British snoops at GCHQ knew FBI was going to arrest Marcus Hutchins

WannaCry killer had been working with the spy agency


Secretive electronic spy agency GCHQ was aware that accused malware author Marcus Hutchins, aka MalwareTechBlog, was due to be arrested by US authorities when he travelled to the United States for the DEF CON hacker conference, according to reports.

The Sunday Times – the newspaper where the Brit government of the day usually floats potentially contentious ideas – reported that GCHQ was aware that Hutchins was under surveillance by the American FBI before he set off from his home in the UK to Las Vegas.

Hutchins, 23, was arrested on August 2 as he boarded his flight home. He had previously been known to the public as the man who stopped the WannaCry ransomware outbreak.

Government sources told The Sunday Times that Hutchins' arrest in the US had freed the British government from the "headache of an extradition battle" with the Americans. This is a clear reference to the cases of alleged NASA hacker Gary McKinnon, whose attempted extradition to the US failed in 2012, and accused hacker Lauri Love, who is currently fighting an extradition battle along much the same lines as McKinnon.

One person familiar with the matter told the paper: "Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition."

Hutchins had previously worked closely with GCHQ through its public-facing offshoot, the National Cyber Security Centre, to share details of how malware operated and the best ways of neutralising it. It is difficult to see this as anything other than a betrayal of confidence, particularly if British snoopers were happy for the US agency to make the arrest – as appears to be the case.

American prosecutors charged Hutchins with six counts related to the creation of the Kronos banking malware. He faces a potential sentence of 40 years in prison. He pleaded not guilty to the charges last week.

Hutchins' bail conditions are unusually lenient for an accused hacker, with the Milwaukee court hearing his plea more or less relaxing all restrictions on him – with the exception of not allowing him to leave the US and prohibiting him from visiting the domain that sinkholed the WannaCry malware.

The man himself has been active on Twitter again since his bail restrictions were lifted:

Previously, FBI agents had tried claiming Hutchins might try obtaining firearms to commit crimes, based solely on his having tweeted about visiting a shooting range in Las Vegas – a common tourist pastime in Sin City. ®

Biting the hand that feeds IT © 1998–2022