This was H1 2022 – Part 1 – The Fight Against Cybercrime
After many long lockdowns, the information technology industry woke up to a new reality. Cyber crime was too widespread and heavily resourced. Hybrid architectures had grown too complex to be able to provide adequate defense, resulting in new larger threat surfaces.
To make matters worse, there was a lack of skilled security professionals who could pick up the pieces and close the gaps quickly. Cybercrime was the new pandemic, and it was growing year after year. Fortunately, parties that fight against cybercrime have formed an unseen alliance, without borders, across public and private partnerships, and governments and law enforcement agencies. Their actions might not always be as visible as the next record ransom payment or data breach, but they are making waves, sending messages, and getting noticed by the criminals.
This blog emphasizes the increased efforts and successes of law enforcement and the global security community in their fight against cybercrime. It’s the first post in a three-part series that takes a thematic look at cyber activities from the first half of 2022. The second post focuses on the cyber events leading up to and occurring as a consequence of the invasion of Ukraine by Russia. The third and final post in our series will cover events, attacks and heists beyond the cyber war.
Our first post starts in January 2022 with an arrest of one of cybercrime’s most notorious gangs.
On January 14, Russian authorities announced the arrest of 14 members of the REvil ransomware gang, confiscating over $6.5 million, 20 luxury cars, computer equipment and cryptocurrency wallets. REvil emerged in April 2019 from the void left behind by the shutdown of the GandCrab operation. In less than a year, the gang became the most prolific ransomware group, collecting some of the highest ransoms from its victims. REvil’s most publicized hit was the Kaseya supply-chain attack that crippled almost 1,500 businesses globally. The group, unable to negotiate with all victims individually, made a one-time offer for a universal decryption key to decrypt all organizations for a single sum of $70 million in Bitcoin. The Kaseya attacks prompted a harsh response from the US, with President Biden asking President Putin to take action against cybercriminals residing in Russia; if not, the US would take action on its own. After the Kaseya attack, REvil suspended its operations, only to resume two months later. The operators, however, were not aware of law enforcement breaching their servers before they suspended operations, and as they restored their systems from backup, the criminals also restored machines controlled by US law enforcement. The Russian FSB’s action against REvil came after the US and international law enforcement organizations joined forces to identify and arrest members of ransomware operations. In November 2021, the US announced the arrest of Ukrainian national Yaroslav Vasinskyi, the REvil affiliate responsible for the Kaseya attack. The US authorities also seized over $6 million from another REvil partner, Russian national Yevgeniy Polyanin, who was believed to have deployed about 3,000 ransomware attacks. The same month, authorities in Romania arrested two REvil ransomware affiliates responsible for 5,000 attacks that brought them 500,000 euro from collected ransoms.
On January 17, the UK National Crime Agency (NCA) and Schools Broadband, part of the Talk Straight Group, launched a new initiative to educate students who search for terms associated with cyber crime on school computers. The new initiative aims to divert young people away from criminality and was launched after cyber attacks designed to block access to schools’ networks or websites more than doubled during the Covid-19 pandemic. Data from the National Crime Agency’s National Cyber Crime Unit (NCCU) shows a 107% increase, from 2019 to 2020, in reports of students as young as nine deploying DDoS attacks. When students search for terms associated with cyber crime on school computers, they will get a warning message and will be redirected to the Cyber Choices website (www.cyberchoices[.]uk). The website aims to educate children of all ages about the Computer Misuse Act, cyber crime and its consequences.
On January 17, Europol announced that law enforcement authorities seized and disrupted 15 servers hosted by VPNLab.net in a coordinated action in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. VPNLab.net offered encrypted communications and internet access to support criminal acts such as ransomware deployment and other cybercrime activities. VPNLab.net was first established in 2008.
On January 22, the Russian Federal Security Service (FSB) arrested the administrator of the UniCC carding forum and one of the members of the Infraud cybercrime cartel. Three other suspects were also detained and placed under house arrest. Andrey Sergeevich Novak was the administrator of UniCC, a forum where threat actors gathered to buy or sell stolen payment card data. On January 12, the site announced that it would voluntarily close down, citing the administrators’ intention to retire, and advised users to withdraw their funds within ten days. At the time, blockchain analysis company Elliptic estimated that the site had made at least $358 million in cryptocurrency, from the sale of stolen cards, since 2013 when it launched.
In February, the master decryption keys for Maze, Egregor and Sekhmet ransomware operations were leaked on BleepingComputer’s forums. A forum member, claiming to be the developer for all three operations, pointed out that it was a planned leak and not linked to recent arrests of affiliates by law enforcement. The alleged ransomware developer added that none of the team members will ever return to ransomware and that all source code for their ransomware was destroyed. The Maze group was considered one of the most prominent ransomware operations since it began operating in May 2019. The group quickly rose to fame as they were the first to use data theft and double-extortion tactics. After Maze announced its shutdown in October 2020, they resurfaced soon, rebranded as Egregor. In February 2021, several affiliates of Egregor were arrested in Ukraine and the group disappeared. The Sekhmet operation launched in March 2020, while Maze was still active. Fourteen months later, the decryption keys for these operations were leaked.
In May 2018, the FBI sinkholed VPNFilter, an alleged Russian state-sponsored DDoS botnet comprised of hundreds of thousands of routers and network storage devices. The botnet was attributed to Sandworm, the alleged Russian cyber military unit of the GRU, the organization in charge of Russian military intelligence. On February 23, CISA published an alert covering a new Sandworm botnet, Cyclops Blink, replacing the previous VPNFilter botnet. Cyclops Blink was discovered in June 2019, targeting WatchGuard Firebox firewalls through professionally developed malware that used a modular structure and was believed to be capable of launching DDoS attacks. The command and control infrastructure (C2) consisted of 26 servers, 13 residing inside the US. In March, the FBI conducted a court-authorized operation to disrupt the two-tiered global botnet by issuing a series of commands to its C2 servers that would wipe bots from compromised devices and take down the C2 servers themselves.
On March 23, the Lapsus$ hacking gang announced on their Telegram channel that a few members were on vacation until March 30, 2022. One day later, the City of London Police announced the arrest of seven people between the ages of 16 and 21 in connection with an investigation into the notorious extortion gang Lapsus$. They had all been released under investigation as inquiries remained ongoing. Amongst them was a 16-year-old boy from Oxford, England, operating under the pseudonym White, and he was accused of being one of the crew leaders. Lapsus$ was a group of criminals that leaked several high profile victims’ source code and internal documents. During the first three months of 2022, the group leaked the source code, code-signing certificates and employee credentials from Nvidia; breached Microsoft and leaked 37GB of source code from an Azure dev ops server, including 90% of the source code for the Bing search engine; breached Mercado Libre, an e-commerce company; released the source code of Samsung Galaxy phones and Samsung company data; breached Ubisoft, Okta and T-Mobile’s systems; and dumped 70 GB of sensitive data from Globant. The group was first noted in December 2021 after they breached the Brazilian Health Ministry computer systems. The group’s Telegram channel was used to announce data dumps and to recruit accomplices. As of March 2022, the channel had nearly 50,000 subscribers. The group also posted polls asking their channel members about which organizations they should target next. The group’s tactics to obtain access to victims’ corporate networks included acquiring credentials from privileged employees. These credentials were obtained through recruitment or hacking victims’ employees, leveraging methods such as SIM swapping. Subsequently, Lapsus$ would then use a remote desktop to obtain and exfiltrate sensitive data, followed by extortion of the victim organization with threats of disclosing the data. 
A rival and former associate allegedly disclosed the identity of the group’s mastermind. On March 30, the Lapsus$ Telegram account announced that they were officially back from vacation, leaking 70GB of data from Globant as well as the admin passwords for the company’s Confluence, Crucible, Jira and GitHub. The group also announced a new chat group on Matrix in case their Telegram account were to be seized or banned.
On April 5, the Central Office for combating Cybercrime (Zentralstelle zur Bekämpfung der Internetkriminalität or ZIT) and the General Criminal Police Office (Bundeskriminalamt or BKA) seized the servers of the world’s largest illegal darknet marketplace, “Hydra Market,” located in Germany. Hydra was a Russian-language platform selling narcotics, documents and data since 2015. Approximately 17 million customer accounts and over 19,000 seller accounts were registered on the marketplace. Its sales amounted to at least 1.23 billion euros in 2020 alone.
On April 9, the Russian FSB detained a hacker in Crimea for launching DDoS attacks, on the order of Ukraine, against Russian media outlets and financial institutions. The 29-year-old Yalta resident, who worked as a systems administrator, installed a program on his work computer that conducted DDoS attacks against the websites of Sberbank, RBC, Interfax, Lenta.ru, RIA Novosti and Rossiyskaya Gazeta. The detainee faces five years in a Russian prison.
On April 12, the US Department of Justice announced the seizure of the RaidForums website on February 25 and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, aged 21, of Portugal. RaidForums was a popular marketplace for cybercriminals to buy and sell hacked data. Coelho was arrested in the UK on January 31. When RaidForums went offline in February, it caused confusion in the community as it was unclear why it was taken down or who was responsible. Just three weeks after RaidForums was seized, on March 16, an actor named pompompurin, who was previously highly active on RaidForums, launched a new community called BreachForums. BreachForums aims to be an alternative to RaidForums. “If RaidForums does ever return in any official capacity,” pompompurin wrote, “[BreachForums] will be closed and its domain will redirect to [RaidForums].”
On April 13, Microsoft’s Digital Crimes Unit (DCU) announced it had taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader was made up of devices found in businesses, hospitals, schools and homes around the world, and run by a global internet-based organized crime group, operating a malware-as-a-service platform designed to steal and extort money. Ryuk was one of the ransomware families distributed through the platform. Ryuk is known for targeting health care institutions and extorting payment without any regard for the patients put at risk. Microsoft obtained a court order to take control of and sinkhole 65 domains that were used to grow and control the botnet, as well as an additional 319 domains that were dynamically generated by the malware through a domain generation algorithm (DGA) and leveraged as a fallback, in case the hardcoded domains would be compromised. Microsoft identified Denis Malikov, living in the city of Simferopol on the Crimean Peninsula, as the developer of a component to distribute ransomware in the ZLoader botnet.
On April 29, in an interview, Doug Witschi, the assistant director for cybercrime and threat response and operation at Interpol, told The Register: “We’re not going to be able to arrest ourselves out of this problem. We need to work as a global community on this challenge.” As cybercriminals become more sophisticated and their attacks more destructive and costly, private security firms and law enforcement need to work together, Witschi said, adding that “Cybercrime is such a global threat, unlike transnational organized crime.”
On May 2, the British police, at the request of the Romanian authorities, arrested a UK teen for his involvement in Russian attacks on websites in Romania. The suspected person, a Romanian resident in the UK, was found to be supporting the activities of a Russian crime group, allegedly Killnet, by providing translation services for criminal material from Russian into Romanian.
On May 12, Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old from Chernivtsi, Ukraine, was sentenced to four years in federal prison for conspiring to traffic in unauthorized access devices and computer passwords. Tolpintsev was taken into custody by the Polish authorities in Poland on October 2, 2020, and extradited to the United States. Tolpintsev pleaded guilty on February 22, 2022. Between 2017 and 2019, Tolpintsev sold thousands of server credentials via a dark web site “Marketplace” and made at least $82,648 from the sales. Tolpintsev controlled a botnet to conduct brute-force attacks and boasted that his botnet was capable of breaking the login credentials of at least 2,000 devices per week.
On May 16, a criminal complaint was unsealed in federal court in New York, charging Moises Luis Zagala Gonzales, a citizen of France and Venezuela, also known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar.” Zagala, a 55-year-old cardiologist residing in Venezuela, was the creator of the ransomware software “Thanos.” As alleged, the multi-tasking doctor treated patients; created and named his cyber tool after death; profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks; trained the attackers about how to extort victims; and then boasted about successful attacks, including attacks by malicious actors associated with the government of Iran.
On May 19, the United States Department of Justice announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The policy, for the first time, directs that good-faith security research should not be charged. Good-faith security research means “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
The United States Department of Justice announced a major policy change under the Computer Fraud and Abuse Act and directs that good-faith security research should not be charged.
In May, an international law enforcement operation involving 11 countries resulted in the takedown of one of the fastest-spreading mobile malware to date. Known as FluBot, the Android malware was spreading through fake SMS messages sent on behalf of parcel delivery services. After a victim clicked the link, they were redirected to download an Android app disguised as the app from the parcel delivery service. The malicious Android application leveraged the phone’s contacts to spread further and was known for stealing banking and cryptocurrency credentials. First spotted in December 2020, FluBot gained traction in 2021 and compromised a vast number of devices worldwide, including significant outbreaks in Spain and Finland. Members of the FluBot crew had been arrested in the past, but FluBot persevered and its center of gravity moved to other countries. This time, the authorities announced that the FluBot infrastructure is under the control of law enforcement, putting a stop to the destructive spiral.
On May 28, the Večer newspaper reported that Matjaž Škorjanc, who already served his almost five-year prison sentence for creating the Butterfly Bot, will go on trial again after the Constitutional Court annulled the 2013 guilty ruling and two higher-instance court rulings, returning the case to the Maribor District Court for retrial. The malware program Butterfly (mariposa in Spanish) Bot, created and sold by Škorjanc to various individuals and groups, was leveraged by the Días de Pesadilla (DDP) Team to create the Mariposa botnet. The Mariposa botnet, first discovered in December 2008, was mainly involved in password stealing and denial-of-service attacks. Before the botnet was dismantled in December 2009, it consisted of 12.7 million devices, making it one of the largest known botnets. After the authorities seized the botnet in 2009, the operators were able to take back control. In February 2010, the members of the DDP team were arrested. In July 2010, Škorjanc was arrested for the first time but subsequently released due to lack of evidence. Škorjanc was arrested again in October 2011 and found guilty in December 2013. The FBI issued new charges and warrants against Škorjanc in 2019.
On May 31, the FBI and the U.S. Department of Justice announced that they had seized the domain weleakinfo[.]to and two related domain names, IPStress[.]in and ovh-booter[.]com. The WeLeakInfo website provided its subscribers a search engine to query a database filled with information, illegally obtained from over 10,000 data breaches and containing a total of seven billion indexed records with names, email addresses, usernames, phone numbers, and passwords. IPStress and ovh-booter offered denial-of-service attack services, also known as booter or stresser services. Until the day of the announcement, IPStress[.]in figured as the (only) official partner on the website of the IT Army of Ukraine. After May 31, IPStress[.]in was replaced on the website by a new partner, “Hosting Ukraine.”
On June 7, the U.S. Department of Justice announced the seizure and dismantling of SSNDOB Marketplace by the IRS and FBI in cooperation with authorities in Cyprus and Latvia. SSNDOB Marketplace consisted of a series of websites (ssndob[.]ws, ssndob[.]vip, ssndob[.]club and blackjob[.]biz) that listed more than 20 million social security numbers for sale, generating more than $19 million USD in sales revenue.
On June 13, the operator behind the ‘DownThem’ DDoS-for-Hire service was sentenced to two years in prison. Matthew Gatrel, a 33-year-old man from Illinois, was convicted last year for running the downthem[.]org and ampnode[.]com services. The services allowed thousands of paying customers to launch more than 200,000 DDoS attacks. DownThem sold subscriptions allowing customers to launch DDoS attacks. AmpNode, on the other hand, provided bulletproof server hosting running servers that could be pre-configured with attack scripts and lists of vulnerable reflection and amplification services that were leveraged to launch volumetric DDoS attacks.
On June 15, BleepingComputer reported on an international law enforcement operation codenamed ‘First Light 2022.’ The operation, led by Interpol with the assistance of the police in 76 countries, focused on social engineering crimes involving telephone deception, romance scams, business email compromise (BEC) scams, and related money laundering. The operation lasted two months between March and May 2022. It resulted in 1,770 locations being raided worldwide; 3,000 suspects identified; 2,000 operators, fraudsters, and money launderers arrested; 4,000 bank accounts frozen and $50 million worth of illicit funds intercepted. Amongst the highlights was a Chinese national who defrauded 24,000 victims out of $35,700,000.
On June 16, the US Department of Justice, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, announced the takedown of the infrastructure of a Russian botnet known as RSOCKS. The RSOCKS botnet provided proxy services that would anonymize the origin of internet traffic. The RSOCKS botnet initially targeted Internet of Things (IoT) devices, but later expanded into compromising additional types of devices, including Android devices and conventional computers. The Russian cybercriminals operating the botnet claimed that it comprised millions of devices worldwide. There were legitimate proxy services that provided IP addresses to their clients for a fee. Typically, these proxy services would use IP addresses leased from internet service providers (ISPs). RSOCKS, however, offered its clients access to IP addresses assigned to devices that had been hacked. A cybercriminal who wanted to utilize the RSOCKS platform could navigate to a web-based storefront to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies up to $200 per day for access to 90,000 proxies. Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of the RSOCKS proxy service were conducting large-scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages.
On June 18, Paige Thompson, also known as “erratic,” was convicted and found guilty of wire fraud, unauthorized access to a protected computer, and damaging a protected computer. The jury acquitted her of other charges, including access device fraud and aggravated identity theft. Thompson, a former Amazon software engineer, obtained the personal information of more than 100 million people from AWS-hosted servers in a data breach that prompted Capital One to reach a tentative $190 million settlement with affected customers; the company was also fined $80 million by the Treasury Department for failing to protect sensitive data. Thompson’s lawyers claimed that she was looking for vulnerabilities to patch. Still, the federal prosecutors noted that she did not just steal the data, but also planted software on the servers which she unlawfully accessed to steal computing power to mine cryptocurrency.
Don’t miss the second blog in our three-part series.