JBS, the Meat Processor, Paid $11M in Ransom

Reuters: JBS USA, a subsidiary of Brazilian firm JBS SA (JBSS3.SA), confirmed in a statement on Wednesday that the company paid the equivalent of $11 million in ransom in response to a criminal hack against its operations.

The world’s largest meat producer canceled shifts at its U.S. and Canadian meat plants last week, after JBS said it was hit with a crippling cyberattack that threatened to disrupt food supply chains and inflate food prices.

***

“This was a very difficult decision to make for our company and for me personally,” JBS USA CEO Andre Nogueira said in a statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

The company said it paid the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, ransomware is a type of malware that encrypts a victim’s files or locks its systems, rendering them unusable, with the attackers demanding payment in exchange for the decryption key.

Earlier this month, the FBI attributed the infiltration to Russia-based hackers.

JBS said it was in constant contact with federal officials, and while investigations are ongoing, “preliminary investigation results confirm that no company, customer or employee data was compromised.”


The company said it spends $200 million annually in IT services.

JBS is not the first company to recently pay ransom to cyber criminals based in Russia. JBS said its ability to resolve the issues resulting from the attack was “due to its cybersecurity protocols, redundant systems and encrypted backup servers.” Additionally, the company employs more than 850 IT professionals around the world. JBS maintained that no company, customer or employee data was compromised.

Bloomberg: 

The attack also halted slaughter operations across Australia and idled one of Canada’s largest beef plants. The FBI has attributed the incident to REvil, a hacking group that researchers say has links to Russia.

The global shutdowns upended agricultural markets and raised concerns about food security as hackers increasingly target critical infrastructure. Operations have returned to normal levels and the company expected lost production to be fully recovered by the end of this week.

In its latest statement, JBS said the vast majority of the company’s facilities were operational at the time of payment. It had made the decision to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated” in consultation with internal IT professionals and third-party cybersecurity experts.

JBS added it has maintained constant communications with government officials throughout the incident, and that third-party forensic investigations are still ongoing.

Dow Jones had earlier reported the ransom payment.

US Has Recovered Most of the Colonial Pipeline Ransom Payment

Just last month, this site posted a detailed article about the fallout of DarkSide, the hackers of the Colonial Pipeline. In short, U.S. officials seized at least two servers.

Now there is more: part of the ransom payment has been recovered as well. Not all of it, but roughly $2.3 million at current value; remember that it was paid in cryptocurrency, and that the payment was split between DarkSide and its affiliates.

“In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account,” the DarkSide ransomware operation told its affiliates.


***

(AP) — The Justice Department has recovered the majority of a multimillion-dollar ransom payment to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.

The operation to recover the cryptocurrency from the Russia-based hacker group is believed to be the first of its kind, and reflects what U.S. officials say is an increasingly aggressive approach to deal with a ransomware threat that in the last month has targeted critical industries around the world.

“By going after an entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a news conference announcing the operation.

Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating system, and decided to pay a roughly $4.4 million ransom in an effort to bring itself back online as soon as it could.

The FBI generally discourages the payment of ransom, fearing it could encourage additional hacks.

Feds Seized Two Domains Used by the SolarWinds Hackers

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities.


More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

SolarWinds Strikes Again and Again

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY), has held only one meeting on SolarWinds and none on DarkSide, both of which caused major disruptions to the supply chain and to national security. That session, hosted last February via WebEx with a handful of witnesses, determined and resolved nothing.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.”

***


New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targeted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.
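The DOJ seizure described earlier turned on where the phishing links actually led (command-and-control and malware-distribution domains), and the account above points at the harder problem for defenders: the mail genuinely came from the impersonated organization’s bulk-mailer account, so sender authentication passes and the redirect chain behind each link is what gives the lure away. The Python script below is an added example written for this page; it is not code from the DOJ, Microsoft, Constant Contact or any vendor, and it does not reproduce the real campaign’s links. It parses constructed sample messages, follows a constructed redirect map in place of live HTTP hops so it runs offline, and flags links whose final destination is outside an assumed allowlist. The `?url=` tracker format, the hosts, and the headers are all assumptions.

```python
"""Triage check for bulk-mailer messages whose links redirect off the sender's
domain. Added example for this page, not code from the DOJ, Microsoft or any
vendor. Every host, header and redirect hop below is constructed; the
'?url=' tracker format is an assumption, not Constant Contact's real scheme."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed allowlist: hosts a genuine mailing from this sender should land on.
TRUSTED_HOSTS = {"usaid.gov", "www.usaid.gov"}
MAX_HOPS = 5  # bound on redirect chains, so a looping tracker cannot hang triage


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def unwrap(url, redirects):
    """Return the redirect chain starting at url. 'redirects' is a constructed
    map standing in for live HTTP 302 responses, so the example runs offline;
    hypothetical tracker links of the form https://<tracker>/r?url=<dest>
    are decoded without a hop. Stops on a loop or after MAX_HOPS."""
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = redirects.get(url)
        if nxt is None:
            nxt = parse_qs(urlparse(url).query).get("url", [None])[0]
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


def triage(raw, redirects):
    """Report where each link really lands and whether the envelope sender
    (Return-Path) belongs to a third-party mailer rather than the From domain.
    Mail sent from a compromised bulk-mail account passes SPF/DKIM, so the
    link destinations, not the sender checks, are the signal worth acting on."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_host = msg["From"].addresses[0].domain.lower()
    rp_host = msg.get("Return-Path", "").strip("<> ").split("@")[-1].lower()
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    suspicious = []
    for href, text in extractor.links:
        chain = unwrap(href, redirects)
        if host_of(chain[-1]) not in TRUSTED_HOSTS:
            suspicious.append({"text": text, "chain": chain})
    return {
        "from_host": from_host,
        "relayed_via": rp_host if rp_host and rp_host != from_host else None,
        "suspicious_links": suspicious,
    }


# Constructed sample messages: both are "genuinely" sent through the mailer
# account, so only the link destinations differ.
BENIGN = (
    "From: USAID Updates <updates@usaid.gov>\n"
    "Return-Path: <bounce@mailer.example>\n"
    "Subject: Weekly update\n"
    "Content-Type: text/html\n\n"
    '<html><body><a href="https://mailer.example/r?url=https://www.usaid.gov/news">'
    "Read the update</a></body></html>\n"
)
LURE = (
    "From: USAID Updates <updates@usaid.gov>\n"
    "Return-Path: <bounce@mailer.example>\n"
    "Subject: Special alert\n"
    "Content-Type: text/html\n\n"
    '<html><body><a href="https://mailer.example/r?url=https://lure.example/brief">'
    "View documents</a></body></html>\n"
)
# Constructed hop map: the lure page bounces the reader on to a payload host.
REDIRECTS = {"https://lure.example/brief": "https://payload.example/download"}


def run_demo():
    return {"benign": triage(BENIGN, REDIRECTS), "lure": triage(LURE, REDIRECTS)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Both sample messages report the same third-party relay, which is exactly why that field alone is not a verdict: legitimate newsletters relay through bulk mailers too. The benign message is cleared because its tracker link unwraps to an allowlisted host, while the lure is flagged because its chain ends on a host outside the allowlist. In production the constructed `redirects` map would be replaced by HEAD requests from an isolated sandbox, keeping the hop bound so a malicious tracker cannot stall the pipeline.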

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.”

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.


Zuckerberg Infected Voting Integrity

Founderscode wrote about this in detail in December 2020.

RCP, in part: In the months leading up to November’s election, voting officials in major cities and counties worked with a progressive group funded by Facebook founder Mark Zuckerberg and its allies to create ballots, strategically target voters and develop “cure” letters in situations where mail-in ballots were in danger of being tossed out.

The Center for Tech and Civic Life, or CTCL, provided millions of dollars in private funding for the elections that came from a $350 million donation from Zuckerberg and his wife, Priscilla Chan. The CTCL gave “COVID-19 response” grants of varying amounts to 2,500 municipalities in 49 states.


In exchange for the money, elections divisions agreed to conduct their elections according to conditions set out by the CTCL, which is led by former members of the New Organizing Institute, a training center for progressive groups and Democratic campaigns.

A CTCL partner, the Center for Civic Design, helped design absentee ballot forms and instructions, crafted voter registration letters for felons and tested automatic voter registration systems in several states, working alongside progressive activist groups in Michigan and directly with elections offices in Georgia and Utah.

Still other groups with a progressive leaning, including the Main Street Alliance, The Elections Group and the National Vote at Home Institute, provided support for some elections offices.


Facebook, with the CTCL, was also part of the effort, providing a guide and webinar for election officials on how to engage voters. Included were directions to report “voter interference” to Facebook authorities. The company also provided designated employees in six regions of the U.S. to handle questions. Together, the groups strategically targeted voters and waged a voter assistance campaign aimed at low-income and minority residents who typically shun election participation, helping Democratic candidates win key spots all over the U.S.

The little-explored roles of CTCL and other such groups emerged in emails and other records obtained by RealClearInvestigations and public documents secured by conservative litigants and groups, including the Foundation for Government Accountability, which has filed more than 800 public records requests with elections offices accepting the grants.

Previously, the Zuckerberg-funded effort has been described in generally positive terms, notably when NPR reported in December on “How Private Money From Facebook’s CEO Saved The 2020 Election” — in the face of the coronavirus pandemic, President Trump’s doubts about the legitimacy of the process and “Congress’ neglect.”

In 2018, RCI reported that a New York University School of Law program funded by billionaire Michael Bloomberg had placed environmentally minded lawyers in the offices of Democratic state attorneys general to challenge Trump administration policies. And examples of private efforts to steer cash-strapped public education are numerous, from the Koch charities on the right to more recent race-conscious programs on the left emphasizing the legacy and centrality of white racism in society.

Zuckerberg did not respond to an emailed request from RCI for comment. In a post-election interview, he praised Facebook’s security work during the election and singled out its policing of “misinformation.” He noted working with polling officials to watch for information that might lead to “voter suppression” and said Facebook had strengthened its enforcement “against militias and conspiracy networks like Q-Anon.”

Facebook has banned Trump from its platform and has delisted individuals – many of them conservatives — for espousing views about the election that it insists are “misinformation.”
***

All of this and more is the reason Florida Governor Ron DeSantis and other governors are reworking voter integrity law. Texas is the most recent to address the issue and may call a special legislative session to establish new voting laws.