Half of Pandemic Money Stolen, Just $400 Billion

At least 30% of unemployment claims are fraudulent. 70% of the money has left our shores…oh don’t worry…the Biden administration has set aside $2 billion to stop this. What?

Beware of increased unemployment fraud due to identity theft

Axios:

Criminals may have stolen as much as half of the unemployment benefits the U.S. has been pumping out over the past year, some experts say.

Why it matters: Unemployment fraud during the pandemic could easily reach $400 billion, according to some estimates, and the bulk of the money likely ended in the hands of foreign crime syndicates — making this not just theft, but a matter of national security.

Catch up quick: When the pandemic hit, states weren’t prepared for the unprecedented wave of unemployment claims they were about to face.

  • They all knew fraud was inevitable, but decided getting the money out to people who desperately needed it was more important than laboriously making sure all of them were genuine.

By the numbers: Blake Hall, CEO of ID.me, a service that tries to prevent this kind of fraud, tells Axios that America has lost more than $400 billion to fraudulent claims. As much as 50% of all unemployment monies might have been stolen, he says.

  • Haywood Talcove, the CEO of LexisNexis Risk Solutions, estimates that at least 70% of the money stolen by impostors ultimately left the country, much of it ending up in the hands of criminal syndicates in China, Nigeria, Russia and elsewhere.
  • “These groups are definitely backed by the state,” Talcove tells Axios.
  • Much of the rest of the money was stolen by street gangs domestically, who have made up a greater share of the fraudsters in recent months.

What they’re saying: “Widespread fraud at the state level in pandemic unemployment insurance during the previous Administration is one of the most serious challenges we inherited,” said White House economist Gene Sperling.

  • “President Biden has been clear that this type of activity from criminal syndicates is despicable and unacceptable. It is why we passed $2 billion for UI modernizations in the American Rescue Plan, instituted a Department of Justice Anti-Fraud Task Force and an all-of-government Identity Theft and Public Benefits Initiative.”

How it works: Scammers often steal personal information and use it to impersonate claimants. Other groups trick individuals into voluntarily handing over their personal information.

  • “Mules” — low-level criminals — are given debit cards and asked to withdraw money from ATMs. That money then gets transferred abroad, often via bitcoin.

The big picture: Before the pandemic, unemployment claims were relatively rare, and generally lasted for such short amounts of time that international criminal syndicates didn’t view them as a lucrative target.

  • After unemployment insurance became the primary vehicle by which the U.S. government tried to keep the economy afloat, however, all that changed.
  • Unemployment became where the big money was — and was also being run by bureaucrats who weren’t as quick to crack down on criminals as private companies normally are.
  • Unemployment fraud is now offered on the dark web on a software-as-a-service basis, much like ransomware. States without fraud-detection services are naturally targeted the most.

The bottom line: Many states are now getting more sophisticated about preventing this kind of fraud. But it’s far too late.


Consequences should also be on the states, and we should not spend anything more on unemployment until at least 50% is recovered.

…billions of dollars likely ending up in the hands of foreign crime syndicates based in China, Russia and other countries, experts say.

“Fraud is being perpetrated by domestic and foreign actors,” Blake Hall, CEO and founder of ID.ME, told FOX Business. “We are successfully disrupting attempted fraud from international organized crime rings, including Russia, China, Nigeria and Ghana, as well as U.S. street gangs.”

Haywood Talcove, the CEO of LexisNexis Risk Solutions, suggested the bulk of the money – about $250 billion – went to international criminal groups, most of which are backed by the state. The money is essentially being used as their slush fund for “nefarious purposes,” such as terrorism, illegal drugs and child trafficking, Talcove said.

The criminals have been able to access the money by stealing personal information and using it to impersonate claimants, or by buying it on the dark web. The groups also use an army of internet thieves to submit fraudulent claims. States, which administer the aid, may be prepared to combat fraud from individuals who are trying to double-dip or cash in on benefits they don’t need, but not international criminals using the dark web to exploit the system.

Feds Seized 2 Cyber Domains of Hackers/SolarWinds

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities. More here.


More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

Beware of Russian Influence on Vaccine Disinformation

It is an additional definition of the cyber war…

Operatives at the behest of Moscow have never passed up the opportunity to exploit a crisis in the Western world. It has gone on for years, back to the days of the KGB, now known as the SVR.

Opinion | Operation Infektion: A three-part video series … Yet, does the media keep making the same mistakes?

Readers and researchers must validate the sources, all of them and check them often. Big media has fallen victim as well and some make corrections while others don’t bother.

Even CNN has admitted as much –>

Washington (CNN) Online platforms directed by Russian intelligence are spreading disinformation about two of the coronavirus vaccines being used in the US, a State Department spokesperson confirmed to CNN on Sunday.

The agency’s Global Engagement Center identified three Russian outlets — News Front, New Eastern Outlook and Oriental Review — that are spreading not only misinformation about the virus, but also regarding “international organizations, military conflicts, protests; and any divisive issue that they can exploit,” according to the spokesperson.

“These sites all vary in their reach, tone, and audience — but they all are spreading Russian propaganda and disinformation. The State Department’s finding of a link between these sites and Russian Intelligence is a result of a joint interagency conclusion,” the spokesperson said.

In part:

French and German YouTubers, bloggers and influencers have been offered money by a supposedly UK-based PR agency with apparent Russian connections to falsely tell their followers the Pfizer/BioNTech vaccine is responsible for hundreds of deaths.

Fazze, an “influencer marketing platform … connecting bloggers and advertisers”, claimed to be based at 5 Percy Street in London but is not registered there. On Tuesday, it temporarily closed its website and made its Instagram account private.

The agency contacted several French health and science YouTubers last week and asked them, in poor English, to “explain … the death rate among the vaccinated with Pfizer is almost 3x higher than the vaccinated by AstraZeneca”.

The influencers were told to publish links on YouTube, Instagram or TikTok to reports in Le Monde, on Reddit and on the Ethical Hacker website about a leaked report containing data that supposedly substantiates the claim.

The article in Le Monde is about data reportedly stolen by Russian hackers from the European Medicines Agency and later published on the Dark Web. It contains no information on mortality rates. The pages on the other two sites have been deleted.

The influencers were asked to tell their subscribers that “the mainstream media ignores this theme”, and to ask: “Why some governments actively purchasing Pfizer vaccine, which is dangerous to the health of the people?”

The brief also included requests to “act like you have the passion and interest in this topic”, and to avoid using the words “advertising” or “sponsored” in posts or videos because “the material should be presented as your own independent view”.

Screen shots of the emails were posted on Twitter by Léo Grasset, a popular French science YouTuber with nearly 1.2m subscribers. Grasset said the campaign had a “colossal budget” but that the agency refused to identify its client.

The French investigative news site Numerama also published extracts from the exchanges, including Fazze’s exhortation to “encourage viewers to draw their own conclusions, take care of themselves and their loved ones”.

Mirko Drotschman, a German YouTuber and podcaster with 1.5 million subscribers, also posted a screenshot of an email asking him to take part in an “information campaign” about “a significant number of deaths” after the Pfizer shot.

“Please send us statistics on the age of your subscribers … and how much it would cost,” the mail concluded. The French investigative website Fact&Furious posted a mail describing Fazze’s budget as “considerable” and the fee as “the rate you wish”.

According to LinkedIn, Fazze’s management come from Moscow and have worked for an agency reportedly founded by a Russian entrepreneur.

French media have pointed to the similarities between Fazze’s message and the official Twitter account of Russia’s Sputnik V – a viral vector vaccine like AstraZeneca – which has repeatedly claimed “real world data” shows they are “safer and more efficient” than mRNA vaccines.

An EU study last month accused Russian and Chinese media of “state-sponsored disinformation” aimed at sowing mistrust in western vaccines by sensationalising safety concerns, making “unfounded links between shots and deaths in Europe”, and promoting Russian and Chinese vaccines as superior.


Anyone Notice the Battle for the Arctic?

The Pentagon has a civilian advisory committee where retired flag officers meet and discuss global and domestic conflicts, research them and then present those items to key Pentagon personnel. The question is, do any discussions include the battle for the Arctic?

When General Lloyd Austin, Secretary of Defense, says that climate change and white supremacy are the biggest existential threats to the homeland, others are certainly arguing for other real threats, and that includes the Arctic.

Back in March of 2018, testimony was presented to the Senate Armed Services Committee by commanders of the U.S. Pacific Fleet, the U.S. European Command and the Coast Guard Commandant that the Russian footprint in the Arctic has robustly surpassed that of the United States.

In part:

The U.S. lacks abilities

Despite a change in rhetoric, the facts on the ground remain the same: The U.S. is falling further and further behind in the region, operating a single aging polar-class icebreaker.

“The Arctic is the only theater of operations where the U.S. Navy is outclassed by a peer competitor. Russian surface warships have demonstrated the ability to carry out complex combined operations in the High North, while the American Navy maintains a policy that only submarines operate above the Bering Strait. Are submarines enough of a deterrence? Probably. But I don’t think they provide the real presence needed to assert the U.S.’ rights to the opening Arctic,” Holland explains.

Any reaction by the U.S. to catch up in the Arctic comes about 10 years too late, says Huebert. “Yes, as the current ICEX military exercise shows U.S. submarines have the capability of patrolling the Arctic and surfacing through the ice, but what is lacking are the constabulary capabilities in the form of surface vessels and icebreakers.”

Is the U.S. Waking up?

After more than a decade of lobbying by the U.S. Coast Guard to secure funds to construct a new icebreaker, the agency may finally make progress on this front. Congress’ upcoming appropriations bill is likely to include funding to design and construct a new icebreaker. Still, this falls way short of what would be needed, says Holland. “That is good, but it is late, and there’s no commitment to build the three to five more [icebreakers] that is estimated we’ll need. Nor is there any thought about designing the Navy’s ships of the future so they can operate in the High North.”

Holland hopes that the change in rhetoric marks a newfound seriousness by America’s military leadership about the rapidly growing challenges in the Arctic. This also includes China’s emergence as an Arctic power and its desire to utilize the NSR as its own Polar Silk Road as laid out in its newly-released Arctic strategy.

“These countries have a clear strategic vision for what they want out of the Arctic. As do European Arctic states. It’s time for the U.S. to stand up for its rights and responsibilities as an Arctic nation.” More here.

Why is this even a topic for real?

Moscow: Russian Foreign Minister Sergei Lavrov on Monday warned Western countries against staking claims in the Arctic ahead of this week’s Arctic Council meeting in Reykjavik.

The Arctic in recent years has become the site of geopolitical competition between the countries that form the Arctic Council (Russia, the United States, Canada, Norway, Denmark, Sweden, Finland and Iceland) as global warming makes the region more accessible.

A ministerial meeting of the eight-country council will take place on Wednesday and Thursday.

“It has been absolutely clear for everyone for a long time that this is our territory, this is our land,” Lavrov said at a press conference in Moscow.

“We are responsible for ensuring our Arctic coast is safe,” he said.

“Let me emphasise once again — this is our land and our waters,” he added.

“But when NATO tries to justify its advance into the Arctic, this is probably a slightly different situation and here we have questions for our neighbours like Norway who are trying to justify the need for NATO to come into the Arctic.”

The United States in February sent strategic bombers to train in Norway as part of Western efforts to bolster its military presence in the region.

For the first time since the 1980s, the US Navy deployed an aircraft carrier in the Norwegian Sea in 2018.

President Vladimir Putin in recent years has made Russia’s Arctic region a strategic priority and ordered investment in military infrastructure and mineral extraction.

As ice cover in the Arctic decreases, Russia is hoping to make use of the Northern Sea Route shipping channel to export oil and gas to overseas markets.

Lavrov will meet with his US counterpart Antony Blinken on the sidelines of the Arctic Council ministerial meeting in a test of Moscow’s strained relationship with Washington.

Despite mounting tensions, Russia and the United States during climate negotiations earlier this year noted the Arctic as an area of cooperation.

Three Russian ballistic missile submarines participated in Arctic training drills near the North Pole, and the Russian Ministry of Defense shared footage on Friday of the submarines bursting through the ice.

The drills entailed Russian submarines breaching the ice and Russian troops conducting cold-weather ground maneuvers on the open ice. A pair of MiG-31 Foxhound jet interceptors also flew over the Arctic, with support from an Il-78 aerial refueling tanker. According to Russia’s Navy, about 600 Russian military personnel and civilian personnel were present and about 200 models of Russian weapons and military equipment were involved. Source

An officer speaks on walkie-talkie as the Bastion anti-ship missile systems take positions on the Alexandra Land island near Nagurskoye, Russia, Monday, May 17, 2021. Bristling with missiles and radar, Russia’s northernmost military base projects the country’s power and influence across the Arctic from a remote, desolate island amid an intensifying international competition for the region’s vast resources. Russia’s northernmost military outpost sits on the 80th parallel North, projecting power over wide swathes of Arctic amid an intensifying international rivalry over the polar region’s vast resources. (AP Photo/Alexander Zemlianichenko)

For a scary photo essay of the Russians in the Arctic, click here.


So while it appears that nobody is really heeding these warnings, yet another discussion was held in 2019 at the Aspen Security Conference. Here the Pentagon released a new Arctic strategy document challenging and addressing the gains made by China and Russia in the Arctic region.

Moscow is deploying more resources northwards and investing in Arctic-capable forces, while Beijing has declared itself a “near-Arctic” power. The U.S. is moving to meet this challenge and give the region more prominence in its strategic planning.

Schultz said the U.S. “should be concerned about Russia, who is way ahead of us in this game, and the emerging aggressive China, who is pushing into the game.” He noted that while Americans may “think about the Arctic as a very faraway place,” the “Russian world view is very much based on the Arctic.”

A “polar security cutter” is currently under construction for the Coast Guard, effectively a militarized icebreaker. Its order demonstrates the U.S. military pivot towards the Arctic and an effort to close the gap with its rivals, particularly Russia. More here.

In part of that released strategy document is the following:

NDS goals and priorities guide DoD’s strategic approach to the Arctic. The Joint Force must be able to deter, and if necessary, defeat great power aggression. DoD must prioritize efforts to address the central problem the NDS identifies, i.e., the Joint Force’s eroding competitive edge against China and Russia, and the NDS imperative to ensure favorable regional balances of power in the Indo-Pacific and Europe. Developing a more lethal, resilient, agile, and ready Joint Force will ensure that our military sustains its competitive advantages, not only for these key regions of strategic competition, but globally as well. Maintaining a credible deterrent for the Arctic region requires DoD to understand and shape the Arctic’s geostrategic landscape for future operations and to respond effectively to contingencies in the Arctic region, both independently and in cooperation with others. DoD’s strategic approach seeks to do so by implementing three ways in support of the desired Arctic end-state (each described in detail in this document):

  • Building Arctic awareness;
  • Enhancing Arctic operations; and
  • Strengthening the rules-based order in the Arctic.

Read the full 19 page document here.


Looks Like Law Enforcement Actually Shut Down DarkSide

A big hat tip to the work of law enforcement, but which agency was responsible remains unknown at this point.

Shutting down the servers of DarkSide is a great achievement but not before there were other victims such as Toshiba.

A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.

Toshiba Tec Corp (6588.T), which makes products such as bar code printers and is valued at $2.3 billion, was hacked by DarkSide – the group widely believed to be behind the recent Colonial Pipeline attack, its French subsidiary said.

From Krebs:

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”

***

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of the REvil ransomware gang, known as ‘UNKN,’ in a forum post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets; it includes a message allegedly from DarkSide explaining how the gang lost access to their blog, payment servers, and DDoS servers as a result of a law enforcement action. source


“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

  • Blog.
  • Payment server.
  • DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.”