematic of Cadet Blizzard.

Dating to at least 2020, Cadet Blizzard’s activity includes attacks around the world — in Europe, Latin America and Central Asia — with a particular focus on government services, law enforcement, nonprofits/NGOs, IT service providers and emergency services, the researchers said. The group has consistently targeted IT and software providers, the researchers added, given that one successful attack can lead to multiple downstream compromises.

Microsoft characterizes the group as a conventional network operator that works without bespoke malware or tooling. “Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation,” the researchers noted.

Cadet Blizzard’s activity overlaps with other cyber operations that “may have a broader scope or a nexus outside of Russia,” including connections to a group Microsoft tracks as Storm-0587, denoting an unattributed activity. That group is linked to malware known as SaintBot, a downloader that can be configured to deliver nearly any other payload. Cadet Blizzard also has support from “at least one private sector enabler organization within Russia,” the researchers noted.

Cadet Blizzard normal operational lifecycle (Microsoft Threat Intelligence Center).

The group uses a hacktivist front called “Free Civilian” to publish and share stolen data, according to the report. Free Civilian posted and leaked stolen Ukrainian government data from various sources on its website in January 2022 ahead of the invasion. The organizations whose data was leaked “strongly correlated to multiple Cadet Blizzard compromises earlier in 2022,” the researchers said, suggesting “that this forum is almost certainly linked to Cadet Blizzard.”

Front page of the Free Civilian website (Microsoft Threat Intelligence Center).

On Feb. 21, 2023, Free Civilian launched a Telegram channel. The next day, a post in Russian began: “Hello, long time no see,” followed by promises of data from a range of Ukrainian government agencies and a message mocking Ukraine’s Cyber Police and its security service.

The channel has continued to post stolen data and references to stolen data, including as recently as April 26. The channel had just over 1,300 subscribers as of Wednesday, with most posts “getting at most a dozen reactions as of the time of publication,” the researchers said, “signifying a low user interaction.”

A separate private channel likely operated by the group offers access to stolen data. The administrators of that channel have to manually approve requests to join, and as of Wednesday the channel had 779 members.

Researchers unpack massive email scam targeting dozens of companies
https://cyberscoop.com/bec-scam-business-email-compromis/ | Tue, 13 Jun 2023 11:00:00 +0000 | https://cyberscoop.com/?p=74740

The campaign is the latest case of business email compromise, which costs victims billions of dollars annually.

The post Researchers unpack massive email scam targeting dozens of companies appeared first on CyberScoop.

When researchers at the cybersecurity firm Sygnia responded earlier this year to a compromised email account at an unnamed company, they stumbled upon a sprawling campaign of business email compromise involving dozens of organizations whose infrastructure the attackers utilized in going after additional victims.

The hackers would compromise the email account of an employee at a given company, bypass Microsoft Office 365 authentication, and gain persistent access to the account. Then, they would use that account to go after other targets.

“The phishing mails spread in a worm-like fashion from one targeted company to others and within each targeted company’s employees,” researchers with the Israeli cybersecurity firm said in a report published Tuesday. “All analyzed emails contain the same structure, only differing in their title, senders’ account and company, and attached link.”

Sygnia’s investigation revealed that the attack was part of a broad campaign that potentially impacted dozens of organizations — the company would not say exactly how many — around the world in a sprawling campaign of business email compromise, or BEC.

The report comes on the heels of a recent FBI public service announcement estimating that BEC compromises were linked to more than $50 billion in actual and attempted losses across more than 275,000 attacks between 2013 and 2022. The FBI reported that between December 2021 and December 2022 there was a 17% increase in identified actual and attempted losses worldwide, with a particular focus on the real estate sector.

“In the past few years, Sygnia’s IR teams have engaged in numerous incidents in which world-wide organizations were targeted by BEC attacks,” Sygnia’s researchers wrote in their report. “While some of these attacks were focal and concentrated, some were widely spread and affected massive number of cross-sectors victims.”

In the campaign detailed on Thursday, targets were sent an email with a link to a “shared document,” leading to a file sharing website with a previously compromised legitimate company name in the URL. Trying to view the document brought up a page showing that the contents were protected by Cloudflare, a tactic likely designed to prevent proactive analysis of the site showing where it would lead, the researchers said.

Getting through the Cloudflare wall led to a fraudulent Microsoft authentication site generated by a phishing kit, which was being hosted on a domain with varying IP addresses over time, with the most recent dating to January 2023. Records associated with the domain itself had been updated on June 2, suggesting an ongoing campaign.

In all, the investigation revealed more than 170 domains and subdomains connected to the attacker’s infrastructure, with further analysis revealing nearly 100 malicious files communicating back to the infrastructure, some of which were related to the FormBook infostealer malware family, the researchers said.
