Cybercrime

North Korean hackers funneled stolen crypto to Asian payment firm

According to blockchain data, a major Cambodian payments firm, Huione Pay, received over $150,000 in cryptocurrency from a digital wallet linked to the North Korean hacking group Lazarus. The funds were sent between June 2023 and February this year from an anonymous wallet used by Lazarus to launder money stolen from three crypto companies through phishing attacks. The FBI reported that Lazarus stole around $160 million from Atomic Wallet, CoinsPaid, and Alphapo last year to fund North Korea’s weapons programs.

Huione Pay, based in Phnom Penh, stated it was unaware of receiving funds indirectly from the hacks and cited multiple transactions between its wallet and the source as the reason. The company declined to explain why it had received the funds or provide details on its compliance policies. Despite blockchain tools allowing companies to identify high-risk wallets, Huione Pay claimed it had no control over the anonymous wallet’s transactions.

The National Bank of Cambodia (NBC) prohibits payment firms like Huione Pay from dealing with cryptocurrencies due to risks like money laundering and financing terrorism. The NBC indicated it might take corrective measures against Huione Pay. Meanwhile, US blockchain analysis firms reported that Huione Pay was among several platforms receiving stolen crypto, which was converted into different currencies, including tether (USDT), to obscure the money trail. Southeast Asia has become a hotspot for high-tech money laundering and cybercrime operations, highlighting the need for stronger regulatory measures.

Indonesia begins data recovery after ransomware attack

Indonesia is starting to recover data encrypted in a significant ransomware attack last month, which impacted over 160 government agencies. The cybercriminals, identified as Brain Cipher, initially demanded $8 million in ransom but later apologised and released the decryption key for free, according to cybersecurity firm StealthMole.

The attack disrupted several government services, including immigration and primary airport operations. Officials acknowledged that much of the data had yet to be backed up. Chief Security Minister Hadi Tjahjanto stated that data for 30 public services across 12 ministries had been recovered using a ‘decryption strategy,’ though details were not provided.

The Communications Ministry is gradually restoring services and assets affected by the attack. It remains to be seen if the government used Brain Cipher’s decryption key directly. Neither Hadi nor Communications Minister Budi Arie Setiadi commented on the matter.

Ransomware attacks involve encrypting data and demanding a ransom to unlock it. In this case, the attackers used malicious software known as Lockbit 3.0.

US House committee releases TikTok hearing transcript

The US House has voted to release a transcript of a March hearing on TikTok’s security threats to aid the Justice Department in defending a law that mandates ByteDance, TikTok’s Chinese owner, to divest its US assets. The US government’s stringent approach follows the lawsuits from ByteDance and TikTok creators challenging the law, which was signed by President Biden and could ban TikTok in the US if divestiture isn’t completed by January 2025.

Representative Cathy McMorris Rodgers stated that intelligence officials at the March hearing warned of dangers from foreign-controlled apps like TikTok, which could misuse American data. Despite the law, China has not intended to relinquish control over such applications, suggesting potential nefarious uses against Americans.

TikTok criticised the legislative process, claiming it was secretive and rushed. The Justice Department is set to respond to the legal challenges by 26 July, with a court hearing scheduled for 16 September.

The courts halted a previous attempt to ban TikTok by former President Trump in 2020. The current efforts focus on national security concerns, citing the app’s extensive data collection and the risks posed by Chinese ownership.

Macau government websites hit by cyberattack

Several Macau government websites were hacked, prompting a criminal investigation, Chinese state media reported on Wednesday. The hacked sites included those of the office of the secretary for security, the public security police, the fire services department, and the security forces services bureau, causing service disruptions.

Security officials in Macau’s Special Administrative Region believe the cyberattack originated from overseas. However, no further details have been disclosed at this time.

In response, authorities collaborated with telecommunications operators to restore the affected services as quickly as possible. The investigation into the source of the intrusion is ongoing.

Rising threat of deepfake pornography for women

As deepfake pornography becomes an increasing threat to women online, both international and domestic lawmakers face difficulties in creating effective protections for victims. The issue has gained prominence through cases like that of Amy Smith, a student in Paris who was targeted with manipulated nude images and harassed by an anonymous perpetrator. Despite reporting the crime to multiple authorities, Smith found little support due to the complexities of tracking faceless offenders across borders.

Recent data shows that deepfake pornography is predominantly used for malicious purposes, with 98% of such videos being explicit. The FBI has identified a rise in “sextortion schemes,” where altered images are used for blackmail. Public awareness of these crimes is often heightened by high-profile cases, but many victims are not celebrities and face immense challenges in seeking justice.

Efforts are underway to address these issues through new legislation. In the US, proposed bills aim to hold perpetrators accountable and require prompt removal of deepfake content from the internet. Additionally, President Biden’s recent executive order seeks to develop technology for detecting and tracking deepfake images. In Europe, the AI Act introduces regulations for AI systems but faces criticism for its limited scope. While these measures represent progress, experts caution that they may not fully prevent future misuse of deepfake technology.

US authorities disrupt Russian AI-powered disinformation campaign

Authorities from multiple countries have issued warnings about a sophisticated disinformation campaign backed by Russia that leverages AI-powered software to spread false information both in the US and internationally. The operation, known as Meliorator, is reportedly being carried out by affiliates of RT (formerly Russia Today), a Russian state-sponsored media outlet, to create fake online personas and disseminate misleading content. Since at least 2022, Meliorator has been employed to spread disinformation targeting the US, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel, as detailed in a joint advisory released by US, Canadian, and Dutch security services.

Meliorator is designed to create fake social media profiles that appear to be real individuals, primarily from the US. These bots can generate original posts, follow users, like, comment, repost, and gain followers. They are capable of mirroring and amplifying existing Russian disinformation narratives. The identities of these bots are crafted based on specific parameters like location, political ideologies, and biographical data. Meliorator can also group bots with similar ideologies to enhance their personas.

Moreover, most bot accounts had over 100,000 followers to avoid detection and followed genuine accounts aligned with their fabricated political leanings. As of June 2024, Meliorator was only operational on X, but there are indications that its functionality might have expanded to other social media networks.

The US Justice Department (DOJ) announced the seizure of two domain names and the search of nearly a thousand social media accounts used by Russian actors to establish an AI-enhanced bot farm with Meliorator’s assistance. The bot farm operators registered fictitious social media accounts using private email servers linked to the seized domain names. The FBI took control of these domains, while social media platform X (formerly Twitter) voluntarily suspended the remaining identified bot accounts for violating terms of service.

FBI Director Christopher Wray emphasised that this marks a significant step in disrupting a Russian-sponsored AI-enhanced disinformation bot farm. The goal of the bot farm was to use AI to scale disinformation efforts, undermining partners in Ukraine and influencing geopolitical narratives favouring the Russian government. These accounts commonly posted pro-Kremlin content, including videos of President Vladimir Putin and criticism of the Ukrainian government.

US authorities have linked the development of Meliorator to a former deputy editor-in-chief at RT in early 2022. RT viewed this bot farm as an alternative means of distributing information beyond its television broadcasts, especially after going off the air in the US in early 2022. The Kremlin approved and financed the bot farm, with Russia’s Federal Security Service (FSB) having access to the software to advance its goals.

The DOJ highlighted that the use of US-based domain names by the FSB violates the International Emergency Economic Powers Act, and the associated payments breach US money laundering laws. Deputy Attorney General Lisa Monaco stated that the DOJ and its partners will not tolerate the use of AI by Russian government actors to spread disinformation and sow division among Americans.

Why does it matter?

The disruption of the Russian operation comes just four months before the US presidential election, a period during which security experts anticipate heightened hacking and covert social media influence attempts by foreign adversaries. Attorney General Merrick Garland noted that this is the first public accusation against a foreign government for using generative AI in a foreign influence operation.

Australia accuses China-backed APT40 of cyberattacks on national networks

Australia’s government cybersecurity agency has pointed fingers at a China-backed hacker group, APT40, for pilfering passwords and usernames from two undisclosed Australian networks back in 2022. The Australian Cyber Security Centre, in collaboration with leading cybersecurity agencies from the US, Britain, Canada, New Zealand, Japan, South Korea, and Germany, released a joint report attributing these malicious cyber operations to China’s Ministry of State Security, the primary agency overseeing foreign intelligence. Despite these claims, China’s embassy in Australia refrained from immediate comments on the matter, dismissing the hacking allegations as ‘political manoeuvring’.

The accusations against APT40 come in the wake of previous allegations by US and British officials in March, implicating Beijing in a large-scale cyberespionage campaign that targeted a wide range of individuals and entities, including lawmakers, academics, journalists, and defence contractors.  Moreover, New Zealand also reported on APT40’s targeting of its parliamentary services and parliamentary counsel office in 2021, which resulted in unauthorised access to critical information.

In response to these cyber threats, Defence Minister Richard Marles emphasised the commitment of the Australian government to safeguard its organisations and citizens in the cyber sphere. The attribution of cyber attacks marks a significant step for Australia, signalling its proactive stance in addressing cybersecurity challenges. The timing of this report is noteworthy as Australia and China are in the process of repairing strained relations following tensions that peaked in 2020 over the origins of COVID-19, leading to retaliatory tariffs imposed by Beijing on Australian exports, most of which have now been lifted.

The identification of APT40’s cyber activities stresses the persistent threat posed by state-sponsored hacker groups and the critical importance of robust cybersecurity measures to protect sensitive information and national security. The incident serves as a reminder of the importance of joint attribution networks and international cooperation in combating cyber threats.

Thousands of event tickets leaked because of Ticketmaster hack

In an ongoing extortion scheme targeting Ticketmaster, nearly 39,000 print-at-home tickets for 150 upcoming concerts and events featuring artists like Pearl Jam, Phish, Tate McCrae, and Foo Fighters have been leaked by threat actors. The person responsible, known as ‘Sp1derHunters,’ is the same individual who sold data stolen from recent data breaches targeting Snowflake, a third-party cloud database provider.

The chain of events began in April when threat actors initiated the download of Snowflake databases from over 165 organisations using stolen credentials acquired through information-stealing malware. Subsequently, in May, a prominent threat actor named ShinyHunters started to sell the data of 560 million Ticketmaster customers, allegedly extracted from Ticketmaster’s Snowflake account. Ticketmaster later verified that their data had indeed been compromised through their Snowflake account.

Initially, the threat actors demanded a ransom of $500,000 from Ticketmaster to prevent the dissemination or sale of the data to other malicious actors. However, a recent development saw the same threat actors leaking 166,000 Taylor Swift ticket barcodes and increasing their demand to $2 million.
In response to the situation, Ticketmaster asserted that the leaked data was ineffective due to their anti-fraud measures with a system that continuously generates unique mobile barcodes. According to Ticketmaster, their SafeTix technology safeguards tickets by automatically refreshing barcodes every few seconds, making them impervious to theft or replication.

Contrary to Ticketmaster’s claims, Sp1d3rHunters refuted the assertion, stating that numerous print-at-home tickets with unalterable barcodes had been stolen. The threat actor emphasised that Ticketmaster’s ticket database has online and physical ticket types, such as Ticketfast, e-ticket, and mail, which are printed and cannot be automatically refreshed. Instead, they suggested that Ticketmaster must invalidate and reissue the tickets to affected customers.

The threat actors shared a link to a CSV file containing the barcode data for 38,745 TicketFast tickets, revealing ticket information for various events and concerts, including those featuring Aerosmith, Alanis Morissette, Billy Joel & Sting, Bruce Springsteen, Carrie Underwood, Cirque du Soleil, Dave Matthews Band, Foo Fighters, Metallica, Pearl Jam, Phish, P!NK, Red Hot Chili Peppers, Stevie Nicks, STING, Tate McRae, and $uicideboy$.

French study uncovers Russian disinformation tactics amid legislative campaign

Russian disinformation campaigns are targeting social media to destabilise France’s political scene during its legislative campaign, according to a study by the French National Centre for Scientific Research (CNRS). The study highlights Kremlin strategies such as normalising far-right ideologies and weakening the ‘Republican front’ that opposes the far-right Rassemblement National (RN).

Researchers noted that Russia’s influence tactics, including astroturfing and meme wars, have been used previously during the 2016 US presidential elections and the 2022 French presidential elections to support RN figurehead Marine Le Pen. The Kremlin’s current efforts aim to exploit ongoing global conflicts, such as the Israeli-Palestinian conflict, to influence French political dynamics.

Despite these findings, the actual impact of these disinformation campaigns remains uncertain. Some experts argue that while such interference may sway voter behaviour or amplify tensions, the overall effect is limited. The CNRS study focused on activity on X (formerly Twitter) and acknowledged that further research is needed to understand the broader implications of these digital disruptions.

Crypto thefts surge in 2024

The first half of 2024 saw a significant surge in cryptocurrency thefts, with over $1.38 billion stolen by 24 June, compared to $657 million during the same period in 2023, according to blockchain researchers TRM Labs. The increase in stolen crypto, driven by a few large-scale attacks and rising crypto prices, highlights the growing motivation among cybercriminals. Ari Redbord, global head of policy at TRM Labs, noted that while the security of the crypto ecosystem hasn’t fundamentally changed, the higher value of various tokens has made crypto services more attractive targets.

One of the year’s largest thefts involved $308 million worth of bitcoin stolen from Japanese exchange DMM Bitcoin. Large-scale losses remain relatively rare, although cryptocurrency companies face hacks and cyberattacks frequently. The theft increase comes as crypto prices rebound from the lows following the 2022 collapse of FTX, with bitcoin reaching an all-time high of $73,803.25 in March.

In 2022, around $900 million in cryptocurrency was stolen, partly due to a major $600 million theft from a blockchain network linked to the game Axie Infinity. The US has attributed that theft to North Korean hackers, who the UN has accused of using cyberattacks to fund its nuclear and missile programs. However, North Korea has denied involvement in hacking activities.