
February 4, 2022

What Does Cyberwarfare Look Like? Just Ask Ukraine.

Since March of last year, Russia has been deploying troops close to the Russia-Ukraine border [1]. While troop movement within a nation is typically normal, Russia’s relationship with Ukraine is anything but. Since 2014, Russia has aggressively shown its desire to annex Ukrainian territory, starting with its occupation of Crimea, a territory that was formerly part of Ukraine, but mostly comprised of people of Russian ethnicity. However, it soon became clear that Crimea was just the beginning for Moscow’s leaders. Following Russia’s occupation of Crimea in 2014, the country began to use unique, digital strategies to destabilize Ukraine.

Beginning in 2015, Russia has engaged in flagrant cyberwarfare with Ukraine. And these attacks weren’t just data breaches and ransomware attacks; they’ve affected nearly every resident of Ukraine. Ultimately, the Russia-Ukraine conflict could be a sneak peek of how war is waged in the future.

Hackers Target Ukraine

Following Russia’s annexation of Crimea, Ukraine saw relative calm for almost two years. However, in December 2015, Russia launched an effective, atypical attack. On December 23, a Russian cyber-military unit, “Sandworm,” attacked Ukraine’s power grid, and knocked out electricity to over 200,000 Ukrainians.[2] Thankfully, power was restored to most places within six hours. Although a few hours without electricity isn’t exactly a devastating attack, it was undoubtedly worrying. After all, this was the first-ever confirmed hack that took down a power grid.[2] Additionally, power grid control centers were still not fully operational over two months after the attack, highlighting the sheer strength and organization of the attack.

Unfortunately, this was not the only cyberattack that Russia has executed on Ukrainians. One year later, in December 2016, Russia again attacked Ukraine’s power grid.[3] They quickly followed up by targeting Ukrainian banks and state-owned industries in June 2017.[4] Following this major attack, Russia seemed to calm down, and tensions actually defused for a few years. However, this changed in early 2022. As Russia began to mobilize its troops toward the Ukraine border, Moscow launched another cyberattack. This time, Russians were able to take down over 70 Ukrainian government websites, along with a message that warned Ukrainians to “Prepare for the worst.”[5]

Although Russia launched multiple effective cyberattacks, many cybersecurity experts believe Russian President Vladimir Putin could have ordered the attacks to be so much worse. After all, Ukraine’s 2016 power grid outage only lasted for about an hour. This made some believe that Russia was using Ukraine as a “testbed” for refining cyberattacks that could be used globally[3]. No matter Russia’s ultimate purpose, these cyberattacks show a glimpse of Russia’s unique military strategy.

Disinformation Campaigns

In addition to cyberattacks, Russia has also used the Internet to sow instability within Ukraine. When Russia invaded Crimea in 2014, the country used state media and social media to sway ethnic Russians in Ukraine to support the annexation.[6] These accounts falsely alleged that Western forces manipulated Ukrainian protests, and also fabricated stories of Ukrainian soldier misconduct. Using this disinformation, Russia was able to gain enough support to annex Crimea with (relatively) little pushback.

If these disinformation efforts sound familiar, well, they are. Russia used similar techniques to meddle in the United States’ 2016 presidential election.[6] It’s a sinister, yet successful strategy for promoting Russian interests. With the emergence of the Internet and the popularity of social media, information warfare is relatively simple. Being able to kindle instability from thousands of miles away is a new, anxiety-inducing strategy that is being utilized in Ukraine, the United States, and other nations. Although it may not lead to traditional warfare casualties, Russia’s cyberwarfare actions have been extremely successful in promoting Putin’s interests.

What Would a Cyberwar Look Like?

When people think of cyberattacks, most think of data breaches and ransomware attacks. Damaging, yes, but they typically don’t harm anyone outside of the affected business and its customers. Cyberwarfare is very different. While Russia’s power grid attacks on Ukraine were effective, they were not nearly as devastating as they could have been. If Russia chooses to execute full-strength cyberattacks, the consequences could be deadly. In this scenario, Russia could shut off most of the country’s electricity, disable heat in the middle of winter, and shut down Ukraine’s military communications.[7] A cyberattack like this could make it astonishingly easy for Russia to successfully invade Ukraine. While an attack of this magnitude has not been undertaken by Russia or any other nation, the possibility of one is undoubtedly concerning. Full-fledged cyberwarfare is something the world has never seen, but the possibility of it increases every day.

Of course, it’s naive to assume that Russia is the only country preparing for cyberwarfare. The United States certainly has the capability to defend itself against cyberwarfare, and the ability to execute offensive cyberattacks. In fact, the United States was one of the first nations to engage in an act of cyberwarfare. In 2010, the U.S. and Israel jointly infected Iran’s nuclear infrastructure with the Stuxnet computer worm.[8] This attack crippled Iran’s nuclear program, highlighting just how successful cyberattacks can be.

When it comes to cyberwarfare, we really don’t know what the rules are yet. If Russia attacks another nation’s electricity or heat, indirectly leading to civilian deaths, is that a war crime? Or is remotely targeting infrastructure fair game? There are dozens of questions that haven’t been answered. Unfortunately, we may learn these answers during a future cyberwar. Whether this new kind of war is waged between Russia and Ukraine, the U.S. and China, or some other combination of unfriendly nations, we know the consequences of cyberwarfare will be severe.

About AXEL

Cybercrime is an ever-present threat. Thankfully, AXEL makes it easy to protect yourself from ransomware and data breaches. At AXEL, we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go. AXEL Go uses 256-bit encryption, blockchain technology and decentralized servers to ensure it’s the most secure file transfer software on the market. Whether you need to transfer large files or send files online, AXEL Go is the best cloud storage solution. If you’re ready to try the most secure file-sharing app for PC and mobile devices, get two free weeks of AXEL Go here.

[1] Roth, Andrew. “EU and UK Pledge Backing to Ukraine after Russian Military Buildup.” The Guardian. Guardian News and Media, April 6, 2021. https://www.theguardian.com/world/2021/apr/05/eu-sounds-alarm-at-russian-troops-ukraine-border-moves

[2] Zetter, Kim. “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid.” Wired. Conde Nast, March 3, 2016. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[3] Zetter, Kim. “The Ukrainian Power Grid Was Hacked Again.” VICE, January 10, 2017. https://www.vice.com/en/article/bmvkn4/ukrainian-power-station-hacking-december-2016-report

[4] Polityuk, Pavel, and Alessandra Prentice. “Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack.” Reuters. Thomson Reuters, June 27, 2017. https://www.reuters.com/article/us-ukraine-cyber-attacks-idUSKBN19I1IJ

[5] “Ukraine Cyber-Attack: Russia to Blame for Hack, Says Kyiv.” BBC News. BBC, January 14, 2022. https://www.bbc.com/news/world-europe-59992531

[6] Merchant, Nomaan. “US Tries to Name and Shame Russian Disinformation on Ukraine.” ABC News. ABC News Network, January 28, 2022. https://abcnews.go.com/Politics/wireStory/us-shame-russian-disinformation-ukraine-82526617

[7] Miller, Maggie. “Russian Invasion of Ukraine Could Redefine Cyber Warfare.” POLITICO, January 28, 2022. https://www.politico.com/news/2022/01/28/russia-cyber-army-ukraine-00003051

[8] Melman, Yossi. “Computer Virus in Iran Actually Targeted Larger Nuclear Facility.” Haaretz.com. Haaretz, September 28, 2010. https://www.haaretz.com/1.5118389


December 30, 2021

The World’s Top Hacking Groups – Part 2

In Part 1 of AXEL’s feature on the world’s top hacking groups, we featured some of the leading cultivators of chaos in the world. From state-sponsored groups like Bureau 121 to leaderless hacktivist organizations like Anonymous, no two hacking groups are the same. Each organization has different personnel, goals, and methods of achieving those goals, with some more successful than others. In a way, these criminal syndicates are extremely similar to traditional businesses: If you’re financially successful, your group will flourish. If you struggle to make steady income, you’ll lose employees and, eventually, your entire company.

However, just as it is in the business world, there are some hacking groups that are seemingly too big to fail. Typically, these groups are state-sponsored, and receive oodles of cash for security purposes. While these state-sponsored groups may rarely grab headlines, these are the syndicates that truly hold the most power. After all, an independent hacker group can be taken down with a thorough investigation. A hacker group supported by a powerful nation is extremely unlikely to ever face investigations or oversight from other nations.

These four groups represent some of the most powerful hacking organizations in the world:

Cozy Bear

Cozy Bear is yet another Russian state-sponsored hacking group that focuses on attacking Western governments and media [1]. This group, however, seemingly has an intense focus on the United States. In 2014, the group hacked the State Department and the White House’s email systems, and in 2020, breached the Commerce and Treasury departments [2]. As part of Russia’s foreign intelligence service, Cozy Bear, along with sibling hacking group Fancy Bear, hacked into the Democratic National Committee (DNC) in 2016. Oddly enough, Cozy Bear and Fancy Bear were unaware of each other’s activities, and both independently hacked the political committee [3].

Although Cozy Bear and Fancy Bear both breached the DNC’s servers in 2016, Cozy Bear’s latest actions show that these hacks aren’t done for partisan purposes. In July 2021, the group breached the servers of the Republican National Committee (RNC) [4]. Ultimately this highlights Russia’s main strategy regarding cyberwarfare. The goal isn’t to make sure a certain candidate wins; it’s to undermine faith in the electoral process, thus lowering confidence in the nation itself. While Russia may have a preferred candidate every four years, its cybersecurity actions show a clear, nonpartisan strategy to simply embarrass the United States and decrease faith in its political processes. And Cozy Bear is just one of many groups Russia uses to further this goal.

REvil

One of the newest hacking groups in the world is also one of the most notorious. REvil is a private Russian group that makes millions from its ransomware attacks on businesses. The group initially gained attention in May 2020, when it hacked an entertainment-focused law firm and stole a number of files from the firm. REvil threatened to release compromising documents about then-President Donald Trump unless the group received a massive USD $42 million ransom [5]. However, cybersecurity researchers quickly concluded that this was a bluff, and no compromising documents were ever released by REvil [6].

Unfortunately, REvil’s initial failure did not deter the group. In 2021, the group was responsible for two massive cyberattacks. First, in May 2021, REvil breached JBS Foods, the world’s largest beef producer. This attack forced the company to shut down some of its food processing plants, threatening a potential beef shortage. However, just one day after the initial attack, JBS paid a USD $11 million ransom to REvil to decrypt its servers [7]. While the quick payment ensured there would be no major shortages, it showed how desperate businesses can be if hit with a devastating ransomware attack. Just a month later, REvil attacked Kaseya, a networks, systems, and IT software company. This attack shut down Kaseya’s main software, ultimately affecting up to 1,500 businesses worldwide. The impacts of this attack were felt worldwide, with a Swedish grocery store chain closed because of inoperable cash registers, and New Zealand schools being taken offline [8].

Thankfully, in October 2021, REvil itself was forced offline by a multi-country operation led by the United States [9]. While this doesn’t mean REvil will never pop up again, the crackdown on ransomware shows that even the most notorious private hacking groups can be stopped.

Chinese Cyber Operations

While not much is known about China’s cyber operations, we do know that their attacks have been effective. In 2010, China was the culprit behind Operation Aurora, an advanced, highly-sophisticated attack on dozens of American companies, including Google and Adobe [10]. In the attack, China stole intellectual property, along with access to the Gmail accounts of two high-profile human rights activists.

Following this complex cyberattack, China was accused of executing one of the worst cyberattacks of all time: The Equifax data breach. In February 2020, the United States charged four members of China’s People’s Liberation Army with the 2017 hack that leaked personal information of over 150 million Americans [11]. While the United States has no way of extraditing the four soldiers for trial, this claim highlighted the sheer power of state cyber operations groups. The Equifax hack had a profound effect on everyday Americans, and caused concern that extremely effective and damaging cyberattacks could become commonplace in the future.

In the present, China’s cyber operations have expanded. This escalation is fueled by the desire for more intelligence, particularly from the United States amid rising tensions between the two global superpowers [12]. In fact, Western governments have accused China of hacking into Microsoft Exchange email servers. This hack affected about 250,000 organizations worldwide, allowing Chinese hackers to pilfer through company emails for intelligence. While this hack was not nearly as impactful as the Equifax breach, it highlights China’s renewed focus on gathering massive amounts of intelligence on the United States and other Western nations.

NSA Tailored Access Operations

While many of the world’s top hacking groups operate far from North America, the world’s most powerful group is undoubtedly within American borders. The National Security Agency’s (NSA) Tailored Access Operations group gathers intelligence from foreign targets by hacking into devices, stealing data, and monitoring communications. Additionally, the group develops software that can destroy a foreign target’s computers and networks [13]. The group is responsible for developing malware that targeted Iran’s nuclear program, along with regularly breaching Chinese computer networks to gather intelligence.

The United States’ targeted surveillance capabilities should come as no surprise. After all, the NSA is well-known for its mass surveillance techniques. Tailored Access Operations is relatively similar to other state cyber operations groups: It uses targeted surveillance to gather intelligence, and uses sophisticated malware to attack its targets. Of course, because it’s the NSA, there is the possibility that the group has even more publicly unknown high-tech resources for cyberattacks. While Tailored Access Operations works in the shadows, the strength of the NSA, and the United States in general, make this group the most powerful hackers in the world.

About AXEL

Some of these powerful hacking groups will, unfortunately, continue to wreak havoc in 2022. That’s why data security and user privacy remain as important as ever. At AXEL we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go. AXEL Go uses 256-bit encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. If you’re ready to try the best file sharing app for PC and mobile devices, try two free weeks of AXEL Go here.

[1] Meyer, Josh. “Cozy Bear Explained: What You Need to Know about the Russian Hacks.” NBCNews.com. NBCUniversal News Group, September 15, 2016. https://www.nbcnews.com/storyline/hacking-in-america/cozy-bear-explained-what-you-need-know-about-russian-hacks-n648541

[2] Nakashima, Ellen, and Craig Timberg. “Russian Government Hackers Are behind a Broad Espionage Campaign That Has Compromised U.S. Agencies, Including Treasury and Commerce.” The Washington Post. WP Company, December 14, 2020. https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html

[3] “Bear on Bear.” The Economist. The Economist Newspaper, September 22, 2016. https://www.economist.com/united-states/2016/09/22/bear-on-bear

[4] Turton, William, and Jennifer Jacobs. “Russia ‘Cozy Bear’ Breached GOP as Ransomware Attack Hit.” Bloomberg.com. Bloomberg, July 6, 2021. https://www.bloomberg.com/news/articles/2021-07-06/russian-state-hackers-breached-republican-national-committee

[5] Collier, Kevin, and Diana Dasrath. “Criminal Group That Hacked Law Firm Threatens to Release Trump Documents.” NBCNews.com. NBCUniversal News Group, May 16, 2020. https://www.nbcnews.com/tech/security/criminal-group-hacked-law-firm-threatens-release-trump-documents-n1208366

[6] Vanian, Jonathan. “Everything to Know about Revil, the Group behind Several Devastating Ransomware Attacks.” Fortune. Fortune, July 8, 2021. https://fortune.com/2021/07/07/what-is-revil-ransomware-attack-kaseya/

[7] Abrams, Lawrence. “JBS Paid $11 Million to REvil Ransomware, $22.5m First Demanded.” BleepingComputer. BleepingComputer, June 10, 2021. https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/

[8] Satter, Raphael. “Up to 1,500 Businesses Affected by Ransomware Attack, U.S. Firm’s CEO Says.” Reuters. Thomson Reuters, July 6, 2021. https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/

[9] Bing, Christopher, and Joseph Menn. “Exclusive Governments Turn Tables on Ransomware Gang Revil by Pushing It Offline.” Reuters. Thomson Reuters, October 21, 2021. https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

[10] Zetter, Kim. “Google Hack Attack Was Ultra Sophisticated, New Details Show.” Wired. Conde Nast, January 15, 2010. https://www.wired.com/2010/01/operation-aurora/

[11] Perez, Evan, and Zachary Cohen. “US Charges 4 Members of Chinese Military with Equifax Hack.” CNN. Cable News Network, February 11, 2020. https://www.cnn.com/2020/02/10/politics/equifax-chinese-military-justice-department/index.html

[12] Sabbagh, Dan. “Experts Say China’s Low-Level Cyberwar Is Becoming Severe Threat.” The Guardian. Guardian News and Media, September 23, 2021. https://www.theguardian.com/world/2021/sep/23/experts-china-low-level-cyber-war-severe-threat

[13] Peterson, Andrea. “The NSA Has Its Own Team of Elite Hackers.” The Washington Post. WP Company, August 29, 2013. https://www.washingtonpost.com/news/the-switch/wp/2013/08/29/the-nsa-has-its-own-team-of-elite-hackers/


December 23, 2021

The World’s Top Hacking Groups – Part 1


Ever since the invention of computers, there have been hackers. However, in the early history of computers, “hackers” weren’t seen as shadowy, havoc-wreaking figures, but simply as enthusiasts. These early hackers tinkered with computers, and ended up creating some of the earliest computer programs. But as computers rapidly gained popularity in the 1980s, cybersecurity cracks were starting to show, and skilled individuals took advantage. In 1989, Joseph Popp created the first ransomware device: a floppy disk sent to world health professionals disguised as medical research. When inserted, the disk locked the user’s computer and demanded that the victim mail $189 to a PO Box in Panama [1].

While this early example of hacking is easy to understand, modern hacking and ransomware are far more complicated, not just from a technological standpoint, but from an organizational standpoint as well. Gone are the days of individual, hoodie-clad loners furiously typing on their computers in the dark. Today, the people who carry out the world’s worst hacks are part of hacking groups. After all, hackers are smart, and realize that they can do more damage working together rather than alone. Most of the world’s worst hacks have occurred at the hands of a few hacking organizations, committed to causing chaos around the globe.

These groups have the money and manpower to cause digital devastation on a global scale:

Bureau 121 & Lazarus

North Korea has long been a mysterious, yet aggressive nation, and its state-sponsored hacking group is no exception. Although not much is known about Bureau 121, cybersecurity experts have tied the group to the North Korean government. However, because of the country’s poor infrastructure, experts believe that Bureau 121 plans and executes its operations in Shenyang, China, a city just 100 miles from the North Korean border [2]. The organization mostly targets South Korean businesses, unsurprisingly. One of its biggest attacks was a ransomware attack on South Korea’s Hydro & Nuclear Power Company, resulting in a massive data breach.

While North Korean hackers mostly focus on their South Korean neighbors, they gained worldwide notoriety when Lazarus Group, an affiliate of Bureau 121, attacked Sony Pictures. First, the group leaked thousands of emails between Sony Pictures executives, and leaked unannounced, upcoming films from the studio. More concerningly, the group threatened to commit acts of terrorism at movie theaters unless Sony’s film “The Interview,” a comedy whose plot includes the assassination of Kim Jong-Un, North Korea’s leader, was pulled from theaters [3]. The United States quickly tied the hack to North Korea, but because of the countries’ icy relationship, no arrests have been made.

Syrian Electronic Army

The Syrian Electronic Army (SEA) was formed during the Arab Spring, a series of anti-government protests and uprisings in the Middle East in the early 2010s. It was created to protect controversial Syrian President Bashar al-Assad from Syrian dissidents during the widespread protests [4]. Interestingly, cybersecurity experts are unsure if the group is sponsored by the Syrian government, or is simply a group of pro-Assad hackers [5]. In either case, the SEA is a vehemently pro-Assad organization that has two goals: Punish media organizations that are critical of Assad, and spread Syria’s state-sponsored narrative [4].

One of the SEA’s most famous hacks occurred in 2013, when the group hacked into the Associated Press’ Twitter account and falsely reported that then-President Obama was injured in an explosion at the White House [6]. This single Tweet caused stocks to plummet, highlighting just how much damage can be caused from hackers thousands of miles away. In addition to this notable AP hack, the SEA has hacked Western media organizations, including Facebook, Microsoft, and The New York Times.

Fancy Bear

Although this group may have a cuddly name, its actions are anything but soft. Cybersecurity experts widely believe Fancy Bear to be a Russian-sponsored hacking group responsible for a variety of hacks to advance Russian interests [7]. The group has committed attacks on Germany’s Parliament, French President Emmanuel Macron, and a variety of other Western governments [8]. The group typically uses well-disguised phishing emails to gain access to restricted information.

Fancy Bear used this strategy to pull off its most daring, consequential hack: an attack that leaked thousands of Democratic National Committee (DNC) emails in 2016 [9]. The cyberattack resulted in the public reveal of thousands of DNC emails, many of which were seen as controversial or simply embarrassing. While many countries spy on others during elections, this was one of the first times a foreign country was able to successfully meddle in a United States election. Although it’s impossible to determine if the 2016 Presidential election would have been different if Fancy Bear didn’t commit the attack, this hack showed how valuable, and devastating, cyberattacks can be before elections.

Anonymous

Perhaps the most famous hacking organization in the world, Anonymous is unlike any other group. Anonymous is decentralized, with no leader or physical hub. While this may sound like a disadvantage, this structure ensures that the group can continue its activities even if members drop out or are apprehended. Anonymous is a “hacktivist” group, and does not have specific goals or enemies. However, Anonymous certainly has a broad aspiration to promote freedom of speech and diminish government control [10].

Anonymous gained notoriety during its 2008 cyberattacks on the Church of Scientology, when the group managed to shut down the Church’s website. Following this attack, the organization gained popularity around the world, expanding the group’s hacking capabilities (and potential targets). The group targeted Tunisia’s government during the Arab Spring protests, Visa and MasterCard for declining to do business with WikiLeaks, and Bank of America for its shady mortgage practices [11].

Since 2008, Anonymous has continued to attack governments and organizations that violate the group’s core beliefs. However, the long-term impact of these attacks is often negligible. Anonymous’s main strategy is the distributed denial of service (DDoS) attack. While DDoS attacks are successful in shutting down websites and gaining notoriety, once the website is back up, there are few long-term effects of Anonymous’s involvement. So although Anonymous is one of the most notorious hacking collectives in the world, more organized groups are able to cause greater long-term effects with their cyberattacks.

About AXEL

Hacking groups aren’t going away any time soon. That’s why data security and user privacy remain as important as ever. At AXEL we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go. AXEL Go uses 256-bit encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. If you’re ready to try the best file sharing app for PC and mobile devices, try two free weeks of AXEL Go here.

[1] Kelly, Samantha Murphy. “The Bizarre Story of the Inventor of Ransomware.” CNN. Cable News Network, May 16, 2021. https://www.cnn.com/2021/05/16/tech/ransomware-joseph-popp/index.html

[2] Lee, Dave. “Bureau 121: How Good Are Kim Jong-Un’s Elite Hackers?” BBC News. BBC, May 29, 2015. https://www.bbc.com/news/technology-32925503

[3] VanDerWerff, Emily, and Timothy Lee. “The 2014 Sony Hacks, Explained.” Vox. Vox, January 20, 2015. https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea

[4] Harding, Luke, and Charles Arthur. “Syrian Electronic Army: Assad’s Cyber Warriors.” The Guardian. Guardian News and Media, April 30, 2013. https://www.theguardian.com/technology/2013/apr/29/hacking-guardian-syria-background

[5] Perlroth, Nicole. “Hunting for Syrian Hackers’ Chain of Command.” The New York Times. The New York Times, May 17, 2013. https://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html?pagewanted=all&_r=0

[6] Moore, Heidi, and Dan Roberts. “AP Twitter Hack Causes Panic on Wall Street and Sends Dow Plunging.” The Guardian. Guardian News and Media, April 23, 2013. https://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall

[7] O’Flaherty, Kate. “Midterm Election Hacking — Who Is Fancy Bear?” Forbes. Forbes Magazine, August 23, 2018. https://www.forbes.com/sites/kateoflahertyuk/2018/08/23/midterm-election-hacking-who-is-fancy-bear/?sh=5bccc7aa2325

[8] Hern, Alex. “Macron Hackers Linked to Russian-Affiliated Group behind US Attack.” The Guardian. Guardian News and Media, May 8, 2017. https://www.theguardian.com/world/2017/may/08/macron-hackers-linked-to-russian-affiliated-group-behind-us-attack

[9] Frenkel, Sheera. “Meet Fancy Bear, the Russian Group Hacking the US Election.” BuzzFeed News. BuzzFeed News, October 15, 2016. https://www.buzzfeednews.com/article/sheerafrenkel/meet-fancy-bear-the-russian-group-hacking-the-us-election

[10] Sands, Geneva. “What to Know About the Worldwide Hacker Group ‘Anonymous.’” ABC News. ABC News Network, March 19, 2016. https://abcnews.go.com/US/worldwide-hacker-group-anonymous/story?id=37761302

[11] “The 10 Craziest Hacks Done by Anonymous.” Complex. Complex, May 31, 2020. https://www.complex.com/pop-culture/2011/08/the-10-craziest-anonymous-hacks/


December 17, 2021

2021 Cybersecurity Year in Review

Throughout 2021, cybersecurity incidents have grabbed headlines across the world. Although the topic may not have been at the forefront of most people’s minds in 2021, cybersecurity has greatly affected everyone’s life in some way. From vicious cyberattacks to genuine progress on user privacy, cybersecurity has undoubtedly had a long, eventful year. And although exciting progress has been made in some areas of cybersecurity, cybercrime and other online attacks will, unfortunately, continue into 2022 and beyond.

2021 has been a long year for many, particularly for cybersecurity experts. Here are all the ways cybersecurity has changed for the better (and worse) throughout the past year.

COVID Phishing

Near the beginning of 2021, COVID-19 vaccinations became readily available to people in the United States. While this helped minimize the negative effects of the pandemic, it also offered a new opportunity for scammers. As businesses and governments began to mandate COVID vaccinations, cybercriminals responded by creating phishing emails that disguised themselves as genuine business emails [1]. From fake vaccine-record upload sites to emails from phony public health organizations, scammers used the uncertainty and anxiety of COVID to make a quick buck off of unsuspecting people.

Unfortunately, phishing emails aren’t the only trick cybercriminals are using. COVID scams are coming from all angles, including texts, social media posts, and robocalls. In fact, the Federal Trade Commission (FTC) has logged over 600,000 complaints in 2021 regarding COVID-related scams. In all, these scams have cost consumers over USD $600 million [2]. And with COVID remaining in the public spotlight into 2022, these scams are likely to continue. With this in mind, it’s important to brush up on cybersecurity tips. Check out AXEL’s blog, The History of Internet Spam, to learn how to protect yourself from phishing emails, social media spam, and more.

Colonial Pipeline Attack

In May, the Colonial Pipeline, which carries gasoline and other refined fuels to much of the Southeastern United States, was struck by a ransomware attack. Notably, the cybercriminals hit the company’s business IT network, including its billing system, rather than the operational systems that control the pipeline itself [3]. Colonial nevertheless shut the pipeline down on its own, in part because it could not have billed customers for fuel while the ransomware was active and in part to contain the threat before it spread toward operational systems. Soon after the sheer scale of the disruption was realized, Colonial Pipeline paid the nearly USD $5 million ransom.

While Colonial Pipeline quickly paid the ransom, the negative consequences of the attack were felt by consumers for weeks. States from New Jersey to Texas faced severe gas shortages, causing price jumps and panic buying [4]. In all, the Colonial Pipeline attack affected millions of consumers, and caused a severe breach of trust in Colonial Pipeline. Undoubtedly, 2021’s most memorable cyberattack was a doozy.

Ransomware is Evolving

When thinking of ransomware, many people picture a single offender, causing digital chaos while hunkered in a dark basement. However, this stereotype of modern cybercriminals is far from the truth. In 2021, ransomware groups are practically businesses, regularly recruiting new hackers to join criminal enterprises. Nowadays, just a handful of organizations are the perpetrators of most ransomware attacks [5]. And these shady organizations have ransomware down to a science.

Some ransomware organizations even run customer service help desks to walk victims through paying the ransom and receiving the decryption key. They can afford to because ransom demands have skyrocketed: the average ransom payment was over USD $310,000 last year [5]. And because recovery without clean, offline backups is slow at best and impossible at worst, businesses and firms often feel forced to pay the extraordinary cost, even though a payment buys no guarantee that the decryptor works or that stolen data is deleted. In 2021, cyberattacks aren’t just individuals wreaking havoc; they’re carried out by well-funded, well-organized criminal syndicates. That’s why it’s vital to stay up to date on the latest strategies to protect yourself, your business, or your firm, starting with tested, offline backups.

Crackdowns on Russian Cybercrime

One of the most notorious ransomware organizations is REvil, a Russian-based cybercrime syndicate responsible for many of the most expensive ransomware attacks. REvil had a successful first half of 2021, attacking JBS Foods and extracting USD $11 million from the meat-processing giant [6]. However, following this attack, REvil finally began to face crackdowns from law enforcement.

Later in the year, the FBI and partner agencies compromised REvil’s servers, and the FBI obtained a universal decryption key for the gang’s victims. Even worse for the group, law enforcement remained hidden after gaining access, so when REvil’s operators restored their infrastructure from backups they were restoring systems that were already under surveillance, giving investigators more time to prowl around the servers of the shadowy criminal enterprise [7]. With this information, the United States Department of Justice coordinated charges against two alleged REvil members, including one arrest, along with retrieving USD $6 million in cryptocurrency from the group [8]. This action greatly impaired REvil’s work, highlighting the strategies law enforcement can take in the future to shut down similar criminal organizations.

The Rise of Multi-Factor Authentication

Whenever you log in to Google, Facebook, or nearly any other secure website, a password simply isn’t enough anymore. Multi-Factor Authentication (MFA) has become the norm among most sites, requiring a second proof of identity before you can log in: a code sent by text message, a code generated by an authenticator app, or a tap on a hardware security key. (Security questions do not count; they are just another password, and often a guessable one.) While this can be a headache for some users, it undoubtedly prevents countless account takeovers each year, because a leaked or reused password alone no longer opens the door. Text-message codes are the weakest of the options, since attackers can hijack a phone number, so prefer an app or a security key where a site offers one. After all, passwords just aren’t the same as they used to be.

In fact, Microsoft now allows users to drop the password from their Microsoft account entirely. Instead, the account is secured by a mixture of authenticators including the Microsoft Authenticator app, Windows Hello, a physical security key, or a verification code sent by SMS or email [9]. While the traditional password is unlikely to go away soon, the pivot to MFA highlights the extra security measures that companies are taking to protect users (and themselves). MFA is one of the cheapest, easiest, and quickest ways to protect user accounts, and its widespread adoption is a positive step toward a more secure digital future.

What to Expect in 2022

While there have been both positive and negative developments for cybersecurity in 2021, the problems that have plagued individuals and businesses are likely to continue into 2022. Ransomware isn’t going away any time soon, even with the crackdown on REvil. Phishing emails will remain, and will simply take advantage of other current events to harm individuals. Finally, MFA will remain widespread, and will hopefully lead businesses to take even more precautions against cybercrime. In 2022, cybersecurity will remain a vital issue for businesses and individuals alike. However, if appropriate precautions are taken by all, we can make 2022 a disastrous year for cybercriminals.

About AXEL

In today’s chaotic Digital Age, hacks, data breaches and ransomware attacks are an everyday occurrence. That’s why data security and user privacy remain as important as ever. At AXEL we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go. AXEL Go uses 256-bit encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. If you’re ready to try the best file sharing app for PC and mobile devices, try two free weeks of AXEL Go here.

[1] Hunter, Tatum. “That Email Asking for Proof of Vaccination Might Be a Phishing Scam.” The Washington Post. WP Company, September 24, 2021. https://www.washingtonpost.com/technology/2021/08/24/covid-vaccine-proof-scam-email/

[2] Waggoner, John, and Andy Markowitz. “Coronavirus Scams – Beware Fake Claims, Phony Websites.” AARP, December 6, 2021. https://www.aarp.org/money/scams-fraud/info-2020/coronavirus.html

[3] Bertrand, Natasha, Evan Perez, Zachary Cohen, Geneva Sands, and Josh Campbell. “Colonial Pipeline Did Pay Ransom to Hackers, Sources Now Say.” CNN. Cable News Network, May 13, 2021. https://edition.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html

[4] Bair, Jeffrey, and Javier Blas. “Petrol Shortages Sweep Us as Colonial Pipeline Remains Down.” Oil and Gas News | Al Jazeera. Al Jazeera, May 11, 2021. https://www.aljazeera.com/economy/2021/5/11/petrol-shortages-sweep-us-as-colonial-pipeline-remains-down

[5] Bajak, Frank. “Ransomware, Explained: How the Gangs That Shut down Colonial Pipeline, JBS USA Operate.” USA Today. Gannett Satellite Information Network, June 3, 2021. https://www.usatoday.com/story/tech/2021/06/03/how-does-ransomware-work-colonial-pipeline-jbs-usa-attacks-explainer/7520704002/

[6] Montalbano, Elizabeth. “JBS Paid $11m to Revil Gang Even after Restoring Operations.” Threatpost English, June 10, 2021. https://threatpost.com/jbs-paid-11m/166767/

[7] De Chant, Tim. “FBI, Others Crush Revil Using Ransomware Gang’s Favorite Tactic against It.” Ars Technica, October 22, 2021. https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/

[8] “Revil: Day of Reckoning for Notorious Cyber Gang.” BBC News. BBC, November 8, 2021. https://www.bbc.com/news/technology-59215167

[9] Warren, Tom. “Microsoft Accounts Can Now Go Fully Passwordless.” The Verge. The Verge, September 15, 2021. https://www.theverge.com/2021/9/15/22675175/microsoft-account-passwordless-no-password-security-feature

Filed Under: Business, Cybersecurity, Tech Tagged With: business, coronavirus, cybersecurity, data privacy, hackers, ransomware, REvil, russian hackers

January 15, 2021

The SolarWinds Beneath Hackers’ Wings

On December 13th, 2020, cybersecurity firm FireEye disclosed news of one of the most comprehensive cyber-espionage campaigns ever carried out against the United States and other global victims[1]. Since then, a significant amount of information has become public. Here, we summarize the attack, a few notable victims, and look into which hacking group could be responsible.

The infiltration

The attack was a software supply-chain compromise of the Orion Platform from the company SolarWinds. The attackers did not exploit a vulnerability in Orion; they tampered with SolarWinds’ own build process so that a backdoor shipped inside legitimate, digitally signed Orion updates, which customers installed as a matter of routine. The Orion Platform is an enterprise monitoring program that can manage and analyze information from traditionally separate IT domains, such as infrastructure, networking, and virtualization. Because such a tool needs privileged access to everything it monitors, a backdoor in it is a backdoor into the whole network.

SUNSPOT

First, the hackers gained access to the SolarWinds Orion build environment. This means they could inject malicious code into the program during compilation, before the company sent it to customers in the form of regular, signed updates. It also meant they had to be sophisticated enough to conceal their tracks so that developers didn’t notice anything out of the ordinary in their source repository or build logs.

The malicious agents used a purpose-built implant called SUNSPOT to plant a backdoor in the Orion software[2]. Implanting it required detailed knowledge of both the Orion code base and the Windows build servers that compiled it. SUNSPOT works by monitoring running processes on the build server for an MsBuild.exe instance compiling the Orion solution. When it finds one, it swaps a single Orion source file for a copy containing the backdoor code (codename SUNBURST), lets the compiler run, and then restores the original file, so the repository itself never shows a change and the resulting binary still carries SolarWinds’ valid code signature.
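The practical lesson of SUNSPOT is that a compiler trusts whatever bytes it is handed. The following is an added example, not code from the original post, SolarWinds, or CrowdStrike: it pins the build’s source inputs to a manifest of hashes taken from the trusted checkout and re-checks every file against that manifest using the bytes the build step actually reads, so a file swapped in immediately before compilation is refused. The stand-in “compiler” simply concatenates the sources; the file names and contents are constructed (InventoryManager.cs echoes the source file CrowdStrike reported SUNSPOT replaced).

```python
"""Pin build inputs to a trusted manifest.

Added example; not SolarWinds or CrowdStrike code. A source file swapped in
right before compilation, as SUNSPOT did, fails the check. File names and
contents are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

SOURCE_GLOB = "*.cs"   # Orion is a .NET product; the extension is illustrative


class BuildInputTampered(Exception):
    """Raised when the bytes handed to the compiler differ from the manifest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every source file while the tree is in a trusted state
    (e.g., straight out of a fresh, verified VCS checkout)."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob(SOURCE_GLOB))}


def compile_pinned(root: Path, manifest: Dict[str, str]) -> bytes:
    """Stand-in compile step. It hashes the exact bytes it consumes (not a
    separate re-read, which would leave a time-of-check/time-of-use gap),
    refuses any mismatch, and also refuses sources the manifest never listed."""
    present = {p.relative_to(root).as_posix() for p in root.rglob(SOURCE_GLOB)}
    extra = present - set(manifest)
    if extra:
        raise BuildInputTampered(f"unmanifested sources: {sorted(extra)}")
    output = bytearray()
    for rel, expected in manifest.items():
        try:
            data = (root / rel).read_bytes()
        except FileNotFoundError:
            raise BuildInputTampered(f"{rel}: missing from build tree") from None
        actual = sha256_hex(data)
        if actual != expected:
            raise BuildInputTampered(f"{rel}: expected {expected[:12]}, got {actual[:12]}")
        output += data          # the "compiler" just concatenates sources
    return bytes(output)


def demo() -> Tuple[bool, bool]:
    """Run a clean build, then a SUNSPOT-style swap.
    Returns (clean_build_succeeded, tampered_build_detected)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "InventoryManager.cs").write_text("class InventoryManager { }\n")
        (root / "Program.cs").write_text("class Program { }\n")
        manifest = build_manifest(root)          # taken from the trusted tree
        clean_ok = len(compile_pinned(root, manifest)) > 0
        # Attacker swaps a backdoored copy in just before the compiler runs.
        (root / "InventoryManager.cs").write_text(
            "class InventoryManager { /* backdoor goes here */ }\n")
        try:
            compile_pinned(root, manifest)
            detected = False
        except BuildInputTampered:
            detected = True
        return clean_ok, detected


if __name__ == "__main__":
    print("clean build ok, tampering detected:", demo())
```

The check only helps if the manifest is produced and verified somewhere the attacker does not control: SUNSPOT ran on the build server itself, so a verifier living on that same host could be tampered with too. In practice that means reproducible builds or a separate attestation step that compares the shipped artifact against an independent build of the same commit, which is exactly what a valid code signature alone could not do here.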

SUNBURST

After installation, the SUNBURST backdoor lies dormant for up to about two weeks[3], a delay that helps it slip past sandboxes and short test runs. Disguised as a legitimate Orion plugin, the trojan then contacts an attacker-controlled server, retrieves commands, and executes them. These commands give the operators essentially complete control of the host computer. Now the group can:

  • Transfer files. Allows the hackers to retrieve files from the host computer as well as send more infected payloads.
  • Execute files. Allows hackers to install more malware onto the compromised systems.
  • Profile the system. Searches for more vulnerabilities and maps the network’s layout.
  • Reboot the machine. Hackers can reboot systems after malware installations.
  • Disable system services. This makes it easier to conceal activities since monitoring programs and antivirus software can be shut down.

Analysts continue to find new malware installed by the SolarWinds hackers as they spend more time studying the breach.
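Because SUNBURST’s first contact with its operators went over DNS, resolver logs are where the beacon shows up. FireEye’s report [1] names the first-stage C2 domain, avsvmcloud[.]com, and Bleeping Computer’s victim list [10] was produced by decoding the long, victim-specific subdomains queried under it. Here is an added example in Python, not code from the original post or from any of the firms cited, that scans DNS query logs for queries under that domain and, more generically, for long high-entropy leftmost labels of the kind a domain-generation algorithm produces. The log lines, their format (timestamp, client IP, queried name) and the entropy thresholds are all constructed for the example.

```python
"""Hunt SUNBURST-style DNS beacons in resolver logs.

Added example, not from the original post, FireEye, or Bleeping Computer.
The log format and the thresholds are assumptions; the sample log is
constructed."""
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# First-stage C2 domain documented in FireEye's public report [1].
KNOWN_C2_SUFFIX = "avsvmcloud.com"
# Generic DGA heuristics for the leftmost label (assumed; tune per environment).
MIN_LABEL_LEN = 15
MIN_ENTROPY = 3.5

# Constructed resolver log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2020-12-01T10:02:11Z 10.1.4.22 api.example.com
2020-12-01T10:02:13Z 10.1.4.22 x4k9q2mz7tlp0ce3hbnv.appsync-api.us-west-2.avsvmcloud.com
2020-12-01T10:02:20Z 10.1.5.9 mail.example.org
2020-12-01T10:03:41Z 10.1.4.22 ptw8g5dq2ha7jr0xnv3k.appsync-api.eu-west-1.avsvmcloud.com
2020-12-01T10:04:02Z 10.1.7.3 h3k9zq2mx7pvw4tb8nlc.cdn-telemetry.example.net
2020-12-01T10:05:00Z 10.1.7.3 www.wikipedia.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qname: str) -> Optional[str]:
    """'known-c2' for the documented domain, 'dga-like' for a long random
    leftmost label under any other domain, None otherwise."""
    name = qname.lower().rstrip(".")
    if name == KNOWN_C2_SUFFIX or name.endswith("." + KNOWN_C2_SUFFIX):
        return "known-c2"
    first = name.split(".")[0]
    if len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY:
        return "dga-like"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, verdict) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines rather than abort the hunt
        ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, qname, verdict))
    return hits


def beaconing_clients(hits: List[Tuple[str, str, str, str]]) -> List[str]:
    """Hosts that resolved the known C2 domain: the Orion servers to isolate and image first."""
    return sorted({client for _, client, _, verdict in hits if verdict == "known-c2"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, client, qname, verdict in found:
        print(f"{verdict:9} {client:12} {qname}")
    print("beaconing hosts:", beaconing_clients(found))
```

Two caveats a practitioner should keep in mind. The dormancy period means a compromised host may query the domain only once in a fortnight, so the hunt has to run over weeks of retained logs, not today’s. And the entropy heuristic will flag legitimate CDN and telemetry hostnames too; it is a triage filter to shorten the list, not a verdict on its own.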

The compromised

SolarWinds had over 300,000 customers, including 425 of the FORTUNE 500 and all five branches of the United States military[4]. While it’s unlikely the hackers actively infiltrated every organization using the software, the company believes that fewer than 18,000 customers running its Orion Platform installed the trojanized update. Full breaches did occur at many high-profile targets. Here is an abbreviated list of victims:

Microsoft

As we’ve seen, the hackers had a deep understanding of Microsoft’s products. In fact, Microsoft representatives had to admit that the malicious agents viewed some of the company’s proprietary source code[5]. Although Microsoft says the intruders could not alter any of the code, even viewing it is a significant incident. Large tech corporations such as Microsoft keep their source code under serious security. Their intellectual property is the lifeblood of their businesses, so it goes to show how deep the hackers were in their systems.

FireEye

FireEye is one of the largest, most-respected cybersecurity firms in the world. They initially found the attack, but only because the company itself fell victim. The hackers accessed FireEye’s internal systems and stole its red team tools, the offensive tooling the firm uses to test customers’ defenses, but the company insists no customer data was compromised[6]. Regardless, it’s notable that an organization whose entire business is protecting others from hackers got hacked.

Administrative Office of the U.S. Courts

Federal agencies seem to have been the main targets of the perpetrators behind the hack. The Administrative Office of the U.S. Courts has publicly confirmed being affected by the incident[7]. This is troubling because officials say the threat actors compromised the electronic document filing system used by the Federal Judiciary. So, highly sensitive federal court documents may have been accessible to hackers since the spring of 2020!

Department of Energy

A representative for the department confirmed that the SolarWinds malware infected systems within the Department of Energy and the National Nuclear Security Administration. Now that sounds serious! Fortunately, it does not appear that the hackers accessed networks pertaining to national security. On December 18th, DOE spokesperson Shaylyn Hynes said, “At this point, the investigation has found that the malware has been isolated to business networks only”[8], and there have not been any updates since.

Department of Justice

The U.S. DOJ didn’t get off as easily as others. Here, the hackers moved through their network and accessed the email accounts of thousands of employees[9]. According to a DOJ spokesman, it “only” amounted to approximately 3% of the workforce, and the culprits did not breach any classified information. However, that still means over 3,000 people had their accounts infiltrated.

These are only 5 of the more than 250 organizations that Bleeping Computer identified by decoding the victim fingerprints in SUNBURST’s DNS beacons[10]. There are hundreds more, including the United States Treasury, the Department of Homeland Security, the United States Department of State, the National Institutes of Health, Cisco, VMware, Intel, and so on. It is undoubtedly one of the most comprehensive and dangerous hacks ever known.

The perpetrators

Immediately after FireEye disclosed the attack to the public, Reuters reported that state-sponsored Russian hackers were thought to be behind it[11]. On December 14th, one day after the initial disclosure, the Washington Post went as far as to attribute it specifically to the Russian advanced persistent threat (APT) group known as Cozy Bear (APT29)[12]. Typically, the digital forensics necessary to pinpoint attribution of an attack take weeks or months, and many times it is never certain. Dedicated cybersecurity firms such as FireEye had not given direct attribution, showing the gulf of technical knowledge between the mainstream media and those with more experience. Given the geopolitical implications (U.S. politicians immediately began saber-rattling and calling the intrusion an “act of war”[13]), news outlets should wait for more facts to come out before running with the most inflammatory stories possible.

The evidence

So, what are the facts? At the moment, they’re pretty scarce. A joint statement by the FBI, CISA, NSA, and the Office of the Director of National Intelligence says that an APT actor “likely Russian in origin” is to blame for the massive attack[14]. President Trump, by contrast, has suggested China[15]. Neither offers much evidence to back the claim.

The only evidence made public tying any specific group to the incident was recently published by the cybersecurity firm Kaspersky. Their researchers found code overlap between SUNBURST and the malware Kazuar[16]. The Russian-speaking hacker group Turla (note: NOT Cozy Bear) uses Kazuar. Kaspersky stops short of assigning any degree of certainty to the link, however. There are other potential explanations for the similarities.

The alternative explanations

The SolarWinds hackers may have purchased the Kazuar malware tools. Or, more insidiously, the perps could have purposefully inserted code to make it appear as if it were a Russian operation to conceal its true origin. That may seem too much like a Hollywood movie, but consider the tremendous technical lengths to which the hackers went to stay hidden. Adding another layer of covertness isn’t so far-fetched.

And, there is recent precedent for such tactics. In 2018, the threat actors behind the PyeongChang Olympics attack planted “false flags” within their code to obfuscate the source[17]. The Turla group itself employed deceitful methods in 2019 to pin their activities on Iran[18]. So, if Turla is capable of this, and the SolarWinds attack itself was so sophisticated and obscured, why would they leave such a calling card in their code?

This is not to claim that this attack is definitely not of Russian origin. Indeed, they have the motive and the capabilities. But, we should acknowledge that it is very uncertain at the moment. Kaspersky, FireEye, Crowdstrike, and others have gone out of their way not to blame any particular threat actor with any confidence. The mainstream media should follow suit. Let the forensic investigations continue and see where the evidence leads. At the moment, it points toward Russia, but not conclusively.

Data protection

If enormous breaches like this teach us anything, it’s that your data needs to be protected. Secure your data at rest and in motion with AXEL Go. AXEL Go is a file-sharing and storage platform that offers industry-leading security features. Utilizing technology such as blockchain, the InterPlanetary File System (IPFS), and AES 256 encryption, you can keep your sensitive documents safe from any would-be data thieves.

Sign up for our Basic, full-featured AXEL Go account and receive 2GB of free online storage and plenty of AXEL Tokens to fuel thousands of typical shares. You don’t have to live in fear of when the next breach will happen. You can secure your files with AXEL Go.

 

[1] “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, FireEye, Dec. 13, 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] CrowdStrike Intelligence Team, “SUNSPOT: An Implant in the Build Process”, CrowdStrike, Jan. 11, 2021, https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

[3] “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, FireEye, Dec. 13, 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[4] Gopal Ratnam, “SolarWinds Hack Recovery May Cost Upward of $100B”, Government Technology, Jan. 12, 2021, https://www.govtech.com/security/SolarWinds-Hack-Recovery-May-Cost-Upward-of-100B.html

[5] Maggie Miller, “Microsoft says hackers viewed source code as part of SolarWinds attack”, MSN, Dec. 31, 2020, https://www.msn.com/en-us/news/politics/microsoft-says-hackers-viewed-source-code-as-part-of-solarwinds-attack/ar-BB1co3VF

[6] Mike Lennon, “FireEye Says ‘Sophisticated’ Hacker Stole Red Team Tools”, Security Week, Dec. 8, 2020, https://www.securityweek.com/fireeye-says-sophisticated-hacker-stole-red-team-tools

[7] Dustin Volz, Robert McMillan, “Federal Judiciary’s Systems Likely Breached in SolarWinds Hack”, The Wall Street Journal, Jan. 7, 2021, https://www.wsj.com/articles/federal-judiciarys-systems-likely-breached-in-solarwinds-hack-11610040175

[8] “DOE Update on Cyber Incident Related to Solar Winds Compromise”, Energy.gov, Dec. 18, 2020, https://www.energy.gov/articles/doe-update-cyber-incident-related-solar-winds-compromise

[9] Catalin Cimpanu, “SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server”, ZDNet, Jan. 6, 2021, https://www.zdnet.com/article/solarwinds-fallout-doj-says-hackers-accessed-its-microsoft-o365-email-server/

[10] Sergiu Gatlan, “SolarWinds victims revealed after cracking the Sunburst malware DGA”, Bleeping Computer, Dec. 22, 2020, https://www.bleepingcomputer.com/news/security/solarwinds-victims-revealed-after-cracking-the-sunburst-malware-dga/

[11] Raphael Satter, “IT company SolarWinds says it may have been hit in ‘highly sophisticated’ hack”, Reuters, Dec. 13, 2020, https://www.reuters.com/article/us-usa-solarwinds-cyber/it-company-solarwinds-says-it-may-have-been-hit-in-highly-sophisticated-hack-idUSKBN28N0Y7

[12] Ellen Nakashima, Craig Timberg, “Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce”, The Washington Post, Dec. 14, 2020, https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html

[13] Maggie Miller, “Lawmakers ask whether massive hack amounted to act of war”, The Hill, Dec. 18, 2020, https://thehill.com/policy/cybersecurity/530784-lawmakers-ask-whether-massive-hack-amounted-to-act-of-war

[14] “JOINT STATEMENT BY THE FEDERAL BUREAU OF INVESTIGATION (FBI), THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (CISA), THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE (ODNI), AND THE NATIONAL SECURITY AGENCY (NSA)”, CISA.gov, Jan. 5, 2021, https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

[15] Justin Sink, “Faced with massive suspected Russian cyber-attack on the U.S. government, Trump blames China”, Fortune, Dec. 21, 2020, https://fortune.com/2020/12/21/faced-with-massive-suspected-russian-cyber-attack-on-the-u-s-government-trump-blames-china/

[16] Tara Seals, “SolarWinds Hack Potentially Linked to Turla APT”, threat post, Jan. 11, 2021, https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/

[17] Tom Spring, “Olympic Destroyer: A False Flag Confusion Bomb”, threat post, March 8, 2018, https://threatpost.com/olympic-destroyer-a-false-flag-confusion-bomb/130262/

[18] Oscar Williams, “Russia’s Turla hackers used Iranian cyber weapons to “mask identity”, says NCSC”, NS Tech, Oct. 21, 2019, https://tech.newstatesman.com/security/russia-turla-iran-ncsc


Filed Under: Cybersecurity Tagged With: cozy bear, hackers, orion, russian hackers, solarWinds, turla

November 27, 2020

Ransomware is Big Business for REvil Hacker Group

REvil, or Sodinokibi, is one of the most notorious hacker gangs in the world. Known for their ransomware attacks, the group claims it will make $100 million by the end of the year[1]. Here is a brief overview of the Russian hackers and their illicit accomplishments.

A sordid history

For all of their high-profile attacks, concrete information about the group remains elusive to the public. Analysts place them in Russia or a neighboring former Soviet state, partly on the basis of technical tradecraft and partly because their malware checks the system language and keyboard layout and refuses to run on machines in former Soviet-bloc countries, a courtesy that keeps the gang out of trouble with its home government.

An offshoot

Cybersecurity analysts believe that malicious developers from a previous group called GandCrab make up REvil[2]. GandCrab was a prolific gang that claimed to have collected an estimated $2 billion in ransoms in an 18-month period between 2018 and 2019. REvil popped up almost immediately after GandCrab ceased activity in 2019, and the two malware families share much of the same code.

The gang also employs a Ransomware-as-a-Service (RaaS) model to supplement their revenue. Those interested in a more in-depth breakdown of ransomware can read our recent blog post about the topic.

RaaS is interesting because the gang itself doesn’t have to focus constantly on finding new victims. REvil simply licenses out their malware to vetted affiliates, who do the dirty work of searching for and breaching vulnerable networks. REvil then takes a healthy 20-30% cut of the affiliates’ payments. How’s that for a business model!

High-profile attacks

Texas local governments. In a concerted attack in August 2019, REvil infected 23 local Texas government agencies and demanded a $2.5 million collective ransom[3]. The malware brought down the systems and websites of these agencies. Luckily, the victims were well-prepared in this case. Teams of cybersecurity experts restored the systems via backups or full rebuilds. They did not cooperate with REvil, and their sites are now back online.

Travelex: On New Year’s Eve in 2019, REvil infiltrated Travelex’s network. Travelex is a foreign currency exchange company known for its kiosks in airports around the world. Unfortunately for them, they weren’t very vigilant when it came to cybersecurity. Their internet-facing Pulse Secure VPN servers had gone unpatched for months after a fix for a critical, publicly exploited flaw was available, even after outside researchers warned them. This allowed REvil to breach their network and deploy ransomware easily.

It spread so fast that it took down their entire operation. Instead of coming clean about the hacking incident, Travelex claimed it was “planned maintenance” and quietly paid a $2.3 million ransom to the notorious gang. Once this information leaked (as it usually does), the company was in real hot water. Not only had their lax security policies led to a data breach and loss of service, but they lied about it. It evidently affected consumers’ trust, as the company did not recover from the situation. After a failed attempt to sell, Travelex fell into administration, cut over 1300 jobs, and is currently undergoing significant corporate restructuring[4].

Grubman Shire Meiselas & Sacks: In May of 2020, REvil stole over 750 gigabytes of confidential legal documents from the Grubman Shire Meiselas & Sacks law firm[5]. The practice is famous for representing celebrities and other high-profile clients. REvil gained access to records pertaining to people such as Madonna, Lady Gaga, Drake, Elton John, and United States President Donald Trump. At first, the ransom was an already-obscene $21 million but ballooned to $42 million after they figured out they had Trump’s information.

Upon the FBI’s guidance, the firm allegedly refused to pay the ransom, causing REvil to auction the information on the Dark Web to the highest bidder.

According to a recent interview with an apparent member of the gang, this may not be the entire story. The hacker claims a secret identity paid the ransom to prevent the Trump documents from leaking[6]. This cannot be confirmed but adds another layer of intrigue to the incident.

Televangelist Kenneth Copeland. Wealthy televangelist pastor Kenneth Copeland suffered a REvil attack recently as well. The hackers encrypted and stole 1.2 terabytes of information from the Kenneth Copeland Ministries’ computer systems. The data includes email databases, bank documents, financial contracts, and more. The actual ransom demand amount isn’t known at the moment, but with an estimated net worth of over $750 million, the famous Pastor can likely afford it. If unpaid, he’ll need to take some time off from banishing evil from the world, to focus on banishing REvil from his network.

Desperate or enterprising?

REvil uses a double-extortion method to extract ransom payments from its victims. This means that they encrypt the breached data so that the victim must either pay to unlock it or restore it from a backup (which they may or may not have). Concurrently, they steal and transfer the information back to their own storage and threaten to sell it on the Dark Web. This means even if the company, agency, or individual has a backup, they still might elect to pay up to stop the data from leaking. It’s a lucrative model, but evidently not lucrative enough.

According to the interview mentioned above, the gang may add another wrinkle. They are now considering flooding a victim’s website with bot traffic, a distributed denial-of-service (DDoS) attack, to bring it down while also employing the double-extortion methods. This cripples the victim’s ability to function and puts more pressure on them to remedy the situation quickly.

Some analysts wonder if this is a sign that the gang is in desperate need of more money. However, it could just be good, old-fashioned greed. Only time will tell. What is certain is that REvil shows no sign of stopping their practices soon, and even if it does shutter eventually, a new gang will form out of the ashes to continue their dubious legacy.

Data security

AXEL is a company dedicated to data security solutions. Our file sharing and storage cloud, AXEL Go, utilizes three ultra-secure technologies (Blockchain, IPFS, encryption) to keep private documents safe. We offer a fully-featured, free Basic plan with 2GB of online storage, as well as paid plans for power users and enterprise clients. Don’t just sit back and wait for hacker gangs like REvil to set their sights on you; protect yourself with AXEL Go. Download it today and try it out for Windows, Mac, Android, or iOS.

 

[1] Tara Seals,”REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/

[2] Jai Vijayan, “GandCrab Developers Behind Destructive REvil Ransomware”, Dark Reading, Sept. 25, 2019,https://www.darkreading.com/attacks-breaches/gandcrab-developers-behind-destructive-revil-ransomware/d/d-id/1335919

[3] “Texas government organisations hit by ransomware attack”, BBC News, Aug. 2019, https://www.bbc.com/news/technology-49393479

[4] Kalyeena Makortoff, “Travelex falls into administration, with loss of 1,300 jobs”, The Guardian, Aug. 6, 2020, https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-shedding-1300-jobs

[5] Lindsey O’Donnell, “REvil Ransomware Attack Hits A-List Celeb Law Firm”, threatpost, May 12, 2020, https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/

[6] Tara Seals,”REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/


Filed Under: Cybersecurity Tagged With: cybersecurity, data breach, hacker, REvil, russian hackers

© Copyright 2024 Axel ®. All Rights Reserved.