Category Archives: Cyber War

Half of Pandemic Money Stolen, Just $400 Billion

Posted on by

At least 30% of unemployment claims are fraudulent. 70% of the money has left our shores…oh don’t worry…the Biden administration has set aside $2 billion to stop this. What?

Beware of increased unemployment fraud due to identity theft

Axios:

Criminals may have stolen as much as half of the unemployment benefits the U.S. has been pumping out over the past year, some experts say.

Why it matters: Unemployment fraud during the pandemic could easily reach $400 billion, according to some estimates, and the bulk of the money likely ended in the hands of foreign crime syndicates — making this not just theft, but a matter of national security.

Catch up quick: When the pandemic hit, states weren’t prepared for the unprecedented wave of unemployment claims they were about to face.

  • They all knew fraud was inevitable, but decided getting the money out to people who desperately needed it was more important than laboriously making sure all of them were genuine.

By the numbers: Blake Hall, CEO of ID.me, a service that tries to prevent this kind of fraud, tells Axios that America has lost more than $400 billion to fraudulent claims. As much as 50% of all unemployment monies might have been stolen, he says.

  • Haywood Talcove, the CEO of LexisNexis Risk Solutions, estimates that at least 70% of the money stolen by impostors ultimately left the country, much of it ending up in the hands of criminal syndicates in China, Nigeria, Russia and elsewhere.
  • “These groups are definitely backed by the state,” Talcove tells Axios.
  • Much of the rest of the money was stolen by street gangs domestically, who have made up a greater share of the fraudsters in recent months.

What they’re saying: “Widespread fraud at the state level in pandemic unemployment insurance during the previous Administration is one of the most serious challenges we inherited,” said White House economist Gene Sperling.

  • President Biden has been clear that this type of activity from criminal syndicates is despicable and unacceptable. It is why we passed $2 billion for UI modernizations in the American Rescue Plan, instituted a Department of Justice Anti-Fraud Task Force and an all-of-government Identity Theft and Public Benefits Initiative.”

How it works: Scammers often steal personal information and use it to impersonate claimants. Other groups trick individuals into voluntarily handing over their personal information.

  • “Mules” — low-level criminals — are given debit cards and asked to withdraw money from ATMs. That money then gets transferred abroad, often via bitcoin.

The big picture: Before the pandemic, unemployment claims were relatively rare, and generally lasted for such short amounts of time that international criminal syndicates didn’t view them as a lucrative target.

  • After unemployment insurance became the primary vehicle by which the U.S. government tried to keep the economy afloat, however, all that changed.
  • Unemployment became where the big money was — and was also being run by bureaucrats who weren’t as quick to crack down on criminals as private companies normally are.
  • Unemployment fraud is now offered on the dark web on a software-as-a-service basis, much like ransomware. States without fraud-detection services are naturally targeted the most.

The bottom line: Many states are now getting more sophisticated about preventing this kind of fraud. But it’s far too late.

*** What Is Unemployment Insurance Fraud? | does

Consequences should also be on the states and we don’t spend anything more in unemployment until at least 50% is recovered…..billions of dollars likely ending up in the hands of foreign crime syndicates based in China, Russia and other countries, experts say.

“Fraud is being perpetrated by domestic and foreign actors,” Blake Hall, CEO and founder of ID.ME, told FOX Business. “We are successfully disrupting attempted fraud from international organized crime rings, including Russia, China, Nigeria and Ghana, as well as U.S. street gangs.”

Haywood Talcove, the CEO of LexisNexis Risk Solution, suggested the bulk of the money – about $250 billion – went to international criminal groups, most of which are backed by the state. The money is essentially being used as their slush fund for “nefarious purposes,” such as terrorism, illegal drugs and child trafficking, Talcove said.

The criminals have been able to access the money by stealing personal information and using it to impersonate claimants or buying it on the dark web. The groups also use an army of internet thieves to submit fraudulent claims. States, which administer the aid, may be prepared to combat fraud from individuals who are trying double-dip or cash in on benefits they don’t need, but not international criminals using the dark web to exploit the system.

JBS, the Meat Processor Paid $11M in Ransom

Posted on by

Reuters: JBS USA, subsidiary of Brazilian firm JBS SA (JBSS3.SA), confirmed in a statement on Wednesday the company paid the equivalent of $11 million in ransom in response to a criminal hack against its operations.

The world’s largest meat producer canceled shifts at its U.S. and Canadian meat plants last week, after JBS said it was hit with a crippling cyberattack that threatened to disrupt food supply chains and inflate food prices.

***

“This was a very difficult decision to make for our company and for me personally,” JBS USA CEO Andre Nogueira said in a statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

The company said it paid the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

According to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, ransomware is a type of malware that shuts down a company’s computer infrastructure with hackers demanding payment to unlock the system.

Earlier this month, the FBI attributed the infiltration to Russia-based hackers.

JBS said it was in constant contact with federal officials, and while investigations are ongoing, “preliminary investigation results confirm that no company, customer or employee data was compromised.”

Texas JBS meatpacking plant rejects state effort to test ...

The company said it spends $200 million annually in IT services.

JBS is not the first company to recently pay ransom to cyber criminals based in Russia. JBS said its ability to resolve the issues resulting from the attack was “due to its cybersecurity protocols, redundant systems and encrypted backup servers.” Additionally, the company employs more than 850 IT professionals around the world. JBS maintained that no company, customer or employee data was compromised.

Bloomberg: 

It also halted slaughter operations across Australia and idled one of Canada’s largest beef plants. The FBI has attributed the incident to REvil, a hacking group that researchers say has links to Russia.

The global shutdowns upended agricultural markets and raised concerns about food security as hackers increasingly target critical infrastructure.Operations have returned to normal levels and the company expected lost production to be fully recovered by the end of this week.

In its latest statement, JBS said the vast majority of the company’s facilities were operational at the time of payment. It had made the decision to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated” in consultation with internal IT professionals and third-party cybersecurity experts.

JBS added it has maintained constant communications with government officials throughout the incident, and that third-party forensic investigations are still ongoing.

Dow Jones had earlier reported the ransom payment.

US has Recovered Ransom Payment of the Colonial Pipeline Hack

Posted on by

Just last month, this site posted a detailed article about the fallout of DarkSide, the hackers of the Colonial Pipeline. In short, U.S. officials seized at least two servers.

Now there is more….like the ransom payment, not all of it, but $2.3 million in real dollars, remember it was paid in cryptocurrency. (Remember, money was paid out to all the dark actors of the DarkSide)

“In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account,” the DarkSide ransomware operation told its affiliates.

DarkSide: New targeted ransomware demands million dollar ...

****

(AP) — The Justice Department has recovered the majority of a multimillion-dollar ransom payment to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.

The operation to recover the cryptocurrency from the Russia-based hacker group is believed to be the first of its kind, and reflects what U.S. officials say is an increasingly aggressive approach to deal with a ransomware threat that in the last month has targeted critical industries around the world.

“By going after an entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said at a news conference announcing the operation.

Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system.

Colonial officials have said they took their pipeline system offline before the attack could spread to its operating system, and decided to pay a roughly $4.4 million ransom in an effort to bring itself back online as soon as it could.

The FBI generally discourages the payment of ransom, fearing it could encourage additional hacks.

Feds Seized 2 Cyber Domains of Hackers/SolarWinds

Posted on by

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities. More here.

Solarwinds Management Tools - Full Control Networks source

More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

SolarWinds Strikes Again and Again

Posted on by

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY) only held one meeting on SolarWinds and none related to the  DarkSide both of which have caused major interruptions in the supply chain and national security. It was last February that the committee hosted a session via WebEx with a few witnesses of which nothing was determined or solved.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.” More here.

***

Solarwinds Management Tools - Full Control Networks source details

New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targetted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.