
The White House believes that the attackers on the Colonial Pipeline are located in Russia

The Russian authorities should take action against the hacker group DarkSide, which, according to Washington, is located in Russia and is involved in the cyberattack on the U.S. pipeline company Colonial Pipeline. This opinion was expressed on Tuesday by White House press secretary Jennifer Psaki at a regular briefing for journalists.

She was asked whether Russia bears any responsibility given that DarkSide operates from Russian territory. "U.S. President Joe Biden said his intelligence community has not yet completed a comprehensive analysis of the incident. Moreover, according to the FBI, the attack is attributed to the hacker group DarkSide, located in Russia, so this country must act responsibly," Psaki noted.

"But, again, we will wait until our intelligence community conducts a comprehensive analysis before we can report anything else on this," she concluded.

On Monday, Biden suggested that the criminal elements who carried out the hacking attack on the Colonial Pipeline may be in Russia. Brandon Wales, the Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), said on Tuesday that FBI experts are confident that criminal elements, not authorities of any state, were responsible for the cyber attack.

Press Secretary of the Russian President Dmitry Peskov stressed that Russia had nothing to do with the cyber attack. He added that "the United States refuses to cooperate in countering cybercrime."

The Russian Embassy in Washington rejected "baseless fabrications by individual journalists" about Moscow's possible involvement in this attack.

Earlier, E Hacking News reported that the hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.

According to two reports, the intruders, members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

Chinese hackers attacked a Russian developer of military submarines

Chinese hackers reportedly attacked the Rubin Central Design Bureau for Marine Engineering (CKB Rubin), which designs submarines for the Russian Navy, by sending its CEO images of a submarine laced with malicious code. Experts believe the hackers are acting in the interests of the Chinese government.

According to cybersecurity company Cybereason, Chinese hackers attacked the Russian CKB Rubin in April. The attack began with a fake letter that the hackers sent to the general director of CKB Rubin, purportedly on behalf of JSC "Concern Sea Underwater Weapon – Gidropribor", the State Research Centre of the Russian Federation.

The letter contained a malicious attachment in a file with images of an autonomous unmanned underwater vehicle. "It is very likely that hackers attacked Gidropribor or some other institution before that," the author of the Telegram channel Secator believes.

The RoyalRoad malicious attachment used in the CKB Rubin attack is one of the tools that ensures delivery of malicious code to the target system; it is most often used by groups of Asian origin, said Igor Zalevsky, head of the Solar JSOC CERT Cyber Incident Investigation Department at Rostelecom-Solar.

Cybereason pointed out that the attack on CKB Rubin has similarities to the work of Tonto and TA428 groups. Both have been previously seen in attacks on Russian organizations associated with science and defense.

It is worth noting that the CKB Rubin traces its history back to 1901. More than 85% of the submarines which were part of the Soviet and Russian Navy at various times were built according to its designs.

According to Igor Zalevsky, Rubin's main customer is the Ministry of Defense; CKB Rubin handles critically important and unique information related to the military-industrial complex of the Russian Federation, which explains the interest of cyber-criminals.

Experts believe that such attacks will gain momentum, because specialized cyber centers are being created as the information confrontation between states intensifies.

Information security expert Denis Batrankov noted that design bureaus are attacked mainly for industrial espionage by the special services of other states. "The problem is that we all use software which has many hacking methods that are not yet known. Intelligence agencies are buying new vulnerabilities on the black market for millions of dollars," he added.

Russian Actors Change Techniques After UK and US Agencies Expose Them

After western agencies exposed their techniques, Russian actors from the APT29 group responded by using red-teaming software to get into victims' networks under the guise of a trusted pentesting exercise. The UK's NCSC (National Cyber Security Centre) and US agencies have now warned that the SVR is exploiting a dozen critically rated vulnerabilities, including RCEs in devices ranging from VMware virtualization products to Cisco routers, as well as the well-known Pulse Secure VPN flaw and other equipment.

"The NCSC, CISA, FBI, and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise," says the NCSC website. The advisory describes a case where the spies searched email for authentication credentials, including passwords and PKI keys. Roughly comparable to MI6 with a bit of GCHQ, the SVR is Russia's foreign intelligence agency and is known in the cybersecurity realm as APT29.

Last month, UK and US agencies came together to expose the group's techniques, giving cybersecurity researchers around the world a look at the state-sponsored attackers that might have targeted their network infrastructure. After the NCSC report appeared, the SVR actors changed their TTPs to avoid further detection and to evade any preventive measures that network defenders might have put in place. The group is also posing as an authorized red-team pentester to avoid getting caught. The actors downloaded Sliver, an open-source red-teaming framework, from GitHub and deployed it to maintain their access.

The Russian actors have become more active in exploiting these vulnerabilities. NCSC, in its blog post, warned operators of smart city and public infrastructure to be alert to state-sponsored actors intent on stealing data. "Why the sudden focus on smart streetlights and all the rest of it? The risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights, and access control systems. We understand at least one UK council is removing some smart city gear after having thought of the wisdom of installing it," reports the Register.

SolarWinds Hack Alarms US Spy Agencies to Inspect Software Suppliers' Ties with Russia

US intelligence agencies have started to study supply chain threats from Russia, a top official within the Justice Department confirmed on Thursday 6th of May, in the wake of the far-reaching hacker operations that used software developed by SolarWinds as well as other suppliers. 

SolarWinds Inc. is an American multinational that creates software to help companies manage their IT infrastructure, systems, and networks. It is based in Austin, Texas, and has distribution and product development branches at several US locations and other countries.

According to John Demers, Assistant Attorney General for National Security, the examination will concentrate on any supply chain vulnerabilities arising from Russian businesses—or US businesses operating in Russia. 

“If there’s a back-end software design and coding being done in a country where we know that they’ve used sophisticated cyber means to do intrusions into U.S. companies, then maybe … U.S. companies shouldn’t be doing work with those companies from Russia or other untrusted countries,” Demers stated during a Justice Department-hosted cybersecurity conference. 

Demers stated that any information gathered from the Commerce Department would be passed on to the FBI and the other intelligence officials to determine whether more actions are required to remove suppliers from the U.S. supply chains or not. 

The White House accused the Russian SVR foreign intelligence agency of the spying operation, which used SolarWinds software and penetrated at least nine U.S. federal agencies. The Biden administration has also sanctioned Russian technology firms for supporting the cyber operations of Russian intelligence agencies, though Moscow rejected the allegations.

The United States intelligence analysis also shows that the Biden administration is looking into how future espionage operations could mimic the SVR's alleged exploitation of weak points in US tech companies' networks.

An extensive range of US government bodies and businesses were exposed to infiltration by the allegedly Russian hacking. Initially, SolarWinds stated that the malicious code had been downloaded by 18,000 customers. However, the spies' actual target list consisted of about 100 corporations and, according to the White House, at least nine federal agencies.

Concerns of American officials regarding exposures to the supply chain have indeed increased in recent weeks as certain hacks arose. 

A 2019 executive order signed by then-President Donald Trump, which forbids US telecommunications companies from using hardware that constitutes a national security risk, appears to authorize the supply chain inspection.

Although the executive order was widely seen as an effort to further limit the Chinese telecommunications company Huawei's access to US markets, it can also be applied to other technologies from other countries. U.S. intelligence officers are tasked with continuously reviewing international supply chain threats and drafting additional "rules and regulations" to identify technologies or nations that may pose a danger.

Regarding supply chain screening, US intelligence officials have long expressed fears that Moscow could use Russian suppliers' technology to spy on America.

Weak passwords are one of the main reasons for computer hacking in Russia

According to cybersecurity specialists at Sberbank's Bi.Zone subsidiary, most users choose passwords that are too simple, which cybercriminals can easily guess in 46 percent of cases.

In addition, according to a study by the Russian payment system "Mir Plat.form", less than a third of Russians (28%) use different passwords on the Internet, so the data of the remaining Russians is at risk.

For example, most Russians are used to using the same or similar passwords for different sites. At the same time, 76% of them remember passwords, 40% use auto-save, 29% write them down on paper and 18% save them on their devices in text form.

Digital security experts believe you should use different passwords for different sites and services. Moreover, it is safer to remember them than to write them down or rely on auto-save. According to them, most account takeovers occur when a single leaked password is then tried against other services.

Yandex confirmed that reuse is dangerous: if an attacker learns the password, he will try it on social networks, mail services and online banks.

Yandex added that it monitors the appearance of databases of stolen passwords on the Internet and, if it suspects that a person may be using the same combination of characters, it proactively forces that person to change their login credentials.

VKontakte's press service said that its system will not allow a user who is changing credentials to reuse a combination of letters, numbers and symbols that has been used before.

Specialists urge Internet users to be more responsible when choosing a password, to avoid losing important information or money and to avoid becoming a victim of blackmail. The most secure password is a combination of upper and lower case letters and digits in random order, with punctuation symbols added.
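The two failures described above, a password that already sits in a leaked database and one password reused across services, can both be checked on the defender's side. The following is an added example, not code from the article or from any of the companies it quotes. It builds a small constructed "leaked password" corpus, indexes it the way a k-anonymity breach-range lookup does (keyed by the first five hex characters of the SHA-1, so a full hash never has to leave the client), and audits a constructed set of accounts for breached and reused passwords. SHA-1 is used here only because that is the lookup-key convention of such range services; it is not a password storage hash.

```python
"""Defender-side checks: is a password in a leaked dump, and is it reused?"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """SHA-1 of the password, upper-case hex (range-lookup convention, not storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_passwords):
    """Index a leaked corpus by 5-char SHA-1 prefix -> set of 35-char suffixes.
    This mirrors what a k-anonymity range API holds server-side."""
    index = defaultdict(set)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password: str, index) -> bool:
    """Only the 5-char prefix would be sent to a lookup service; the suffix
    comparison happens locally against the returned candidate list."""
    digest = sha1_hex(password)
    candidates = index.get(digest[:5], set())  # what a range query returns
    return digest[5:] in candidates


def audit_accounts(accounts: dict, index) -> dict:
    """accounts maps service name -> password (e.g. a password-manager export).
    Returns the services whose password is breached and the groups of services
    that share one password."""
    by_password = defaultdict(list)
    for service, pw in accounts.items():
        by_password[pw].append(service)
    reused = sorted(sorted(svcs) for svcs in by_password.values() if len(svcs) > 1)
    breached = sorted(s for s, pw in accounts.items() if is_breached(pw, index))
    return {"breached": breached, "reused": reused}


# Constructed sample data (not from any real breach or user)
LEAKED = ["123456", "qwerty", "password1"]
ACCOUNTS = {
    "mail": "qwerty",
    "bank": "Tr0ub4dor&3",
    "social": "qwerty",
    "shop": "correct horse battery staple",
}

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS, build_range_index(LEAKED))
    print("breached:", report["breached"])
    print("reused:", report["reused"])
```

The reuse audit is the user-side (password manager) view; a service like the ones quoted above can only detect reuse by matching leaked hashes against its own, which is exactly the breached check run at scale.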

New South Wales Labor Party Hit by Avaddon Ransomware, Attackers Demand Ransom

On Wednesday afternoon, New South Wales (NSW) police disclosed an apparent ransomware attack on the New South Wales Labor Party.

The cybercriminal group has given the Labor Party ten days to pay a ransom; otherwise the illicitly accessed data, including driver's licenses, passport images and employment contracts, will be released publicly.

According to available information, the ransomware group Avaddon, which emerged in Russia, is behind the breach. The Sydney City Police Area Command has already begun its inquiries into the attack.

The Avaddon ransomware originated in mid-2020 on an underground forum (a form of online social network where participants exchange information on abusive tactics and trade illegal goods and services). Research suggests that Avaddon has been linked to various malicious activities, including data compromise and leaked credentials of at least 23 organizations as of February this year.

Further, Rey Juan Carlos University in Spain has published a research paper disclosing that the Avaddon operators use distributed denial-of-service attacks against victims who refuse to pay the ransom.

“NSW Labor, the company does not want to cooperate with us, so we give them 240 hours to communicate and cooperate with us. If this does not happen before the time counter expires, we will leak valuable company documents…” 

“…We have a large amount of data on contracts, a lot of confidential information, confidential contracts, driver’s licenses, passports, employment contracts, information about employees, resumes, and more,” Avaddon said in a post on its website. 

Prior to this cyberattack, high-profile Australian organizations had been targeted, including the email systems of the Commonwealth and West Australian parliaments, which were taken offline this year. Now a major political party has become a victim; this is the first time cyber attackers have tried to extort an Australian political party for financial gain.

Josh Lemon, managing director of digital forensics and incident response at business advisory firm Ankura, said most of the screenshots contained keywords such as “sensitive” and “confidential”. 

“Although it’s a little bit abstract, as someone who isn’t the victim, it’s intended to provide proof to the actual victim,” Mr. Lemon added. 

The Russian Ministry of Internal Affairs began to identify serial cybercrimes with a special program

The press service of the Russian Ministry of Internal Affairs reported that employees of the department have been using a special program, "Remote Fraud", in their work for more than a year. Thanks to this program, it was possible to detect signs of about 324,000 crimes committed in cyberspace.

"The 'Remote Fraud' system, which has been used by employees of the Ministry of Internal Affairs for a year now, shows a high level of effectiveness. With its help, we detect signs of serial cybercrimes more quickly and more accurately," said the press service of the Russian Interior Ministry.

It is reported that the special software developed for Russian law enforcement collects, systematizes, processes and analyzes information gathered during the investigation of criminal cases committed in cyberspace with the use of computer or telecommunications technology.

The "Remote Fraud" system captures the required data from the moment a cybercrime report is registered.

On May 2, 2021, the Russian Ministry of Internal Affairs also announced that it was finalizing the development of a service that will soon be implemented in the ministry's mobile application. The new service, called "Anti-fraudster", is designed to make counteraction to telephone fraud more effective.

The main function of "Anti-fraud" is to warn the user when calls or SMS messages come from phone numbers previously seen in criminal or fraudulent activity.

"The total cost of developing, implementing and deploying the application is 44.9 million rubles ($606,000). All work will be completed, as we expect, by December 25 of this year. Despite the fact that the idea of developing such a service has long been in the Russian Interior Ministry, the contract with the selected contractor was concluded only at the end of March 2021", reported the press service of the Ministry of Internal Affairs.

The Russian Interior Ministry's application, to which the "Anti-fraud" service will be added, is already available for download on the App Store and Google Play.

It is interesting to note that at the end of April 2021, Sberbank said that the next update of the "Sberbank Online" application will add a service that automatically checks the phone numbers of incoming calls and warns users when the caller is suspected of being a fraudster.

Group-IB revealed a distributed network of fraudulent sites imitating WHO

Group-IB, an international company specializing in preventing cyberattacks and investigating high-tech crimes, revealed a distributed network of 134 fraudulent sites imitating the World Health Organization (WHO). The attackers promised users a reward for taking a fake Health Awareness Day survey.

"However, instead of the promised €200, users were redirected to dating sites, paid subscriptions or fraudulent resources," the report said.

It is noted that in early April, the UN International Computing Center (UNICC) alerted Group-IB about a fake website using the WHO brand.

"After answering simple questions, the user was offered to share the link to the survey with his friends and colleagues in his WhatsApp contact base. Group-IB researchers found that when a victim clicked the "Share" button and unknowingly involved their friends in the scam, instead of the promised reward they were redirected to third-party scams offering to participate in another raffle, install a browser extension or sign up for paid services. In the worst case users could end up on a malicious or phishing site," explains the company.

During the investigation, the Group-IB Digital Risk Protection team uncovered a complex distributed fraud infrastructure that included a network of 134 virtually identical linked domains that hosted World Health Day-themed pages. Group-IB blocked all fraudulent domains within 48 hours of detection, after which the fraudsters completely stopped using the WHO brand on their network.

Further investigation revealed that all of these domains identified and blocked by Group-IB were part of a larger network controlled by a group of scammers codenamed DarkPath Scammers. Fake resources created under the WHO were linked to at least 500 other fraud and phishing resources mimicking more than 50 international brands from the food, sports gear, e-commerce, software, energy and auto industries.

Chinese APT Actors Attack Russian Defense In An Espionage Attack

A previously unknown backdoor, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack the Russian defense sector, according to reports. Cybersecurity firm Cybereason Nocturnus looked into hackers specifically targeting the Rubin Design Bureau, an organization that builds submarines for the Russian Navy. The main target was the director general, Igor Vladimirovich, who received a phishing mail, experts say. The attack started with the "RoyalRoad weaponizer", also known as the RTF exploit builder or 8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APTs such as Tick, Tonto Team and TA428 to orchestrate their attacks.

RoyalRoad produces weaponized RTF documents that exploit vulnerabilities (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Microsoft's Equation Editor. RoyalRoad's use in the attack is one reason Chinese hackers are suspected of being behind it. Cybereason's analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests."

A Subtle Spying Malware 

Experts found that opening the malicious RTF file drops the previously unseen PortDoor sample, which is carefully built for stealth. It has various functions, including spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES-encrypted data exfiltration, antivirus evasion through avoidance of static detection, one-byte XOR encryption and much more. Once deployed, the backdoor decodes its strings with a hard-coded 0xfe XOR key in order to obtain its configuration, which includes the C2 server address, a target identifier and other minor information.

Cybereason's report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor," the researchers concluded. "We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."
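The two passages above describe single-byte XOR string obfuscation with a hard-coded 0xfe key. The routine an analyst runs against such a sample is short, and the following added example (not code from the article, from Cybereason, or from the malware itself) shows it on a constructed blob: the layout assumed here (NUL-separated strings, every byte XORed with the key) is an assumption for illustration, and the address 203.0.113.10 is a documentation-only TEST-NET-3 address, not a real C2. It goes slightly beyond the page by also recovering the key when it is not known, by scoring all 256 candidates on how much printable ASCII they yield.

```python
"""Decode single-byte-XOR-obfuscated configuration strings from a sample blob."""

# Strict printable-ASCII set (0x20..0x7E). string.printable would also accept
# tab/newline, which lets a second key tie with the real one on NUL separators.
PRINTABLE = set(range(0x20, 0x7F))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int = 0xFE) -> bytes:
    """Constructed stand-in for the obfuscated config region of a sample.
    Assumed layout: NUL-separated strings, each byte XORed with `key`."""
    plaintext = b"\x00".join([
        b"203.0.113.10",                       # documentation address, not a real C2
        b"443",
        b"CAMPAIGN_ID=constructed-sample-01",  # constructed identifier
    ]) + b"\x00"
    return xor_bytes(plaintext, key)


def extract_config_strings(blob: bytes, key: int = 0xFE) -> list:
    """Decode with a known key (0xfe per the report) and split on NUL separators."""
    decoded = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


def recover_xor_key(blob: bytes) -> int:
    """Brute-force all 256 keys, scoring each by the fraction of output bytes
    that are printable ASCII or NUL separators; the true key scores 1.0."""
    def score(key: int) -> float:
        out = xor_bytes(blob, key)
        return sum(1 for b in out if b in PRINTABLE or b == 0) / len(out)
    return max(range(256), key=score)


if __name__ == "__main__":
    blob = build_sample_blob()
    key = recover_xor_key(blob)
    print(f"recovered key: {key:#04x}")
    for s in extract_config_strings(blob, key):
        print("  ", s)
```

The printable-ratio heuristic is reliable here because the plaintext mixes digits, upper-case and lower-case letters, so any wrong key pushes at least one of those classes into the control-character range; on a blob made only of digits, or only of one letter case, several keys can tie and the candidates should be inspected by hand.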

Experts reported cyber attacks from the U.S. during the Navalny rallies in Russia

DDoS attacks were launched against official websites of the Ministry of Foreign Affairs, Ministry of Labor, Ministry of Economic Development, Prosecutor General's Office and The National Guard of the Russian Federation (Rosgvardiya).

Specialists of the National Coordinating Center for Computer Incidents (NCCI), established by order of Federal Security Service (FSB), recorded a series of attacks on governmental portals during unauthorized actions in support of Alexei Navalny (founder of the Anti-Corruption Foundation, included by the Ministry of Justice in the register of organizations performing the functions of a foreign agent). This was announced by Nikolai Murashov, deputy director of the NCCI.

According to him, the official websites of the Russian Ministry of Foreign Affairs, the Ministry of Labor, the Ministry of Economic Development, the Prosecutor General's Office and Rosgvardiya were subjected to DDoS attacks. The attacks were carried out on different days but followed the same scenario. Murashov noted that the attacks were carried out from US IP addresses.

Moreover, such attacks were often used for extremist purposes as well. As an example, the expert cited the cyber-attack on the portal of the Traffic Organization Center of Nizhny Novgorod.

"After gaining unauthorized access, the attackers posted on the resource a picture of Navalny and a text message stating that the attack was in support of him. The malicious activity was carried out from IP addresses in France and Germany," Murashov said.

In general, Murashov noted "a significant increase in the number of malicious resources in the foreign address space, the functioning of which was terminated in 2020," which "is associated with large-scale DDoS attacks on Russian information systems."  It is noted that in 2020, 68,420 large-scale cyber attacks on Russian Internet resources were stopped.

In addition, Murashov commented on the situation of Russian involvement in the hacking of SolarWinds.

He noted that the U.S. has not provided any information confirming the involvement of the Russians in the hacking of SolarWinds software.

"American colleagues do not bother to pass on any information that would make it possible to judge that certain Russian citizens were involved in these attacks," he said. 

Murashov pointed out that international cooperation is important in this area. "All our appeals to the U.S. side for international cooperation to investigate such incidents still remain unanswered," he said.

More than one hundred Russian companies were subjected to a cyber attack

Kaspersky Lab, which specializes in developing systems to protect against cyber threats, reported a fraudulent mailing on behalf of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), which has become widespread in Russia.

In April, Kaspersky Lab uncovered a series of cyber attacks on system administrators of sites in Russia. By April 23, the company had detected about 4,000 emails containing fraudulent messages sent to more than 2,000 e-mail addresses. The mailing peaked on April 16-17, but messages are still arriving.

The purpose of the cyber attack is to infect web resources managed by sysadmins and gain access to the site management. If successful, hackers will be able to create pages, post any information and download files.

Under the guise of a regulatory authority, intruders are sending fraudulent notifications about the need to confirm the fact of domain name management.

The letter contains instructions stating that a file with specified content must be created in the root directory of the site. In reality, the sysadmin thereby deploys with his own hands a Trojan program that lets the attackers remotely control the victim's computer.

"To confirm that you have the actual ability to manage the domain name, create a file (with the .php extension) in the root directory of the site", says the text of the fraud letter.

"In order not to give the recipient time to suspect something wrong, he was required to execute the instruction in a short time - within three days", said Alexander Liskin, head of Kaspersky Lab's antivirus research laboratory.

"Site administrators are often subjected to attacks, for example, hackers extorted money from them by sending fake notifications about the approaching deadline for completing the site lease. But this time the goal of the attack is to gain access to site management. Attackers are doing everything to convince recipients that the letter is authentic: the sender is listed as a regulatory agency and an appropriate emblem is added to enhance the effect", said Liskin.

The expert recommended remaining vigilant when receiving messages from unknown senders in email and messengers, and double-checking information supposedly coming from official bodies. It is still unknown who was behind the attack; the company's specialists are investigating it.
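The lure above asks the administrator to drop a new .php file into the site's root directory, which is exactly the change a file-integrity check of the web root catches. The following is an added example, not code from Kaspersky Lab or from the article, that snapshots the hashes of all PHP files under a web root and reports files added, modified or removed since a baseline; the web root, the file names and the placeholder file contents are all constructed inside a temporary directory for the demonstration.

```python
"""File-integrity check for a web root: flag PHP files added or changed since a baseline."""
import hashlib
import os
import tempfile

# Extensions the web server would execute; extend to match the server config.
WATCHED_SUFFIXES = (".php", ".phtml", ".php5")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: str) -> dict:
    """Map each watched file (path relative to webroot) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, webroot)] = sha256_file(full)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; any entry in 'added' or 'modified' needs a human look."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a clean web root, then a new PHP file appears in its root."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "inc"))
        with open(os.path.join(webroot, "index.php"), "w") as f:
            f.write("<?php echo 'site'; ?>")
        with open(os.path.join(webroot, "inc", "config.php"), "w") as f:
            f.write("<?php $db = 'placeholder'; ?>")
        baseline = snapshot(webroot)  # taken before the "verification" email arrives
        # The email's instruction acted upon: a new .php file in the site root.
        with open(os.path.join(webroot, "domain-check.php"), "w") as f:
            f.write("<?php /* constructed placeholder, not a real payload */ ?>")
        return diff_snapshots(baseline, snapshot(webroot))


if __name__ == "__main__":
    print(demo())
```

In production the baseline is stored off the web server (an attacker who can write to the web root can also rewrite a baseline kept beside it), and the diff runs from cron or a file-integrity monitor, alerting on any addition to the executable set regardless of what the file claims to be.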

Russian hackers reportedly stole secret device blueprints from Apple

Hackers reportedly gained access to blueprints of the latest Apple developments by attacking the servers of the Taiwanese company Quanta Computer. The announcement of the results of the attack was made in Russian.

One of Apple's main suppliers, the Taiwanese company Quanta Computer, suffered a ransomware attack. The hackers demanded a payment of $50 million. Quanta Computer also manufactures products for HP, Facebook and Google's parent Alphabet.

The attack was carried out by the REvil ransomware group, also known as Sodinokibi. The group announced the penetration of Quanta Computer's network on its Darknet blog. On Sunday, a REvil spokesman known as Unknown said the ransomware group would soon announce "the largest attack in history"; the message was posted in Russian on a channel where REvil recruits new affiliates.

Quanta acknowledged the attack without explaining whether data was stolen.

According to the agency, REvil members tried to engage Quanta Computer in ransomware talks in the past week, ahead of Apple's first new product launch in 2021, which took place April 20.

A spokesman for the hackers claimed to have stolen and encrypted "all the local network data," demanding $50 million for the decryption key.

The hackers received a response two days later from a person who said he was "not responsible for the company," but wanted to find out the terms of the interaction. Two days later, a REvil spokesperson threatened to release data about new Apple products. This was followed by the first publication of images, which, according to the hackers, were working materials about new Apple laptops. The materials contained specific component serial numbers, dimensions and performance parameters detailing the many components inside an Apple laptop. One of the images was signed by Apple designer John Andreadis and dated March 9, 2021.

Now REvil is trying to get money from Apple: the group has demanded a ransom by May 1 and, until then, plans to keep publishing new files every day.

Apple declined to respond to questions about the hack.

Recall that on April 20 Apple held a presentation of its new products: a new generation of iMacs with processors of its own design, iPad Pro tablets, and AirTag tags for tracking the location of objects through an application.

Data from thousands of Russian companies have been made publicly available on the web

The data of several hundred Russian companies that used the free online project manager Trello has been made publicly available. Among the hundreds of thousands of leaked boards are those containing confidential information.

Data from boards of the free online project manager Trello, maintained by Russian companies, was made publicly available. Leaked data of several hundred large companies and thousands of small and medium-sized businesses were found by analysts at Infosecurity, a Softline company.

The company specified that in Russia Trello boards are mainly used by small and medium-sized businesses, but large organizations, including banks, are also represented.

Kirill Solodovnikov, CEO of Infosecurity, called the entry of corporate data in the network "an illustration of a leak, which occurred not due to hacker attacks, but as a result of inattention or negligence of company employees". 

According to Infosecurity, organizations post lists of employees and customers, contracts, passport scans, documentation related to participation in tenders and product development, as well as credentials of corporate accounts and passwords to various services. 

"Usually it is not difficult to determine from which organization the information leaked. Its name often appears either in the name of the board or in the description of tasks," added the experts.

Infosecurity analysts found that nearly a million public Trello boards are currently indexed by search engines, and thousands of them contain confidential information. Thematic search queries currently return more than 9,000 boards that mention logins and passwords.

Trello belongs to the Australian software developer Atlassian; other similar free services include Evernote, Wunderlist, XMind and Notion. Data from Trello boards has been exposed before, but this is the first time a leak has occurred on such a scale.

Sergei Novikov, deputy head of Kaspersky Lab's Threat Research and Analysis Center, noted that the service is also used by cyber groups to coordinate their activities. Infosecurity reported detecting a Trello board belonging to a group of fraudsters who specialize in deceiving credulous foreigners under the "Russian brides" scenario, in which those willing to meet young women from Russia are targeted.

"Hackers could use data from the boards, for example, to attack companies' clients or hack corporate Instagram accounts, as in the fall of 2020," added Infosecurity.

Experts warned that such leaks could also lead to fines for violations of the personal data law; for example, storing scans of clients' passports in public storage located abroad contradicts it.

Sweden accused Russia of a hacking attack on the Confederation of Sports

The Swedish Prosecutor's Office and the Swedish State Security Service have accused Russia's Main Intelligence Directorate (GRU) of a hacking attack on the Swedish Sports Confederation.

The hacker group Fancy Bear, which has been linked to the Russian GRU, was behind the attack. The attacks were not a one-time event: investigators found successful intrusions in 2017 and 2018 that gave the hackers access to the personal data of Swedish athletes, including medical records. This data was subsequently released to the public.

In addition, Fancy Bear used this data to discredit Swedish athletes. One of them was the football player Olivia Schug. In 2018, the hackers broke into the computers of the Swedish Sports Confederation's anti-doping division, gained access to the athletes' doping test records and published them, accusing Schug of doping. The cause was asthma medication containing banned substances, and Schug was wrongly suspended as a result.

Swedish law enforcement decided not to name the other athletes who were similarly affected by Fancy Bear.

"We have had the help of security services from other countries to secure this evidence, which clearly indicates that it is Russian military intelligence that is behind these data breaches," said Daniel Stenling, head of the security police's counterintelligence unit.

According to prosecutor Mats Ljungqvist, these are serious crimes because a state is behind them, they are large-scale, and they involve access to sensitive medical information that is subject to secrecy.

But there will be no punishment for the hackers: the prosecutor's office has decided to drop the case. All the suspects in the hacking attacks are foreign nationals who apparently work for the GRU, so there is no opportunity to conduct an investigation abroad, nor will there be any extradition of the suspects.

This is not the first time Fancy Bear has been accused of hacking sports organizations.

- In 2016, the World Anti-Doping Agency accused Russian hackers of stealing medical information about U.S. Olympic athletes and publishing it online;

- This year there was an attack on the Court of Arbitration for Sport in Lausanne;

- In 2018, Fancy Bear published stolen International Olympic Committee documents;

- In 2018, they published information about Swedish athletes and their medical records.

Positive Technologies rejected the U.S. Treasury Department's accusations of cooperation with Russian intelligence services

The Russian cyber security company Positive Technologies has rejected the accusations of interference in the American elections made by the U.S. Treasury Department. This was said in a statement issued by the company and made available on Friday, April 16.

"As a company, we reject the baseless accusations made against us by the U.S. Treasury Department: in the nearly 20-year history of our work, there is not a single fact of using the results of Positive Technologies' research activities outside the traditions of ethical information sharing with the professional information security community and transparent business conduct," the company notes.

According to its 2020 results, Positive Technologies' revenue grew by 55% compared to 2019 and amounted to 5.6 billion rubles ($73.4 million). The company currently employs more than 1,100 people and has been creating information security solutions for 18 years. Its products and services make it possible to identify, verify and neutralize real business risks that may arise in enterprise IT infrastructure. Today, more than 2,000 companies in 30 countries use the company's products.

Recall that on April 15, the U.S. Treasury Department announced new sanctions against Russia. Washington blacklisted 32 individuals and organizations, including six technology companies. Besides Positive Technologies, the sanctions hit the Era military innovation technopolis, the St. Petersburg-based software developer OOO NeoBIT, Advanced System Technologies (AST), a large IT supplier to the Russian defense industry, the Rostov Research Institute of Specialized Computing Devices for Protection and Automation (Spetsvuzavtomatika), and the IT company Pasit. They are accused of connections with the Russian special services.

After the restrictions were imposed, the U.S. Ambassador to Moscow, John Sullivan, was summoned to the Russian Foreign Ministry on April 15. Russian presidential aide Yuri Ushakov outlined to him the nature of the response to the restrictions.

Moscow warned of a strong response to Washington's moves.

The Kremlin assessed the possible impact of the new sanctions on the Russian economy, stressing that the effectiveness of the country's economic bloc is internationally recognized and there is no reason to doubt it.

Here's a Quick Look at How Pakistani Counterfeiters Helped Russian Operatives

One entity stood out in the cascade of U.S. sanctions imposed on Thursday on Russian cybersecurity companies and officials allegedly acting on behalf of Kremlin intelligence: a business in Karachi, Pakistan, called 'A Fresh Air Farm House'.

The Farm House, whose Facebook page shows a vacation rental equipped with a waterpark, is run by 34-year-old Mohsin Raza, considered one of the two founders of an online fake ID business that prosecutors say helped Russian operatives get a toehold in the United States.

According to a U.S. Treasury statement and an indictment issued this week by federal prosecutors in New Jersey, Raza operated a digital fake ID mill, churning out images of doctored driver's licenses, bogus passports and forged utility bills to help rogue customers pass verification checks at U.S. payment firms and tech companies.

Reuters reached Raza in Pakistan at a telephone number listed in the US Treasury's sanctions record. He confirmed his identity and acknowledged being a digital counterfeiter, saying he used "simple Photoshop" to alter ID cards, bills and other documents to order. Raza, who said he has also dabbled in graphic design, e-commerce and cryptocurrency, denied any wrongdoing, saying he was merely helping people get into accounts they had been frozen out of.

Among his clients, the New Jersey indictment alleges, was an employee of the Internet Research Agency, a notorious Russian troll farm implicated by U.S. investigators, media reports, leaked documents and former insiders in efforts to interfere in U.S. elections. The IRA employee used Raza's services in 2017 to obtain forged driver's licenses to back up the identities of fake accounts on Facebook, according to the indictment.

Facebook did not immediately provide any comment. Raza said he did not track who used his service. He said the inspiration for his business came several years ago when a PayPal account he had opened under an alias was locked, trapping hundreds of dollars he had received for optimizing online search results.

Money earned from the fake ID business was poured into the construction of the Fresh Air Farm House, Raza said. The facility, which features three bedrooms, a playing field, a water slide, and a BBQ area, is now on a US list of sanctioned entities alongside Russian oligarchs and defense contractors. Raza's business is an example of how transnational cybercrime can serve as a springboard for state-sponsored disinformation, said Tom Holt, who directs the School of Criminal Justice at Michigan State University. 

The alleged use by Russian operatives of a Pakistani fake ID merchant to circumvent American social media controls "highlights why this globalized cybercrime economy that touches so many areas can be a perfect place to hide - even for nation-states," he said.

The United States imposes sanctions against 25 Russian companies for cyber attacks and Crimea

On 15 April, the US Treasury Department put 25 Russian companies, six of which are IT companies, on its sanctions list in response to cyber attacks allegedly organized by Russia, the situation in Crimea, and interference in the election.

The U.S. Treasury Department also listed 16 organizations and 16 individuals from the Russian Federation that U.S. authorities believe were behind the hacking of SolarWinds software and an attack on the networks of several U.S. departments, as well as interfering in the 2020 U.S. presidential election.

Recall that in February 2020, U.S. intelligence officials said that Russia had begun interfering in the 2020 presidential election. Specifically, they claimed that Russia was interfering in both the Democratic Party primaries and the overall course of the election, "hoping to sow chaos and discord." In addition, Russian secret services allegedly tried to force U.S. citizens to spread disinformation and bypass social media mechanisms aimed at combating fake news. However, no evidence of interference was presented.

On March 16, 2021, a report of the Office of the Director of National Intelligence of the United States was made public. According to the authors of the report, the Russian authorities, with the approval of Russian President Vladimir Putin, organized a campaign aimed at "denigrating" Democratic Party candidate Joseph Biden and supporting his Republican rival Donald Trump, as well as "undermining confidence in the election in general and aggravating sociopolitical controversy in the United States."

At the highest level, Moscow has repeatedly rejected claims that Russia tried to interfere in U.S. election processes.

In March 2021, Russian presidential spokesman Dmitry Peskov suggested that the publication of the U.S. National Intelligence Report was "a reason to put on the agenda the issue of new sanctions against our country."

"Russia also did not interfere in previous elections and did not interfere in the elections mentioned in this report in 2020. Russia has nothing to do with any campaign against any of the candidates. In this regard, we consider this report incorrect, as it is absolutely groundless and unsubstantiated," said Peskov.

On March 17, 2021, Russian Foreign Ministry spokeswoman Maria Zakharova, speaking on the Russia-24 television channel, described the report of the U.S. intelligence agencies on Russian "interference" in the election as "an excuse for their existence."

Foreign hackers attack Russian research institutes

Against the backdrop of the pandemic, foreign hackers have increased their activity against Russian research institutes which specialize in developing vaccines against the coronavirus, as well as military and aviation projects. Experts believe the stolen information could be used for political purposes. But lately, the focus of such attacks has shifted from espionage to the destruction of critical infrastructure.

Cybersecurity experts have described an increase in targeted attacks on research institutes. Group-IB reported that Russian research institutes specializing in military and aviation developments, as well as those responsible for developing vaccines for the coronavirus, have recently been of great interest to foreign pro-state hackers.

The company Doctor Web confirms that targeted attacks on research institutes have tended to increase recently. In September 2020, for example, a Russian research institute contacted its virus laboratory, and Doctor Web discovered that the institute's network had been compromised by two hacker groups. One of them had infiltrated the research institute's network back in 2017 and remained undetected until 2020. During the investigation, it emerged that similar malware had been installed on the local network of another Russian research institute in May 2019.

Sometimes a group can go undetected for longer and also embed multiple programs at once: for example, Group-IB found six types of malware on one client's network.

"Among the malware was a banking Trojan in accounting, spyware on employees' mobile devices that connected to work Wi-Fi, malware and Trojans on work machines", said Anastasia Tikhonova, head of APT research at Group-IB.

Targeted attacks are difficult to detect because they always affect only one organization, said Igor Zdobnov, head of Doctor Web's virus laboratory. In his opinion, state-sponsored hackers are behind the attacks on research institutes for espionage purposes.

Group-IB adds that such operations have recently become more overt, with their focus shifting from espionage to the destruction of critical infrastructure.

For example, on July 3, 2020, it was revealed that Israeli authorities were under suspicion of carrying out a cyber attack on one of Iran's nuclear facilities. The incident occurred on July 2 and involved a fire and explosion at an underground uranium enrichment facility in Natanz.

Cybersecurity experts warned of a possible attack on Russian accounts in May

DeviceLock, a company engaged in the fight against data leaks, warned of the preparation of an attack on the accounts of Russians during the May holidays due to the sale of access to the switch of one of the mobile operators on the Darknet. 

In particular, it is reported that in early March an offer appeared on the Darknet to sell access to the switch of one of the mobile operators; a connection to it allows taking control of the SS7 signaling system, which routes the traffic of mobile operators.

The experts said that $30,000 was being asked for access to the switch, so the purchase only makes sense if a large-scale attack capable of recouping the expense is being prepared.

"Since attackers usually need from two weeks to a month to prepare an attack of this type, it can be timed to May holidays, when most Russians will loosen control over their accounts and other financial assets," summarized Olesya Yarmolenko, general director of Smart Line Inc (DeviceLock systems manufacturer).

According to her, this operator most likely has a cooperation agreement with one or more Russian cellular service providers. At the same time, according to DeviceLock data, by early April access to the switch could have reached a buyer from the CIS countries; and due to the active spread of online banking and relatively high account balances, Russia has always been the most desirable target for fraudsters on the Internet.

Sergey Nenakhov, head of the information security audit department at Infosecurity (a Softline company), explained that clients should switch the two-factor protection of critical services from SMS to push notifications, and also use dedicated authenticator applications that generate one-time codes directly on the device itself.

It is also specified that VTB is aware of the risks of attacks on citizens through interception of messages, but the bank assured that the adopted set of technical measures does not allow attackers to use the technology to gain access to the clients' funds.

At the same time, representatives of mobile operators did not respond to inquiries about the risks of attacks through the SS7 standard.

Cyber Criminals began to use a new scheme to defraud Russians

The classic scheme for defrauding Russian bank clients with malicious emails is enjoying a revival. Now the scammers, posing as Yandex.Money operators, demand that funds be transferred to a bitcoin wallet under the threat of publishing compromising videos.

They are relying primarily on the potential victim reacting to a familiar brand: the letters are sent from an email address of the Yandex.Money electronic payment service, which belongs to Sberbank and changed its name to YooMoney last year.

In the letter, the attacker, who calls himself a programmer, claims to have hacked into the user's computer and gained full access to it and related devices, including the camera. According to the scammer, he has made an intimate video of the victim, and if he does not get what he wants, he will send the video to the victim's entire contact list.

"Transfer $650 to my bitcoin wallet. My bitcoin wallet (BTC Wallet): bc1qpg0uv2dcsjvpe9k2y7knxpzfdqu26tvydeu4pf. After receiving payment, I will delete the video and you will never hear from me again. I give you 50 hours (over two days) to pay. I have a notification of reading this email and a timer will go off when you see this email," the scammer intimidates the victim.

YooMoney's press office said they are aware of this technique by the scammers and have already taken appropriate action. "The information is sent from a domain that we no longer own. Yesterday we received information about this and passed it on to the domain owner's security service," the service stated.

Extortion of this kind is well known and has a long history, explained Pavel Shust, executive director of the Association of Electronic Money and Remittance Market Participants. Such messages are sent out in the thousands in the hope that someone will believe the threats and transfer the money after all. The expert explained that in reality, of course, no one has hacked the computer and there is no compromising material; such a letter should simply be deleted and forgotten.