Whose line of attack is it anyway? Cyber-assault whodunnits harder than ever to solve

Sophisticated groups not always so easy to pick out

Government-backed spies and hackers are increasingly using commercially available malware – thanks to a flourishing market of off-the-shelf software nasties – making it harder for researchers to identify who exactly is behind a cyber-attack.

Traditionally, infosec bods have sought to pinpoint and unmask hacking crews by studying the malicious code they use, or domain names and IP addresses for the backend control servers, and so on. However, when groups within intelligence agencies use common and widely available toolkits, or launch attacks from each others' networks, it's hard to figure out who exactly is behind an intrusion, according to FireEye eggheads. It could be a nation state operation, it could be some criminals in a basement, or it could be a bored teenager, all using the same toolsets. As always, attribution is difficult.

"The adversary often gives us evidence, when they send a piece of malware they are handing you a piece of forensic evidence to track them," explained FireEye's John Holtquist. "We would find indications or unique artifacts that we could connect because we knew no one else could have access to this information of infrastructure."

As underground malware markets become more prevalent, developers can write and sell software nasties to various groups. This is particularly the case with Russia, where crafting malware is a cottage industry and hackers that get caught face the choice of prison or cooperating with the government. The result is government hacking groups getting their pick of commercial malware to borrow or repurpose, muddying the waters in terms of identification. Anyone can buy and use these programs.

"The security services have the requirement to do this [hacking] work and do all the law enforcement as well," noted Holtquist. "We have seen them pull from the criminal space again and again."

Global events can also obscure sources of cyber-assaults. One such example is China, where researchers Benjamin Read and Cris Kittner found that the 2016 reorganization of the People's Liberation Army caused a hiatus, then re-launching, of China's state-backed political and economic hacking campaigns.

China crisis

Likewise, the Chinese hacking groups that were thought to have disbanded years ago have suddenly reappeared, and with them attacks that were long dormant. In the case of one 2018 attack on an unspecified US shipping company, network intruders sat quietly for more than a year and a half.

Trump's axing of cyber czar role has left gaping holes in US defence


"They set up a backdoor, and all you see for the next 18 months is someone checking the back door a couple times a month, then suddenly they moved in and got data," said Read. "It is not just that we see these gaps, but we see on-network activity pausing too."

To make matters worse, financial hacking groups are also becoming more sophisticated and difficult to distinguish. Researchers Kimberly Goody and Nart Villaneuve said that financial attacks, like heists on the SWIFT transaction system or ATM 'jackpotting' attacks, use the sort of complex operations previously only undertaken by government groups.

"Due to the profitability of these attacks where you can make millions of dollars in one operation," said Goody, "and due to the growing sophistication of criminals, this is a trend we expect to see continue."

Mea culpa: Some of the blame also falls on us hacks. Goody and Villaneuve note that when attacks occur, articles can also confuse the attacks from the tools. In the case of the this year's attacks on Ticketmaster, Feedify, and British Airways, for example, the MageCart malware was used each time, likely by different groups with different aims rather than one party devoted entirely to MageCart.

Rather than look to link infections with groups, the researchers suggest people separate the two, and understand that these days a piece of malware itself isn't a giveaway of a specific group, but rather a single tool that might have come from elsewhere. ®

Send us news

Google location tracking to forget you were ever at that medical clinic

Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more

In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.

In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.

Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.

Continue reading

AMD targeted by RansomHouse, attackers claim to have '450Gb' in stolen data

Relative cybercrime newbies not clear on whether they're alleging to have gigabits or gigabytes of chip biz files

If claims hold true, AMD has been targeted by the extortion group RansomHouse, which says it is sitting on a trove of data stolen from the processor designer following an alleged security breach earlier this year.

RansomHouse says it obtained the files from an intrusion into AMD's network on January 5, 2022, and that this isn't material from a previous leak of its intellectual property.

This relatively new crew also says it doesn't breach the security of systems itself, nor develop or use ransomware. Instead, it acts as a "mediator" between attackers and victims to ensure payment is made for purloined data.

Continue reading

Google: How we tackled this iPhone, Android spyware

Watching people's every move and collecting their info – not on our watch, says web ads giant

Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

Continue reading

NSO claims 'more than 5' EU states use Pegasus spyware

And it's like, what ... 12, 13,000 total targets a year max, exec says

NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

Continue reading

Europol arrests nine suspected of stealing 'several million' euros via phishing

Victims lured into handing over online banking logins, police say

Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

Continue reading

OpenSea phishing threat after rogue insider leaks customer email addresses

Worse, imagine someone finding out you bought one of its NFTs

The choppy waters continue at OpenSea, whose security boss this week disclosed the NFT marketplace suffered an insider attack that could lead to hundreds of thousands of people fending off phishing attempts.

An employee of OpenSea's email delivery vendor "misused" their access to download and share OpenSea users' and newsletter subscribers' email addresses "with an unauthorized external party," Head of Security Cory Hardman warned on Wednesday. 

"If you have shared your email with OpenSea in the past, you should assume you were impacted," Hardman continued. 

Continue reading

'Prolific' NetWalker extortionist pleads guilty to ransomware charges

Canadian stole $21.5m from dozens of companies worldwide

A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

Continue reading

Walmart accused of turning blind eye to transfer fraud totaling millions of dollars

Store giant brands watchdog's lawsuit 'factually misguided, legally flawed'

America's Federal Trade Commission has sued Walmart, claiming it turned a blind eye to fraudsters using its money transfer services to con folks out of "hundreds of millions of dollars."

In a lawsuit [PDF] filed Tuesday, the regulator claimed the superstore giant is "well aware" of telemarketing fraudsters and other scammers convincing victims to part with their hard-earned cash via its services, with the money being funneled to domestic and international crime rings.

Walmart is accused of allowing these fraudulent money transfers to continue, failing to warn people to be on their guard, and failing to adopt policies and train employees on how to prevent these types of hustles.

Continue reading

LGBTQ+ folks warned of dating app extortion scams

Uncle Sam tells of crooks exploiting Pride Month

The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

Continue reading

Beijing probes security at academic journal database

It's easy to see why – the question is, why now?

China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

Continue reading

HelloXD ransomware bulked up with better encryption, nastier payload

Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

"While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

Continue reading

Israeli air raid sirens triggered in possible cyberattack

Source remains unclear, plenty suspect Iran

Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

Continue reading