Information Technology

Hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021 through at least seven attacks and most of it was Ether or ETH rather than Bitcoin, according to blockchain analysis firm, Cainalysis. 2021 was a record year for North Korea’s military hackers, the most notorious of which is Lazarus, the group behind the destructive wiper attack on Sony Pictures Entertainment in 2014, WannaCry ransomware in 2017, multiple banks via the SWIFT banking system, and numerous cryptocurrency exchanges. 

ZDNet Recommends

Also known as APT 38, the group has focused in on cryptocurrency theft as a prime vehicle for raising revenue for the country and evading US and UN economic sanctions. A UN Panel of experts in 2018 concluded that its cryptocurrency hacks contribute to North Korea’s ballistic missile programs.SEE: Scallops, vaccines and Tesla: The wild world of blockchain and cryptocurrencyThe group employs common tactics used by other nation-state hacking groups and cybercriminals, including social engineering, phishing and software exploits. “From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” Chainalysis said in its report. Attacks from North Korean hackers in 2021 mostly targeted investment firms and centralized cryptocurrency exchanges, according to Chainalysis. The groups used social engineering to move funds from targets’ wallets to addresses controlled by North Korean accounts. The funds were then laundered and cashed out.  

Last year, 68% of the funds that North Korean hackers stole were Ether, which replaced Bitcoin as the primary cryptocurrency. Bitcoin, however, still plays a key role in laundering stolen Ether via decentralized exchanges before being mixed into new wallets and then cashed out. Cryptocurrency mixer or ‘tumbler’ software breaks down a user’s funds into small sums and blends it with other transactions in micro-transactions before sending an equivalent value to a new address. The US filed its first money laundering charges against a US Bitcoin mixing service in 2020.   “DPRK is a systematic money launderer, and their use of multiple mixers … is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat,” the report notes.North Korea also has about $170 million in cryptocurrency holdings from 49 attacks that have yet to be laundered through mixers. Of that, $55 million came from attacks carried out in 2016 while $35 million came from attacks in 2020 and 2021. Chainalysis notes that $97 million stolen from cryptocurrency wallets managed by Japanese cryptocurrency exchange Liquid.com in August was moved to addresses controlled by a party working on behalf of DPRK, resulting in $91.35 million being laundered. North Korea’s hacks on cryptocurrency exchanges are well document by the US Cybersecurity and Infrastructure Security Agency (CISA). The US government’s umbrella term for the country’s hacking is HIDDEN COBRA. A February 2021 report from CISA details the work of North Korean hackers in connection with the AppleJesus malware that targeted Windows and Mac systems worldwide by posing as a legitimate cryptocurrency trading platform.  More

A ‘massive’ cyberattack has taken down several government websites in Ukraine, including the Ukrainian Foreign Ministry and the Ministry of Education and Science.A statement by Ukranian police says cyber attackers left “provocative messages” on the main pages of government websites, which have been taken offline – but no personal data has been altered or stolen.

ZDNet Recommends

The country’s cyber-police department is working with the State Special Communications Service and Ukraine’s security service to investigate the attacks. As of Friday morning, some of the websites have been restored, while others remain offline.SEE: A winning strategy for cybersecurity (ZDNet special report) “As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down. Our specialists have already started restoring the work of IT systems, and the cyberpolice has opened an investigation,” Oleg Nikolenlo, spokesperson for Ukraine’s Foreign Ministry, said on Twitter.Websites affected by the attack include those of the Ukrainian cabinet, a number of ministries and the state services website, which stores electronic passports and vaccination certificates.Josep Borrell, high representative of the EU for foreign affairs and security policy, said the European Union is mobilising “all its resources” to aid Ukraine following the cyberattack.

“This deserves the strongest condemnation,” he told reporters, according to Bloomberg, adding: “Of course I cannot point at anyone as I have no evidence, but we can imagine.” Currently, nobody has explicitly claimed responsibility for the attack or made concrete accusations over where it originated. However, it came just hours after the EU renewed economic sanctions on Russia by a further six months.Russia has previously been accused of conducting a number of different cyberattacks against Ukraine, including one that disrupted energy supplies, causing power cuts in December 2015.MORE ON CYBERSECURITY More

Singapore has uncovered a distribution network hawking e-vaporisers and other related components via Telegram. The messaging app was tapped to advertise and supply the contraband items to “a large number of people” in chatgroups. The network was busted followed a 24-hour operation conducted on January 6, which uncovered the illegal activities of a distributor and peddlers, said Singapore’s Health Sciences Authority (HSA) in a statement Friday. The industry regulator said the items had an estimated street value of almost SG$200,000 ($148,596). Adding that two male and one female subjects were assisting in its investigation, HSA said: “They had used Telegram to illegally advertise and supply such prohibited items to a large number of people in these chatgroups. “E-vaporiser smugglers and peddlers are using anonymous messaging applications, such as Wechat and Telegram, in a bid to conduct their illegal activities clandestinely. HSA had been closely monitoring the e-vaporiser distribution networks on platforms such as Telegram, which are used to sell the prohibited items,” it added.Singapore’s Tobacco (Control of Advertisements and Sale) Act prohibits the import, distribution, sale, or offer for sale of imitation tobacco products, which include e-vaporisers, shisha tobacco, and smokeless tobacco. Violators face a fine of up to SG$10,000, or imprisonment of up to six months, or both for the first offence, and a fine of up to SG$20,000, or imprisonment of up to 12 months or both for the second or subsequent offence. The law also prohibits the purchase, use, and possession of such products. Violators face a fine of up to SG$2,000.HSA last October seized a record of more than SG$2 million worth of e-vaporisers and related components. RELATED COVERAGE More

The House Select Committee investigating the January 6th terror attack on the US Capitol has issued four subpoenas to Google, Facebook, Twitter and Reddit as it seeks more information about the incident. Chairman Bennie Thompson said in a statement that the subpoenas were issued due to “inadequate responses to prior requests for information.”The subpoenas related to “the spread of misinformation, efforts to overturn the 2020 election, domestic violent extremism, and foreign influence in the 2020 election.””Two key questions for the Select Committee are how the spread of misinformation and violent extremism contributed to the violent attack on our democracy, and what steps—if any—social media companies took to prevent their platforms from being breeding grounds for radicalizing people to violence,” Thompson said. “It’s disappointing that after months of engagement, we still do not have the documents and information necessary to answer those basic questions.  The Select Committee is working to get answers for the American people and help ensure nothing like January 6th ever happens again. We cannot allow our important work to be delayed any further.”In a letter to Alphabet CEO Sundar Pichai, Thompson said YouTube was a “platform for significant communications by its users that were relevant to the planning and execution of January 6th attack on the United States Capitol, including livestreams of the attack as it was taking place.”The letter notes that former Trump administration official Steve Bannon live-streamed his podcast on YouTube in the days before and after January 6 and live-streams of the attack appeared on YouTube as it was taking place. 

“The Select Committee believes Alphabet has significant undisclosed information that is critical to its investigation, concerning how Alphabet developed, implemented, and reviewed its content moderation, algorithmic promotion, demonetization, and other policies that may have affected the January 6, 2021 events,” Thompson wrote. “For example, Alphabet has not produced any documents that fully explain non-public moderation discussions and policies that led to President Trump’s suspension or that explain whether or why the platform did or did not act regarding President Trump’s account in advance of January 6th. Additionally, Alphabet has not produced documents relating to YouTube’s policy decisions that may have had an impact on the planning, coordinating, and execution of January 6th Attack on the U.S. Capitol.”In a statement to ZDNet, Google said they “have been actively cooperating with the Select Committee since they started their investigation, responding substantively to their requests for documents, and are committed to working with Congress through this process.” “We have strict policies prohibiting content that incites violence or undermines trust in elections across YouTube and Google’s products, and we enforced these policies in the run-up to January 6 and continue to do so today. We remain vigilant and are committed to protecting our platforms from abuse,” a Google spokesperson said. Thompson’s letters to the CEOs of Facebook parent company Meta, Reddit and Twitter similarly criticize the companies for failing to adequately respond to questions from Congress about their role in facilitating the attack last year. Meta did not respond to ZDNet’s requests for comment. A Twitter spokesperson declined to comment. A Reddit spokesperson said, “We received the subpoena and will continue to work with the committee on their requests.”Thompson said a number of Meta’s platforms were used “to share messages of hatred, violence, and incitement; to spread misinformation, disinformation, and conspiracy theories around the election; and to coordinate or attempt to coordinate the Stop the Steal movement.””Public accounts about Facebook’s Civic Integrity Team indicate that Facebook has documents that are critical to the Select Committee’s investigation,” Thompson said among a host of other charges about Facebook’s role in the attack on Congress. Reddit was slammed by the Select Committee for hosting the “r/The_Donald” ‘subreddit’ community that eventually moved to the website TheDonald.win in 2020. The website “hosted significant discussion and planning related to the January 6th attack,” according to Thompson. Twitter was also accused of allowing users to plan and execute the assault on the Capitol. Thompson said Twitter “was reportedly warned about potential violence being planned on the site in advance of January 6th.””Twitter users also engaged in communications amplifying allegations of election fraud, including by the former President himself,” Thompson said. “Twitter’s former CEO Jack Dorsey acknowledged last year that Twitter bore some responsibility for the violence that occurred on January 6th.”Thompson said Twitter has refused to produce documents related to the warnings they got about the potential attack and would not commit to a timeline for complying with the Select Committee’s request for a variety of documents related to the 2020 election. “Finally, Twitter has failed to produce any documents that fully explain either its decision to suspend President Trump’s account on January 8, 2021, or any other decisions the company made regarding President Trump’s account relating to the events of January 6th,” Thompson said.  More

The New York Power Authority (NYPA) announced a new deal with cybersecurity firm IronNet and Amazon Web Services that will help the country’s largest state public power organization bolster its cybersecurity defenses. Victor Costanza, deputy CISO at the NYPA, said the rise in sophisticated cyber attacks prompted them to help municipal utilities implement a strong security program that can detect and mitigate attacks in real-time. “With the technologies provided by IronNet and AWS, the IT and power infrastructures in NYPA’s supply chain ecosystem can collect and share anonymized cyber threat information so we can defend our enterprise networks collectively, raising the security posture of all of us throughout the state,” Costanza said.The deal comes two days after the Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020.CISA also specifically cited previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies. Bill Welch, co-CEO of IronNet, said that in the same way utilities band together to provide mutual aid after damaging weather events, NYPA is making collaborative responses to cyber attacks possible. “We are proud to work with NYPA to enable all public utility stakeholders to adopt a proactive defense against any cyber adversary with an eye on the grid—from criminal groups to nation-states,” Welch said.  

NYPA will be adopting IronNet’s Collective Defense solution, which is supported by AWS. The tool will allow municipal utilities in New York and their partners “to create a dynamic, radar-like view of the attack landscape that provides visibility into a wider and deeper range of threats across the state’s entire power grid.”IronNet and AWS ran a pilot program with five NYPA municipalities before the deal was signed and decided to expand it due to its success. “Powered by a network detection and response system that tracks network anomalies with behavioral analytics, NYPA’s key supply chain partners can use IronNet’s Collective Defense platform to collaborate in real time to better detect and defend against attacks. This approach further enhances the resilience of New York’s grid amidst the escalating prevalence of attacks on US critical infrastructure,” IronNet explained in a statement. “Defenders of the state’s IT and power infrastructure will receive alerts on anomalous network behaviors correlated with other Collective Defense participants from the U.S. energy sector at large. In the event of a coordinated attack, the community also benefits from expert guidance from the top cybersecurity professionals of IronNet’s Security Operations Center.” More

School officials in Albuquerque, New Mexico have cancelled classes for Thursday and Friday due to a cyberattack. The shutdown took place just days after a ransomware attack hit government services across Bernalillo County.

In a statement posted to the Albuquerque Public Schools (APS) website, officials said schools will remain closed “as the district continues to investigate a cyberattack that compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” On Wednesday, the school said it was working with cybersecurity experts to get systems back up and running before Friday. The school amended its statement on Thursday.  Athletic activities and other extracurricular activities will continue, but school meals will not be served while the schools are closed. For those in need of meals while the schools are shut down, officials suggested the Roadrunner Food Bank Food Assistance Line for help.They also suggested parents turn to the Boys & Girls Clubs of Central New Mexico, which will be providing free all-day programming for youth 5-18 while the school deals with the cyberattack.  APS Superintendent Scott Elder told the Albuquerque Journal that teachers discovered the attack on Wednesday morning after they tried to log into the student information system and were unable to gain access to the site.”APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network, and ensure a safe environment to return to school and business as usual,” Elder said. 

APS spokeswoman Monica Armenta said the district does have cyber insurance. Multiple government services across Bernalillo County — which covers the state’s most populous cities of Albuquerque, Los Ranchos, and Tijeras — have been dealing with a ransomware attack that started between midnight and 5:30 a.m. on January 5.

County officials have taken the affected systems offline and cut network connections, but most county building are closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed.Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers are still open. Many other government services are still available over the phone and in person. County officials said in a statement that the attack knocked out the Clerk’s Office, limiting access to marriage licenses, real estate transactions, and voter registrations. “The public is being asked to understand the gravity of this ransomware issue and that, at this time, county services are still limited,” officials said. FBI spokesman Frank Fisher told the Albuquerque Journal that even though the school outages were taking place at the same time as the other issues, the cyberattack on APS was not tied to the ransomware attack on Bernalillo County.On Wednesday, reports emerged that the Metropolitan Detention Center went into lockdown after the attack. A public defender filed a lawsuit revealing that the ransomware attack knocked out the jail’s internet, data management servers, and security camera networks. The lawyer said inmates’ rights had been violated because video-based court hearings were cancelled and people could only contact their lawyers through pay phones. 

ZDNet Recommends More

Corporations aren’t doing enough to improve their employees’ personal security practices. Credentials remain the highest targeted data type as they are the gateway to ransomware and data theft. 61% of data breaches in 2021 involved the use of stolen and misused credentials. Bad actors took advantage of a global pandemic to increase the number of phishing attacks, the cause of stolen credentials in 36% of breaches — a 9% increase over last year — according to the Verizon 2021 Data Breach Investigations Report. 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

We know one of the best ways to protect corporate data is to require multi-factor authentication (MFA). The use of MFA is expanding, more than 50% of enterprises provide an option to use MFA, and, according to Yubico and 451 Research, over 74% of organizations say they are increasing investment in MFA solutions. Major platforms, such as Salesforce, announced that all logins to their platform will require MFA in February 2022, and organizations like the IRS have taken a strong stance on the requirement for MFA. Every platform should follow suit, and companies that command a premium to offer MFA should be publicly shamed (see the SSO Wall of Shame) into making this a core part of all of their offerings. While the increasing adoption and additional spending are good trends to see, progress has been too slow.To improve overall corporate security, enterprises should be actively educating and providing tools for employees to follow these same practices in their personal lives. When we attach the word corporate to security we’re letting employees off the hook. We’re sending the message that at work you have to follow secure processes — implying that at home they have no such requirement.In August 2020, MalwareBytes Labs reported 20% of organizations experienced breaches due to remote workers. This number is likely underreported given the rapid increase in remote workers and the length of time the pandemic has impacted the workforce. Equally alarming, employees themselves are overconfident in their likelihood to be the cause of a breach. 61% of respondents in Egress’ Insider Data Breach Survey for 2021 answered that they felt they were equally or less likely to be the cause of a data breach while working from home.The slow adoption of security best practices is often attributed to tool complexity and user experiences. We are all creatures of habit, and if we encourage the use of password managers, multi-factor authentication, and firewalls for personal use we would see the resistance decline for implementing these tools in the enterprise. Given how connected we all are, the rising demands of working anywhere, and increasingly savvy bad actors who capitalize on a remote workforce, enterprises can no longer contain their efforts to the office space and ignore the home environment. The costs for education and licensing that support employees at home is a small investment that will pay big dividends in increased security at work and provide a boon for protecting employee personal data. More

Google and IBM are urging tech organizations to join forces to identify critical open source projects after attending a White House meeting on open source security concerns. The meeting, led by White House cybersecurity leader Anne Neuberger, included officials from organizations like Apache, Google, Apple, Amazon, IBM, Microsoft, Meta, Linux, and Oracle as well as government agencies like the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA). The meeting took place as organizations continue to address the Log4j vulnerability that has caused concern since it was discovered in December. 

more Log4j

Kent Walker, president of global affairs at Google and Alphabet, said that, given the importance of digital infrastructure to the world, it is time to start thinking of it in the same way we do our physical infrastructure. “Open source software is a connective tissue for much of the online world — it deserves the same focus and funding we give to our roads and bridges,” Walker said.In a blog post, Walker explained that during the meeting, Google floated several proposals for how to move forward in the wake of the Log4j vulnerability. Walker said a public-private partnership is needed to identify a list of critical open source projects, and criticality should be determined based on the influence and importance of a project. The list will help organizations prioritize and allocate resources for the most essential security assessments and improvements.  IBM’s enterprise security executive Jamie Thomas echoed Walker’s comments and said the White House meeting “made clear that government and industry can work together to improve security practices for open source.”

“We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field,” Thomas said. Walker touted the work of organizations like the OpenSSF — which Google invested $100 million into — that are already seeking to create standards like this. 

He also said Google proposed setting up an organization to serve as a marketplace for open source maintenance, matching volunteers from companies with the critical projects that most need support. He noted that Google was “ready to contribute resources” to the move. The blog post notes that there is no official resource allocation and few formal requirements or standards for maintaining the security of critical open source code. Most of the work to maintain and enhance the security of open source, including fixing known vulnerabilities, “is done on an ad hoc, volunteer basis.””For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that ‘many eyes’ were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all,” Walker said.  More