ESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks
The post Sandworm uses a new version of ArguePatch to attack targets in Ukraine appeared first on WeLiveSecurity
Falsehoods about the war in Ukraine come in all shapes and sizes – here are a few examples of what’s in the fake news
The post Keeping it real: Don’t fall for lies about the war appeared first on WeLiveSecurity
Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.
The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.
A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo).
A hand-written notice posted outside a public health clinic today in Costa Rica warned of system outages due to a cyberattack on the nation’s healthcare systems. The message reads: “Dear Users: We would like to inform you that due a problem related to the information systems of the institution, we are unable to expend any medicine prescriptions today until further notice. Thank you for your understanding- The pharmacy.”
Esteban Jimenez, founder of the Costa Rican cybersecurity consultancy ATTI Cyber, told KrebsOnSecurity the CCSS suffered a cyber attack that compromised the Unique Digital Medical File (EDUS) and the National Prescriptions System for the public pharmacies, and as a result medical centers have turned to paper forms and manual contingencies.
“Many smaller health centers located in rural areas have been forced to close due to not having the required equipment or communication with their respective central health areas and the National Retirement Fund (IVM) was completely blocked,” Jimenez said. “Taking into account that salaries of around fifty thousand employees and deposits for retired citizens were due today, so now the payments are in danger.”
Jimenez said the head of the CCSS has addressed the local media, confirming that the Hive ransomware was deployed on at least 30 out of 1,500 government servers, and that any estimation of time to recovery remains unknown. He added that many printers within the government agency this morning began churning out copies of the Hive ransom note.
Printers at the Costa Rican government health ministry went crazy this morning after the Hive ransomware group attacked. Image: Esteban Jimenez.
“HIVE has not yet released their ransom fee but attacks are expected to follow, other organizations are trying to get a hold on the emergency declaration to obtain additional funds to purchase new pieces of infrastructure, improve their backup structure amongst others,” Jimenez said.
A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.
A HIVE ransomware chat page for a specific victim (redacted).
On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.
As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.
Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.
A message Conti posted to its dark web blog on May 20.
On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.
“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay $USD 500 or more for such access, and would work only with Russian-speaking people.
Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.
Conti’s threatening message this week regarding international interference in Ukraine.
Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.
Shortly thereafter, a Ukrainian security expert leaked many months worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.
But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies are being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.
“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”
Conti is by far the most aggressive and profitable ransomware group in operation today. Image: Chainalysis
ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.
Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.
“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.
ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.
Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: Twice over the past week, both Conti and Hive claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.
Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.
But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.
A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.
“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”
It’s been 100 days since Russia invaded Ukraine, and we look back at various cyberattacks connected to the conflict
The post 100 days of war in Ukraine: How the conflict is playing out in cyberspace appeared first on WeLiveSecurity
Five years ago, ESET researchers released their analysis of the first ever malware that was designed specifically to attack power grids
The post Industroyer: A cyber‑weapon that brought down a power grid appeared first on WeLiveSecurity
(Almost) everything you always wanted to know about virtual private networks, but were afraid to ask
The post Virtual private networks: 5 common questions about VPNs answered appeared first on WeLiveSecurity
Cisco Talos has a long-standing relationship with Ukraine, so when Russia invaded the country earlier this year, things hit close to home. Cisco Talos leaders rallied together to provide cybersecurity threat hunting to vital infrastructure, humanitarian support and goods and services to employees and their families in the region.
Ashlee Benge, Amy Henderson and Sammi Seaman spearheaded initiatives to support and sustain Ukrainian employees and threat hunters working around-the-clock to prevent cyberattacks and remember the human element. Even in the midst of crisis, they’ve facilitated open communication, emphasized mental health and cultivated connection.
Given Ukraine’s unique position on the front lines of cyberwarfare, Cisco Talos has had a very close partnership with Ukraine. The threat intelligence team has worked with several partners in the country from a cyber threat perspective. That long standing connection is part of why Russia’s invasion of Ukraine has been felt so deeply. “Some Ukrainian team members evacuated before the invasion, others did not,” said Amy Henderson, head of strategic planning & communications. “Our teams of threat hunters have been around-the-clock hunting in the data since the invasion. They’re stopping attacks from happening.”
Cisco Talos set up Cisco Secure Endpoint on about thirty partners’ organizations and extended the offering to critical infrastructure organizations in Ukraine such as hospitals, directly monitoring Cisco Secure Endpoint, “because their people are busy doing other things right now. They can’t sit at a screen,” Henderson said.
Lead of Strategic Business Intelligence Ashlee Benge directs the Ukraine Threat Hunting Task Unit which requires empathy, compassion and an awareness of the needs of forty-five threat hunters. Veteran threat hunters with decades of experience have volunteered to contribute to the team while other members of Cisco Talos have also volunteered their skill sets to the work. Benge values the distinct contributions of her team members and describes them as, “quite brilliant and very good at their jobs. Talos does a really good job of hiring good people, and so the worst thing that I could do is get in their way.” Getting in their way looks different for different team members which is why Benge has established trainings and consistent ways to evaluate that the needs of her team are being met.
The nature of such a demanding, on-going situation coupled with the team’s dedication can lead employees to work themselves into the ground. To combat this, leaders maintain weekly check-ins that include asking employees how they’re taking care of themselves and checking for signs of burnout. “When you have rest you’re at peak performance and can problem solve. But when you start burning out and get to be irritable and snappy, you’re not able to problem solve. Just step back. You’ll be in a much better head space,” Henderson advises.
Stepping back has meant rotating projects to level out activity levels and urgency. Leaders have also stepped in to ensure employees take time off and that when they’re away, they’re fully away. “When you’re in such a high intensity environment it takes two to three days just to come off of that. If you’re only taking a day here or day there, you’re not even scratching the surface of coming down. So I’ll suggest maybe you need to take a week and completely recharge,” Henderson says.
Team Lead of Employee Experience Sammi Seaman was heartened by Cisco’s support of Ukrainian employees including helping employees and their families out of cities and into new housing. The humanitarian focus led Seaman to ask “How else can we help? Our colleagues have had to leave their homes and they’re still trying to do work. How do I get them necessities like medicine and shampoo?”
Seaman’s empathy and collaboration within her team and with Cisco Talos leadership led to determining the highest needs including more stable internet and navigating the transport of goods directly to employees and their families through freight mail. Seaman worked with her team to ensure necessary items like medical kits could get directly to people who needed them as quickly as possible. There are also pages available coordinating housing, transportation and other forms of support.
“It’s been interesting to think about people needing medicine for various reasons and that I’m also buying Legos and castles so that the children who have been displaced have toys and things that bring them joy and allow them to be kids in this situation,” Seaman said.
As Seaman prepared more boxes to ship, an employee shared a photograph of his daughter with some of the things Seaman had sent. “I just started crying. It was such a relief.” A relief she wanted to share, leaving the boxes for a moment to connect with other team members around the positive impact of their hard work.
“Despite all of these things that are happening around us that are horrific and awful and things that shouldn’t be happening, there are still things that we can celebrate. We’re still humans who have feelings, relationships, milestones and holidays.” – Sammi Seaman
Remembering children also became important during spring holidays. Through asking employees if they celebrated Easter and if they’d like Easter baskets, she learned that many employees celebrated traditional Orthodox Ukrainian Easter and would appreciate the baskets.
Seaman’s colleague researched what people in Ukraine typically put in their Easter baskets and together they made the baskets, boxed them up and shipped them. “The baskets weren’t a necessity but were nice to remind people that despite all of these things that are happening around us that are horrific and awful and things that shouldn’t be happening, there are still things that we can celebrate. We’re still humans who have feelings, relationships, milestones and holidays.”
Outside of work, Benge competes as an Olympic weightlifter. After months of training, her first national level meet was scheduled to happen early into the war in Ukraine. She considered withdrawing given the 24/7 nature of Cisco Talos’ response. However, “only because of the support of those around me,” Benge decided to compete—while working from her phone in the warm up room between lifts. The physical movement allows Benge to manage her mental health and stress while modeling self-care for the team: “If I can’t be my own best self, then the people around me can hardly be expected to do the same.”
Self-care and mental health are so important to the team that Henderson and Benge recently joined their colleagues, Matt Olney, the director of threat intelligence and interdiction, and Strategic Communications Leader Mitch Neff on a Cisco Secure podcast about mental health. The conversation illuminated the importance of reaching out for help, utilizing support systems such as those provided by Cisco and talking to someone including a therapist.
“Using those types of resources is a valuable thing, particularly when managing very high levels of stress and anxiety that come with cybersecurity. No matter what kind of support it is that we need, it’s important to take that time and recognize that it’s valuable to invest in your own mental health,” Benge stated.
Seaman shared that because it can be hard to ask for help or delegate, when she does, she gives herself a pat on the back. She advises that especially in crisis situations it’s important to remember that while things need to get done, it’s not entirely on you to get those things done. “The leadership at Cisco Talos has really emphasized that you’re not alone. The employee assistance program has been a great resource and I’ve got a therapist that I talk to about these things and make sure that I’m taking care of myself so that I can continue to take care of others.”
The team’s bond and purpose run deep. “We care deeply about everyone that we work with. It’s okay to not be on at all times. It’s okay to feel sad and it’s okay to feel anxious. One of the things that I’ve loved about working with Cisco Talos, especially during these more difficult things, is that everybody’s got your back and they make it a safe space to share those feelings. I truly feel like the people I work with are like my family. We’re curated an environment where we can all talk about what we’re going through.”
To learn more about Cisco Talos, Cisco Secure and Duo Security and how you can apply your empathy, skills and passion to make a difference in cybersecurity, check out open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
War in Europe, a reminder for shared service centers and shoring operations to re-examine IT security posture
The post Do back offices mean backdoors? appeared first on WeLiveSecurity
In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK’s House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.
The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).
Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:
Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach – the UK’s largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen – showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.
There is no question the security resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future’.
The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:
As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource intensive measures’ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.
Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms ‘must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations’.
The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations. An area of high focus for example will be on Third Party controls and managing the relationship with them.
However there are more common security requirements as well. From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are is a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizon’s 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisation’s systems.
Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.
We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industries’ and jurisdictions’ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.
We are also running an event in London on 13 October: ‘Are you ready for TSA?’ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please register here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.
Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.
Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.
The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.
Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich“) who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.
The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.
Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.
Tank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.
The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.
Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her birth weight.
“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.
Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.
Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.
Writing for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.
“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”
I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.
From reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.
It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up at the portal to view messages for every other user. A scraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”
Each mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.
When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
My spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.
Just as often, the victim company would suspect that I was somehow involved in the robbery, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.
Collectively, these notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.
This incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank:
lucky12345: It’s fucked.
On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.
jim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation Good news expected exactly by the New Year! Besides us no one reads his column
tank: Mr. Fucking Brian Fucking Kerbs!
Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — also is currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.
Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI
Update, Nov. 16, 2022, 7:55 p.m. ET:: Multiple media outlets are reporting that Swiss authorities confirmed they arrested a Ukrainian national wanted on cybercrime charges. The arrest occurred in Geneva on Oct. 23, 2022. “The US authorities accuse the prosecuted person of extortion, bank fraud and identity theft, among other things,” reads a statement from the Swiss Federal Office of Justice (FOJ).
“During the hearing on 24 October, 2022, the person did not consent to his extradition to the USA via a simplified proceeding,” the FOJ continued. “After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November, 2022. The decision of the FOJ may be appealed at the Swiss Criminal Federal Court, respectively at the Swiss Supreme Court.”
ESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm's fingerprints all over it
The post RansomBoggs: New ransomware targeting Ukraine appeared first on WeLiveSecurity
In our last blog, we gave a rundown of what the Telecommunications (Security) Act (TSA) is, why it’s been introduced, who it affects, when it starts, and how firms can prepare. Here, we take a closer look into the themes introduced by the Act, explore how the telecoms industry can explore zero trust to further improve its security posture, and outline the benefits that can be gained when complying.
When the Telecoms Security Act (TSA) was introduced, it was labelled as ‘one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry’ by Matt Warman, former Minister of State at the Department for Digital, Culture, Media, and Sport. The industry is certainly feeling the impending impact of the act – with one industry pundit at an event we ran recently describing it as a ‘multi-generational change’ for the sector.
One of the headline grabbers stemming from the Act are the associated fines. With the new powers granted to it by the Act, Ofcom now has the responsibility to oversee operators’ security policies and impose fines of up to 10 percent of turnover or £100,000 a day in case operators don’t comply or the blanket ban of telecoms vendors such as Huawei. Sounds like the typical ‘stick’-based costly compliance messaging that no-one particularly wants to hear, right? But what if the TSA had some ‘carrot’-based business benefits that are much less discussed?
The TSA introduces a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately. ny of the themes introduced in the code of practice can be aligned with the themes in a zero trust security model, which are also a focus for CISOs.
Zero trust security is a concept (also known as ‘never trust, always verify’) which establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. At Duo, our approach to zero trust is:
A crucial point to note here: much like a solution that claims to help with all aspects of the TSA, telecom providers should be wary of any vendor who claims to have a zero-trust product. Both are far much bigger than any ‘silver bullet’ solution purports to offer. But there is a good reason a zero-trust framework has been mandated by the US White House for all federal agencies, and recommended by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).
As well as helping to mitigate the significant cyber risks presented to the telecoms industry, a zero-trust strategy provides many business benefits. Our recent Guide to Zero Trust Maturity shows that:
A robust zero-trust security program includes phishing-resistant multi factor authentication (MFA), access controls for devices and applications, risk-signalling, dynamic authentication, firewalls, analytics, web monitoring and more. As I said previously there is no one answer to zero trust, or indeed the TSA, but getting the basics right like strong MFA, single sign on (SSO) and device trust are an easy and effective way to get started.
The TSA will be a huge undertaking for industry, but it is important to focus on the benefits such a wide-reaching set of regulatory rules will inevitably result in. As another guest from our recent event put it: ‘the TSA is full of the latest and modern best practice around security, so the aim really is to raise the tide and all ships, which can only be a good thing.’
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Sandworm continues to conduct attacks against carefully chosen targets in the war-torn country
The post SwiftSlicer: New destructive wiper malware strikes Ukraine appeared first on WeLiveSecurity
ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022
The post A year of wiper attacks in Ukraine appeared first on WeLiveSecurity
As the war shows no signs of ending and cyber-activity by states and criminal groups remains high, conversations around the cyber-resilience of critical infrastructure have never been more vital
The post How the war in Ukraine has been a catalyst in private‑public collaborations appeared first on WeLiveSecurity
A Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware groups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail Pavolovich Matveev, a.k.a. “Wazawaka” and “Boriselcin” worked with three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies.
Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.
The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.
Meanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.
In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.
“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”
In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).
A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.
“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”
Prosecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.
Previous reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware forum. RAMP stands for “Ransom Anon Market Place, and analysts at the security firm Flashpoint say the forum was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.”
As noted in last year’s investigations into Matveev, his alleged cybercriminal handles all were driven by a uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder.
In thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting download links to databases from companies that have refused to negotiate after five days.
Matveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces more than 20 years in prison.
Further reading:
Who is the Network Access Broker “Wazawaka?”
The New Jersey indictment against Matveev (PDF)
The indictment from the U.S. attorney’s office in Washington, D.C. (PDF)
Nikita Kislitsin, formerly the head of network security for one of Russia’s top cybersecurity firms, was arrested last week in Kazakhstan in response to 10-year-old hacking charges from the U.S. Department of Justice. Experts say Kislitsin’s prosecution could soon put the Kazakhstan government in a sticky diplomatic position, as the Kremlin is already signaling that it intends to block his extradition to the United States.
Nikita Kislitsin, at a security conference in Russia.
Kislitsin is accused of hacking into the now-defunct social networking site Formspring in 2012, and conspiring with another Russian man convicted of stealing tens of millions of usernames and passwords from LinkedIn and Dropbox that same year.
In March 2020, the DOJ unsealed two criminal hacking indictments against Kislitsin, who was then head of security at Group-IB, a cybersecurity company that was founded in Russia in 2003 and operated there for more than a decade before relocating to Singapore.
Prosecutors in Northern California indicted Kislitsin in 2014 for his alleged role in stealing account data from Formspring. Kislitsin also was indicted in Nevada in 2013, but the Nevada indictment does not name his alleged victim(s) in that case.
However, documents unsealed in the California case indicate Kislitsin allegedly conspired with Yevgeniy Nikulin, a Russian man convicted in 2020 of stealing 117 million usernames and passwords from Dropbox, Formspring and LinkedIn in 2012. Nikulin is currently serving a seven-year sentence in the U.S. prison system.
As first reported by Cyberscoop in 2020, a trial brief in the California investigation identified Nikulin, Kislitsin and two alleged cybercriminals — Oleg Tolstikh and Oleksandr Vitalyevich Ieremenko — as being present during a 2012 meeting at a Moscow hotel, where participants allegedly discussed starting an internet café business.
A 2010 indictment out of New Jersey accuses Ieremenko and six others with siphoning nonpublic information from the U.S. Securities & Exchange Commission (SEC) and public relations firms, and making $30 million in illegal stock trades based on the proprietary information they stole.
[The U.S. Secret Service has an outstanding $1 million reward for information leading to the arrest of Ieremenko (Александр Витальевич Еременко), who allegedly went by the hacker handles “Zl0m” and “Lamarez.”]
Kislitsin was hired by Group-IB in January 2013, nearly six months after the Formspring hack. Group-IB has since moved its headquarters to Singapore, and in April 2023 the company announced it had fully exited the Russian market.
In a statement provided to KrebsOnSecurity, Group-IB said Mr. Kislitsin is no longer an employee, and that he now works for a Russian organization called FACCT, which stands for “Fight Against Cybercrime Technologies.”
“Dmitry Volkov, co-founder and CEO, sold his stake in Group-IB’s Russia-based business to the company’s local management,” the statement reads. “The stand-alone business in Russia has been operating under the new brand FACCT ever since and will continue to operate as a separate company with no connection to Group-IB.”
FACCT says on its website that it is a “Russian developer of technologies for combating cybercrime,” and that it works with clients to fight targeted attacks, data leaks, fraud, phishing and brand abuse. In a statement published online, FACCT said Kislitsin is responsible for developing its network security business, and that he remains under temporary detention in Kazakhstan “to study the basis for extradition arrest at the request of the United States.”
“According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than 10 years ago when Nikita worked as a journalist and independent researcher,” FACCT wrote.
From 2006 to 2012, Kislitsin was editor-in-chief of “Hacker,” a popular Russian-language monthly magazine that includes articles on information and network security, programming, and frequently features interviews with and articles penned by notable or wanted Russian hackers.
“We are convinced that there are no legal grounds for detention on the territory of Kazakhstan,” the FACCT statement continued. “The company has hired lawyers who have been providing Nikita with all the necessary assistance since last week, and we have also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan to assist in protecting our employee.”
FACCT indicated that the Kremlin has already intervened in the case, and the Russian government claims Kislitsin is wanted on criminal charges in Russia and must instead be repatriated to his homeland.
“The FACCT emphasizes that the announcement of Nikita Kislitsin on the wanted list in the territory of the Russian Federation became known only today, June 28, 6 days after the arrest in Kazakhstan,” FACCT wrote. “The company is monitoring developments.”
The Kremlin followed a similar playbook in the case of Aleksei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums. Burkov was arrested in 2015 by Israeli authorities, and the Russian government fought Burkov’s extradition to the U.S. for four years — even arresting and jailing an Israeli woman on phony drug charges to force a prisoner swap.
That effort ultimately failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison.
Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Image: Andrei Shirokov / Tass via Getty Images.
Arkady Bukh is a U.S. attorney who has represented dozens of accused hackers from Russia and Eastern Europe who were extradited to the United States over the years. Bukh said Moscow is likely to turn the Kislitsin case into a diplomatic time bomb for Kazakhstan, which shares an enormous border and a great deal of cultural ties with Russia. A 2009 census found that Russians make up about 24 percent of the population of Kazakhstan.
“That would put Kazakhstan at a crossroads to choose between unity with Russia or going with the West,” Bukh said. “If that happens, Kazakhstan may have to make some very unpleasant decisions.”
Group-IB’s exodus from Russia comes as its former founder and CEO Ilya Sachkov remains languishing in a Russian prison, awaiting a farcical trial and an inevitable conviction on charges of treason. In September 2021, the Kremlin issued treason charges against Sachkov, although it has so far refused to disclose any details about the allegations.
Sachkov’s pending treason trial has been the subject of much speculation among denizens of Russian cybercrime forums, and the consensus seems to be that Sachkov and Group-IB were seen as a little too helpful to the DOJ in its various investigations involving top Russian hackers.
Indeed, since its inception in 2003, Group-IB’s researchers have helped to identify, disrupt and even catch a number of high-profile Russian hackers, most of whom got busted after years of criminal hacking because they made the unforgivable mistake of stealing from their own citizens.
When the indictments against Kislitsin were unsealed in 2020, Group-IB issued a lengthy statement attesting to his character and saying they would help him with his legal defense. As part of that statement, Group-IB noted that “representatives of the Group-IB company and, in particular, Kislitsin, in 2013, on their own initiative, met with employees of the US Department of Justice to inform them about the research work related to the underground, which was carried out by Kislitsin in 2012.”
The top-level domain for the United States — .US — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.
Researchers at Infoblox say they’ve been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors. Infoblox found the domains involved are typically three to seven characters long, and hosted on bulletproof hosting providers that charge a premium to ignore any abuse or legal complaints. The short domains don’t host any content themselves, but are used to obfuscate the real address of landing pages that try to phish users or install malware.
A graphic describing the operations of a malicious link shortening service that Infoblox has dubbed “Prolific Puma.”
Infoblox says it’s unclear how the phishing and malware landing pages tied to this service are being initially promoted, although they suspect it is mainly through scams targeting people on their phones via SMS. A new report says the company mapped the contours of this link shortening service thanks in part to pseudo-random patterns in the short domains, which all appear on the surface to be a meaningless jumble of letters and numbers.
“This came to our attention because we have systems that detect registrations that use domain name generation algorithms,” said Renee Burton, head of threat intelligence at Infoblox. “We have not found any legitimate content served through their shorteners.”
Infoblox determined that until May 2023, domains ending in .info accounted for the bulk of new registrations tied to the malicious link shortening service, which Infoblox has dubbed “Prolific Puma.” Since then, they found that whoever is responsible for running the service has used .US for approximately 55 percent of the total domains created, with several dozen new malicious .US domains registered daily.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. But Uncle Sam has long outsourced the management of .US to various private companies, which have gradually allowed the United States’s top-level domain to devolve into a cesspool of phishing activity.
Or so concludes The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content.
Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and identified approximately 30,000 .US phishing domains. Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Others were used to impersonate or attack U.S. government agencies.
Under NTIA regulations, domain registrars processing .US domain registrations must take certain steps (PDF) to verify that those customers actually reside in the United States, or else own organizations based in the U.S. However, if one registers a .US domain through GoDaddy — the largest domain registrar and the current administrator of the .US contract — the way one “proves” their U.S. nexus is simply by choosing from one of three pre-selected affirmative responses.
In an age when most domain registrars are automatically redacting customer information from publicly accessible registration records to avoid running afoul of European privacy laws, .US has remained something of an outlier because its charter specifies that all registration records be made public. However, Infoblox said it found more than 2,000 malicious link shortener domains ending in .US registered since October 2023 through NameSilo that have somehow subverted the transparency requirements for the usTLD and converted to private registrations.
“Through our own experience with NameSilo, it is not possible to select private registration for domains in the usTLD through their interface,” Infoblox wrote. “And yet, it was done. Of the total domains with private records, over 99% were registered with NameSilo. At this time, we are not able to explain this behavior.”
NameSilo CEO Kristaps Ronka said the company actively responds to reports about abusive domains, but that it hasn’t seen any abuse reports related to Infoblox’s findings.
“We take down hundreds to thousands of domains, lots of them proactively to combat abuse,” Ronka said. “Our current abuse rate on abuseIQ for example is currently at 0%. AbuseIQ receives reports from countless sources and we are yet to see these ‘Puma’ abuse reports.”
Experts who track domains associated with malware and phishing say even phony information supplied at registration is useful in identifying potentially malicious or phishous domains before they can be used for abuse.
For example, when it was registered through NameSilo in July 2023, the domain 1ox[.]us — like thousands of others — listed its registrant as “Leila Puma” at a street address in Poland, and the email address blackpumaoct33@ukr.net. But according to DomainTools.com, on Oct. 1, 2023 those records were redacted and hidden by NameSilo.
Infoblox notes that the username portion of the email address appears to be a reference to the song October 33 by the Black Pumas, an Austin, Texas based psychedelic soul band. The Black Pumas aren’t exactly a household name, but they did recently have a popular Youtube video that featured a cover of the Kinks song “Strangers,” which included an emotional visual narrative about Ukrainians seeking refuge from the Russian invasion, titled “Ukraine Strangers.” Also, Leila Puma’s email address is at a Ukrainian email provider.
DomainTools shows that hundreds of other malicious domains tied to Prolific Puma previously were registered through NameCheap to a “Josef Bakhovsky” at a different street address in Poland. According to ancestry.com, the anglicized version of this surname — Bakovski — is the traditional name for someone from Bakowce, which is now known as Bakivtsi and is in Ukraine.
This possible Polish and/or Ukrainian connection may or may not tell us something about the “who” behind this link shortening service, but those details are useful for identifying and grouping these malicious short domains. However, even this meager visibility into .US registration data is now under threat.
The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity.
Infoblox’s Burton says Prolific Puma is remarkable because they’ve been able to facilitate malicious activities for years while going largely unnoticed by the security industry.
“This exposes how persistent the criminal economy can be at a supply chain level,” Burton said. “We’re always looking at the end malware or phishing page, but what we’re finding here is that there’s this middle layer of DNS threat actors persisting for years without notice.”
Infoblox’s full report on Prolific Puma is here.
On Dec. 18, 2013, KrebsOnSecurity broke the news that U.S. retail giant Target was battling a wide-ranging computer intrusion that compromised more than 40 million customer payment cards over the previous month. The malware used in the Target breach included the text string “Rescator,” which also was the handle chosen by the cybercriminal who was selling all of the cards stolen from Target customers. Ten years later, KrebsOnSecurity has uncovered new clues about the real-life identity of Rescator.
Rescator, advertising a new batch of cards stolen in a 2014 breach at P.F. Chang’s.
Shortly after breaking the Target story, KrebsOnSecurity reported that Rescator appeared to be a hacker from Ukraine. Efforts to confirm my reporting with that individual ended when they declined to answer questions, and after I declined to accept a bribe of $10,000 not to run my story.
That reporting was based on clues from an early Russian cybercrime forum in which a hacker named Rescator — using the same profile image that Rescator was known to use on other forums — claimed to have originally been known as “Helkern,” the nickname chosen by the administrator of a cybercrime forum called Darklife.
KrebsOnSecurity began revisiting the research into Rescator’s real-life identity in 2018, after the U.S. Department of Justice unsealed an indictment that named a different Ukrainian man as Helkern.
It may be helpful to first recap why Rescator is thought to be so closely tied to the Target breach. For starters, the text string “Rescator” was found in some of the malware used in the Target breach. Investigators would later determine that a variant of the malware used in the Target breach was used in 2014 to steal 56 million payment cards from Home Depot customers. And once again, cards stolen in the Home Depot breach were sold exclusively at Rescator’s shops.
On Nov. 25, 2013, two days before Target said the breach officially began, Rescator could be seen in instant messages hiring another forum member to verify 400,000 payment cards that Rescator claimed were freshly stolen.
By the first week of December 2013, Rescator’s online store — rescator[.]la — was selling more than six million payment card records stolen from Target customers. Prior to the Target breach, Rescator had mostly sold much smaller batches of stolen card and identity data, and the website allowed cybercriminals to automate the sending of fraudulent wire transfers to money mules based in Lviv, Ukraine.
Finally, there is some honor among thieves, and in the marketplace for stolen payment card data it is considered poor form to advertise a batch of cards as “yours” if you are merely reselling cards sold to you by a third-party card vendor or thief. When serious stolen payment card shop vendors wish to communicate that a batch of cards is uniquely their handiwork or that of their immediate crew, they refer to it as “our base.” And Rescator was quite clear in his advertisements that these millions of cards were obtained firsthand.
The new clues about Rescator’s identity came into focus when I revisited the reporting around an April 2013 story here that identified the author of the OSX Flashback Trojan, an early Mac malware strain that quickly spread to more than 650,000 Mac computers worldwide in 2012.
That story about the Flashback author was possible because a source had obtained a Web browser authentication cookie for a founding member of a Russian cybercrime forum called BlackSEO. Anyone in possession of that cookie could then browse the invite-only BlackSEO forum and read the user’s private messages without having to log in.
BlackSEO.com VIP member “Mavook” tells forum admin Ika in a private message that he is the Flashback author.
The legitimate owner of that BlackSEO user cookie went by the nickname Ika, and Ika’s private messages on the forum showed he was close friends with the Flashback author. At the time, Ika also was the administrator of Pustota[.]pw — a closely-guarded Russian forum that counted among its members some of the world’s most successful and established spammers and malware writers.
For many years, Ika held a key position at one of Russia’s largest Internet service providers, and his (mostly glowing) reputation as a reliable provider of web hosting to the Russian cybercrime community gave him an encyclopedic knowledge about nearly every major player in that scene at the time.
The story on the Flashback author featured redacted screenshots that were taken from Ika’s BlackSEO account (see image above). The day after that story ran, Ika posted a farewell address to his mates, expressing shock and bewilderment over the apparent compromise of his BlackSEO account.
In a lengthy post on April 4, 2013 titled “I DON’T UNDERSTAND ANYTHING,” Ika told Pustota forum members he was so spooked by recent events that he was closing the forum and quitting the cybercrime business entirely. Ika recounted how the Flashback story had come the same week that rival cybercriminals tried to “dox” him (their dox named the wrong individual, but included some of Ika’s more guarded identities).
“It’s no secret that karma farted in my direction,” Ika said at the beginning of his post. Unbeknownst to Ika at the time, his Pustota forum also had been completely hacked that week, and a copy of its database shared with this author.
A Google translated version of the farewell post from Ika, the administrator of Pustota, a Russian language cybercrime forum focused on botnets and spam. Click to enlarge.
Ika said the two individuals who tried to dox him did so on an even more guarded Russian language forum — DirectConnection[.]ws, perhaps the most exclusive Russian cybercrime community ever created. New applicants of this forum had to pay a non-refundable deposit, and receive vouches by three established cybercriminals already on the forum. Even if one managed to steal (or guess) a user’s DirectConnection password, the login page could not be reached unless the visitor also possessed a special browser certificate that the forum administrator gave only to approved members.
In no uncertain terms, Ika declared that Rescator went by the nickname MikeMike on DirectConnection:
“I did not want to bring any of this to real life. Especially since I knew the patron of the clowns – specifically Pavel Vrublevsky. Yes, I do state with confidence that the man with the nickname Rescator a.k.a. MikeMike with his partner Pipol have been Pavel Vrublevsky’s puppets for a long time.”
Pavel Vrublevsky is a convicted cybercriminal who became famous as the CEO of the Russian e-payments company ChronoPay, which specialized in facilitating online payments for a variety of “high-risk” businesses, including gambling, pirated Mp3 files, rogue antivirus software and “male enhancement” pills.
As detailed in my 2014 book Spam Nation, Vrublevsky not-so-secretly ran a pharmacy affiliate spam program called Rx-Promotion, which paid spammers and virus writers to blast out tens of billions of junk emails advertising generic Viagra and controlled pharmaceuticals like pain relief medications. Much of my reporting on Vrublevsky’s cybercrime empire came from several years worth of internal ChronoPay emails and documents that were leaked online in 2010 and 2011.
Pavel Vrublevsky’s former Facebook profile photo.
In 2014, KrebsOnSecurity learned from a trusted source close to the Target breach investigation that the user MikeMike on DirectConnection — the same account that Ika said belonged to Rescator — used the email address “zaxvatmira@gmail.com.”
At the time, KrebsOnSecurity could not connect that email address to anything or anyone. However, a recent search on zaxvatmira@gmail.com at the breach tracking service Constella Intelligence returns just one result: An account created in November 2010 at the site searchengines[.]ru under the handle “r-fac1.”
A search on “r-fac1” at cyber intelligence firm Intel 471 revealed that this user’s introductory post on searchengines[.]ru advertised musictransferonline[.]com, an affiliate program that paid people to drive traffic to sites that sold pirated music files for pennies apiece.
According to leaked ChronoPay emails from 2010, this domain was registered and paid for by ChronoPay. Those missives also show that in August 2010 Vrublevsky authorized a payment of ~$1,200 for a multi-user license of an Intranet service called MegaPlan.
ChronoPay used the MegaPlan service to help manage the sprawling projects that Vrublevsky referred to internally as their “black” payment processing operations, including pirated pills, porn, Mp3s, and fake antivirus products. ChronoPay employees used their MegaPlan accounts to track payment disputes, order volumes, and advertising partnerships for these high-risk programs.
Borrowing a page from the Quentin Tarantino movie Reservoir Dogs, the employees adopted nicknames like “Mr. Kink,” “Mr. Heppner,” and “Ms. Nati.” However, in a classic failure of operational security, many of these employees had their MegaPlan account messages automatically forwarded to their real ChronoPay email accounts.
When ChronoPay’s internal emails were leaked in 2010, the username and password for its MegaPlan subscription were still working and valid. An internal user directory for that subscription included the personal (non-ChronoPay) email address tied to each employee Megaplan nickname. That directory listing said the email address zaxvatmira@gmail.com was assigned to the head of the Media/Mp3 division for ChronoPay, pictured at the top left of the organizational chart above as “Babushka Vani and Koli.”
[Author’s note: I initially overlooked the presence of the email address zaxvatmira@gmail.com in my notes because it did not show up in text searches of my saved emails, files or messages. I rediscovered it recently when a text search for zaxvatmira@gmail.com on my Mac found the address in a screenshot of the ChronoPay MegaPlan interface.]
The nickname two rungs down from “Babushka” in the ChronoPay org chart is “Lev Tolstoy,” which the MegaPlan service showed was picked by someone who used the email address v.zhabukin@freefrog-co-ru.
ChronoPay’s emails show that this Freefrog email address belongs to a Vasily Borisovich Zhabykin from Moscow. The Russian business tracking website rusprofile[.]ru reports that Zhabykin is or was the supervisor or owner of three Russian organizations, including one called JSC Hot Spot.
[Author’s note: The word “babushka” means “grandma” in Russian, and it could be that this nickname is a nod to the ChronoPay CEO’s wife, Vera. The leaked ChronoPay emails show that Vera Vrublevsky managed a group of hackers working with their media division, and was at least nominally in charge of MP3 projects for ChronoPay. Indeed, in messages exposed by the leaked ChronoPay email cache, Zhabykin stated that he was “directly subordinate” to Mrs. Vrublevsky].
JSC Hot Spot is interesting because its co-founder is another ChronoPay employee: 37-year-old Mikhail “Mike” Shefel. A Facebook profile for Mr. Shefel says he is or was vice president of payment systems at ChronoPay. However, the last update on that profile is from 2018, when Shefel appears to have legally changed his last name.
Archive.org shows that Hot Spot’s website — myhotspot[.]ru — sold a variety of consulting services, including IT security assessments, code and system audits, and email marketing. The earliest recorded archive of the Hot Spot website listed three clients on its homepage, including ChronoPay and Freefrog.
ChronoPay internal emails show that Freefrog was one of its investment projects that facilitated the sale of pirated Mp3 files. Rusprofile[.]ru reports that Freefrog’s official company name — JSC Freefrog — is incorporated by a thinly-documented entity based in the Seychelles called Impex Consulting Ltd., and it is unclear who its true owners are.
However, a search at DomainTools.com on the phone number listed on the homepage of myhotspot[.]ru (74957809554) reveals that number is associated with eight domain names.
Six of those domains are some variation of FreeFrog. Another domain registered to that phone number is bothunter[.]me, which included a copyright credit to “Hot Spot 2011.” At the annual Russian Internet Week IT convention in Moscow in 2012, Mr. Shefel gave a short presentation about bothunter, which he described as a service he designed to identify inauthentic (bot) accounts on Russian social media networks.
Interestingly, one of r-fac1’s first posts to Searchengines[.]ru a year earlier saw this user requesting help from other members who had access to large numbers of hacked social media accounts. R-fac1 told forum members that he was only looking to use those accounts to post harmless links and comments to the followers of the hacked profiles, and his post suggested he was testing something.
“Good afternoon,” r-fac1 wrote on Dec. 20, 2010. “I’m looking for people with their own not-recently-registered accounts on forums, (except for search) Social networks, Twitter, blogs, their websites. Tasks, depending on your accounts, post text and a link, sometimes just a link. Most often the topic is chatter, relaxation, discussion. Posting my links in your profiles, on your walls. A separate offer for people with a large set of contacts in instant messengers to try to use viral marketing.”
Neither Mr. Shefel nor Mr. Zhabykin responded to requests for comment.
Mr. Zhabykin soon moved on to bigger ventures, co-founding a cryptocurrency exchange based in Moscow’s financial center called Suex. In September 2021, Suex earned the distinction of becoming the first crypto firm to be sanctioned by the U.S. Department of the Treasury, which effectively blocked Suex from the global financial system. The Treasury alleged Suex helped to process millions in criminal transactions, including the proceeds of numerous ransomware attacks.
“I don’t understand how I got mixed up in this,” Zhabykin told The New York Times in 2021. Zhabykin said Suex, which is registered in the Czech Republic, was mostly a failure and had conducted only a half dozen or so transactions since 2019.
The Russian business tracking service Rusprofile says Zhabykin also is the owner of a company based in the United Kingdom called RideWithLocal; the company’s website says it specializes in arranging excursions for extreme sports, including snowboarding, skiing, surfing and parasailing. Images from the RideWithLocal Facebook page show helicopters dropping snowboarders and skiers atop some fairly steep mountains.
A screenshot from the Facebook page of RideWithLocal.
Constella Intelligence found a cached copy of a now-deleted LinkedIn profile for Mr. Zhabykin, who described himself as a “sporttech/fintech specialist and mentor.”
“I create products and services worldwide, focusing on innovation and global challenges,” his LinkedIn profile said. “I’ve started my career in 2002 and since then I worked in Moscow, different regions of Russia, including Siberia and in Finland, Brazil, United Kingdom, Sri Lanka. Over the last 15 years I contributed to many amazing products in the following industries: sports, ecology, sport tech, fin tech, electronic payments, big data, telecommunications, pulp and paper industry, wood processing and travel. My specialities are Product development, Mentorship, Strategy and Business development.”
Rusprofile reports that Mikhail Borisovich Shefel is associated with at least eight current or now-defunct companies in Russia, including Dengi IM (Money IM), Internet Capital, Internet Lawyer, Internet 2, Zao Hot Spot, and (my personal favorite) an entity incorporated in 2021 called “All the Money in the World.”
Constella Intelligence found several official documents for Mr. Shefel that came from hacked Russian phone, automobile and residence records. They indicate Mr. Shefel is the registrant of a black Porsche Cayenne (Plate:X537SR197) and a Mercedes (Plate:P003PX90). Those vehicle records show Mr. Shefel was born on May 28, 1986.
Rusprofile reveals that at some point near the end of 2018, Shefel changed his last name to Lenin. DomainTools reports that in 2018, Mr. Shefel’s company Internet 2 LLC registered the domain name Lenin[.]me. This now-defunct service sold physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union.
Meanwhile, Pavel Vrublevsky remains imprisoned in Russia, awaiting trial on fraud charges levied against the payment company CEO in March 2022. Authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.
In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top spammers and botmasters to launch a distributed denial-of-service (DDoS) attack against a ChronoPay competitor that shut down the ticketing system for the state-owned Aeroflot airline.
Following his release, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.
KrebsOnSecurity sought comment on this research from the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, both of which have been involved in the Target breach investigation over the years. The FBI declined to comment. The Secret Service declined to confirm or dispute any of the findings, but said it is still interested in hearing from anyone who might have more information.
“The U.S. Secret Service does not comment on any open investigation and won’t confirm or deny the accuracy in any reporting related to a criminal manner,” the agency said in a written statement. “However, If you have any information relating to the subjects referenced in this article, please contact the U.S. Secret Service at mostwanted@usss.dhs.gov. The Secret Service pays a reward for information leading to the arrest of cybercriminals.”