21 June 2023

Security News This Week: A Newly Named Group of GRU Hackers Is Wreaking Havoc in Ukraine

ANDY GREENBERG ANDREW COUTS

Prison surveillance is now much more than skin deep. A jail in Atlanta, Georgia, has begun rolling out a new tracking system that monitors everything from inmates’ locations to their literal heartbeats, according to documents WIRED obtained through a public records request. Made by Talitrix, the system uses hundreds of sensors installed around a jail that link to a Fitbit-like wristband worn by inmates. Georgia prison officials say the surveillance tech will improve safety inside and help mitigate the impacts of staffing shortages. Privacy experts say it’s the latest erosion of inmates’ rights.

If privacy is virtually nonexistent in jail, it may not be much better before you’re even convicted of a crime. Just ask a family in Indiana’s Monroe County, who are being monitored by probation officers through an app called Covenant Eyes. The app records everything a person does on their device, taking screenshots at least once per minute as well as monitoring network requests, all of which are sent to an “ally.” (The allies, in this case, are two probation officers.) The father, who has been charged with possession of child sexual abuse material, is in jail awaiting trial after the app alerted officers that someone had attempted to visit Pornhub, which would have been a violation of his bond. But thanks to shortcomings in the app, the whole thing may have been a mistake.

Beyond potentially unconstitutional surveillance, there are many other ways government data collection can hurt your privacy. Millions of people in India may have had their data exposed thanks to an alleged breach of CoWIN, India’s vaccination-tracking app. The Indian health ministry says reports of a breach are “without any basis,” and independent security researchers say the breach may not be as widespread as some believed. The government is now investigating.

In the US, a newly declassified report commissioned by the Office of the Director of National Intelligence reveals that spy agencies have been compiling a “large” trove of data about virtually every American simply by purchasing the information from commercial sources, like data brokers. Privacy advocates say the practice is a potential end run around constitutional protections.

Earlier this month, a former intelligence officer publicly claimed the US government has an “intact” craft made by a “non-human” entity, among other extraterrestrial allegations. The claims have caught the attention of US Congress members, several of whom are planning investigations. Given the openness some lawmakers have to conspiratorial thinking, this issue may finally fly out of the shadows.

A more pressing concern for the US government may come from right here on Earth. Encryption chips made by a subsidiary of a company on the US Commerce Department’s so-called Entity List are being used by a slew of government bodies, including the US Navy, NATO, and NASA. The company, Hualan, landed on the Entity List thanks to its close ties to China’s military. But this “red flag” hasn’t stopped these agencies and others from purchasing the encryption chips from Initio, a Hualan subsidiary, raising concerns over a potential backdoor. Initio says it doesn’t have the ability to implement a backdoor in its chips, and several agencies told WIRED that they take the necessary precautions to ensure the security of the tech they use. Given how difficult it is to find a backdoor in these chips, however, these assurances may do little to assuage experts’ fears.

Finally, the Russia-based ransomware gang Clop went on a hacking spree that hit US government agencies and international companies including Shell and British Airways. Clop hackers carried out their cybercriminal campaign by exploiting a vulnerability in the file-transfer service MOVEit. The flaw has since been patched, but the full extent of the stolen data and list of targets remains unclear.

But that's not all. Each week, we round up the biggest security and privacy stories we weren't able to cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

As Russia has carried out its unprecedented cyberwar in Ukraine over nearly a decade, its GRU military intelligence hackers have taken center stage. The notorious GRU hacker groups Sandworm and APT28 have triggered blackouts, launched countless destructive cyberattacks, released the NotPetya malware, and even attempted to spoof results in Ukraine’s 2014 presidential election. Now, according to Microsoft, there’s a new addition to that hyper-aggressive agency’s cyberwar-focused bench.

Microsoft this week named a new group of GRU hackers that it’s calling Cadet Blizzard, which it has been tracking since just before Russia’s full-scale invasion of Ukraine in February 2022. Redmond’s cybersecurity analysts now blame Cadet Blizzard for the destructive malware known as WhisperGate, which hit an array of government agencies, nonprofits, IT organizations, and emergency services in Ukraine in January 2022, just a month before Russia’s invasion began. Microsoft also attributes to Cadet Blizzard a series of web defacements and a hack-and-leak operation known as Free Civilian that dumped online the data of several Ukrainian victim organizations while loosely impersonating hacktivists, another of the GRU’s trademarks.

Microsoft assesses that Cadet Blizzard appears to have the help of at least one private sector Russian firm in its hacking campaign but that it’s neither as prolific nor as sophisticated as previously known GRU groups plaguing Ukraine. But as Russia has switched up the tempo of its cyberwar, focusing on quantity rather than quality of attacks, Cadet Blizzard may play a key role in that brutal cadence of chaos.

You might think that in 2023, Russian hackers would have learned not to travel to countries with US extradition treaties, let alone to a US state. But one allegedly prolific ransomware extortionist associated with the notorious LockBit group was arrested this week in Arizona, the Department of Justice announced. Ruslan Magomedovich Astamirov, a 20-year-old man living in Russia’s Chechen Republic, carried out at least five ransomware attacks against victims in Florida, Tokyo, Virginia, France, and Kenya, according to prosecutors. And in one case, he allegedly pocketed 80 percent of the bitcoin ransom personally. Astamirov’s arrest represents a relatively rare instance of US officials laying hands on a ransomware hacker; most of them stay on Russian soil and evade arrest. It’s not yet clear why Astamirov made the mistake of traveling, but here’s hoping it’s a trend. Lots of other US-extradition countries are lovely this time of year.

File this one under “complicated headlines”: According to a search warrant unearthed by Forbes, the FBI used information stolen by a hacker from a dark-web assassination market to investigate a person going by the pseudonym Bonfire, who the FBI believes is a Louisiana hairdresser named Julie Coda, for allegedly trying to commission the murder of her niece’s father. In fact, Bonfire was being scammed by a fake murder-for-hire service, as is almost always the case with such dark-web deals. And to compound her problems, her alleged attempted murder-for-hire was revealed to the FBI by a hacker working as an informant for the US Department of Homeland Security. To further complicate this dark, strange story, that hacker appears to have been a foreign national flipped by the DHS and convicted of possessing child sexual abuse materials.

Last week it came to light that Estonia-based cryptocurrency wallet service Atomic Wallet had been breached by hackers apparently based in North Korea who stole tens of millions of dollars. Crypto analysts at Elliptic have now uncovered the larger picture of that heist and found that the hackers’ haul was in fact in the nine figures, making it one of North Korea’s biggest crypto heists in recent years. According to Elliptic, a large tranche of the funds has flowed to the Russian exchange Garantex, which was sanctioned by the US Treasury Department last year but continues to operate.
