Srsly Risky Biz: Thursday February 17

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

This Guy Killed JFK!

The leader of the Lurk hacking group, Konstanin Kozlovsky, was sentenced to 14 years in prison in a Yekaterinburg court this week.

At first glance this appears to be more evidence Russia is getting serious about cybercrime. Lurk was a professionally run group that managed to steal USD$45m before most of its members were arrested in 2016. But the history is, err, complicated. Kozlovsky's claims link him to world-changing hacks, criminal activity and treason.

Kozlovsky says he hacked the Democratic National Committee at the direction of the FSB in the leadup to the 2016 Presidential Election. We think this claim is bunkum — Kozlovsky wasn't indicted by the US for that hack, a bunch of GRU officials were. Kozlovsky's defence 'strategy' seems to be to claim that he was working at the behest of the Kremlin in essentially every significant Russian hack in the years leading up to his arrest in 2016.

He told the Dozhd TV station that "all Western media reports about Russian hackers are all me," and even claimed credit for WannaCry. Kozlovsky says he was directed by FSB officer Dmitry Dokuchaev, who was later convicted of treason and sentenced to six years in prison, allegedly for passing or selling information to US security firms which ultimately ended up with the FBI.

Dokuchaev denies directing or even knowing Kozlovsky, although it does seem at least plausible that a Russian cyber criminal might be employed to hack for the state. Dokuchaev himself, for example, was a criminal hacker before being recruited by the FSB, which apparently used potential prosecution for credit card fraud as leverage to convince Dokuchaev to work for them.

It doesn't sound like Dokuchaev was ever going to be a good fit for an intelligence agency though. In 2004 he told the Russian publication Vedomosti that "I always believed that information should be free", and "I don't like being forced to do anything, so I work alone".

In the same treason case as Dokuchaev, both his boss at the FSB as well as senior Kaspersky Lab employee Ruslan Stoyanov were convicted. Coincidentally Stoyanov authored Kaspersky's post on its role in capturing the Lurk group and other posts including on Russian financial cyber crime. An anonymous comment on the Lurk post says "Ruslan you have big metal balls for publishing this under your real name".

As for Kozlovsky, his arrest and conviction may just be the result of Lurk targeting Russian victims. Lurk managed to steal the equivalent of USD$45m from Sberbank, Russia's largest bank. Or it could be the result of targeting the wrong Russian victim. Lurk attempted to steal from Concord Catering, part of the conglomerate owned by Yevgeny Prigozhin. Prigozhin is close to Vladimir Putin, is known as 'Putin's chef', and is on the FBI's most wanted list for interfering in the 2016 US Presidential election by funding the Internet Research Agency. That's the 'troll factory' that tried to use social media operations to divide Americans in the lead up to the 2016 presidential election.

It's a tangled web, but our advice is simple: Don't defecate in your own backyard and certainly not in Vladimir Putin's.

On Crypto Laundering, All Roads Lead to Moscow

Chainalysis has released its 2022 Crypto Crime Report covering North Korean cryptocurrency thefts and holdings, ransomware activity and Russian involvement in ransomware and cryptocurrency laundering.

The biggest takeaway here is there is a tremendous funnelling of ransomware cryptocurrency through just six cryptocurrency businesses — over half of funds sent from ransomware addresses have ended up in a particular high-risk Russian exchange; one of two mixing services; or one of three large international exchanges.

The crypto laundering unrelated to ransomware is highly concentrated in Russia, particularly in Moscow City, the capital's financial district. In any given quarter, between a third to nearly a half of the cryptocurrency these Moscow City businesses receive comes from illicit or 'risky' addresses. (Risky addresses are not necessarily criminal but are frequently linked to criminal activity, such as high-risk exchanges and mixers.)

This concentration has been addressed previously by this newsletter. Since then the US Office of Foreign Assets Control has acted against a number of cryptocurrency exchanges. It took enforcement action against US-based BitPay and two Russian exchanges, Chatex and Suex. They were both sanctioned, apparently to some effect. Both were "nested exchanges," effectively front ends for larger exchanges. Suex, for example, used Binance and Huobi. Binance has removed Suex's account, describing the Russian front as "parasitic".

Binance and Huobi are based in China, but in an interview with CoinDesk a Russian startup executive explained why cryptocurrency firms tend to cooperate with overseas regulators. "Everybody responds, because everybody understands that otherwise, one day, say, you go for a vacation in Greece – and then the next several years you spend answering the [sic] questions in the U.S".

Experts think that regulatory action won't stop illicit cryptocurrency transfers immediately but can make a difference over time.

Joby Carpenter, a Cryptoassets and Illicit Finance expert with anti-financial crime professional organisation ACAMS, says tightening up the crypto ecosystem is realistic.

"It is difficult, but not impossible… to completely close down the loopholes presented by rogue cryptoasset services and exchanges," he told Seriously Risky Business. "Despite the inherent transparency and trackability of distributed ledger technology, the blockchain and hot/cold wallets cannot be excluded from the financial system without [authorities] being able to confiscate or take control of them."

But Carpenter points out we've seen exactly this kind of action.

"Recent enforcement action by law enforcement agencies in the U.S. and Europe has shown that illicit funds are still recoverable with access to the right information," he added.

He's not alone in his views. Gurvais Grigg, Global Public Sector CTO at Chainalysis, told Seriously Risky Business cryptocurrency is a very bad way to launder money. "Bad actors can use techniques to try and obfuscate their trail of funds but their transactions are recorded on a public, immutable ledger where the evidence is preserved forever," he says.

Chainalysis also had some interesting findings on ransomware. In 2021 there were more Iranian-linked ransomware strains (21) than Russian ones (16), but Russian-linked groups were responsible for almost three-quarters of ransomware revenue. Chainalysis speculates that this may partly be due to some Iranian crews using ransomware as light cover for disruptive attacks and extorting "negligible amounts of cryptocurrency from victims".

This newsletter has previously speculated about the proliferation of ransomware in jurisdictions such as Iran and North Korea, where diplomatic and law enforcement action are unlikely to be effective.

But for North Korea at least, cryptocurrency theft seems so effective — Chainalysis reports North Korea stole nearly USD$400m of cryptocurrency last year — that it doesn't have a strong motivation to get involved in the messy nitty gritty of ransomware operations and negotiations. Why bother when you can just steal the cryptocurrency directly?

Carolina Prelazzi, ACAMS' expert on Sanctions, Proliferation & AFC, points out that North Korea has been pretty successful in its efforts to launder cryptocurrency so far. "That cyber criminals linked to North Korea were able to launder all but $35 million of the $400 million in cryptoassets stolen in 2021 indicates that the current methods and tactics are working sufficiently well for them to continue to use them."

North Korea also has more resources available to it compared to ransomware crews. It has, for example, organised money mules in 30 countries for ATM cash-out attacks.

Prelazzi points out North Korea has also dabbled in other ways of using cryptocurrency that don't involve conversion to fiat currency. In 2018 it launched Marine Chain, a startup for shared ownership of maritime vessels using a digital token. This was possibly just a scam, but Prelazzi thinks it's also possible North Korea wanted to use stolen cryptocurrency to buy vessels that could be used to evade sanctions.

But even with increasing regulatory action and fewer options than North Korea, cyber and ransomware criminals will continue to explore new options as the cryptocurrency ecosystem evolves. The experts we consulted pointed to Decentralised Finance (DeFi) services and NFTs in particular as areas of likely increased criminal interest.

Carpenter explained that DeFi services "allow the movement of assets between two parties without the need for a central intermediary such as a broker, exchange, or payment system". And no central intermediary means no third party oversight, no consumer protection and no anti-financial crime controls.

Grigg points out that "criminals are early technology adopters… and they always go where there is money". The rise of the popularity of NFTs makes them a "target for abuse".

More Details on Framing of Indian Activist

Just over a year ago The Washington Post reported that malware had been used to plant falsified evidence on the laptop of Indian activist Rona Wilson, one of a group of activists arrested in what is now known as the Bhima Koregaon case. The UN has described this case as merely a "pretext to silence human rights defenders," and comes as the Indian government increasingly clamps down on dissent.

A new SentinelLabs report vastly expands what is known about the scope of the cyber campaign. Rather than being a one-off incident targeted at Wilson alone, the campaign stretches back to at least 2012 and has targeted hundreds of groups and individuals including "activists, human rights defenders, journalists, academics, and law professionals in India".

ModifiedElephant uses "unsophisticated and downright mundane" malware such as commodity remote access and Android trojans and keyloggers, but has been successful in gaining access to victims over time. ("It's not dumb if it works!")

ModifiedElephant seem pretty busy and definitely act like a state directed group. Its payloads were also used against targets of interest to Indian national security. Some ModifiedElephant targets were also hit with NSO's Pegasus mobile spyware.

It seems Rona Wilson was a popular target. The SideWinder group, a (possibly) Indian group targeting Asian government and military entities, also hacked Wilson's devices.

SentinelLabs sums up what it can determine from the evidence it has available:

We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.

This is terrible, at least for those of us who believe in human rights, and also highlights that abusive, state-directed surveillance is bigger than NSO Group and Pegasus. Let's hope the Indian judicial system gets to the truth.

Three Reasons to be Cheerful this Week:

1. Getting better at fixing bugs: Google's Project Zero reports that vendors on average now fix bugs it reports to them in 52 days (on average), down from 80 days 3 years ago. This is a vindication of Project Zero's 90-day disclosure window, which is used by Google to encourage vendors to patch. But we need to remember bugs aren't all the same — Spectre and Meltdown were disclosed after 216 days.
2. Beats being prosecuted: Google's Vulnerability Reward Program gave out USD$8.7m in rewards to security researchers for finding bugs last year .
3. One less BEC scammer: Dejan Medic, a resident of Serbia arrested in Hungary,  plead guilty to running a multi-million dollar Business Email Compromise scheme. Medic would use phone calls followed up with spoofed emails to extract money from victim companies. But he was dumb enough to use his real identity when setting up accounts to receive the funds.

Paying the Bills

If you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

We'll be publishing some more video demos in the coming weeks.

Shorts

You Gotta Hand it to 'em

A BGP hijack attack was used to steal USD$1.9m from the South Korean KLAYswap cryptocurrency platform. Rather than directly hijacking traffic destined for KLAYswap, the attackers targeted the digital asset wallet of KakaoTalk, an instant messaging service popular in South Korea.

The attackers first used a BGP hijack to advertise they owned the IP addresses of developers.kakao.com. They were then able to get a free 3-month SSL certificate for the domain from ZeroSSL as they could now prove that they controlled the domain. The developers.kakao.com domain hosts a dynamically loaded Kakao Software Development Kit javascript file. The attackers replaced this file with a malicious one so users making KLAYswap transactions had their cryptocurrency transferred to an address the attackers controlled. The BGP attack only lasted for three hours, but it seems that at least some KLAYswap transactions were affected for hours afterwards. It was a well executed operation.

The KLAYswap theft seems like North Korea's jam, but pretty small for the scale they operate at.

Curiouser and Curiouser

A Proofpoint report links a range of activity reported by various security firms into a single persistent actor that has been using commodity techniques to target the aviation, aerospace and transportation sector for over five years.

The group, which Proofpoint dubbed TA2541, uses commodity Remote Access Trojans (RATs) typically sent via transportation-related phishing email campaigns that can include hundreds of thousands of messages. It originally sent malware in macro-laden Word documents but in more recent campaigns sends links to payloads hosted on services such as Google Drive.

The group's motivations remain a mystery. Proofpoint describes them as a cybercriminal group because of "its use of specific commodity malware, broad targeting with high volume messages, and command and control infrastructure", but also states it "does not know what the threat actor’s ultimate goals and objectives are once it achieves initial compromise".

Other security reports on the same group are also cagey about its goals, although Cisco Talos believes the group is based in Nigeria and speculates it might be using the access it gains to sell credentials. To us that doesn't necessarily gel with a long-term focus on a specific sector. If you don't have a specific interest why not branch out to gather more credentials?

Industrial espionage, business email compromise or credential theft? You decide!

Disclosure: Proofpoint is a corporate sponsor of this newsletter.

That's A Lot of Strategy

The UK government recently released both its National Cyber Strategy ("cyber power in support of national goals") and its Government Cyber Security Strategy ("ensure that core government is resilient to cyber attack"). We are a fan of strategy and like how there are different documents for vastly different cyber-related goals.

From Commodore64 to Dark Web Market Founder

Dina Temple-Raston at The Record has an interesting interview and podcast with Ryan Green, one of the founders of Darkode, the largest english-language dark web market at the time.

Zoom and Enhance

Dan Petro, Lead Researcher at BishopFox, has written an interesting blog post on how to unredact text that has been obscured by pixelation. (Here's a real-world example.)