A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine


Finally, the Russia-based ransomware gang Clop went on a hacking spree that hit US government agencies and international companies including Shell and British Airways. Clop hackers carried out their cybercriminal campaign by exploiting a vulnerability in the file-transfer service MOVEit. The flaw has since been patched, but the full extent of the stolen data and list of targets remains unclear.

But that’s not all. Each week, we round up the biggest security and privacy stories we weren’t able to cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

As Russia has carried out its unprecedented cyberwar in Ukraine over nearly a decade, its GRU military intelligence hackers have taken center stage. The notorious GRU hacker groups Sandworm and APT28 have triggered blackouts, launched countless destructive cyberattacks, released the NotPetya malware, and even attempted to spoof results in Ukraine’s 2014 presidential election. Now, according to Microsoft, there’s a new addition to that hyper-aggressive agency’s cyberwar-focused bench.

Microsoft this week named a new group of GRU hackers that it’s calling Cadet Blizzard, and has been tracking since just before Russia’s full-scale invasion of Ukraine in February 2022. Redmond’s cybersecurity analysts now blame Cadet Blizzard for the destructive malware known as WhisperGate, which hit an array of government agencies, nonprofits, IT organizations, and emergency services in Ukraine in January 2022, just a month before Russia’s invasion began. Microsoft also attributes to Cadet Blizzard a series of web defacements and a hack-and-leak operation known as Free Civilian that dumped the data of several Ukrainian hacking victim organizations online while loosely impersonating hacktivists, another of the GRU’s trademarks.

Microsoft assesses that Cadet Blizzard appears to have the help of at least one private sector Russian firm in its hacking campaign but that it’s neither as prolific nor as sophisticated as previously known GRU groups plaguing Ukraine. But as Russia has switched up the tempo of its cyberwar, focusing on quantity rather than quality of attacks, Cadet Blizzard may play a key role in that brutal cadence of chaos.

You might think that in 2023, Russian hackers would have learned not to travel to countries with US extradition treaties—not to mention a US state. But one allegedly prolific ransomware extortionist associated with the notorious Lockbit group was arrested this week in Arizona, the Department of Justice announced. Ruslan Magomedovich Astamirov, a 20-year-old man living in Russia’s Chechen Republic, carried out at least five ransomware attacks against victims in Florida, Tokyo, Virginia, France, and Kenya, according to prosecutors. And in one case, he allegedly pocketed 80 of the bitcoin ransom personally. Astamirov’s arrest represents a relatively rare instance of US officials laying hands on a ransomware hacker, most of whom typically stay on Russian soil and evade arrest. It’s not yet clear why Astamirov made the mistake of traveling, but here’s hoping it’s a trend. Lots of other US-extradition countries are lovely this time of year.

File this one under “complicated headlines”: According to a search warrant unearthed by Forbes, the FBI used information stolen by a hacker from a dark-web assassination market to investigate a person going by the pseudonym Bonfire—whom the FBI believes is a Louisiana hairdresser named Julie Coda—to commission the murder of her niece’s father. In fact, Bonfire was being scammed by a fake murder-for-hire service, as is almost always the case with such dark-web deals. And to compound her problems, her alleged attempted murder-for-hire was revealed to the FBI by a hacker working as an informant to the US Department of Homeland Security. To further complicate this dark, strange story, that hacker appears to have been a foreign national flipped by the DHS and convicted of possessing child sexual abuse materials.

Last week it came to light that Estonia-based cryptocurrency wallet service Atomic Wallet had been breached by hackers apparently based in North Korea who stole tens of millions of dollars. Crypto analysts at Elliptic have now uncovered the larger picture of that heist and found that the hackers’ haul was in fact in the nine figures, making it one of North Korea’s biggest crypto heists in recent years. According to Elliptic, a large tranche of the funds have flowed to the Russian exchange Garantex, which was sanctioned by the US Treasury Department last year but continues to operate.



Source link