The US Federal Bureau of Investigation (FBI) says it has disrupted a giant botnet built and operated by a Russian government intelligence unit known for launching destructive cyberattacks against energy infrastructure in the United States and Ukraine. Separately, law enforcement agencies in the US and Germany moved to decapitate “Hydra”, a billion-dollar Russian darknet drug bazaar that also helped launder the proceeds of multiple Russian ransomware groups.
FBI officials said on Wednesday they broke up “Cyclops Blink”, a collection of compromised network devices managed by hackers working with the Main Intelligence Directorate of the Russian Federation (GRU).
A statement from the US Department of Justice (DOJ) says GRU hackers built Cyclops Blink by exploiting previously undocumented security weaknesses in firewalls and routers made by both ASUS and WatchGuard Technologies. The DOJ said it did not seek to disinfect compromised devices; instead, it obtained court orders to remove the Cyclops Blink malware from the botnet’s “command and control” servers, the hidden machines that allowed the attackers to orchestrate the botnet’s activities.
The FBI and other agencies warned in March that the Cyclops Blink malware was created to replace a threat called “VPNFilter”, an earlier malware platform targeting vulnerabilities in a number of consumer-grade wired and wireless routers. In May 2018, the FBI executed a similar strategy to take down VPNFilter, which had spread to more than half a million consumer devices.
On April 1, ASUS published updates to fix the security vulnerability in a number of its Wi-Fi routers. Meanwhile, WatchGuard appears to have silently fixed its vulnerability in an update shipped nearly a year ago, according to Dan Goodin at Ars Technica.
SANDWORM AND TRITON
Security experts say that both VPNFilter and Cyclops Blink are the work of a hacker group known as Sandworm or Voodoo Bear, the same Russian outfit accused of cutting off Ukraine’s electricity in 2015.
Sandworm has also been implicated in the “Industroyer” December 2016 Ukrainian power grid malware attacks, as well as the 2016 global malware contagion “NotPetya”, which crippled businesses around the world using an exploit believed to have been developed by and then stolen from the US National Security Agency (NSA).
The action against Cyclops Blink came just weeks after the Justice Department unsealed indictments against four Russian men accused of launching cyberattacks against energy utilities in the United States and abroad.
One of the indictments named three Russian Federal Security Service (FSB) officers suspected of being members of Berserk Bear, aka Dragonfly 2.0, aka Havex, which has been blamed for attacking power companies and other critical infrastructure around the world and is widely believed to be working at the behest of the Russian government.
The other indictment named Russians affiliated with a hacking group known as “Triton” or “Trisis”, which infected a Saudi oil refinery with destructive malware in 2017 and then tried to do the same to US energy facilities.
The Justice Department said that in the first phase of Dragonfly, between 2012 and 2014, the defendants hacked into the computer networks of industrial control system (ICS) companies and software vendors, then hid malware inside legitimate software updates for these systems.
“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” the Justice Department said. “Through these and other efforts, including spearphishing and ‘watering hole’ attacks, the conspirators installed malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.”
In the second iteration of Dragonfly, between 2014 and 2017, the hacking group spear-phished more than 3,300 people at more than 500 US and international companies and entities, including US federal agencies such as the Nuclear Regulatory Commission.
“In some cases, the spearphishing attacks were successful, including in compromising the business network (i.e., involving computers not directly connected to the ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant,” the Justice Department account continues. “Moreover, after establishing an illegal foothold on a particular network, the conspirators would typically use that foothold to penetrate further into the network by gaining access to other computers and networks at the victim entity.”
Also this week, German authorities seized the server infrastructure of Hydra Market, a bustling underground market for illegal narcotics, stolen data and money laundering that had been operating since 2015. The German Federal Criminal Police Office (BKA) said Hydra had approximately 17 million customers and more than 19,000 vendors, with sales of at least €1.23 billion in 2020 alone.
In a statement on the takedown of Hydra, the US Treasury Department said blockchain researchers had determined that roughly 86 percent of the illicit Bitcoin received directly by Russian virtual currency exchanges in 2019 came from Hydra.
The Treasury sanctioned a series of cryptocurrency wallets associated with Hydra and with a virtual currency exchange called “Garantex”, which, according to the agency, processed more than $100 million in transactions associated with illicit actors and darknet markets. That amount included approximately $8 million in ransomware proceeds laundered through Hydra on behalf of multiple ransomware groups, including Ryuk and Conti.
“Today’s action against Hydra and Garantex builds on recent sanctions against virtual currency exchanges SUEX and CHATEX, which, like Garantex, operated out of Federation Tower in Moscow, Russia,” the Treasury Department said.
*** This is a Security Bloggers Network syndicated blog from Krebs on Security, written by Brian Krebs. Read the original post at: https://krebsonsecurity.com/2022/04/actions-target-russian-govt-botnet-hydra-dark-market/