Dr. Chase Cunningham - Defend & Conquer Weekly Review December 13, 2023

  • News
  • By Daniel Michan
  • Published on December 13, 2023


As we approach the festive season, it is crucial to stay informed about the latest developments in the world of cybersecurity. In this article, we will delve into some noteworthy incidents and trends that have emerged in recent weeks, shedding light on the dark side of cybersecurity.

Wyoming Shell Companies Facilitating Global Hacks

In a captivating article published on Reuters, cybercriminals have leveraged shell companies based in Wyoming to carry out global hacking activities. The unexpected revelation was brought to light by a Somali reporter, Abdalle Ahmed Mumin, who grew concerned after learning about the abduction of a colleague at the University of Mogadishu.

The article goes on to unveil the intricate workings of these front shell organizations, responsible for facilitating money laundering and illicit financial transactions. Wyoming, widely regarded as an unlikely hub for such activities, has witnessed three instances of high-profile hacking involving Wyoming Limited Liability Companies (LLCs) in the past four months alone. Interviews with tech experts, compliance professionals, and hacking victims indicate that Wyoming, once known as a haven for outlaws in the 19th century, is now catering to 21st-century cybercriminals.

The usage of LLCs in Wyoming proves convenient for hackers, as these entities shield owners from liability and offer ease of setup. Compounded by the fact that registered agents and state representatives can serve as public points of contact, the true ownership of these LLCs remains hidden from the wider public. Consequently, any business communication originating from Wyoming may warrant further scrutiny, as it could potentially involve money laundering or cybercriminal activities.

Insomniac Games Ransomware Attack

Gaming enthusiasts were met with disappointment when news broke of a successful ransomware attack on Insomniac Games, the renowned developer responsible for acclaimed titles such as the Spider-Man series. The attack impeded the development of the highly anticipated Wolverine game.

The ransomware operator, identified as Rhysida, substantiated their claims by releasing select data stolen from Insomniac Games. Among the leaked data were potentially sensitive details pertaining to the upcoming Wolverine game, including an annotated screenshot. Furthermore, passport scans belonging to Insomniac Games employees, including an ex-employee now working at Disney, were also exposed. This breach raises concerns regarding personally identifiable information (PII) and the potential misuse of leaked data.

Tracking Sandman APT and Chinese Link to Keyplug Backdoor

Collaborative efforts between SentinelOne, PricewaterhouseCoopers (PwC), and Microsoft Threat Intelligence have uncovered shared tactical and targeting overlaps between the elusive APT group Sandman and a China-based threat cluster that utilizes the Keyplug backdoor.

The combined analysis of LuaDream (associated with Sandman) and Keyplug-based malware in victim networks indicates the merging of development practices and shared functionalities. Tracked as STORM-0866 (by Microsoft) and Red Dev 40 (by PwC), these ongoing investigations offer valuable insights into the operations and possible affiliations of these threat actors.

While the attribution of these attacks may not be definitive, the collaboration between Sandman and a China-linked group highlights the evolving landscape of cyberthreats. It serves as a stark reminder of the importance of remaining vigilant against highly organized and sophisticated actors, both state-sponsored and otherwise.

Escalation of Cyberattacks in Ukraine

As winter approaches, experts predict an intensification of cyberattacks targeting Ukraine. Against the backdrop of an ongoing conflict, a cyberattack launched against Ukraine's largest telecom operator has disrupted internet services and affected several government agencies.

Attributed to Russia, this cyberattack represents one of the largest assaults on Ukrainian infrastructure since the country's invasion a year ago. The attack targeted Kyivstar, leading to a widespread collapse of the company's telecom and internet access networks. Ukrainian government agencies, well-acquainted with such cyber threats, have pointed fingers at Russia once again.

This brazen attack aligns with the anticipated increase in Russian cyber operations during the winter months. It signifies a concerning shift from purely digital assaults to attacks that directly impact physical infrastructure, further complicating the geopolitical landscape.

U.S. Allies Warned of Russian State Actor Spear Phishing Campaigns

The U.S. Cyber Command's Cyber National Mission Force, in collaboration with interagency and foreign partners, recently issued a joint cyber advisory highlighting the formidable spear phishing campaign tactics and techniques employed by the Russian state actor "Star Blizzard" (also known as Seaborgium, Callisto Group, TA446, ColdRiver, TAG-53, and Blue Charlie).

This long-standing threat group, linked to the Russian FSB (Federal Security Service), has targeted academia, defense organizations, government entities, non-governmental think tanks, and high-profile individuals since 2019. The advisory warns that these malicious activities extend beyond U.S. borders, impacting targets in the United Kingdom as well.

While the detailed report generated by the U.S. Cyber Command's Cyber National Mission Force is not readily available to the general public, it emphasizes the urgency of diligently reviewing and addressing indicators of compromise (IOCs) or other attack-related artifacts within network infrastructures. Mitigating the risk posed by state-sponsored adversaries necessitates a proactive and comprehensive approach to cybersecurity.

---

As we wrap up this overview of the latest cybersecurity developments, it is important to remember that cybersecurity is an ongoing battle. The incidents discussed here serve as reminders that cyber threats continue to evolve, requiring individuals, organizations, and governments to remain ever-vigilant in their efforts to protect sensitive information, critical infrastructure, and valuable assets.

During this holiday season, I urge you all to remain safe, stay informed, and be proactive in your cybersecurity measures. By doing so, we can collectively contribute to a safer digital landscape and prevent cybercriminals from exploiting vulnerabilities.

Stay secure, and I'll catch you in the next update.