A Russian ransomware group whose leaders were indicted by the Department of Justice in December is retaliating against the US government, many of the largest US companies and a major news organization by identifying employees who are working from home during the pandemic and attempting to get inside their networks with malware intended to cripple their operations.
In recent days Symantec Corp., a division of Broadcom and one of the many companies that monitor corporate and government networks, has discovered sophisticated new attacks by a hacking group that, according to the Treasury Department, has at times worked for Russian intelligence.
In an urgent warning issued on Thursday evening, the company said the Russian hackers had taken advantage of the sudden change in American work habits to insert code into corporate networks with a speed and breadth that had not previously been observed.
Ransomware lets attackers lock up a victim's data and demand a payment, often millions of dollars, before the victim can regain access to it.
Ransomware has long been a problem for US officials, following devastating attacks on the cities of Atlanta and Baltimore and on municipalities across Texas and Florida, but it has taken on new dimensions in an election year. The Department of Homeland Security is scrambling to harden voter registration systems in cities and states, fearing that they too could be frozen and voter rolls made unavailable, throwing the November 3 election into chaos.
“Security firms are accused of crying wolf, but what we have seen in the last few weeks is remarkable,” said Eric Chien, CTO of Symantec, who is known as one of the engineers who first identified the Stuxnet code that the United States and Israel used to damage Iran’s nuclear centrifuges a decade ago. “Now it’s all about making money, but the infrastructure they deploy can be used to destroy a lot of data – and not just in corporations.”
An FBI warning issued on May 1 states that ransomware attacks “on state, county and government networks are likely to threaten the availability of data on interconnected election servers, even if this is not the intention of the actors.”
Late last year, a cyberattack on an internet service provider in Louisiana let hackers attack the Louisiana Secretary of State and nine clerk of court offices a week before an election. In January, ransomware in Tillamook County, Oregon, locked election staff out of voter registration data as they were preparing for the May primary.
Symantec declined to name the companies targeted by the Russian hackers, citing its usual confidentiality toward its clients. But it said it had already identified 31 of them, including major US brands and Fortune 500 firms. It is unclear whether any of these companies has received an extortion demand, which would appear only once the malware had been activated by its authors. Chien said the warning was issued because “these hackers have ten years of experience and they don’t waste time on small, two-bit outfits. They go after the largest American firms, and only American firms.”
The hackers call themselves Evil Corp., a play on the “Mr. Robot” television series. In December the Department of Justice said they had “engaged in cybercrime on an almost unimaginable scale,” deploying malware to steal tens of millions of dollars from online banking systems. The Treasury Department imposed sanctions on them, and the State Department offered $5 million for information leading to the arrest or conviction of the group’s leader.
The indictment is one of many over the past few years against Russian groups, including intelligence officers and the Internet Research Agency, accused of interfering in the 2016 election. These indictments were intended as a deterrent. But Moscow has shielded the Evil Corp. hackers from extradition, and they are unlikely to stand trial in the United States. In its sanctions announcement, the Treasury Department said that some of the group’s leaders had worked for the FSB, the successor to the Soviet KGB.
The December indictment and sanctions named Maxim Yakubets, who, according to the Treasury, was working for Russia’s FSB three years ago and was “tasked to work on projects for the Russian state, including obtaining confidential documents through cyber means and conducting cyber-enabled operations on its behalf.”
Symantec said it had briefed federal officials on its findings, which have been confirmed by at least one other company that monitors corporate networks. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not immediately respond to questions about whether it had seen the same activity or planned to issue a parallel warning.
But the attack methodology suggests it was designed for the work-from-home era.
According to Chien, the malware was planted on ordinary websites, including at least one news site. It did not infect every computer that came to shop or to read the day’s news. Instead, the code looked for signs that the visiting computer belonged to a large corporate or government network. Many firms, for example, require their employees to use a virtual private network, or VPN, an encrypted tunnel that lets workers in their basements or attics reach corporate systems as if they were in the office.
“These attacks are not trying to break into the VPN,” Chien said. “They just use it to figure out who the user works for.” The malware then waits for the employee to visit a public or commercial website and uses that moment to infect the computer. When the machine reconnects to the corporate network, the code deploys in the hope of gaining access to corporate systems.
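The pattern Chien describes, a script injected into ordinary websites that only selected visitors receive, leaves a trace a defender can hunt for in web-proxy logs: a script fetched from a domain the organization has never loaded scripts from before, served on pages belonging to unrelated sites. The script below is an added example, not code from Symantec, Fox-IT or the article, and it makes several assumptions: the log format and every domain in it are constructed for illustration, the allowlist of known script-serving domains is assumed to come from the organization’s own history, and the “registrable domain” helper is a crude stand-in for a public-suffix lookup. The article names no indicators, so none appear here.

```python
"""
Added example (not Symantec's, Fox-IT's or the article's code): triage
web-proxy logs for JavaScript fetched from an unfamiliar third-party
domain across unrelated sites. Log format, hosts and domains are
constructed for illustration; the allowlist is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic). Fields: timestamp, host,
# the page that triggered the fetch (referer), the fetched URL, content type.
SAMPLE_LOG = """\
2020-06-23T14:02:11Z host=LAPTOP-17 referer=https://news.example.com/story/1 url=https://news.example.com/static/app.js ctype=application/javascript
2020-06-23T14:02:12Z host=LAPTOP-17 referer=https://news.example.com/story/1 url=https://cdn.adnetwork.example/tag.js ctype=application/javascript
2020-06-23T14:02:13Z host=LAPTOP-17 referer=https://news.example.com/story/1 url=https://news.example.com/img/hero.jpg ctype=image/jpeg
2020-06-23T14:02:15Z host=LAPTOP-17 referer=https://news.example.com/story/1 url=https://update-check.example.net/browser/update.js ctype=application/javascript
2020-06-23T14:05:40Z host=LAPTOP-22 referer=https://shop.example.org/cart url=https://shop.example.org/js/cart.js ctype=text/javascript
2020-06-23T14:05:41Z host=LAPTOP-22 referer=https://shop.example.org/cart url=https://update-check.example.net/browser/update.js ctype=application/javascript
"""

# Assumed allowlist: third-party domains the organization already knows serve
# scripts (in practice built from weeks of its own proxy history).
KNOWN_SCRIPT_DOMAINS = {"cdn.adnetwork.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) referer=(?P<referer>\S+) "
    r"url=(?P<url>\S+) ctype=(?P<ctype>\S+)$"
)

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


@dataclass(frozen=True)
class Fetch:
    ts: str
    host: str
    referer: str
    url: str
    ctype: str


def parse_line(line: str) -> Optional[Fetch]:
    """Return a Fetch for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return Fetch(**m.groupdict()) if m else None


def registrable(hostname: str) -> str:
    """Crude site key: the last two labels. A real tool would use the public-suffix list."""
    parts = hostname.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def is_script(ctype: str) -> bool:
    """True for JavaScript content types, ignoring any charset parameter."""
    return ctype.split(";")[0].strip().lower() in SCRIPT_TYPES


def flag_unfamiliar_scripts(log_text: str, known_domains: set[str]) -> list[Fetch]:
    """Return every script fetch whose domain is neither the page's own site
    nor on the allowlist. First-party scripts and known third parties pass."""
    flagged: list[Fetch] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not is_script(f.ctype):
            continue
        script_host = urlparse(f.url).hostname or ""
        page_host = urlparse(f.referer).hostname or ""
        if registrable(script_host) == registrable(page_host):
            continue  # first-party script, as expected on any site
        if script_host in known_domains:
            continue  # familiar third party (CDN, ad network, analytics)
        flagged.append(f)
    return flagged


def summarize(flagged: list[Fetch]) -> dict[str, list[str]]:
    """Group flagged fetches by script domain -> sorted list of affected hosts.
    One unfamiliar domain serving scripts on unrelated sites to several hosts
    is the signature of an injected loader rather than a legitimate vendor."""
    by_domain: dict[str, set[str]] = {}
    for f in flagged:
        domain = urlparse(f.url).hostname or ""
        by_domain.setdefault(domain, set()).add(f.host)
    return {d: sorted(hosts) for d, hosts in by_domain.items()}


if __name__ == "__main__":
    for domain, hosts in summarize(flag_unfamiliar_scripts(SAMPLE_LOG, KNOWN_SCRIPT_DOMAINS)).items():
        print(f"{domain}: served scripts to {len(hosts)} host(s): {', '.join(hosts)}")
```

The useful signal is the grouping, not any single fetch: a first-party script and a known ad-network tag pass, while the same unfamiliar domain turning up on a news site and a shopping site, on two different laptops, is exactly the cross-site injection the article describes. Since the page gives no indicators, the flagged domain here is a placeholder; a real run would hand the domain to whoever can check the site’s page source and the script’s contents.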
The indictment was intended to put Evil Corp. out of business. It failed. For a month after the indictment Evil Corp. dropped off the map, but in May it resurfaced, according to researchers at Symantec and at Fox-IT, a security company that is part of NCC Group. Over the past month it has successfully breached organizations using custom-built ransomware tooling.
The Evil Corp. hackers managed to disable antivirus software on victims’ systems and delete their backups, which Fox-IT researchers said was a clear attempt to hamper the victims’ ability to recover their data and, in some cases, to prevent “the ability to recover at all.”
Although Symantec did not say how much money Evil Corp. has made from its recent attacks, Fox-IT researchers said they had previously seen the Russian hackers demand more than $10 million to unlock the data on a single victim’s network.
“We have seen them increase their ransom demands over the past few years to millions of dollars when they hit big targets,” said Maarten van Dantzig, a threat analyst at Fox-IT. “They are the most professional group we see deploying attacks of this magnitude today.”
This article originally appeared in The New York Times.
© 2020 The New York Times Company