More stories

  • FBI identifies 16 Conti ransomware attacks striking US healthcare, first responders

    The Federal Bureau of Investigation (FBI) has linked the Conti ransomware group to at least 16 attacks aimed at disrupting healthcare and first responder networks in the United States.  

    The targets identified include 911 dispatch carriers, law enforcement agencies, and emergency medical services — all of which have been attacked over the past year as medical services struggled to manage the COVID-19 pandemic. According to the FBI’s flash advisory (.PDF), Conti has been connected to at least 400 cyberattacks against organizations worldwide, at least 290 of them against organizations based in the US.

    In what has become a popular tactic for ransomware operators to increase the chances of a payout, attackers infiltrate a victim’s network, steal confidential files, and then launch ransomware. If blackmail demands — usually made in cryptocurrency such as Bitcoin (BTC) — are not met, organizations then face the prospect of their data being published or sold via a leak site. The Conti ransomware group is one of dozens of double-extortion criminal collectives that operate leak sites, having joined the likes of Sodinokibi, Nefilim, and Maze last year.

    Conti may use stolen credentials, RDP, or phishing campaigns to obtain initial access to a network. According to the FBI, the group may also use Cobalt Strike, Mimikatz, Emotet, and Trickbot alongside Conti ransomware during attacks.

    “If the victim does not respond to the ransom demands two to eight days after the ransomware deployment, Conti actors often call the victim using single-use Voice Over Internet Protocol (VOIP) numbers,” the advisory reads. “The actors may also communicate with the victim using ProtonMail, and in some instances, victims have negotiated a reduced ransom.”

    The FBI does not encourage victim organizations to pay up, as decryption keys are not guaranteed to work and each successful extortion attempt only encourages further ransomware-related criminal activity. However, whether or not a victim has paid, the FBI urges transparency with law enforcement agencies when ransomware incidents occur. When it comes to Conti specifically, the FBI has requested boundary logs showing links to IP addresses, cryptocurrency wallet information, any decryptor files available, and encrypted file samples.

    Recently, the finger has been pointed at Conti for a debilitating ransomware attack on Ireland’s Health Service Executive (HSE) on May 14. Officials say that a ransom demand of $20 million will not be paid, and while Conti has released an — unverified — decryption tool to the service, the group has still threatened to sell or leak HSE records allegedly stolen during the attack.

    Dublin’s High Court has issued an injunction against Conti, under “persons unknown,” in an effort to stop the spread of the stolen information. At the time of writing, staff are still unable to access email, and there are delays in issuing birth, death, and marriage certificates. The COVID-19 vaccination program is rolling out as normal, but there may also be delays in receiving test results.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • FBI intelligence analyst indicted for theft of cybersecurity, counterterrorism documents

    A former intelligence analyst for the US Federal Bureau of Investigation (FBI) has been indicted for stealing confidential files over a period of 13 years. 

    Kendra Kingsbury, of Dodge City, Kansas, has been charged by a federal grand jury in a two-count indictment unsealed and made public on Friday. The US Department of Justice (DoJ) said that between June 2004 and December 2017, the 48-year-old removed national security, secret, and confidential documents and kept them at her home.

    Classified material allegedly removed from FBI systems included documents relating to cybersecurity threats, terrorism, intelligence bulletins, open FBI investigations, human operations, and files describing the “technical capabilities of the FBI against counterintelligence and counterterrorism targets.” In addition, some of the material specifically related to al Qaeda members, suspected “associates” of Osama Bin Laden, and emerging terrorist groups in Africa.

    As an FBI intelligence analyst for over 12 years in the law enforcement agency’s Kansas division, Kingsbury had been trained in the handling of sensitive material and in non-disclosure practices. During her tenure, the analyst was assigned to squads including those focused on counterterrorism, drug trafficking, and gang crime.

    “The defendant was not authorized to remove and retain these sensitive government materials, including the national defense information and classified documents,” the indictment reads. “Nor did the defendant have a ‘need to know’ in most, if not all, of the information contained in those materials.”

    Kingsbury was suspended in 2017 and has now been arrested and made her initial court appearance in the District of Kansas. The former analyst is charged with two counts of the “willful retention of national defense information.”

    “The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing,” said Alan Kohler Jr., Assistant Director of the FBI’s Counterintelligence Division. “The defendant, who’s well trained in handling classified information, put her country’s sensitive secrets at risk. The FBI will go to great lengths to investigate individuals who put their own interests above US national security, including when the individual is an FBI employee.”

  • Crypto miners look beyond China as government threatens crackdown

    Several cryptocurrency mining operators reportedly have halted their activities in China amidst increasing threats of a government crackdown. A senior official had called for the need to mitigate financial risks and more closely monitor activities on business platforms.

    Chinese vice premier Liu He said late Friday that the country’s financial infrastructure must remain robust and guard against disruptions. Doing so would require the use of monetary policies to mitigate financial risks, noted Liu, who was speaking at the 51st meeting of the Financial Stability and Development Committee, which he chaired. In stressing the need to identify potential financial threats, he outlined the need to bolster the monitoring of business platforms that facilitated financial activities, as well as to crack down on Bitcoin mining and trading transactions. The mention, though, was brief, and he provided no further details on possible regulations.

    However, his statement marked the first time a top Chinese government official had referred specifically to crypto mining. It comes just days after three state-backed financial groups in China issued a joint statement warning against the use of cryptocurrencies as payment and reminding industry players that digital currencies should not be used in any financial activities in the country.

    Liu’s remarks also prompted several crypto mining operators to halt their activities in China and look overseas for alternative mining sites, according to a Reuters report. Crypto exchange Huobi’s subsidiary Huobi Mall said via a Telegram statement on Sunday that it had suspended its local businesses and was in discussions with overseas service providers for the “exports of mining rigs”. It told customers “not to worry and calm down”.

    Fellow crypto mining operator HashCow said it would stop purchasing new Bitcoin rigs and would refund customers that had ordered compute power but had not begun mining. The company owns 10 mining sites in China, according to Reuters. BTC.TOP also halted its activities in China, with its founder Jiang Zhuoer pointing to regulatory risks. In a post on microblogging platform Weibo, Jiang said the crypto mining pool would in future operate mainly in North America as Chinese authorities clamped down on mining activities.

    He further noted that China was likely to lose its crypto computing power to foreign markets in future, with mining pools in the US and Europe taking dominance.

    Researchers last month cautioned that, unless more stringent regulations were implemented, China’s crypto mining could undermine the world’s sustainability efforts. The report estimated that the country accounted for more than 75% of Bitcoin’s hashing power, fuelled by China’s proximity to manufacturers of the required hardware and its access to cheap power.

    While it has outlawed financial activities involving cryptocurrencies, the Chinese government has created its own alternative, commonly described as the digital version of the yuan or renminbi (RMB). Called Digital Currency Electronic Payments (DCEP), the digital yuan was developed on blockchain and cryptographic technologies and might later support near-field communication (NFC) capabilities, to allow offline money transfers between two digital wallets in close proximity.

    US Federal Reserve Chairman Jerome Powell said last week the government agency would be more involved in cryptocurrencies and mooted creating its own digital currency in future. He added that the Federal Reserve would soon release a discussion paper looking at the implications of digital payments, with “a particular focus on the possibility of issuing a US central bank digital currency”.

    China’s threats of a potential crackdown, alongside Elon Musk’s U-turn on accepting Bitcoin as a payment option, led to a tumultuous week for the cryptocurrency. It shed more than 10% in value, dipping to $35,598 at the time of writing.

  • CSIRO Data61 bins Trustworthy Systems team behind seL4

    The team behind the seL4 microkernel is no longer under the umbrella of Australia’s Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Data61, with members being shifted from microkernels to supporting artificial intelligence.

    “[CSIRO’s Data61] dismantles Trustworthy Systems (TS), the team that shook the scientific world with the first correctness proof of an OS, #seL4. TS staff to reallocate to AI projects or sacked,” professor Gernot Heiser, chairman of the seL4 Foundation, said on Friday. “Claims by [Data61] of research excellence sound hollow. I challenge you to identify work in Data61 eclipsing the TS team and #seL4. Yet it’s easy to identify highly incremental work in Data61 that seems safe.”

    In 2009, the security of seL4 was mathematically proven. Heiser added that total disaster was avoided thanks to the seL4 Foundation being established last year.

    A spokesperson for CSIRO said seL4 was a “mature area of technology” that the organisation had invested in over a number of years, and that the organisation would remain a foundation member so it could “pivot” away from its work.

    “In order to support the nation in the most important areas, CSIRO will no longer maintain the existing Trustworthy Systems Group. The Trustworthy Systems group is focused on the area of formal methods for design, implementation, and verification of software systems,” CSIRO said.

    “We are strengthening our focus on areas such as cybersecurity, industry 4.0 and natural hazards/environmental analytics, as well as emerging areas such as Trustworthy AI.”

    The spokesperson added that Data61 was following new goals, with money being put towards AI, “reinventing” how science would be done using digital technologies, and “putting digital science and technology at the heart of Australia’s recovery and resilience”.

    “As a result of the changes, there will be approximately 100 positions created including 30 new post doctorate positions,” the spokesperson said. “In the short term up to 70 people in Data61 will be potentially impacted, however, the number will likely be less as we work to redeploy people throughout the organisation. Within two years, given the new positions, we expect headcount to be higher than today.”

    The research conducted by Trustworthy Systems will continue at the University of New South Wales, Heiser said, but he was scathing of the decision taken.

    “If this shining example of Aussie innovation no longer has a place in Data61, then what is the organisation good for? I find this development highly upsetting not only due to its impact on my own work, our agenda for making the world’s computing systems secure, but also as a taxpayer who is funding this organisation,” he wrote. “I am no longer convinced that my tax dollars are well spent there.”

  • NSW lightning and floods punish NBN FttC connection devices

    The company responsible for the National Broadband Network has told the Senate it has replaced approximately 47,700 NBN Co Connection Devices (NCD) used on fibre-to-the-curb (FttC) connections, with New South Wales the most heavily affected state. NBN said the main areas where lightning and floods resulted in NCD replacement were Penrith, Miranda, Frenchs Forest, Rockdale, Grafton, Mosman, Peakhurst, Glebe, and Campbelltown.

    The company further said that during 2020 it swapped 57,000 NCDs, and so far this year it has replaced 44,300 NCDs. In March, the company said it was looking for a long-term solution to lightning frying FttC equipment, a problem highlighted in the Blue Mountains area of NSW. Of the 19,300 FttC premises in the region, NBN said it swapped out 5,507 NCDs last year and 4,570 NCDs this year.

    NBN added that it has replaced around 31,000 FttC distribution points so far, with the 14,900 distribution points replaced in 2020 representing 2.14% of its FttC footprint; it has replaced 13,000, or 1.3%, of FttC lead-ins so far, and remediated 36,800, or 3.7%, of FttC lead-ins. Earlier this month, NBN said it would look to upgrade FttC users to full fibre if they wished to receive speeds over 250Mbps.

    On its fibre-to-the-node (FttN) technology, NBN said 4.16%, or 123,000 lines, would not hit its mandated 25Mbps download speed, and 2.54% could not hit the 5Mbps upload mandate. The company added that some of that number were still in the co-existence period, during which NBN only guarantees 12Mbps down. As of April 21, 37.4% of FttN nodes had exited co-existence.

    For the 2021 fiscal year, NBN had an average fault rate of 0.77 faults each month per 100 active premises, or almost 566,000 faults for the 12 months. By technology, NBN had almost 222,500 faults on FttN and fibre-to-the-basement connections, 150,000 on FttC, 120,000 on cable, 51,000 on full fibre, 16,000 faults on fixed wireless, and almost 7,000 on satellite.

    NBN did not answer a number of senators’ questions, on the basis that forecasting items such as operating expenditures and profitability could harm the company since it has entered private debt markets, and because doing so was not in the interest of Australian taxpayers.

    “Extending into debt capital markets brings a new suite of obligations and limitations. Publicly stating forecasts exposes NBN Co to potential risks of liability to debt investors and also to higher than necessary borrowing costs,” it said. “Forecasts or revised forecasts could be used by investors to drive up the price of the credit and force NBN Co to lock in higher than necessary borrowing costs. This is not in the interests of NBN Co, the Australian taxpayers, or our commercial partners.”

    The company also said that because it is borrowing from overseas as well, it could be subject to foreign securities laws.

    “Continuing to publish or discuss long term forecasts could expose NBN Co to liability if investors allege that they relied on forecasts. This is irrespective of the rigour of NBN Co forecasting or the company’s belief that what is published is the best possible estimate at the time,” it said. “Taking these considerations into account, NBN Co determined that it would not be commercially prudent to release some information that may have been provided in previous Corporate Plans.”

    The company also said that as of April 21, it had 5,261 staff, of which 656 worked in its IT department and 92 in its corporate affairs and public relations unit. The company said that as of April 16, it had no workers in its internal field workforce that were “on visa or skilled migration”. NBN said it updated its standard contracts in 2020 with an explicit “no sham contracting” obligation. NBN contractors recently walked off the job in protest over the “NBN Co’s shambolic management and pyramid contracting scheme”.

    In its third-quarter earnings, NBN said its residential average revenue per user remained stuck at AU$45. It told Senate Estimates that it still expects that number to hit AU$49 across the period of its current corporate plan. NBN said it would hit peak debt of AU$27.5 billion in the 2024 fiscal year.

  • Air India discloses data of 4.5m passengers were stolen in SITA cyber attack

    Three months after global aviation industry IT supplier SITA fell victim to a cyber attack, Air India has disclosed that the incident resulted in the data of around 4.5 million of its passengers being stolen. The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021, Air India said in a statement [PDF]. The stolen information included names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. No frequent flyer passwords or CVV/CVC data were stolen, however, as this information was not held by SITA. SITA, an information technology and communications company, is the data processor for Air India’s passenger service system.

    While the SITA cyber attack was first discovered at the end of February, Air India said it only understood the severity of the attack last month. Since then, Air India has been conducting investigations, securing compromised servers, engaging external specialists, notifying and liaising with credit card issuers, and resetting passwords for the Air India FFP program, it said.

    When the cyber attack was disclosed, SITA said Star Alliance and One World airlines were affected. Alongside Air India, this included Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Air New Zealand, Cathay Pacific, and Singapore Airlines, among others. In March, Singapore Airlines disclosed that the data of 580,000 of its frequent flyer members was compromised in the cyber attack.

    According to SITA, the vendor serves around 90% of the world’s airlines, which amounts to 2,800 customers including airlines, airports, and government agencies.

    Over the weekend, a handful of airlines were forced to cancel or delay flights after Sabre suffered a global IT outage. Virgin Australia, American Airlines, and Alaska Airlines were among the airlines affected. Sabre blamed the outage on its hardware provider, Dell EMC.

    “Dell/EMC has confirmed it experienced a hardware redundancy failure that impacted Sabre’s system, including PSS and check-in,” Sabre told ZDNet. “The issue has been resolved. Dell/EMC is working to understand why the failure occurred.”

  • A pair of TPG TrustedCloud customers were breached

    TPG Telecom said on Monday morning that the data of two customers had been accessed on its legacy TrustedCloud hosting service. It added that it did not believe any other customers were impacted by the breach.

    “The incident was isolated to the TrustedCloud service. The TrustedCloud service is hosted in a standalone environment that is separate from our telecommunications networks and other systems,” the company told the ASX. “The incident has not impacted customers from any of our other brands, products or services.”

    TPG Telecom gained TrustedCloud when it purchased IntraPower in 2011, with the service being “in the process of being decommissioned” and set to disappear in August. The telco said the service had only a “few” remaining customers.

    “We have introduced measures to improve the security of the TrustedCloud service,” TPG said. “Although we are confident this incident has not impacted our other environments, we have also increased the cybersecurity defences across our entire business.”

    Earlier this month, the Australian Department of Parliamentary Services said its March outage was the result of a deliberate choice to shut down its legacy mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

    “The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said. “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

    The legacy MDM system remains in use in a limited capacity. The Australian Signals Directorate said it knew who conducted the attack, but would not say who.

  • This 2021 Cisco certification training bundle is on sale for just $69

    Cisco continues to grow, even in an economic downturn, so the future looks bright for those seeking long-term tech careers. And now, network administrators looking to level up in their careers can get all the training they need to compete in the constantly changing network technologies industry with The Complete 2021 Cisco Certification Training Bundle.

    The previous CCNA certification became obsolete in February 2020. Instead of having to take several exams in various subjects, you can take one exam that covers several of them for the current 2020 CCNA certification. CCNA 200-301 is now the industry standard for networking certification, and the “Cisco CCNA 200-301” course will help you to achieve this top certification without becoming overwhelmed.

    While not designed for the complete beginner in networking, the “Cisco Certified Technician (CCT) Routing & Switching” course is meant to raise the level of competency in Cisco systems and devices that field technicians need in order to help clients with their networking equipment. The instruction should be sufficient for students to pass the 100-490 Exam.

    Once you’ve completed CCNA certification, you can move on to specialized areas. The “Cisco CCNP Enterprise ENARSI” course prepares you for Exam 300-410 by covering how to implement and troubleshoot advanced routing services and technologies, while the “Cisco CCNP Enterprise ENSLD” course provides the information on designing network architecture for Cisco enterprise networks that you will need to pass Exam 300-420. You will learn all you need to know to pass Exam 350-401 in the “Cisco CCNP Enterprise ENCOR” course, which covers implementing technologies in enterprise networking.

    As a bonus to exam prep, the “Hands-On with CISCO Modeling Labs 1 & 2” course will teach you how to create models and what-if scenarios for real-world and future networks, whether you are familiar with VIRL 1.x or completely new to it.

    The courses in this bundle have all achieved a rating of 4.47 out of 5 stars from previous students, so there is no question about their effectiveness. Move up in your career as a network administrator by learning at your own pace everything you need for official Cisco certifications. Get The Complete 2021 Cisco Certification Training Bundle while you can get these 75 hours of lessons for only $69.

     Prices subject to change.
