The Biden administration sought Tuesday to choke the finances of criminal ransomware gangs, announcing sanctions against a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency.
The Treasury Department sanctions are aimed at kneecapping the economic infrastructure of a ransomware threat that has surged over the last year, crippling corporations, schools, hospitals and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal is to go after the “financial enablers” of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters. “Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks.”
The blacklisted brokerage is SUEX OTC, a so-called “nested exchange” that conducted transactions from accounts on major, legal global cryptocurrency exchanges. Such operations process a disproportionate amount of illicit transactions, Adeyemo said. In the case of SUEX, officials said, more than 40% of its known transactions have been associated with illicit actors. That’s more than $370 million, according to the cryptocurrency-tracking firm Elliptic.
Through its Office of Foreign Assets Control, the Treasury Department has previously sanctioned ransomware developers and distributors — though periodic retirements and rebrandings of ransomware strains have complicated those efforts. Officials say more such designations are possible.
SUEX is among the biggest and most active of a small group of illicit services that handle most money laundering for cybercriminals including scammers and darknet market operators, another crypto transaction-tracking firm, Chainalysis, said in a blog post. Such firms work closely with law enforcement to track criminal money laundering online.
Although legally registered in the Czech Republic, SUEX has no known physical presence there and operates out of branches in Moscow and St. Petersburg, Russia, where users can cash out their virtual currency, said Chainalysis, adding that it also has operations in the Middle East.
Chainalysis said SUEX claims it can convert cryptocurrency holdings into cash and even real estate, cars and yachts.
Most ransomware gangs operate out of reach of Western law enforcement in Russia and allied states. President Joe Biden has repeatedly told Vladimir Putin that he expects the Russian president to crack down on the gangs, but administration officials say they have seen no signs that Moscow is cooperating.
Chainalysis said SUEX was laundering money from the illicit cryptocurrency exchange BTC-e, which U.S. authorities shut down, perhaps on behalf of administrators, associates or former users. BTC-e’s operator, arrested on holiday in Greece, was sentenced to five years in prison by a French court in December.
“SUEX largely communicated with its clients on the Telegram app and accepted new customers on a system of referrals from trusted intermediaries. This was not the kind of business where a random person on the internet could open an account,” another crypto-tracking firm, TRM Labs, said in a blog post. “Transactions were only completed in-person at SUEX’s offices.”
TRM Labs CEO Esteban Castaño said SUEX is what is known as a “parasite exchange.” They are difficult to detect by the legitimate exchanges whose infrastructure they exploit because they open accounts using fraudulent or stolen credentials to meet know-thy-customer requirements and then fly under the radar.
Chainalysis said SUEX deposit addresses hosted at large exchanges have received over $160 million in Bitcoin alone from cybercriminals since the brokerage opened in early 2018, including nearly $13 million from ransomware operators including Ryuk, Conti and Maze. Ethereum and Tether are among other cryptoassets SUEX handled.
The Treasury Department said it is also updating guidance for ransomware victims that it first issued last year. The advisory strongly discourages victims from paying ransomware, reminding them that some transactions are against the law, and urges victims to report attacks to law enforcement.
“The reality is that the thing we know about this ecosystem is the way that we prevent ransomware attacks is by making sure that we get law enforcement engaged as soon as possible,” Adeyemo said.
Supernational fronts retaliate against cybercrime group REvil
Cybercrime group REvil was infiltrated by U.S. government agencies and forced to go dark in a multinational law enforcement operation, Reuters reported.
Speculation about the group’s recent absence grew after Recorded Future security specialist Dmitry Smilyanets posted to Twitter several messages from the account of a prominent REvil operator, ‘0_neday.’
The messages, posted on the cybercriminal forum XSS, described how someone had taken control of the group’s Tor payment portal and its data leak sites.
In the messages, the account explained that he and ‘Unknown,’ the group’s chief representative, were the only members holding REvil’s domain keys. When Unknown went missing, the remaining members assumed he was dead.
In September, REvil resumed its operations, which led to the realization that the group’s domain name was being accessed with Unknown’s decryption key.
“The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I’m off,” 0_neday wrote in a message.
After REvil’s Kaseya attack, the FBI obtained a universal decryption key that allowed those affected by the Kaseya breach to recover their files without paying a ransom.
Now, with the messages surfacing on Twitter, it appears that law enforcement officials concealed for weeks the fact that they had the key while they stealthily went after REvil’s staff, according to Reuters.
According to individuals familiar with the matter, law enforcement and intelligence cyber specialists compromised the criminal group’s network infrastructure and gained control over some of its servers.
After Unknown’s disappearance, other group members regained control of the websites last month. In doing so, REvil unintentionally restarted some internal systems, including ones already controlled by law enforcement.
“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, said in a statement.
“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin added.
Although trustworthy backups are regarded as a fundamental defense against ransomware, their value depends on keeping them isolated from the main networks. Otherwise, they too will be encrypted by groups such as REvil.
One source close to the matter said a foreign ally of the U.S. led the hacking operation that infiltrated REvil’s network, while a former U.S. official, speaking anonymously, said the operation has not yet concluded.
VMware’s head of cybersecurity strategy, Tom Kellermann, told Reuters that the success of the federal operation stems from a firm stance taken by U.S. Deputy Attorney General Lisa Monaco, who holds that cyberattacks on vital government ecosystems should be treated as a threat to national security, in the same category as terrorist attacks.
The Kaseya and SolarWinds attacks are the two main cases that paved the way for this harsher approach to countering such attacks, present and future, and pushed the Justice Department in June to elevate investigations of cyberthreats to a much higher priority.
REvil’s attacks gave the Justice Department and other government agencies a legal basis to treat cybercrime as grounds for requesting support from other federal organizations, such as the U.S. intelligence community and the Department of Defense.
Both the FBI and the White House National Security Council refrained from commenting on the operation.
Google nabs phishing attacks from state-sponsored cybercrimes
Google announced Thursday that it has sent approximately 50,000 alerts to users whose accounts were targeted by state-sponsored hackers running phishing and malware campaigns.
“Countering threats from Iran” is the title the tech giant gave its latest blog post, which covers Google’s Threat Analysis Group’s (TAG) latest tracking of disinformation campaigns, government-backed hacking, and financially motivated abuse.
“We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, nearly a 33 percent increase from this time in 2020,” the blog post stated.
Receiving a warning means an account may be exposed to a threat, but not every user who received one has actually been breached.
The company explained that TAG sends these warnings to accounts it identifies as potential targets of government-backed phishing attempts, brute-force attacks, or malware delivery efforts originating from a state-backed hacking ecosystem.
Google’s statistics show that TAG tracks more than 270 government-backed targeting or hacker groups from more than 50 countries, meaning some accounts are targeted by more than one threat actor from around the globe.
Fending off cyberattacks from Iran
Iran’s hacking group APT35, known for targeting U.S. politicians before the 2020 presidential election, appears determined to continue its campaign to break into government officials’ devices and accounts.
The report not only highlighted that the group is still actively trying to compromise senior officials, but also that it has focused on developing new tricks to evade detection by security tools, then deceiving targets into submitting their account credentials or installing spyware on their devices.
APT35’s specialty is account theft, which allows it to spy on journalists, activists, government workers, academics, and anyone else of interest to the Iranian regime.
Wielding Telegram for threat reports
According to TAG researcher Ajax Bash, the attackers’ most common tactic is abusing the bot API of the Telegram messaging service, creating bots in the chat app to facilitate account theft and bank fraud.
Google informed Telegram of the malicious activity on its platform, and Telegram took down the bots.
The government-backed group uses this tactic to send device-based data back to a Telegram channel, revealing to the attackers sensitive details such as the IP address and user agent of every visitor to their phishing sites in real time.
The implementation of Spyware Apps to optimize access
TAG’s findings also revealed that in May 2020 the company discovered that APT35 had tried to upload spyware to the Google Play Store via an app masquerading as VPN software. Had it been installed, the attackers could have obtained critical data including call logs, text messages, contacts, location data, and much more.
Once detected, Google eliminated the app from its store before any user installation.
Although the app was removed from the store, TAG observed additional attempts by the group to distribute the malicious VPN on other platforms as of July 2021.
Conference-themed phishing emails
APT35’s most distinctive technique is impersonating conference officials in phishing attacks. Posing as the Munich Security Conference and the Think-20 (T20) Italy conference, the attackers first send benign emails for targets to respond to. Once they receive a response, the attackers send phishing links in a follow-up email.
After clicking, users typically pass through at least one redirect before reaching a phishing domain that gives APT35 access to their email.
For this purpose, link shorteners and click trackers are heavily used, often embedded in PDF files.
Google also disrupted the group’s attempts to abuse Google Drive, Apps Script, and Sites pages in specific campaigns as the attackers tried to get around the tech giant’s built-in defenses.
When attacks of this kind succeed at a governmental scale, they can cause irreversible damage. For that reason, cybersecurity firms expect intrusion rates to rise in the coming years, with the U.S. as the main target, a prospect that could be detrimental to a country still rebuilding its infrastructure after the pandemic’s crippling impact of the past two years.
US talks global cybersecurity without a key player: Russia
Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.
The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.
White House national security adviser Jake Sullivan called it a gathering of “like-minded” governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. “No one country, no one group can solve this problem,” he said in opening remarks.
The virtual discussions will focus in part on efforts to disrupt and prosecute ransomware networks like the one that attacked a major U.S. pipeline company in May, a senior administration official said. The attack on Colonial Pipeline, which led to gas shortages along the East Coast, was attributed to a Russia-based gang of cybercriminals.
The exclusion of a country so closely tied to the global ransomware phenomenon reflects the overall poor relations between Moscow and Washington.
Despite that, the U.S. has used a “dedicated channel” to address cybersecurity with Russia, said the official, who briefed reporters on the condition of anonymity to preview this week’s meeting with around 30 countries and the European Union.
Since President Joe Biden raised the issue directly with President Vladimir Putin this summer in a summit and later phone call, there have been “candid discussions” about cybercriminals operating within Russia’s borders, the official said.
“We’ve had several, and they continue, and we share information regarding specific criminal actors within Russia, and Russia has taken initial steps,” the official said.
It is unclear what steps Putin’s government has taken. Russia does not extradite its own citizens, and FBI Deputy Director Paul Abbate told a security forum last month that he has seen “no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”
The issue was expected to be on the agenda this week in Moscow as Undersecretary of State Victoria Nuland met for talks with Russian Deputy Foreign Minister Sergei Ryabkov.
The Biden administration took office amid a massive cyberespionage campaign known as the SolarWinds attack, which U.S. officials have linked to Russian intelligence operatives. Ransomware attacks, perpetrated generally by criminal hacker gangs rather than state-sponsored groups, have caused tens of billions of dollars in losses to businesses and institutions and become a major source of tension between the two nations.
Ransomware payments reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021, according to the U.S. government.
Actions taken by the Biden administration include imposing sanctions on a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency and issuing security directives that require pipeline companies to improve their cyber defenses.
In addition, the State Department has announced rewards of millions of dollars for information on people who engage in state-sponsored malicious cyber activities aimed at transnational criminal networks that Sullivan said operate “across multiple countries, multiple jurisdictions to carry out their attacks.”
Most of this week’s ransomware meeting is expected to be private as participants attend sessions led by India, Australia, Britain and Germany and will focus on themes such as developing resilience to withstand ransomware attacks.
Other participants include Israel, the United Arab Emirates, Bulgaria, Estonia, France, the Dominican Republic, Mexico, New Zealand, Singapore and Kenya.