New hacking group mimics Russia-linked group to target Russian entities, Chinese cybersecurity experts say

A hacking group, named as GamaCopy, has been imitating the tactics of the Russia-linked threat actor Gamaredon to target Russian-speaking victims, according to research by Chinese cybersecurity firm Knownsec.

GamaCopy’s latest campaign employed phishing documents disguised as reports on Russian armed forces’ locations in Ukraine, along with the open-source software UltraVNC for remote access.

However, while GamaCopy mirrors many techniques used by Gamaredon, researchers identified notable differences. For example, GamaCopy primarily uses Russian-language victims, whereas Gamaredon typically targets Ukrainian speakers. Additionally, GamaCopy’s use of UltraVNC represents a unique element in its attack chain.

Since June 2023, GamaCopy has targeted Russia’s defense and critical infrastructure sectors. However, the group is believed to have been active even earlier, i.e. since August 2021. Knownsec’s analysis suggests that GamaCopy’s operations are part of a deliberate false-flag campaign and links the group to another state-sponsored actor known as Core Werewolf, which has similarly targeted Russian defense systems since 2021.

This discovery follows recent reports of other hacker groups, conducting cyber-espionage campaigns against Russian entities, highlighting the increasing complexity and state-backed nature of these threats.

Hacker claims breach at Gravy Analytics data firm

A hacker claims to have breached US location tracking company Gravy Analytics, leaking around 1.4 gigabytes of data. The allegation, shared on a Russian-language cybercriminal forum, included screenshots suggesting a data theft. Verification attempts were complicated as Gravy’s website remained offline and the company did not respond to messages.

Cybersecurity experts reviewing the leaked data found the breach credible. Marley Smith from RedSense and John Hammond from Huntress both confirmed the data appeared legitimate, though the hacker’s identity remains unclear.

Gravy was previously involved in a crackdown by President Biden’s administration targeting data brokers collecting sensitive location data without proper consent. The Federal Trade Commission (FTC) settled with Gravy and Mobilewalla in December over allegations of deceptive data practices.

The FTC expressed concerns that such data could be misused for stalking, blackmail, and espionage but declined to comment on the breach. FTC Chair Lina Khan recently warned that targeted advertising practices leave sensitive data highly vulnerable.

Hacker demands ransom from India’s largest health insurer after data leak

Star Health, India‘s largest health insurer, has revealed it received a $68,000 ransom demand following a data breach that exposed customer details, including medical records. The cyberhacker used Telegram chatbots and a website to leak sensitive information, leading to significant reputational damage and a drop in the company’s stock value.

The hacker, who made the ransom demand in August, sent the request to Star Health’s managing director and CEO. While the company has launched an internal investigation, it also faces allegations that its chief security officer was involved in the data leak, although no evidence of wrongdoing has been found so far.

Star Health has taken legal action against both the hacker and Telegram, which has not permanently banned the accounts linked to the hacker. The company has sought help from Indian cybersecurity authorities to identify the individual behind the attack.

Telegram has not responded to requests for comment but previously removed the chatbots linked to the hack after Reuters brought them to its attention. The investigation continues as Star Health works to contain the damage from the breach.

Hacker steals AI design details from OpenAI

A hacker infiltrated OpenAI’s internal messaging systems last year, stealing details about the design of its AI technologies, according to Reuters’ sources familiar with the matter. The breach involved discussions on an online forum where employees exchanged information about the latest AI developments. Crucially, the hacker needed access to the systems where OpenAI builds and houses its AI.

OpenAI, backed by Microsoft, did not publicly disclose the breach, as no customer or partner information was compromised. Executives briefed employees and the board but did not involve federal law enforcement, believing the hacker had no ties to foreign governments.

In a separate incident, OpenAI reported disrupting five covert operations that aimed to misuse its AI models for deceptive activities online. The issue raised safety concerns and prompted discussions about safeguarding advanced AI technology. The Biden administration plans to implement measures to protect US AI advancements from foreign adversaries. At the same time, 16 AI companies have pledged to develop the technology responsibly amid rapid innovation and emerging risks.

US Department of Justice charges Russian hacker in cyberattack plot against Ukraine

The US Department of Justice has charged a Russian individual for allegedly conspiring to sabotage Ukrainian government computer systems as part of a broader hacking scheme orchestrated by Russia in anticipation of its unlawful invasion of Ukraine.

In a statement released by US prosecutors in Maryland, it was disclosed that Amin Stigal, aged 22, stands accused of aiding in the establishment of servers used by Russian state-backed hackers to carry out destructive cyber assaults on Ukrainian government ministries in January 2022, a month preceding the Kremlin’s invasion of Ukraine.

The cyber campaign, dubbed ‘WhisperGate,’ employed wiper malware posing as ransomware to intentionally and irreversibly corrupt data on infected devices. Prosecutors asserted that the cyberattacks were orchestrated to instil fear across Ukrainian civil society regarding the security of their government’s systems.

The indictment notes that the Russian hackers pilfered substantial volumes of data during the cyber intrusions, encompassing citizens’ health records, criminal histories, and motor insurance information from Ukrainian government databases. Subsequently, the hackers purportedly advertised the stolen data for sale on prominent cybercrime platforms.

Stigal is moreover charged with assisting hackers affiliated with Russia’s military intelligence unit, the GRU, in targeting Ukraine’s allies, including the United States. US prosecutors highlighted that the Russian hackers repeatedly targeted an unspecified US government agency situated in Maryland between 2021 and 2022 before the invasion, granting jurisdiction to prosecutors in the district to pursue charges against Stigal.

In a subsequent development in October 2022, the same servers arranged by Stigal were reportedly employed by the Russian hackers to target the transportation sector of an undisclosed central European nation, which allegedly provided civilian and military aid to Ukraine post-invasion. The incident aligns with a cyberattack in Denmark during the same period, resulting in widespread disruptions and delays across the country’s railway network.

The US government has announced a $10 million reward for information leading to the apprehension of Stigal, who is currently evading authorities and believed to be in Russia. If convicted, Stigal could face a maximum sentence of five years in prison.

University student pled guilty to cyberstalking

Iván Santell-Velázquez pled guilty before the United States District Court Judge Silvia Carreño-Coll, to cyberstalking. The defendant hacked 100 student email accounts and stole their personal information while studying at the University of Puerto Rico at Cayey. Additionally, in the years between 2019 and 2021, the defendant hacked the Snapchat accounts of several women, who were studying at the University of Puerto Rico, and harassed them by sharing their intimate pictures on Twitter and Facebook.

US Attorney Muldrow stated that this case shows how crucial it is to protect personal information, especially in response to suspicious SMS messages and emails. On October 12, 2022, the sentencing hearing is expected to take place.

British Army’s YouTube and Twitter accounts hacked and used to promote crypto scams

The UK Ministry of Defence has confirmed that the British Army’s Twitter and YouTube accounts were hacked and used to spread scams.

Hackers changed the organisation’s profile picture, bio, and cover photo on Twitter to make it appear as though it was part of The Possessed NFT collection.

On YouTube, hackers deleted all of the videos on the British Army’s channel and changed its name and profile picture to look like the (real) investment company Ark Invest. Hackers replaced the British Army’s videos with a series of old live streams featuring former Twitter CEO Jack Dorsey and Tesla CEO Elon Musk.

The Army has regained control of the accounts.

Hacker claims to have stolen records of 1 billion Chinese citizens

One hacker has claimed to have stolen the personal information of 1 billion Chinese citizens from a Shanghai police database, including their names, addresses, birthplace, national ID numbers, mobile numbers, and all crime/case details.

The hacker has offered to sell the more than 23-terabyte data trove for 10 bitcoin on the hacker forum Breach Forums, where they identify themselves as ChinaDan.

China’s authorities have not yet responded. Many Chinese citizens are afraid that it might be real. By Sunday afternoon, Weibo had blocked the hashtag ‘Shanghai data leak’.

British Army’s social media accounts were hacked

British Army’s Twitter and YouTube accounts were hacked. The name of the Army’s Twitter account was changed, while videos on cryptocurrency, and posts related to NFTs appeared on their feed. The British Army stated there is no evidence as to who may be behind the hacking of the accounts. The accounts were restored to normal while investigations regarding the hacks are still ongoing. Army’s spokesperson stated that there will not be any further comments on the incident until the investigation is complete.