The Good, the Bad and the Ugly in Cybersecurity – Week 10

The Good | U.S. Sanctions Spyware Targeting Government Officials & Journalists

This week the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) took a stand against commercial spyware specifically crafted to target government officials, journalists, and policy experts within the nation. Sanctions were placed on individuals and five entities affiliated with Intellexa Alliance for their involvement in the creation, operation, and dissemination of the spyware.

This move comes in response to the threat posed by escalating adoption of commercial spyware, which not only poses significant security risks within the United States, but has also been exploited by foreign entities to abuse human rights, suppress dissident voices around the world, and foster state-sponsored cyber espionage campaigns. According to OFAC, Intellexa boasts a global clientele, including authoritarian regimes, and acted as a consortium of several companies linked to mercenary spyware solutions such as Predator.

Predator spyware is capable of infiltrating both Android and iOS devices through zero-click attacks, granting operators unrestricted access to sensitive data and the ability to monitor designated targets covertly. OFAC disclosed that Predator had been deployed against U.S. government officials, journalists, and policy experts by unspecified foreign actors.

The sanctions target key figures and entities within the Intellexa Alliance, including its founder, a corporate specialist, and various affiliate companies, all of which have been placed on economic blocklists. A strong follow-up to the Biden administration’s commitment to countering spyware technology, the sanctions place visa restrictions on all individuals involved in the misuse of commercial spyware. This is a significant and first-of-its-kind step in curbing the illicit activities of mercenary spyware companies, and it discourages international organizations from doing business with or supporting sanctioned entities and individuals.

The Bad | Google AI Technology Stolen by Ex-Employee for China Tech Firms

A 38-year-old Chinese national and California resident has been indicted for allegedly stealing trade secrets from Google while secretly collaborating with two China-based tech firms.

Linwei “Leon” Ding, a former Google engineer arrested this week, stands accused of illicitly transferring proprietary and confidential data to his personal account while covertly affiliating with companies in China’s artificial intelligence (AI) sector, as stated by the DoJ. Ding purportedly stole over 500 confidential files containing AI trade secrets with the intent of giving Chinese companies an advantage in the ongoing global AI race.

The DoJ emphasized that Ding’s actions gave unfair competitive benefits to himself and the affiliated PRC-based companies by stealing information on Google’s supercomputer data center infrastructure used specifically for hosting large and sophisticated AI models.

Ding is accused of concealing the theft by copying data from Google source files to the Apple Notes application on his company-provided MacBook, converting them to PDF files, and then uploading them to his Google account. Ding currently faces four counts of theft of trade secrets, each carrying a maximum penalty of 10 years in prison and up to a $250,000 fine if convicted.

Last year, President Biden issued an executive order on AI, intended to maintain America’s leadership in AI development, particularly in light of competition from nations such as China. Both the U.S. and Chinese governments recognize AI as an emerging technology that is strategically important with vast potential to enhance economic productivity across civilian industries and provide key capabilities for military and intelligence purposes. Theft of trade secrets and intelligence fuels economic espionage and other national-level security concerns related to advancements in AI technology.

The Ugly | BlackCat Ransomware Gang Pulls off Exit Scam

It seems that BlackCat ransomware operators have pulled a vanishing act this week, taking down their darknet website after allegedly scamming $22 million from one of their affiliates, the one currently credited with attacking a subsidiary of healthcare giant UnitedHealth Group.

While the gang has shut down its servers, data leak blog, and ransomware negotiation sites, security researchers have pointed to the strong likelihood of an exit scam or an effort to rebrand the entire ransomware-as-a-service (RaaS) operation under a new identity. Source code analysis of the takedown notice shows that it was taken from an archived leak site and served using a Python HTTP server. Further, Europol and the U.K.’s National Crime Agency (NCA) have disclaimed any involvement in taking down BlackCat operations.

This abrupt disappearance follows reports of a purported $22 million ransom payment received from UnitedHealth’s Change Healthcare unit, with allegations that the group reneged on sharing the proceeds with an affiliate involved in the attack. The speculation was fueled by a disgruntled affiliate, known as ‘notchy’, who accused BlackCat of embezzling the funds after their account was suspended on the RAMP cybercrime forum, which further hints at an exit scam and an eventual rebrand.

So far, the cyber defense community has seen BlackCat ransomware run through various life cycles and monikers, including DarkSide/BlackMatter. The latest occurred in December of 2023 when BlackCat’s servers were hacked by the FBI and an international law enforcement operation seized their Tor negotiation and data leak sites. However, the gang was able to restart its operations. With a speculated exit scam to evade consequences and a possible rebrand on the way, organizations are reminded of the resilience and adaptability of modern ransomware operations.