National Security Agency Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Tue, 07 May 2024 18:08:04 +0000

LockBit Leader Identity Revealed, NCA Publishes More Data
https://gridinsoft.com/blogs/lockbit-leader-identity-revealed/
Tue, 07 May 2024 18:08:04 +0000

On May 7, 2024, the UK National Crime Agency (NCA) published a detailed dossier on the leader of the LockBit ransomware group. Dmitry Khoroshev, known as LockBitSupp, has led one of the most vicious ransomware groups since its inception in 2020. After unmasking him, law enforcement initiated sanctions against the hacker in numerous countries around the world.

NCA Unveils LockBitSupp Identity

Several days earlier, on May 5, 2024, the modified LockBit leak site that appeared after the law enforcement takeover in February of the same year came back online. Earlier it had carried a hefty collection of information that law enforcement agencies managed to extract from the threat actor's network. This time, however, they went further: instead of court judgments, they promised to publish the personal information of the LockBit gang leader.

[Image: Hacked leak site that LockBit used before the February takedown is back online]

The man behind the nickname LockBitSupp always attracted a lot of attention, both because of the success of his ransomware group and because of a level of publicity never before seen from a ransomware group leader. Even more tempting was his promise to pay $10 million to anyone who could reveal his identity. He was remarkably confident about his anonymity, and for good reason: the huge reward went unclaimed from the moment this "contest" was first announced.

Now, by the looks of it, Dmitry Yurievich Khoroshev owes $10 million to NCA specialists. During the first summary of Operation Cronos, the NCA had already threatened to publish his identity, but that was probably a mere bluff. Not this time: the full list of his personal information was both published and turned over to the courts in order to impose personal sanctions, which in particular include the freezing of his personal assets and travel bans.

LockBit Leader Compromised: Will This Stop the Gang?

Despite the overall excitement around the reveal of LockBitSupp's identity, it won't make that much difference to the gang. It is just another stain on a reputation that took its first, and much stronger, blow back in February. Deanonymizing the gang's leader puts it in the same row as Evil Corp, whose chief Maksim Yakubets has long been a fixture on the FBI's wanted list.

More important news in the fresh release is an updated pack of data about the affiliates and operations of the ransomware group. The NCA, together with partner law enforcement agencies, released attack statistics, affiliate counts and names, and the geography of attacks.

According to the fresh leak, after the February action two thirds of the LockBit affiliates left the business. This was somewhat noticeable from the decline in the group's activity, though not to that extent. Still, the quality of these attacks noticeably decreased: no big names among the victims in the last two months. At the same time, the number of attacks on UK companies plummeted to a similar extent (-73%), a definite reaction to the NCA's effort.

Nation-State Threat Actors are an Actual Menace, According to CISA
https://gridinsoft.com/blogs/nation-state-threat-actors/
Tue, 19 Apr 2022 21:35:33 +0000

On April 13, the US government (specifically the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation) issued a warning about nation-state threat actors using specialized malware to gain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

Nation-State threat actors in a governmental warning notification

As the alert states, the advanced persistent threat actors use custom-made tools to attack ICS and SCADA devices. These tools allow them to scan for the targeted devices, compromise them, and take control of them once access to the operational technology (OT) network has been established.

The tailored tools are designed specifically to attack Open Platform Communications Unified Architecture (OPC UA) servers, Schneider Electric programmable logic controllers (PLCs), and OMRON Sysmac NEX PLCs.

According to the document, the threat actors can also compromise Windows-based engineering workstations in both IT and OT networks. They do this by exploiting CVE-2020-15368, a vulnerability in the AsrDrv103.sys motherboard driver, which lets them execute malicious code in the Windows kernel. The intruders aim to escalate privileges and, moving laterally within the industrial control system networks, disrupt the supply and distribution of electricity and natural gas.

Dragos report and scale of the threat

The specialists at Dragos, an industrial cybersecurity company, have described[1] the recently revealed PIPEDREAM malware as a modular attack framework that can cause "disruption, degradation, and possibly even destruction, depending on targets and the environment."

Robert M. Lee, CEO of Dragos, has stated that PIPEDREAM is connected to a nation-state actor tracked under the moniker CHERNOVITE. Lee says it is the first time malware with such destructive capabilities has been discovered before it was actually used.

PIPEDREAM is a complex toolkit whose five constituent components serve different objectives. The malware is designed to discover and hijack devices, compromise programmable logic controllers, and disrupt them, jeopardizing the correct operation of industrial facilities. If PIPEDREAM were used against live industrial systems, the consequences would be unpredictable, up to and including catastrophic.

[Image: PIPEDREAM is malware aimed at physical destruction]

The malware uses highly automated exploits with a variety of functions. Different modules of PIPEDREAM push malicious configurations to devices, alter their parameters, and manipulate the devices' contents.

CODESYS, a development environment for controller programs, was found to have at least seventeen vulnerabilities potentially exploitable by attackers, and PIPEDREAM is capable of compromising CODESYS as well.

The very possibility of attackers tampering with the settings of industrial programmable controllers is appalling. Dragos warns that such actors could destabilize the operational environment by disabling emergency shutdown functions; if that occurred, the attacked system could go critical and unstable.

Mandiant report and Pipedream origins

Mandiant, a threat intelligence company, published a report that agrees with the one by Dragos. In it, Mandiant describes PIPEDREAM (aka INCONTROLLER) as malware designed specifically to target Schneider Electric and Omron automation systems.

Schneider Electric, in turn, reported[2] that there was neither evidence of vulnerabilities that PIPEDREAM could have exploited nor any detected attacks on the company's devices. However, the company admitted that the threat level was troubling and added a "recommended mitigations" section to its notification for all customers to follow.

The trace leads to Russia

Apparently, the information about PIPEDREAM has its origin in the Russo-Ukrainian war, a clash that takes place not only on the ground but also on the network[3]. After an unsuccessful attack on a Ukrainian energy provider, cybersecurity company ESET[4] gave a thorough description of how the INDUSTROYER2 malware worked. Possibly, that information helped Dragos and Mandiant detect and dissect another malicious program: PIPEDREAM.

The malware in question now stands alongside Stuxnet, Havex, Industroyer 1 and 2, Triton, and BlackEnergy2: malicious tools designed against vital industrial control systems.

As a countermeasure against possible threats, the cybersecurity agencies strongly advise industrial control organizations to strengthen all security measures. These are well-known rules: two-factor authentication, no password auto-filling, regular password changes, and overall vigilance against potential intrusions.

US Cyber Command confirms cyberattacks against ransomware
https://gridinsoft.com/blogs/cyberattacks-against-ransomware/
Mon, 06 Dec 2021 23:02:23 +0000

The United States Cyber Command has publicly acknowledged using offensive actions (cyberattacks) to neutralize cybercriminal groups that attacked American companies with ransomware.

Paul Nakasone, head of Cyber Command and director of the National Security Agency, declined in an interview with the New York Times to elaborate on exactly what action his team of experts took. The US military's computer operators are increasingly willing to go after criminals, not just state actors who pose a threat to critical US infrastructure. But this is one of the first unequivocal acknowledgements from Cyber Command that the agency is targeting criminal groups that hold the computer systems of American enterprises "hostage."

"Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs. That's an important piece that we should always be mindful of," Nakasone told the newspaper.

US government security officials began actively pursuing ransomware groups after attackers hacked into the networks of the fuel giant Colonial Pipeline and the world's largest meat producer JBS earlier this year.

According to Paul Nakasone, the US government launched offensive actions against ransomware operators, including trying to cut off funding sources for hackers.

The US government’s counteractions against ransomware groups, many of which are based in Eastern Europe and Russia, also include indicting alleged extortionists and sanctioning cryptocurrency exchanges accused of laundering money for hackers.

However, the US government is not the only one that has decided to use more aggressive measures against ransomware. The UK Government Liaison Center has announced plans to use the national cyber forces formed last year to hack and pursue ransomware groups.

"We must deal with ransomware, and this is difficult, we must clearly explain the red lines and the behavior that we want to see, we must uncover these connections between criminals and states and make them pay in such cases," said the head of the British intelligence service Jeremy Fleming.

While the details of such operations are usually kept secret, they typically involve blocking criminals' phone signals or interfering with their servers.

"The White House has tried to pressure the Russian government into cracking down on cybercriminals operating from Russian soil. It remains to be seen whether that will happen — Moscow has often turned a blind eye to hackers who do not target Russian organizations, analysts say," CNN journalists also reported.
