North Korea’s Lazarus Group Was Behind $540 Million Ronin Theft

Early this week, the Ukrainian Computer Emergency Response Team and Slovakian cybersecurity firm ESET warned that Russia’s notorious GRU Sandworm hackers had targeted high-voltage electrical substations in Ukraine using a variation of their blackout-inducing Industroyer malware, also known as Crash Override. Days later, the US Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new industrial control-system hacking tool set of unspecified provenance, dubbed Pipedream, that seemingly hasn’t been deployed against targets but that the operators of industrial systems need to proactively block.

Russia’s war on Ukraine has resulted in massive data leaks in which spies, hacktivists, criminals, and regular people looking to support Ukraine have grabbed and publicly released huge quantities of information about the Russian military, government, and other Russian institutions. And separate from the conflict, WIRED took a look at the true impact of source code leaks in the big picture of cybercriminal breaches.

Plus, DuckDuckGo finally released a version of its privacy browser for desktop, and WhatsApp is expanding to offer a Slack-like group chat organizational scheme called Communities.

And there’s more! We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Blockchain analysis researchers from Elliptic and Chainalysis said on Thursday that they had traced the massive quantity of cryptocurrency stolen last month from the Ronin network bridge to the North Korean Lazarus hacking group. The US Treasury also announced expanded sanctions against North Korea, Lazarus, and the group’s affiliates. The attackers stole large quantities of the Ethereum currency ether and some USDC stablecoin totaling $540 million at the time. (The value of the stolen funds has since risen to over $600 million.) Lazarus hackers have been on a cybercriminal rampage for years, breaching companies, orchestrating scams, and generally gathering profits to bankroll the Hermit Kingdom.

NSO Group, the Israeli developer of the powerful and widely used spyware Pegasus, was declared “valueless” in filings in British court this week. The assessment, described as “abundantly clear,” came from the third-party consultancy Berkeley Research Group that has been managing the fund that owns NSO. As a stunning number of autocrats and authoritarian governments have purchased NSO tools to target activists, dissidents, journalists, and other at-risk people, the spyware maker has been denounced and sued (repeatedly) by tech giants in an attempt to limit its reach. Targeted surveillance is big business and a nexus where espionage and human rights issues converge. Reuters reported this week, for example, that senior EU officials were targeted last year with unspecified Israeli-made spyware.

T-Mobile confirmed it had been breached last year (for what felt like the millionth time) after hackers put the personal data of 30 million customers up for sale for 6 bitcoins, or about $270,000 at the time. Recently unsealed court documents show, though, that the telecom hired a third-party firm as part of its response, and the firm paid the attackers about $200,000 for exclusive access to the trove in the hopes of containing the crisis. Paying hackers through third parties is a known but controversial tactic for dealing with ransomware attacks and digital extortion. One of the reasons it is frowned upon is that it often doesn’t succeed, as was the case with the T-Mobile data, which attackers continued to sell.

In a report this week, researchers from Cisco Talos said that a new type of information-stealing malware called “ZingoStealer” is spreading rapidly on the app Telegram. The cybercriminal group known as Haskers Gang is distributing the malware for free to other criminals or anyone who wants it, researchers said. The group, which may be based in Eastern Europe, frequently shares updates and tools on Telegram and Discord with the cybercriminal “community.”

More Great WIRED Stories

Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine

More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station’s circuit breakers and turn off the lights to a fraction of Ukraine’s capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia’s GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations.

Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine’s deputy minister of energy.

“The hack attempt did not affect the provision of electricity at the power company. It was promptly detected and mitigated,” says Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, known as the State Services for Special Communication and Information Protection (SSSCIP). “But the intended disruption was huge.” Asked about the earlier report that seemed to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stood by his and CERT-UA’s most recent public statements.

According to CERT-UA, hackers penetrated the target electric utility in February, or possibly earlier—exactly how isn’t yet clear—but only sought to deploy the new version of Industroyer on Friday. The hackers also deployed multiple forms of “wiper” malware designed to destroy data on computers within the utility, including wiper software that targets Linux and Solaris-based systems, as well as more common Windows wipers, and also a piece of code known as CaddyWiper that had been found inside of Ukrainian banks in recent weeks. CERT-UA claimed Tuesday that it was also able to catch this wiper malware before it could be used. “We were very lucky to be able to respond in a timely manner to this cyberattack,” Zhora told reporters in a press briefing Tuesday.

Shutdown of Russia’s Hydra Market Disrupts a Crypto-Crime ATM

On the dark web, the takedown of yet another cryptocurrency-based black market for drugs has become almost a semiannual routine, with plenty of competitors ready to fill the shoes of any market law enforcement manages to bust. But the seizure of the Russian-language dark-web site Hydra may have ripple effects that go further than most: It represents a disruption of not just the post-Soviet world’s biggest hub of online narcotics sales, but also of a cybercriminal money-laundering and cash-out service that had been used in crimes with victims across the globe.

German law enforcement agencies announced early Tuesday morning that German federal police known as the BKA—in a joint operation with the FBI, DEA, IRS Criminal Investigations, and Homeland Security Investigations in the US—seized Hydra’s Germany-based servers, shutting down the site and confiscating $25 million in bitcoins stored there. In doing so, they’ve put an end to, by some measures, the longest-running and most crowded black market in the history of the dark web, with 19,000 seller accounts and more than 17 million customer accounts, according to BKA. The US Treasury simultaneously imposed new sanctions on the market and more than a hundred of its cryptocurrency addresses.

In total, Hydra facilitated more than $5 billion in illicit cryptocurrency transactions since it launched in 2015, according to blockchain analysis firm Elliptic. The majority of those transactions, Elliptic says, were sales of illegal drugs, which were strictly limited to Hydra’s target market of former Soviet states. But Hydra also played a significant and more global role for cybercriminals: It offered “mixing” services designed to launder crypto and make it more difficult to trace, alongside exchange services that allowed clients to trade in the crypto proceeds from all manner of crime for Russian rubles—in some cases, even for cash bundles buried in the ground for customers to dig up later.

“It has this dual function of being a drugs market and a service for cybercriminals—and particularly Russian cybercriminals,” says Jess Symington, Elliptic’s research lead. “So it does impact more than just the drugs community, and it forces these individuals to now potentially reconsider how they’re going to launch their funds or cash out.”

Around half of the roughly $2 billion in transactions going into Hydra’s cryptocurrency addresses in 2021 and early 2022 were from illicit or “risky” sources, such as stolen funds, dark-web markets, ransomware, online gambling, scams, and individuals and organizations facing sanctions, according to cryptocurrency tracing firm Chainalysis. In other words, close to a billion dollars’ worth of the money entering Hydra over that time wasn’t clean money used to buy drugs or other contraband available for sale on the site, but rather dirty money that Hydra was helping to launder and exchange for rubles.

Chainalysis has so far tracked just over $200 million in stolen cryptocurrency going into the site’s coffers in 2021 and 2022. It has also tracked much smaller amounts linked to other crimes, with roughly $4 million from sanctioned sources, $5 million from fraud, and $4 million from ransomware. (Chainalysis saw close to $9 million in total ransomware payments funneled into Hydra over the market’s lifetime but says that relatively small number is a conservative estimate.) Another major chunk of the site’s incoming payments during that time, close to $310 million, were from dark-web markets—including some funds from Hydra recycled back into the site—as users sought to launder the proceeds from the sales of drugs and other illegal products and services and cash out.

TSA’s First Crack at Guarding Pipelines From Hackers Falls Short

More than three weeks into Russia’s war of choice against Ukraine, fears of cyberattacks on the country’s critical infrastructure have been replaced by widespread death, destruction, and devastating upheaval across the country. The United Nations estimates that 6.5 million people have been displaced, in addition to 3.2 million who had already fled Ukraine. Mariupol, once a thriving city of 430,000 along the country’s southern coast, has been reduced to rubble. Russia has killed more than 100 children during its assault so far.

As the war rages on, we investigated one of the weapons Russia appears to have recently deployed against Ukraine: an AI-powered “suicide drone.” Russia’s reported use of the KUB-BLA drone raises the specter of autonomous weapon systems deciding who dies during warfare. This week also saw what may be the first use of a deepfake to spread misinformation during wartime. The deepfake, of a robotic Volodymyr Zelensky calling on Ukrainians to surrender to Russia, was deeply unconvincing. The Ukrainian president quickly refuted its authenticity, while Facebook, Twitter, and YouTube raced to remove the video from their platforms, potentially providing a how-to guide for responding to sophisticated misinformation in the future.

While we have yet to see Russia wage damaging cyberattacks against Ukraine’s critical infrastructure since it invaded the country in late February, malware used by Russian government hacker group Sandworm, dubbed Cyclops Blink, has spread further than previously known. Researchers at TrendMicro discovered that a version of the malware can infect Asus routers.

Speaking of Russia-linked hackers, we took a deep dive into some 60,000 pages of leaked chats and files swiped from the Conti ransomware group. Our findings revealed the internal machinations of the gang’s oddly businesslike hierarchy, its plans to launch a crypto payment platform and a social network (with dreams of starting an online casino), and what its links to Russia’s military hackers really look like.

The Lapsus$ collective, meanwhile, is adding “chaotic energy” to the world of cybercrime. As we found in our dive into the group’s activities—which include targeting high-profile companies like Samsung and Nvidia—its tactics differ from ransomware gangs like Conti, using phishing attacks and data theft to extort its victims rather than encrypting their systems and demanding payment. And while the group claims it’s not politically motivated, some experts remain unsure about Lapsus$’s ultimate aim.

Lastly, we dove into Big Tech’s big plans to finally (finally!) kill off the password. After a decade of work on the problem, the FIDO Alliance—whose members include Amazon, Meta, Google, Apple, and more—believes it has discovered the missing piece to make ditching our passwords easy.

Of course, that’s not all. For all the big security stories we didn’t have a chance to cover this week, click the headlines below. (And yes, a lot of them have to do with Russia.)

The Transportation Security Administration isn’t just in charge of airport security. The agency is also tasked with protecting US oil and gas pipelines—and it’s not going well. Thanks to understaffing and strict federal requirements, the TSA is reportedly struggling to meet its pipeline-security mandate. The TSA’s focus on protecting this critical infrastructure follows the May 2021 attack on Colonial Pipeline, but its mission has become all the more crucial as the specter of worst-case-scenario attacks by Russia or other nation-state actors looms large.

Google’s Threat Analysis Group (TAG) on Thursday said it uncovered a new group of “financially motivated” attackers that it believes breaks into targeted systems and then sells that access to other malicious actors, including Russian cybercrime groups like ransomware gangs Wizard Spider (aka UNC 1878) and Conti. Dubbed Exotic Lily by Google researchers, the group appears to be located in Central Europe and has targeted a wide range of victims, with a focus on cybersecurity, health care, and IT firms. To dupe these targets, Exotic Lily’s members use phishing attacks concealed through spoofed domains, fake email addresses, and fake profiles on social media and other platforms, according to TAG.

Vigilante hackers have been on a tear against Russian targets since the first days of Vladimir Putin’s war against Ukraine. But it’s the newly reinvigorated Anonymous hacktivist collective that’s caused the most ruckus. Late this week, Anonymous claimed to have stolen 79 GB of emails from Transneft, a state-controlled Russian pipeline company, which were revealed by the transparency journalism outlet Distributed Denial of Secrets. Clearly having a bit of fun, the Anonymous hacktivists dedicated their intrusion to Hillary Clinton, who appeared to call on Anonymous to hack Russian targets during a February 25 appearance on MSNBC.

Acting out of an abundance of caution, Germany’s Federal Office for Information Security (BSI) warned local companies against using Kaspersky’s antivirus software on the grounds that the company could be compelled to spy on users for the Kremlin. Echoing the US government’s murky foundation for banning Kaspersky products in 2017, BSI’s warning does not appear to be based on any specific intelligence, and the company asserted as much in response to BSI’s warning. “We believe that peaceful dialogue is the only possible instrument for resolving conflicts,” the company said in a statement. “War isn’t good for anyone.”

Russia Wants to Label Meta an ‘Extremist Organization’

Neutrality is a core tenet of cryptocurrency. But in the course of the war in Ukraine, exchanges have blocked accounts of sanctioned Russian individuals and those close to them. Activists have also used apps like Tinder and Google Maps to circumvent Russia’s information blockades, offering a counterweight to the country’s propaganda machine. And face recognition algorithms have made it frighteningly easy to identify Russian soldiers—which could backfire disastrously when the technology inevitably gets it wrong.

Elsewhere in the world, security researchers have caught China’s APT41 hackers spying on US state systems. That’s no big surprise in itself, but the way they got in—through a livestock-tracking app and the Log4j vulnerability—was an unexpected combo. Critical bugs in an IoT remote-access tool have put hundreds of thousands of medical devices, ATMs, and more at risk. And we looked at how law enforcement in some parts of the world use phone data to persecute LGBTQ communities.

We also explored how NFTs really work, and we took a look at YouTube’s policy against election disinformation—and why it’s not sustainable in the long run. And while it’s not strictly a security story, this in-depth profile of Facebook’s Joel Kaplan goes a long way toward explaining how those sorts of policies get formed in the first place.

And there’s more! We’ve rounded up all the news here that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

A week after blocking Facebook in the country, Russia has now throttled access to Instagram as well. It also launched a criminal probe against parent company Meta, intending to label it an extremist organization. The moves came after Meta announced that it would allow calls for violence against Russian soldiers—and for the death of Vladimir Putin—by users in the region, which in peacetime would be a violation of the platforms’ policies. Facebook’s president of global affairs clarified on Friday that the loosened policy would apply only to users in Ukraine. 

Around the time of Russia’s invasion of Ukraine, the satellite company Viasat experienced a disruption in service in parts of Europe. It initially called the incident a “cyber event” but didn’t provide much detail. Now, Reuters reports, Western intelligence agencies have taken an interest in the apparent hack. It’s not clear yet if Russia was the responsible party, but Viasat does have defense contracts with the US and some European countries, which raises the stakes of potential intrusion by Moscow.

As part of the $1.5 trillion omnibus spending bill headed soon to Joe Biden’s desk, critical infrastructure operators will be required to report cyberattacks and ransomware directly to the US Cybersecurity and Infrastructure Security Agency within 72 hours. The hope is that this kind of visibility will not only help with formulating responses to these incidents, but will give the US a fuller picture of how adversaries are attacking it. There’s no financial penalty for noncompliance, but CISA will be able to subpoena any organization that drags its feet.

One problem with ransomware is that even when you find the people doing it, they can be very hard to arrest. That’s thanks in large part to the blind eye Russia has historically turned to the operations of domestic groups. This week, though, the US managed to extradite not one but two alleged ransomware operators, including one of the people behind last summer’s unprecedented Kaseya hack. The other was a Canadian man accused of acting as a Netwalker ransomware affiliate. 