Analyzing the Growth of Russia-based Ransomware Attacks on Election Day: The Case of Turla, Andromeda, and Double-Extortion
The project analyzed a data set of over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. Led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, the analysis showed a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most total ransomware attacks per year in the data set, about three-quarters of all the attacks.
The data was used to compare the timing of attacks by groups based in Russia with that of groups based everywhere else. “Our model looked at the number of attacks on any given day, and what we find is this interesting relationship where for these Russia-based groups, we see an increase in the number of attacks starting four months before an election and moving three, two, one month in, up to the event.”
The data set was culled from the dark-web sites that ransomware gangs maintain to name and shame victims and pressure them to pay up. Double extortion is the term for an attack in which hackers break into a network and steal data before planting malware that locks up the systems. The attackers then demand a large ransom both for the decryption key and for keeping the stolen data secret. The researchers may not have captured data from every double-extortion actor out there, and attackers may not post about all of their targets, but Nershi says the data collection was thorough and that the groups typically have an interest in publicizing their attacks.
That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. It shows the evolution of the Russian group’s methods, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. They can use someone else’s device, instead of using their own.” “They’re piggybacking on other people’s operations. It is a very clever way of doing business.”
Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.
When you run a major app, all it takes is one mistake to put countless people at risk. Such is the case with Diksha, a public education app run by India’s Ministry of Education that exposed the personal information of around 1 million teachers and millions of students across the country. The data, which included things like full names, email addresses, and phone numbers, was publicly accessible for at least a year and likely longer, potentially exposing those impacted to phishing attacks and other scams.
The LockBit War on Mac, Windows, and the Domain of Criminals: Why ElonJet and Jetnet Have Sold Out
Speaking of cybercrime, the LockBit ransomware gang has long operated under the radar, thanks to its professional operation and choice of targets. But over the past year, a series of missteps and drama have thrust it into the spotlight, potentially threatening its ability to continue operating with impunity.
Encrypting everything on your machine isn’t just the domain of criminals, however. This week, we explained how to protect your files under digital lock and key on both macOS and Windows. What’s the domain of criminals? Money laundering, which a Chainalysis report published this week says is primarily facilitated by only five crypto exchanges, four of which helped scofflaws cash out $1.1 billion in 2022.
It is possible that billionaires like Musk have reason to celebrate. The flight-tracking platform ADS-B Exchange, which provided data for the @ElonJet account that tracked the Tesla and Twitter CEO’s private plane, has sold out to Jetnet, which is owned by private equity. The creator of ElonJet is one of many people jumping ship on the assumption that the new owner will bow to requests from Musk and the Saudi royal family.
Roundup on Meduza in Latvia: What Have We Learned in the Last Few Years? The Case of a Recent Cryptocurrency Hacking Scandal
But there is more to come. We don’t cover the stories in depth ourselves, but we round them up each week. Click on the headlines to read the full stories. And stay safe out there.
While Meduza has always been based in Latvia, the new measure made it a crime for Russians to work for the news outlet, speak to it, post a link to its website, or even “like” it. A first violation of the restrictions is a minor offense that can be punished with a fine but can also lead to jail time.
The FBI officially pointed the finger at a usual suspect in the cryptocurrency world’s ongoing plague of massive breaches and thefts: North Korea. In its investigation of a heist that stole $100 million in cryptocurrency last year, the Bureau accused two hacker groups long believed to be associated with the regime of Kim Jong Un, known as APT38 or Lazarus, the latter of which is sometimes used as a broader umbrella term for multiple North Korean hacker units. The hackers targeted a bridge, a service used to transfer funds from one cryptocurrency to another. Thieves have taken hundreds of millions of dollars’ worth of digital currency from bridges in recent years. Aside from its name-and-shame announcement, the FBI also says some portion of the stolen currency was seized when the hackers attempted to launder it, and the agency pointed to crypto addresses where about $40 million of the stolen loot is still stored.
MSG Entertainment Shouldn’t Have Banned Lawyers from Madison Square Garden’s Face Recognition Technology to Ensure the Security of the Hackney Council
If Madison Square Garden didn’t want to create a legal scandal from using face recognition technology to ban people, maybe it shouldn’t have started banning lawyers. Following revelations that MSG had banned attorneys from multiple firms involved in lawsuits against the venue from attending its events, and then enforced that ban with controversial facial recognition technology, New York attorney general Letitia James sent a letter to MSG’s owners demanding more information about its surveillance practices. The letter asks about the reliability of the facial recognition technology MSG uses and whether it has safeguards against bias. “Anyone with a ticket to an event should not be concerned that they may be wrongfully denied entry based on their appearance,” James wrote in a statement, “and we’re urging MSG Entertainment to reverse this policy.”
Two days later, leaders of Hackney Council, one of London’s 32 local authorities and responsible for the lives of nearly 300,000 people, revealed it had been hit by a cyberattack. With its systems knocked out, the council was unable to look after the people who depend on it. The Pysa ransomware gang later claimed responsibility for the attack and, weeks later, claimed to be publishing data it stole from the council.
You can think of local governments as complex machines. Thousands of people run hundreds of services that affect almost every part of a person’s life. Most of this work goes unnoticed until something goes wrong. The ransomware attack brought the machine to a halt.
Among the hundreds of services Hackney Council provides are social and children’s care, waste collection, benefits payments to people in need of financial support, and public housing. Many of the services run in-house, using technical systems. In many ways, these can be considered critical infrastructure, making the Hackney Council not dissimilar to hospitals or energy providers.
“The attacks against public sector organizations, like local councils, schools, or universities, are quite powerful,” says Jamie MacColl, a cybersecurity and threat researcher at the RUSI think tank who is researching the societal impact of ransomware. It’s not like the energy grids going down or the water supply being disrupted, but it is things that are crucial to the day-to-day existence.
Russian Intelligence Services vs. the Trickbot Group: US Treasury Sanctions and a New Jersey Indictment of Vitaly Kovalev for Conspiracy to Commit Bank Fraud and Eight Counts of Bank Fraud
The seven gang members named by the two governments are: Vitaly Kovalev, Maksim Mikhailov, Valentin Karyagin, Mikhail Iskritskiy, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski. They communicated using online handles, such as Baget, rather than their real-world identities.
The US Department of the Treasury made a determination that the Trickbot Group members are associated with Russian Intelligence Services. It added that the group’s actions in 2020 were aligned with Russia’s international interests and “targeting previously conducted by Russian Intelligence Services.”
According to the US Treasury, these members were involved in malware and ransomware development, money laundering, fraud, injection of malicious code into websites to steal login details, and managerial roles. As part of the sanctions, the UK froze assets belonging to the ransomware actors and imposed travel bans on them. The US District Court for the District of New Jersey has indicted Vitaliy Kovalev for conspiracy to commit bank fraud and on eight counts of bank fraud against US financial institutions.