January 30, 2021

The Empire Strikes Back Against Ransomware

The number of ransomware attacks increased by over 700% year-over-year for 2020[1]. While this may make the situation seem hopeless for businesses, two recent high-profile busts show that law enforcement agencies are taking notice and attempting to keep up with hackers.

Netwalker dark web sites seized

The Netwalker ransomware is one of the more prolific variants today. From March to August 2020, it pulled in over $25 million in ransoms from its victims[2]. The developers employ a Ransomware-as-a-Service (RaaS) model, where other hackers can gain access to the malicious toolset in return for a percentage of their illicit spoils. RaaS widens the net for developer groups, allowing their programs to infect networks they may never have been able to crack or had no time to try.

On January 27th, the U.S. Department of Justice, in league with the FBI and the Bulgarian National Investigation Service, seized Netwalker’s dark web sites[3]. The ‘Dark Web’ allows for anonymous internet browsing, so it is rife with hackers, drug traffickers, and other shady entities. The Netwalker group regularly posted news about ransoms and, starting in March 2020, affiliate requests. This was when the group moved from an in-house to a RaaS model.

The United States DoJ charged one such affiliate, Canadian national Sebastien Vachon-Desjardins, with conspiracy to commit computer and wire fraud[4]. Authorities claim the man has made $27.6 million from the scheme. The fact he is Canadian likely played a significant role in his indictment. Often, the perpetrators of these types of computer fraud reside in countries that do not extradite cybercriminals, such as Russia, making filing charges pointless. So, while this bust is very encouraging, there are undoubtedly other affiliates in the network who will not stop their activities. It will be interesting to see if the Netwalker group starts a new Dark Web site any time soon.

Netwalker’s victims

University of California, San Francisco

In June 2020, the Netwalker ransomware infected networks at UCSF. While the university said it isolated the affected systems and kept the malware from spreading, it still encrypted ‘important’ academic work. The school paid a $1.14 million ransom, negotiated down from the initial $3 million demand[5]. Still quite an expensive experience!

Toll Group

In late January of 2020, the Australian shipping logistics company, Toll Group, suffered a massive Netwalker attack that affected over 1000 servers[6]. It got so bad that they had to suspend operations for days while they scrambled to assess and contain the issue. This led to unsatisfied customers and a tarnished reputation. In fact, over nine months after the incident, the company was still dealing with the aftermath[7]. It is unclear if the organization paid out anything.

Crozer-Keystone Health System

Sadly, hackers are pretty unscrupulous when it comes to selecting their targets. In June of 2020, a Philadelphia-based health center, the Crozer-Keystone Health System, was attacked. It’s unknown exactly how much data was encrypted, but the healthcare provider publicly announced they would not cooperate with the culprits and no ransom would be paid. This resulted in the Netwalker group offering the data it stole up for auction via the now-defunct Dark Web site mentioned earlier[8]. Details are scarce, but officials from Crozer-Keystone don’t believe the hackers gained access to any patient medical data.

Emotet botnet taken down

The other big news in the world of cybercrime is that a coalition of international government agencies joined forces to take down the dreaded Emotet botnet. Responsible for 30% of malware attacks[9], the Emotet botnet isn’t ransomware itself but lays the foundation for malicious agents to install it.

A botnet is a large group of compromised computers that an operator controls remotely to carry out tasks in bulk. In Emotet’s case, the task was sending hundreds of thousands of phishing emails to unsuspecting people. The emails carried Microsoft Word attachments that asked the reader to ‘Enable Macros.’ If the victim complied, the macro fetched and installed the Emotet loader, a backdoor that gave the operators, and anyone who rented access from them, a foothold for follow-on payloads, including ransomware.
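
As an added example (not from this page or from any of the agencies involved), here is a small Python check that a mail gateway or an analyst could run on an attachment to flag the kind of macro-carrying Word document Emotet used. A modern Word file is a ZIP package, and a macro-enabled one either contains a `word/vbaProject.bin` part or declares a `macroEnabled` content type, even if someone renamed `.docm` to `.docx`. The sample packages below are constructed in the code; a real lure would carry a real VBA project rather than placeholder bytes.

```python
import io
import zipfile

# Signature of an OLE2 compound file, the container for legacy .doc/.xls, which can always hold macros.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Package parts whose presence means an OOXML document carries a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Substring found in the declared content type of .docm/.xlsm/.pptm files.
MACRO_CONTENT_TYPE = b"macroEnabled"


def classify_office_attachment(data: bytes) -> str:
    """Classify an attachment by its ability to carry VBA macros.

    Returns one of:
      'ooxml-macro'  - ZIP-based Office package with a VBA project or macroEnabled content type
      'ooxml-clean'  - ZIP-based Office package with neither
      'ole2-binary'  - legacy binary Office format (treat as suspicious; macros cannot be ruled out here)
      'not-office'   - anything else, including corrupt ZIPs
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = set(package.namelist())
            if any(part in names for part in VBA_PARTS):
                return "ooxml-macro"
            # A .docm renamed to .docx keeps its macroEnabled declaration in [Content_Types].xml.
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in package.read("[Content_Types].xml"):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style package for testing (constructed data, not a real document)."""
    content_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    if with_macro:
        content_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>',
        )
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            package.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buffer.getvalue()


if __name__ == "__main__":
    samples = {
        "macro-enabled package": build_sample(True),
        "plain package": build_sample(False),
        "legacy .doc header": OLE2_MAGIC + b"\x00" * 8,
        "plain text": b"hello",
    }
    for label, blob in samples.items():
        print(f"{label:22s} -> {classify_office_attachment(blob)}")
```

In a gateway you would quarantine `ooxml-macro` and `ole2-binary` from external senders, or at least strip the attachment and notify the recipient; the check costs one ZIP directory read and no macro parsing.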

On January 27th, the news broke that law enforcement agencies in the United States, Germany, Canada, France, the U.K., the Netherlands, Lithuania, and Ukraine had brought down the enormous botnet by seizing its command-and-control infrastructure[10]. In even better news, investigators used that control to push an update to infected machines that is scheduled to uninstall Emotet on April 25th[11].

So, it’s nice to see some good news after months of successful hacks, ransomware attacks, and COVID-19 phishing. While hackers won’t stop because of these stories, it’s good to know that law enforcement agencies worldwide are stepping up and doing something about the problem.

Protect your data

These developments are heartening, but organizations and individuals can’t rely on the government to protect them from hackers. They must be proactive and use secure solutions whenever possible.

If you need to store and share files online, AXEL Go provides industry-leading privacy features that keep sensitive documents away from malicious agents. AXEL Go utilizes distributed, decentralized servers along with AES-256 encryption and file sharding to ensure your files stay safe. Sign up for our full-featured Basic account and receive 2GB of secure online storage and enough fuel for thousands of typical shares. If you are a business or power user, we have different options to fit all needs and budgets. It’s time to get serious about protecting your data before it’s too late.

[1] “Mid-Year Threat Landscape Report 2020”, Bitdefender, 2020, https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf

[2] Lawrence Abrams, “Netwalker ransomware earned $25 million in just five months”, Bleeping Computer, Aug. 3, 2020, https://www.bleepingcomputer.com/news/security/netwalker-ransomware-earned-25-million-in-just-five-months/

[3] Brian Krebs, “Arrest, Seizures Tied to Netwalker Ransomware”, Krebs on Security, Jan. 27, 2021, https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware/

[4] Kevin Collier, “Justice Department issues rare charges against ransomware operator”, NBC News, Jan. 27, 2021, https://www.nbcnews.com/tech/security/justice-department-issues-rare-charges-against-ransomware-operator-n1255899

[5] Lindsey O’Donnell, “UCSF Pays $1.14M After NetWalker Ransomware Attack”, Threatpost, June 30, 2020, https://threatpost.com/ucsf-pays-1-14m-after-netwalker-ransomware-attack/157015/

[6] Ry Crozier, “Toll Group tight-lipped on alleged ransomware attack”, itnews, Feb. 4, 2020, https://www.itnews.com.au/news/toll-group-tight-lipped-on-alleged-ransomware-attack-537437

[7] K&L Gates LLP, “Continuing to take its Toll: Toll Group still feeling impacts nine months after experiencing Ransomware Attack”, Lexology, Nov. 2, 2020, https://www.lexology.com/library/detail.aspx?g=002dc678-4d08-4782-88bb-1e4a9e188a7b

[8] Jackie Drees, “Ransomware group auctions Crozer-Keystone Health System data on darknet”, Beckers Hospital Review, June 22, 2020, https://www.beckershospitalreview.com/cybersecurity/ransomware-group-auctions-crozer-keystone-health-system-data-on-darknet.html

[9] Danny Palmer, “Emotet: The world’s most dangerous malware botnet was just disrupted by a major police operation”, ZDNet, Jan. 27, 2021, https://www.zdnet.com/article/emotet-worlds-most-dangerous-malware-botnet-disrupted-by-international-police-operation/

[10] “Emotet botnet taken down by international police sweep”, BBC News, Jan. 27, 2021, https://www.bbc.com/news/technology-55826258

[11] Lawrence Abrams, “Europol: Emotet malware will uninstall itself on April 25th”, Bleeping Computer, Jan. 27, 2021, https://www.bleepingcomputer.com/news/security/europol-emotet-malware-will-uninstall-itself-on-april-25th/

Filed Under: Cybersecurity Tagged With: cybersecurity, DOJ, emotet, hackers, netwalker

January 8, 2021

China Hacks the Planet – Part II

Part I of our series on China’s state-sponsored hackers summarized the motivations, methods, and underlying structure of their cyber divisions. In Part II, we delve into some of China’s well-known Advanced Persistent Threat (APT) groups and their high-profile attacks.

APTs

China employs (or has employed) dozens of APT groups over the past decade. They are so numerous that covering them all is outside the scope of this post. However, here are a few noteworthy examples:

APT 1

APT 1 was the first Advanced Persistent Threat group to be given a number, hence the name. The group began operations in 2006 (a year before Apple released the first iPhone). As Unit 61398 of the People’s Liberation Army (PLA), it was linked directly to the Chinese government. In fact, according to an in-depth report on APT 1 by the cybersecurity firm Mandiant, the unit received dedicated fiber-optic infrastructure from a state-owned telecom in the name of national defense[1]. This was no two-Yuan hacking unit: hundreds of operators worked in the group from 2006 to 2014.

The majority of their attacks targeted the United States. They stole sensitive information from the country’s IT, aerospace, and engineering sectors, among many others. They infected networks, pilfered data, and left only small traces of evidence that they were ever there. APT 1 specialized in spear-phishing: a typical lure was a ZIP attachment containing an executable given a PDF icon and a PDF-like name, so that it passed for an ordinary Adobe document.
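
As an added example (not taken from the Mandiant report or from this page), the following Python triage check flags the mismatch APT 1 relied on: an attachment whose name says PDF but whose bytes say Windows executable or ZIP archive. It also covers the two related tricks a practitioner would check at the same time, the double extension (`Report.pdf.exe`, where Windows hides the final extension by default) and the Unicode right-to-left override that visually reverses the end of a filename. The filenames and byte strings are constructed test data.

```python
import os
from typing import List

# File signatures (magic bytes) for the container types that matter here.
MAGIC_SIGNATURES = [
    (b"MZ", "exe"),          # Windows PE executable
    (b"\x7fELF", "elf"),     # Linux executable
    (b"PK\x03\x04", "zip"),  # ZIP archive (also the container for .docx/.xlsx)
    (b"%PDF-", "pdf"),       # Adobe PDF
]

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Unicode right-to-left override: makes "Report\u202efdp.exe" render as "Reportexe.pdf".
RTLO = "\u202e"


def sniff_type(data: bytes) -> str:
    """Return the type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    actual = sniff_type(data)

    # 1. The name claims PDF but the content is something else (the APT 1 disguise).
    if ext == ".pdf" and actual != "pdf":
        findings.append(f"named .pdf but content is {actual}")

    # 2. Double extension such as Report.pdf.exe; Explorer hides the final extension by default.
    if inner_ext == ".pdf" and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension: displays as PDF, executes as {ext}")

    # 3. Right-to-left override anywhere in the name reverses how its tail is rendered.
    if RTLO in filename:
        findings.append("right-to-left override character in filename")

    # 4. Executable content under any other non-executable extension (the .pdf case is rule 1).
    if actual in ("exe", "elf") and ext not in EXECUTABLE_EXTENSIONS and ext != ".pdf":
        findings.append(f"executable content with non-executable extension {ext or '(none)'}")

    return findings


if __name__ == "__main__":
    # Constructed samples: a PE header stub, a ZIP local-file header, a PDF header. None is real malware.
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    samples = [
        ("Q2_Financials.pdf", pe_stub),
        ("Q2_Financials.pdf.exe", pe_stub),
        ("Q2_Financials.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("Q2_Financials\u202efdp.exe", pe_stub),
        ("invoice.pdf", b"PK\x03\x04" + b"\x00" * 26),
    ]
    for name, blob in samples:
        print(repr(name), "->", inspect_attachment(name, blob) or "ok")
```

The content check is the one that matters: extension and icon are attacker-controlled, the first bytes of the file are not. A mail filter that only blocks `.exe` by name would pass the first and the fourth sample above.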

High-profile APT 1 attacks

  • The first known attack attributed to the group was against a Japanese subsidiary of the cybersecurity company Symantec. It was unknown at the time, but in 2012 news outlets reported that the hackers had stolen the source code to the Norton antivirus software[2]. With the source code, APT 1 had a head start on finding the product’s vulnerabilities and on working around its detections.
  • In 2012, APT 1 infiltrated Telvent’s network. Telvent, a Schneider Electric subsidiary, made software used to manage energy grids in the United States, Canada, and Europe[3]. This fits the group’s modus operandi of targeting infrastructure-related organizations: access to a grid-management vendor is a way to spy on other countries’ energy grids and to steal proprietary smart grid technology.
  • One of the more curious cases is the 2011 hacks by the group Anonymous. Anonymous is a well-known hacktivist collective that rose to prominence by carrying out DDoS attacks against the Church of Scientology in 2008. In 2011, the Guy Fawkes mask-wearing hacktivists attacked the cybersecurity firm HBGary Federal in retaliation for its investigations into the group. Strangely, the Mandiant report linked above ties APT 1 to these hacks[4]. Is China a significant part of Anonymous? It seems possible.

APT 1 was extremely prolific, with hundreds if not thousands of victims over its active years. After the aforementioned Mandiant report was released, the group slunk back into the cyber shadows. Analysts believe it broke up and that its assets were distributed to other, more contemporary groups.

In 2018, malware code associated with APT 1 resurfaced in an attack[5]. Most cybersecurity experts do not believe it was the old hacker gang, however. Most likely, a different Chinese APT group used the old code after APT 1 disbanded.

Mustang Panda

Coincidentally, 2014 wasn’t only the year APT 1 went silent; it’s also when Mustang Panda became active. They weren’t noticed until three years later when the cybersecurity firm, Crowdstrike, observed them targeting a U.S. think tank[6].

At first, they mostly set their sights on international non-governmental organizations and targets within the Mongolian government. They soon moved on to bigger fish, however. Recently, researchers have attributed two notable campaigns to them.

Coronavirus-based Phishing

The global COVID-19 pandemic gave groups such as Mustang Panda a ready-made pretext for phishing. While unfortunate, it has proven effective: people are far more likely to open an attachment or link that promises information about the coronavirus. Mustang Panda has targeted Taiwan and Vietnam specifically with fake emails designed to lure victims looking for pandemic updates.

The Vatican gets attacked

Unapproved religions are not looked at kindly by the Chinese government. The Catholic Church cut off diplomatic ties with China in 1951, and only recently are the frosty relations beginning to thaw. While dialogue between the Holy See and Chinese officials has started, Mustang Panda recently hacked Vatican officials to gather intel about the Church’s intentions[7]. Not exactly establishing new relationships built on trust.

APT 41

APT 41 is well known for targeting video game companies. Active since at least 2012, it differs from other Chinese groups in that it turns custom malware tools normally reserved for espionage to financially motivated attacks[8]. For example, in 2014 it hacked the Southeast Asian distributor of games such as League of Legends, FIFA Online, and Path of Exile, infiltrated the distributor’s production environments, and inserted malware to generate millions of dollars’ worth of virtual currency, which the group then laundered to cash out. Besides video game companies, APT 41 also targets healthcare, pharmaceuticals, retail, telecoms, education, and related sectors.

In September 2020, the United States Department of Justice charged five Chinese citizens affiliated with APT 41 with multiple felonies[9]. They remain at large and are thought to be in China.

The tip of the iceberg

There are many more Chinese APT groups out there worth mentioning. There may even be more hacker groups codenamed Panda than actual pandas in the wild! It’s got to be close. China has the most resources and money of any of the big state-sponsored hacking institutions. Given the success they’ve had, they probably won’t be stopping their activities any time soon. That’s why companies and government organizations worldwide need to be aware of the vulnerabilities in their systems and the dangers they face. Investment in robust cybersecurity protections needs to be standard, not a secondary priority. Protect your data. Protect your company.

Securing data in motion and at rest

AXEL specializes in providing file transfer and storage solutions that prioritize security. Our platform, AXEL Go, utilizes blockchain technology, the InterPlanetary File System (IPFS), and password-based encryption to keep your important files safe and out of the reach of hacker groups. You can sign up for a free, full-featured Basic account and try it out with 2GB of storage and enough AXEL Tokens to fuel thousands of ordinary shares. Those needing more storage can pay for one of our reasonably priced premium plans. Stop putting your organization’s sensitive information at risk and use AXEL Go.

[1] “APT1: Exposing One of China’s Cyber Espionage Units”, Mandiant, Feb. 2013, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

[2] Jim Finkle, “Symantec Hack: Company Admits Hackers Stole Norton Source Code in 2006”, The Huffington Post, Jan. 17, 2012, https://www.huffpost.com/entry/symantec-hack-norton-source-code_n_1211043

[3] Brian Krebs, “Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent”, Krebs on Security, Sept. 26, 2012, https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

[4] Pierluigi Paganini, “Mandiant report links Anonymous 2011 hacks to APT1 campaign”, Security Affairs, Feb. 22, 2013, https://securityaffairs.co/wordpress/12525/hacking/mandiant-report-links-anonymous-2011-hacks-to-apt1-campaign.html

[5] Brian Barrett, “The Mysterious Return of Years-Old Chinese Malware”, Wired, Oct. 10, 2018, https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/

[6] “Threat Group Cards: A Threat Actor Encyclopedia”, Thailand Computer Emergency Response Team, https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Mustang%20Panda%2C%20Bronze%20President&n=1

[7] Shannon Vavra, “Suspected Chinese hackers impersonate Catholic news outlets to gather intel about Vatican diplomacy”, cyberscoop, Nov. 23, 2020, https://www.cyberscoop.com/chinese-hacking-catholic-church-vatican/

[8] “APT41, a dual espionage and cyber crime operation”, FireEye, https://content.fireeye.com/apt-41/rpt-apt41/

[9] Catalin Cimpanu, “US charges five hackers from Chinese state-sponsored group APT41”, ZDNet, Sept. 16, 2020, https://www.zdnet.com/article/us-charges-five-hackers-part-of-chinese-state-sponsored-group-apt41/

Filed Under: Uncategorized Tagged With: APT 1, APT 41, china hackers, china malware, cybersecurity, Intellectual property, IP theft, Mustang Panda

December 18, 2020

China Hacks the Planet – Part I

China has modernized and become extremely competitive on the world stage over the past half-century. As the most populous country continues to dominate many global manufacturing sectors, the Chinese Communist Party (CCP) grows eager to become a recognized superpower. Here, we look into the CCP’s aspirations and current cyber activities to see how it intends to achieve that status.

A transition of power?

Historically, up-and-coming nations attained superpower designation through winning wars. However, the proliferation of nuclear weapons and the Mutually Assured Destruction doctrine take this path off the table. So, China must engage in different tactics, such as cyber warfare. Military officials and security experts believe the globe is already at war in cyberspace[1]. As the battlefield expands, China represents the largest threat to the United States and other Western democracies. They operate more known Advanced Persistent Threat groups than the next top three (Russia, Iran, and North Korea) combined[2].

Methods for progress

Although China’s military spending ranks 2nd in the world, it still pales compared to the United States (as of 2019, $261 billion vs. over $730 billion[3]). Knowing it can’t compete on sheer military might, China employs “asymmetric” warfare tactics that include powerful cyber attacks. To support the IT infrastructure necessary for this, China has implemented strategies to spur greater tech capabilities.

Bridging the tech gap

In 2015, officials enacted the ‘Made in China 2025’ plan. This comprehensive policy set ambitious goals to improve China’s tech manufacturing capacity and foster domestic innovation. According to the program, China wanted to produce 40% of its own mobile phone chips, 70% of the nation’s industrial robots, and 80% of its renewable energy equipment domestically by 2025[4]. A portion of the engineering and production gaps have closed due to legal initiatives such as[5]:

  • Encouraging joint ventures between Chinese and Western companies to facilitate knowledge transfer.
  • Promoting the education of Chinese students abroad at highly-advanced tech research universities.
  • Allowing and partaking in direct foreign investment projects.
  • Recruiting skilled foreign talent for domestic companies.
  • Utilizing open-source information to catalog and analyze global technology innovation.

Unfortunately, China doesn’t use legal means exclusively. Malicious activities also fuel their aggressive agenda.

Espionage and IP theft

China differs from other state actors in that the number one priority is usually espionage and Intellectual Property theft. In fact, over 80% of international cases involving economic espionage involve China[6]. It is a driving force behind the country’s rapid technological evolution.

According to the director of the National Counterintelligence and Security Center, William Evanina, IP theft costs the United States up to $600 billion a year[7]. That’s nearly 3% of the most prosperous nation’s total GDP!

This results in a two-pronged effect that simultaneously strengthens China and weakens the United States. Chinese hackers infiltrate U.S. networks, steal IP and trade secrets, form business operations in China’s domestic market using the IP, then disrupt global markets by undercutting United States’ companies. This brazen activity led to FBI Director Christopher Wray’s assertion that “no country poses a greater threat [to the United States] than Communist China.[8]“

For its part, Beijing continues to claim it is committed to cracking down on IP theft[9]. So far, this purported dedication is questionable at best. According to a 2019 CNBC CFO survey, over 20% of organizations said China had stolen their IP within the past year, while 31% said it had happened at some point in the past decade[10]. If a single year accounts for most of a decade’s victims, the frequency of theft is increasing.

Structure

The scope of China’s cyber army is rather massive. The most recent estimate, from 2016, puts it at over 30,000 military hackers and up to 150,000 “private” cyberspies[11]. Given the communist nature of the country’s government, the term “private” is nebulous and blends confusingly into official government-backed activities. During Congressional testimony in 2018[12], Dean Cheng, a senior researcher at The Heritage Foundation, defined three distinct categories under which China’s cyber forces fall.

Specialized military units

There are units within the People’s Liberation Army (China’s regular armed forces) that specialize in cyber warfare. These are highly trained professionals who carry out strategic missions around the globe. The most publicized of these groups are Unit 61398 (APT1) and Unit 61486 (APT2). In Part II of our series on Chinese threat actors, we’ll go into more detail about these groups and their high-profile attacks.

Specialist units with military permission

These units aren’t permanent fixtures within the Chinese military. The hackers may be local province cybersecurity experts called to duty within a military region or war zone for tactical purposes. Typically, they are put into action by officials from the state intelligence agency (Ministry of State Security) or the state police force (Ministry of Public Security).

Civilians

These are voluntary participants who can be mobilized to conduct network operations that further China’s goals. Examples include corporate espionage or ransomware deployments. Such activities can provide crucial IP information or illicit funding to military groups. Though not affiliated with the military under normal circumstances, the CCP has an official “Military-Civil Fusion” policy[13]. This strategy blurs the lines and renders distinctions between the two classes nearly moot.

When active, these all work within the People’s Liberation Army, under the SSF (Strategic Support Force). The SSF, established in 2015, is China’s overarching military unit that oversees space, cyber, and electronic warfare strategy and implementation.

Just the beginning

Hopefully, this brief overview has provided a better understanding of China’s emphasis on cyberwarfare and its importance to the country’s geopolitical ambitions. It is a serious matter that democratic governments need to address soon. In Part II, we’ll delve into several of the threat groups operating in the country and detail their known hacking campaigns. You’ll see exactly what kind of damage they can inflict.

[1] Zak Doffman, “Cyber Warfare: U.S. Military Admits Immediate Danger Is ‘Keeping Us Up At Night’”, Forbes, Jul. 21, 2019, https://www.forbes.com/sites/zakdoffman/2019/07/21/cyber-warfare-u-s-military-admits-immediate-danger-is-keeping-us-up-at-night/?sh=7dc846411061

[2] Naushad K. Cherrayil, “Chinese-speaking hackers increase activity and diversify cyberattack methods”, Tech Radar, Aug. 5, 2020, https://www.techradar.com/news/chinese-speaking-hackers-increase-activity-and-diversify-cyberattack-methods

[3] “The 15 countries with the highest military spending worldwide in 2019”, Statista, Dec. 1, 2020, https://www.statista.com/statistics/262742/countries-with-the-highest-military-spending/

[4] Jost Wubbeke, Mirjam Meissner, Max J. Zenglein, Jacqueline Ives, Bjorn Conrad, “Made In China 2025: The making of a high-tech superpower and consequences for industrial countries”, Merics, Dec. 2016, https://merics.org/sites/default/files/2020-04/Made%20in%20China%202025.pdf

[5] Michael Brown, Pavneet Singh, “China’s Technology Transfer Strategy: How Chinese Investments in Emerging Technology Enable A Strategic Competitor to Access the Crown Jewels of U.S. Innovation”, Defense Innovation Unit Experimental, Jan. 2018, https://admin.govexec.com/media/diux_chinatechnologytransferstudy_jan_2018_(1).pdf

[6] David H. Laufman, Joseph M. Casino, Michael J. Kasdan, “The Department of Justice’s National Security Division Chief Addresses China’s Campaign to Steal U.S. Intellectual Property”, The National Law Review, Aug. 24, 2020, https://www.natlawreview.com/article/department-justice-s-national-security-division-chief-addresses-china-s-campaign-to

[7] “China theft of technology is biggest law enforcement threat to US, FBI says”, The Guardian, Feb. 2020, https://www.theguardian.com/world/2020/feb/06/china-technology-theft-fbi-biggest-threat

[8] “China theft of technology is biggest law enforcement threat to US, FBI says”, The Guardian, Feb. 2020, https://www.theguardian.com/world/2020/feb/06/china-technology-theft-fbi-biggest-threat

[9] Joe McDonald, “China announces trade secrets crackdown to assure investors”, AP News, Sept. 20, 2017, https://apnews.com/article/e7e6d8cf62d94542b2554c1f6c56f8f6

[10] Eric Rosenbaum, “1 in 5 corporations say China has stolen their IP within the last year: CNBC CFO survey”, CNBC, Mar. 1, 2019, https://www.cnbc.com/2019/02/28/1-in-5-companies-say-china-stole-their-ip-within-the-last-year-cnbc.html

[11] Michelle Van Cleave, “Chinese Intelligence Operations and Implications for U.S. National Security”, U.S.-China Economic and Security Review Commission, June 9, 2016, https://www.uscc.gov/sites/default/files/Michelle%20Van%20Cleave_Written%20Testimony060916.pdf

[12] Dean Cheng, “China’s S&T and Innovation Efforts”, Congressional testimony, Jan. 9, 2018, https://docs.house.gov/meetings/AS/AS26/20180109/106756/HHRG-115-AS26-Wstate-ChengD-20180109.pdf

[13] “The Chinese Communist Party’s Military-Civil Fusion Policy”, The U.S. Department of State,

Filed Under: Cybersecurity Tagged With: china hackers, china malware, cybersecurity, Intellectual property, IP theft

December 4, 2020

A Look into North Korea’s Legion of Cyber Criminals

When it comes to infamous hacker gangs, Russian ones seem to garner the most attention. However, North Korea’s state-sponsored group is just as formidable. Here, we attempt to break down the rogue nation’s cyber army and see how it operates.

Bureau 121

The Reconnaissance General Bureau (RGB) of North Korea is the country’s intelligence agency, consisting of six different “bureaus.” Formed in 1998, Bureau 121 is the cyber warfare sector of the RGB. According to an intelligence report from the United States Army, this branch consists of four subgroups[1]. These include:

The Andariel Group: Andariel members assess targeted computer systems and identify vulnerabilities to use in future attacks.

The Bluenoroff Group: This group focuses on financial crime. Cyber theft is one of North Korea’s biggest revenue streams.

Electronic Warfare Jamming Regiment: They are in charge of jamming enemy computer systems during actual, on-the-ground war scenarios.

The Lazarus Group: The most notorious part of Bureau 121, The Lazarus group is an agent of social chaos. They infiltrate networks and deliver malicious payloads.

The name ‘Lazarus Group’ is often applied loosely to all of Bureau 121’s activity, especially that of the financial crime division. It is unknown how many individuals comprise Bureau 121, but estimates run into the thousands. Members often operate from other countries, including Russia, China, Belarus, India, and Malaysia. This helps obscure the true origin of attacks and gives the operators access to more robust network infrastructure. Due to worldwide economic sanctions and a generally low industrial capacity, North Korea itself lacks the resources and the international connectivity needed to carry out large attacks from home.

An elite organization

North Korea’s internal policies and actions are opaque to the international community. However, defector testimony claims that the nation’s top computer science students from the university in Pyongyang make up Bureau 121. These talented hackers then enjoy special privileges in North Korean society[2]. Instead of rundown tenements or rural farmhouses, they receive relatively posh (by North Korean standards) apartments in the capital. With these kinds of unheard-of perks, it’s no wonder that people desire the positions.

Significant revenue generation

North Korea’s illicit digital activities replace a portion of what’s lost due to sanctions and flawed policies. In 2019, a United Nations report concluded that the rogue country gained $2 billion from cyberattacks[3]. Now, that sounds bad, but maybe it’s some sort of Robin Hood situation, where they steal from the rich to provide food and essentials for their ailing citizens? But no, the money actually went to their weapons division, specifically the nuclear weapons program. This makes North Korean hackers a threat to global security.

Notable attacks

2013 South Korea Cyberattack

In March 2013, North Korea unleashed a devastating cyberattack against their neighbors to the South. Utilizing the “DarkSeoul” malware, they infiltrated banking and media institutions throughout the country. Their top two television stations, the Korean Broadcasting System and MBC, suffered widespread computer issues but were able to stay on the air.

Popular banks such as the Shinhan Bank, Jeju, and NongHyup reported outages for their online banking and in-person services alike. Some even had their internal files erased. Luckily, they recovered most of the data from backups and restored operations within a few hours. Although resolved relatively quickly, it was still proof North Korea could cause chaos to their enemies.

The Sony hack

The November 2014 hack of Sony Pictures remains one of the most-publicized cyberattacks in history. It was a massive data breach that exposed a mountain of sensitive info. This ranged from personal information regarding employees and inter-office emails to plans for upcoming films, scripts, and complete cuts of then-unreleased movies.

If anyone doubted whether North Korea was responsible for the attack, it was all but verified when the hackers made their demands. The most adamant requirement was for Sony to nix the release of “The Interview.” For the readers out there unfamiliar with the intricacies of the Seth Rogen/James Franco buddy comedy genre, The Interview starred the famous duo attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un. In the face of the hack, and under threats of terrorism by the attackers, Sony canceled the film’s wide theatrical release and put it out online and in a few hundred independent theaters instead.

The Sony hack was a huge deal. It led the United States to bring formal charges against North Korea and raised tensions between the two countries to a point from which relations have never really recovered.

WannaCry ransomware

WannaCry is another extremely high-profile cybersecurity incident. In May of 2017, using a Microsoft Windows vulnerability, WannaCry infected hundreds of thousands of computers in less than a day! While only receiving a paltry (by successful ransomware standards) $130,000 in ransoms, the malware made a huge practical impact.

The biggest example of this was the attack on National Health Service hospitals in England and Scotland. Many of them had to turn away non-life-threatening emergencies, and the incident disrupted ambulance service throughout the region.

After the attack, the United States held a Congressional hearing with security professionals to solicit ideas about improving resiliency to such situations.

Recent activity

The hacks above had the most significant impact on global cybersecurity, but that doesn’t mean Bureau 121 slowed down in recent years. On the contrary, they’ve been extremely busy! The increased popularity of cryptocurrency gives entities like the Lazarus Group an easy way to transact with the organizations they attack and launder the ransoms afterward.

They outright target cryptocurrency-related companies too. Research indicates they use the professional social media platform LinkedIn to lure in unsuspecting employees, then spear-phish them to exploit network vulnerabilities[4]. These underhanded tactics result in lucrative ill-gotten gains. According to the UN report mentioned above, $571 million out of the $2 billion revenue was from cryptocurrency theft.

Phishers target AstraZeneca

Using the LinkedIn phishing method, the Lazarus Group set their sights on pharmaceutical giant AstraZeneca in late November. State agents posing as high-level recruiters flooded their employees with fake job offers. Then, they emailed the targets with malware attachments. Luckily, no one fell for the scheme, but it shows that Bureau 121 isn’t burdened by any moral compass.

AstraZeneca is one of the companies working on a viable COVID-19 vaccine. Cybersecurity researchers believe that North Korea is focusing on COVID-related organizations at the moment[5]. As one of only 11 countries without a reported COVID-19 case[6], perhaps they don’t see the harm in attacking a vaccine maker. For the rest of us, we can only hope they fail.

Protect your data

When you think of state-sponsored hacking groups, you may assume they only attack political targets. However, rogue nations like North Korea gain a considerable portion of their revenue from such endeavors, as you’ve seen. Therefore, assume that any organization with network vulnerabilities and substantial cashflow is susceptible.

Protect your sensitive data from threat actors by using AXEL Go to store and share files. AXEL Go is built on secure blockchain technology and utilizes robust encryption to keep your documents safe and private. It is available on Windows, Mac, iOS, and Android. So, no matter where your platform allegiances lie, you can enjoy secure, private file sharing. Our free basic account offers all the great features of AXEL Go with 2GB of free online storage. Download it now.


[1] “North Korean Tactics”, Department of the Army, July 2020, http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html

[2] Ju-min Park, James Pearson, “In North Korea, hackers are a handpicked, pampered elite”, Reuters, Dec. 4, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea/in-north-korea-hackers-are-a-handpicked-pampered-elite-idUSKCN0JJ08B20141205

[3] Michelle Nichols, “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report”, Reuters, Aug. 5, 2019, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[4] Anthony Cuthbertson, “North Korean Hackers Use LinkedIn for Cryptocurrency Heist, Report Reveals”, The Independent, Aug. 25, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-lazarus-linkedin-cryptocurrency-a9687086.html

[5] Jack Stubbs, “Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources”, Reuters, Nov. 27, 2020, https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

[6] Kaia Hubbard, “Countries Without Reported COVID Cases”, U.S. News, Nov. 13, 2020, https://www.usnews.com/news/best-countries/slideshows/countries-without-reported-covid-19-cases?slide=13


Filed Under: Cybersecurity, Uncategorized Tagged With: bureau 121, cybersecurity, hackers, lazarus group, North korea, north korean hackers, ransomware

November 27, 2020

Ransomware is Big Business for REvil Hacker Group

REvil, or Sodinokibi, is one of the most notorious hacker gangs in the world. Known for their ransomware attacks, the group claims it will make $100 million by the end of the year[1]. Here is a brief overview of the Russian hackers and their illicit accomplishments.

A sordid history

For all of their high-profile attacks, concrete information about the group remains elusive to the public. They are likely based in Russia, judging by the available cybersecurity intelligence and by their unwillingness to attack companies or governments in the former Soviet bloc.

An offshoot

Cybersecurity analysts believe malicious developers from a previous group called GandCrab make up REvil[2]. GandCrab was a prolific gang that collected an estimated $2 billion in ransoms in an 18-month period between 2018 and 2019. REvil popped up almost immediately after GandCrab stopped activities in 2019, and the two malware families share much of the same code.

The gang also employs a Ransomware-as-a-Service (RaaS) model to supplement their revenue. Those interested in a more in-depth breakdown of ransomware can read our recent blog post about the topic.

RaaS is interesting because the gang itself doesn’t have to focus constantly on finding new victims. REvil simply licenses out their malware to vetted affiliates, who do the dirty work of searching for and breaching vulnerable networks. REvil then takes a healthy 20-30% cut of the affiliates’ payments. How’s that for a business model!

High-profile attacks

Texas local governments: In a concerted August attack, REvil infected 23 local Texas government agencies and demanded a $2.5 million collective ransom[3]. The malware brought down the systems and websites of these agencies. Luckily, the victims were well-prepared in this case. Teams of cybersecurity experts restored the systems via backups or full rebuilds. They did not cooperate with REvil, and their sites are now back online.

Travelex: On New Year’s Eve in 2019, REvil infiltrated Travelex’s network. Travelex is a foreign currency exchange company known for its kiosks in airports around the world. Unfortunately for them, they weren’t very vigilant when it came to cybersecurity. They hadn’t installed any security patches for their VPN system in over two years! This allowed REvil to breach their network and inject ransomware easily.

It spread so fast that it took down their entire operation. Instead of coming clean about the hacking incident, Travelex claimed it was “planned maintenance” and quietly paid a $2.3 million ransom to the notorious gang. Once this information leaked (as it usually does), the company was in real hot water. Not only had their lax security policies led to a data breach and loss of service, but they lied about it. It evidently affected consumers’ trust, as the company did not recover from the situation. After a failed attempt to sell, Travelex fell into administration, cut over 1300 jobs, and is currently undergoing significant corporate restructuring[4].

Grubman Shire Meiselas & Sacks: In May of 2020, REvil stole over 750 gigabytes of confidential legal documents from the Grubman Shire Meiselas & Sacks law firm[5]. The practice is famous for representing celebrities and other high-profile clients. REvil gained access to records pertaining to people such as Madonna, Lady Gaga, Drake, Elton John, and United States President Donald Trump. At first, the ransom was an already-obscene $21 million but ballooned to $42 million after they figured out they had Trump’s information.

Upon the FBI’s guidance, the firm allegedly refused to pay the ransom, causing REvil to auction the information on the Dark Web to the highest bidder.

According to a recent interview with an apparent member of the gang, this may not be the entire story. The hacker claims a secret identity paid the ransom to prevent the Trump documents from leaking[6]. This cannot be confirmed but adds another layer of intrigue to the incident.

Televangelist Kenneth Copeland: Wealthy televangelist pastor Kenneth Copeland suffered a REvil attack recently as well. The hackers encrypted and stole 1.2 terabytes of information from the Kenneth Copeland Ministries’ computer systems. The data includes email databases, bank documents, financial contracts, and more. The actual ransom demand amount isn’t known at the moment, but with an estimated net worth of over $750 million, the famous pastor can likely afford it. If unpaid, he’ll need to take some time off from banishing evil from the world to focus on banishing REvil from his network.

Desperate or enterprising?

REvil uses a double-extortion method to extract ransom payments from its victims. This means that they encrypt the breached data so that the victim must either pay to unlock it or restore it from a backup (which they may or may not have). Concurrently, they steal and transfer the information back to their own storage and threaten to sell it on the Dark Web. This means even if the company, agency, or individual has a backup, they still might elect to pay up to stop the data from leaking. It’s a lucrative model, but evidently not lucrative enough.

According to the interview mentioned above, the gang may add another wrinkle. They are now considering flooding a victim’s website with bot traffic, known as a Denial-of-Service (DoS) attack, to bring it down while also employing the double-extortion methods. This cripples the victim’s ability to function and puts more pressure on them to remedy the situation quickly.

Some analysts wonder if this is a sign that the gang is in desperate need of more money. However, it could just be good, old-fashioned greed. Only time will tell. What is certain is that REvil shows no sign of stopping their practices soon, and even if it does shutter eventually, a new gang will form out of the ashes to continue their dubious legacy.

Data security

AXEL is a company dedicated to data security solutions. Our file sharing and storage cloud, AXEL Go, utilizes three ultra-secure technologies (Blockchain, IPFS, encryption) to keep private documents safe. We offer a fully-featured, free Basic plan with 2GB of online storage, as well as paid plans for power users and enterprise clients. Don’t just sit back and wait for hacker gangs like REvil to set their sights on you; protect yourself with AXEL Go. Download it today and try it out for Windows, Mac, Android, or iOS.


[1] Tara Seals, “REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/

[2] Jai Vijayan, “GandCrab Developers Behind Destructive REvil Ransomware”, Dark Reading, Sept. 25, 2019, https://www.darkreading.com/attacks-breaches/gandcrab-developers-behind-destructive-revil-ransomware/d/d-id/1335919

[3] “Texas government organisations hit by ransomware attack”, BBC News, Aug. 2019, https://www.bbc.com/news/technology-49393479

[4] Kalyeena Makortoff, “Travelex falls into administration, with loss of 1,300 jobs”, The Guardian, Aug. 6, 2020, https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-shedding-1300-jobs

[5] Lindsey O’Donnell, “REvil Ransomware Attack Hits A-List Celeb Law Firm”, threatpost, May 12, 2020, https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/

[6] Tara Seals, “REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/


Filed Under: Cybersecurity Tagged With: cybersecurity, data breach, hacker, REvil, russian hackers

October 16, 2020

A Story of Data Custody in the Modern Age: Part III

Lucas finds AXEL

In Part II of Lucas’ story, he found many companies were still collecting vast amounts of customer information even with new privacy regulations. But, that didn’t mean he was ready to shun technology. It was a modern conundrum shared by every technophile who values their privacy.

“I’m an IT professional who loves the latest and greatest technology. I can’t close myself off from the world and go hide out in a treehouse in the woods. That shouldn’t be my only option just because I don’t want these huge companies spying on me or making detailed models of my behavior. So, I started to scour the web looking for programs and services that weren’t going to auction off my information to the highest bidder. I stumbled upon AXEL from a Google search about cloud storage, and loved what I saw.”

Lucas and AXEL Go

Specifically, Lucas found our private, secure file storage and sharing application, AXEL Go.

“AXEL Go is basically my new best friend. I get instant access to all of my files and can share them with anyone. I use it at home on my PC and on my iPhone when I’m out. The first thing that impressed me was the company kept promoting this concept called ‘data custody.’ I’d never heard of the term before, but after reading into it a bit, it really hit home. It just means they’re all about giving control of data back to the people.”

AXEL is a champion of data custody and considers personal information private property. We never mine any content stored on AXEL Go and do not sell personal information to third parties, ever.

“That in itself sets them apart from most cloud companies. But they not only respect your data, they protect it too. Their security features are way more advanced than other cloud options.”

AXEL Go utilizes three secure technologies as its backbone: blockchain, the InterPlanetary File System (IPFS), and password-based encryption. This unique combination makes AXEL Go an industry leader in security, ensuring your content stays safe at rest and in motion.

“It’s the best of both worlds. I don’t have to worry about the company itself selling my info, but I also am less concerned about hackers breaching their system. Their servers are decentralized, and I always use encrypted passwords on my files. So hackers can’t attack a single vulnerable server to get my content, and even if they do somehow get to my files, they won’t be able to access them. I looked it up, and the encryption algorithm they use for passwords takes billions of years to brute force crack. It’s reassuring. Now, if AXEL could make a social media platform…”

A happy ending

Thank you, Lucas, for your kind words and support for AXEL products. If you’re like Lucas and want a cloud sharing solution that provides security and privacy, download AXEL Go today. It’s free to sign up, and our Basic accounts include all of AXEL Go’s unique features, 2GB of storage space, and enough fuel tokens to facilitate thousands of shares. AXEL envisions a better future for the internet, where everyone’s data gets the respect it deserves. Together, we will achieve this goal.


Filed Under: Lifestyle Tagged With: big data, customer data, cybersecurity, data analytics, data breach, data collection
