Wow, what a week for cybersecurity news!
Yet another ransomware attack has gone public, this time about automobile company Kia Motors. Additionally, the United States has unsealed indictment documents against North Korea totalling over $1.3B, the Space Force has begun adding cybersecurity professionals to its ranks, and much more.
If only there was one location where you could read about these and the other most important infosec headlines from the week… Oh wait, that place exists and you’ve already found it! Congrats.
As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on only the most compelling developments in the field.
The United States is no stranger to threats and actual cyber attacks from North Korea. However, as Dark Reading’s article outlines, newly unsealed documents have revealed over $1.3B in thefts.
The indictments unsealed were against three members of the North Korean military intelligence agency, Reconnaissance General Bureau (RGB), for their role in several cyber attacks in recent years that have resulted in the theft of more than $1.3 billion from organizations across the globe.
Simultaneously with this release, the FBI, the Treasury Department, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also released details on the malware and other indicators of compromise (IoC) associated with a North Korean-backed campaign called “AppleJeus.” This campaign has targeted organizations that conduct cryptocurrency transactions since 2018.
All of these actions signal the US’s continued effort to track down and deter what many in the public deem to be attempts by North Korea’s military to fund its many projects. “We continue to shine a light on the global campaign of criminality being waged by the DPRK,” said assistant attorney general John Demers in a prepared statement. “Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus.”
According to FedScoop, the Space Force has begun receiving its first cybersecurity personnel from other military services. The chief of space operations said that these personnel started the transition process at the beginning of February.
Most of the personnel transitioning into the new force come from within the Department of the Air Force, which oversees the Space Force. In total, the force has brought in 2,400 of the 6,400 active duty cyber personnel it’s planning for, Gen. John Raymond, commanding general of the Space Force, told reporters during a media call.
These Cyber Guardians — what cybersecurity professionals in the Space Force are to be called — will be protecting satellites and other space-based assets from hacks. While many key members of the Space Force have repeated that they want to keep this branch of the military “lean,” cyber personnel is one area that they’re actively bringing onboard.
“There’s a spectrum of threats that are out there. Everything from reversible jamming of satellites and GPS satellites, communication satellites, GPS satellites,” Raymond said. “And there’s cyber threats.”
Our next story is one that broke in the last 24 hours from Motor 1: Kia Motors America has allegedly been hit with a ransomware attack by the DoppelPaymer cyber gang. The group is demanding $20 million for a decryptor and to not leak the stolen data.
It was reported earlier this week that Kia Motors America was suffering a nationwide IT outage that affected their servers, self-payment services, dealer platforms, and phone support system. About a day after this report, a ransom note was released to the public that was “created during an alleged Kia Motors America cyber attack by DoppelPaymer cyber gang.” Hyundai Motor America — Kia Motors America’s parent company — states that it was not affected by the attack.
Kia Motors America also denies that it was the subject of a ransomware attack. “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack,” the company stated on Thursday.
It remains to be seen if the automobile giant was actually hit with a ransomware attack, but the report alone contributes to a large and growing list of enormous companies hit by ransomware in the past few years.
A Nigerian national, Obinwanne Okeke, has been sentenced to 10 years in prison for allegedly coordinating an international spear phishing campaign that has cost victims approximately $11 million in losses, Cyberscoop reports.
The scheme, which lasted from 2015 to 2019, targeted a British firm called Unatrac Holding Limited, which acted as the export sales office for Caterpillar, Inc. The firm was hit with fake invoices and fake wire transfer requests. The FBI opened an investigation into the alleged scam in 2018 after Unatrac raised the alarm about an email compromise operation that had targeted it, according to court documents.
The scheme by Okeke and his team collected hundreds of victims over the course of their operation, according to the FBI’s press release on the matter.
Business email compromises like this one plague businesses around the world. In fact, BEC scams caused $1.7 billion in losses in 2019 alone, the most recent year for which the FBI has published data.
Our last story of the week, from CSO Online, brings us another ransomware story, this time focused on a cyber criminal group associated with the Egregor ransomware strain.
This cyber criminal group has allegedly been dismantled in Ukraine following a joint action by US, French, and Ukrainian authorities. The website that the Egregor group used to post information about victims in order to pressure them into paying has also been shut down, along with the group’s command-and-control server.
Egregor is a ransomware program that first appeared back in September 2020 and saw rapid growth after the retirement of Maze, another prominent ransomware group. Both Maze and Egregor use the ransomware-as-a-service (RaaS) model that relies on other cyber criminals called affiliates breaking into corporate networks and distributing the ransomware for a cut of the ransoms.
Also, both Maze and Egregor use double extortion techniques. This means that the attackers do not only encrypt the victim’s data; they also steal a copy of it and threaten to release it if the ransom is not paid. The leak website serves as a hub for the adversaries to showcase their loot and mock their victims.