The Good, the Bad and the Ugly in Cybersecurity – Week 18

The Good

The cybercrime ecosystem is comprised of many actors: hackers and scammers steal information, market place operators sell it, and carders and fraudsters use it to steal money. Done right, this process yields a tidy profit for everyone involved. But moving large amounts of money nowadays is a challenge: enter cryptocurrency money laundering services on the darknet. Established a decade ago, Bitcoin Fog offered its cybercriminal clients an additional means of further anonymizing cryptocurrency transactions by separating transmitted Bitcoin from a particular Bitcoin address.

Over the years, the service has facilitated transactions estimated at $336 million and collaborated with notorious dark web marketplaces like AlphaBay and Silk Road. Typically, it is extremely hard to identify and prosecute the people behind such operations, but finally a joint effort by the IRS and the FBI has resulted in the arrest of Roman Sterlingov, aged 32, a dual Russian-Swedish national, as he landed at Los Angeles Airport.

Sterlingov is charged with money laundering and money transmission without a license in the District of Columbia. As the mastermind behind the operation, he allegedly made upwards of $8 million in commissions on transaction fees. While Sterlingov is finally in custody, the fight to take down Bitcoin Fog goes on: Although it is unclear who is now operating it, the platform appears to remain active,

The Bad

Unfortunately, the cyber conflict between the U.S. and Russia appears to be escalating. In response to the ongoing cyber espionage activities conducted by Russian intelligence, President Biden imposed sanctions on Russia earlier this month. That seems to have had little effect, so U.S. agencies are now taking a more direct approach and naming the Russian Foreign Intelligence Service (SVR) as the main culprit. In a joint alert published this week, the FBI, Homeland Security and CISA have detailed the depth and sophistication of this adversary.

The threat actor variously known as APT29, the Dukes, CozyBear, and Yttrium, seeks to collect intelligence from government networks, think tanks, policy analysis organizations, and information technology companies. The methods used by the group have evolved over the years from directly attacking victims using malware to obtaining access to enterprise cloud resources, particularly email accounts. Their focus is always on identifying and exploiting administrative accounts, and then exploiting these to gain access to sensitive information and exfiltrate it. The main methods described in the report are:

The alert highlights the group’s preference for “low and slow” operations, working carefully and methodically to evade detection at all costs. Given this emphasis by the attackers, and the scale of their operations so far, it is very likely that there are numerous other operations in operation but unknown at the moment, and likely many others in the planning.

The Ugly

The ransomware rampage has reached new lows this week. First up, Babuk ransomware operators have hit the Washington, D.C., Metropolitan Police Department, exfiltrating data and personal information of police officers, and threatening to publish these online if their ransom demands are not met.

DC Police Chief Robert J. Contee III addressed DC police personnel in a YouTube statement, suggesting that personal information had been leaked and advising force members and their families to practice extreme caution and extensive cyber-hygiene (hinting that follow up extortion or fraud attempts will likely follow). It is unclear if in addition to the data breach and leak there has been any disruption to police IT systems. What is clear is that this incident is a serious blow to the reputation of the DC Police Department.

Also in the Ugly pile this week are those attacking healthcare providers. An attack on Swedish company Elekta, which provides precision oncology and radiation treatment software, has resulted in delays and disruptions to radiation treatments across America. The attack seems to have hit the company’s cloud-based storage system, resulting in service disruption in 42 health care sites across the U.S. The company has issued a statement but has yet to confirm the source of the attack or how long services will remain unavailable.