Introduction:
1、FBI says it 'hacked the hackers' to shut down major ransomware group
2、Why Government Institutions Are the Perfect Target for Hackers
FBI says it 'hacked the hackers' to shut down major ransomware group ♂
WASHINGTON — The Department of Justice on Thursday announced the destruction of the Russian-linked Hive ransomware group after a global law enforcement operation that ran for months.
The criminal syndicate sold ransomware tools and services to affiliates around the world starting in the summer of 2021, at the height of the COVID-19 pandemic.
They received more than $100 million in profits from victims who paid to get their data back or prevent it from being leaked. According to the Justice Department, Hive targeted more than 1,500 victims in over 80 countries, from hospitals to Costa Rica's public health agency, crippling businesses and harming critical infrastructure.
The FBI says it hacked into Hive's networks in July 2022, burrowing into its digital infrastructure to spy on the group's operations and gather important intelligence before ultimately dismantling the operation on Wednesday night.
"Simply put, using lawful means, we hacked the hackers," explained Deputy Attorney General Lisa Monaco during a press conference Thursday.
According to FBI Director Chris Wray, law enforcement officers were able to provide digital keys to victims who had notified the FBI. This allowed the victims to retrieve their files and return to business without paying a ransom. The Justice Department claims the intervention saved over $130 million in ransom payments, a figure that could have been higher had more victims come forward.
Additionally, the FBI and its partners in Europol and German and Dutch law enforcement were able to completely take over Hive's digital infrastructure, from its command and control servers to its darkweb extortion website where it advertises its victims and dumps stolen data.
On Wednesday evening, the leak site was replaced with a banner from the international group of law enforcement agencies announcing the seizure.
The infiltration and ultimate disruption of the Hive ransomware group is the latest effort by the Department of Justice to fight back against the plague of damaging and costly ransomware attacks in recent years.
In July 2021, the Biden administration launched the Ransomware and Digital Extortion Task Force, bringing together resources from the Justice Department and the Department of Homeland Security to seek and act on intelligence about ransomware.
The Justice Department has also sanctioned tools ransomware groups use to hide and move their money, seized cryptocurrency wallets belonging to ransomware groups, and arrested prominent ransomware actors.
The operation targeting Hive continues in a pattern of using several different tools to respond to ransomware groups in different ways.
"We've made it clear that we will strike back against cybercrime using any means possible," said Monaco, the deputy attorney general.
The Justice Department did not announce any specific arrests or information about how it located Hive's servers. When asked whether the group has ties to Russia or whether arrests might be announced in the future, Attorney General Merrick Garland said he wouldn't comment further on ongoing investigations.
Ransomware expert and cybersecurity analyst Allan Liska explained that the Justice Department's decision to disrupt Hive makes sense, because the intelligence value of hiding in their networks was decreasing.
"I think one of the big reasons is we've seen a significant slowdown in Hive attacks," he said. Without revenue from victims, Hive may have made the choice to shut down, he said. "So it makes sense as a good time to go ahead and seize everything and grab as much intelligence as you can from them."
Liska said he also expects the Justice Department to announce arrests in the future. But perhaps most importantly, the operation should inspire fear that the FBI is lurking in the networks of other ransomware groups, he added.
"So it's a pretty impressive operation overall. And I like the fact that they were very clear that, 'Yeah, we infiltrated their network and we spent what is it now, eight months in that network,'" said Liska. "That has got to have a whole lot of other ransomware groups really, really nervous right now."
While Hive has not been one of the most damaging ransomware groups, it was responsible for a large number of incidents.
According to Kimberly Goody, a senior manager at Mandiant Threat Intelligence and Google Cloud, Hive ransomware was found in over 15 percent of the intrusions her team responded to in 2022, over 50 percent of them in the United States and many impacting the healthcare sector.
Hive has been destroyed, but ransomware experts said the operators will most likely join other groups or rebuild, a common phenomenon in what's become a global industry.
Additionally, members in Russia will likely continue to operate with impunity, as the Russian state has often declined to pursue investigations, arrests, or extradite those charged to the United States.
However, the disruption forces those operators to pause and do costly and time-consuming work to rebuild.
"Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand," said John Hultquist, the head of Mandiant Threat Intelligence within Google Cloud.
Why Government Institutions Are the Perfect Target for Hackers ♂
The days of “being lucky” are gone. Companies that thought they were safe from cyber attacks are now just fully at risk, and the “It won’t happen to me” mentality needs to change. Let’s do a quick recap of the most recent cyber events: increased ; hacks on major supply chains and critical infrastructure organizations like SolarWinds, Colonial Pipeline, JBS and Kaseya; and and pushing stricter cybersecurity protocols. Malicious attacks are rising from sophisticated criminal hacking groups, and there’s a continuous proliferation of larger companies being targeted. And when these companies are attacked, their reach goes beyond their organizational walls.
Hackers are looking for opportunities that give them “more bang for their buck,” and are the perfect target for a number of reasons:
Government agencies and institutions house highly sensitive information - a goldmine for hackersThe government is at the intersection of many different industries - attacks could be coming from all sidesGovernment IT and security teams are faced with a “do more with less” challenge - they don’t have the bandwidth to address and secure all threatsState and local governments are typically less funded than federal government institutions. Small budgets and scarce resources don’t protect against large-scale attacks - easier to target and easier to breachThe government has a huge reliance on third parties and contractors -
If hit with a cyber attack, government institutions have implications like those critical infrastructure or supply chain companies that could potentially affect thousands of organizations and hundreds of thousands of people. And while this is definitely something to be concerned about, the real concern lies in the threat of the unknown.
PROTECTING GOVERNMENT INSTITUTIONS AGAINST THE UNKNOWN
The threat of the unknown is daunting. You never know when a cyber attack is going to happen. If Colonial Pipeline could’ve terminated the VPN connection and established multifactor authentication before the criminal hacking group DarkSide hacked into their systems, we’re sure they would’ve taken those precautions.
You also never know how an attack could happen. Government agencies are inevitably vulnerable to attacks due to the high volume of confidential information they store (which is heavily targeted), their widespread reach across industries and the number of third parties they regularly deal with. Hackers see all of these vulnerabilities as opportunities to infiltrate governments and wreak havoc that expands beyond one government agency. But the most advantageous avenue for hackers poses threats that IT and security teams aren’t even aware of.
THIRD PARTIES CREATE ENDLESS SECURITY GAPS
When a government uses a third party to perform a certain function, they are releasing control over assets that help maintain government security, such as network credentials and access to critical networks. Once that control is released externally to a third party, it immediately creates a new door for a hacker to open. All the hacker needs is the key.
Depending on the type of access third parties are granted (like a into a network), third parties are providing the perfect gateway for hackers to breach the government perimeter. As we saw in the Colonial Pipeline attack, all it takes is an active VPN account of a former employee and a stolen password to break into one of the nation’s largest pipelines. Or if third-party contractors prefer , who’s to say that a hacker can’t create code to break into the sharing session and steal confidential government information? Third parties are giving away keys to these doors with every access attempt into government networks. Cybersecurity teams need to find solutions to bolt, lock, seal and secure those doors at all costs.
A SIMPLE ANSWER FOR A COMPLEX QUESTION
The question: How can governments prevent these threats that are seemingly unknown? After all, they don’t know who is accessing what on the other side of that third-party connection, nor are they aware of all the threats that come with external user access.
The answer: Find a to mitigate risks and gain back control.
There are solutions that are specifically built to manage third-party remote access. They use rules to narrow the scope of access each user has and track all third-party activity across networks, applications and systems. There are also solutions that can do all this while staying in . Governments are required to comply with hefty regulations, but since the government is at the intersection of so many industries, they also adhere to industry standards like , and other industry compliance policies. The amount of regulations governments have to keep up with is undoubtedly overwhelming, not to mention the added stress caused by tracking the access of every third party or contractor from that industry. Streamlining remote access so it securely and efficiently protects against unknown threats is possible with the right solution.
Hackers have plenty of reasons why they would want to attack a government institution. They also have plenty of methods of how to attack. The challenge governments face is how they should protect against these threats that could come from a variety of places.
评论已关闭