Ukraine takes down Russian-linked hackers behind £6m ransom attack

Ukraine has launched a major raid on a Russian-linked hacking network even as Vladimir Putin shrugged off Joe Biden‘s threat to get tough on cyber criminals.

Ukrainian police, accompanied by Korean officers, arrested six people on Wednesday accused of belonging to a hacking group known as Cl0p.

The group as a whole is accused of attacking hundreds of companies, including in the US and Korea, and last year was paid a $6 million Bitcoin ransom by one firm.

The attack mirrors similar attacks by other Russian-linked groups in recent months, including on JBS meat processing plants and the Colonial Pipeline, which saw a combined $15 million in ransom paid to hackers.

Ukraine’s action stands in stark contrast to Putin’s response when pressed by Joe Biden over hacking at their summit yesterday, which was to deny that Russia is the main source of attacks on US computer networks.

Ukraine says it has arrested six people linked to the Cl0p hacking group which is accused of carrying out attacks on hundreds of firms including in the US

Ukrainian police said they had carried out raids on Wednesday targeting six suspects, whom they did not name for fear of harming their investigation, Vice reported.

Officers also searched 21 addresses around the capital Kiev, seizing computers, cars and around 5 million Ukrainian hryvnia, or $185,000.

The suspects have each been charged with hacking and money laundering, and face up to eight years in jail.

However, it is not clear exactly what part they played in Cl0p – a hacking group described as ‘ruthless’, ‘sophisticated’, and ‘almost tireless’ by those who track it.

The group, also known as TA505 and FIN11, has been active since at least 2019 and has attacked hundreds of companies in that time.

They operate by installing malicious software on a firm’s network, which harvests data and can then be used to lock the systems down.

The hackers then issue a ransom demand to the afflicted firm, demanding payment to unlock the computers and/or to prevent the stolen data being leaked online.

The group’s dark-net site currently contains information from almost 60 firms including the likes of Shell, Stanford University, and the University of California.

Cl0p has been linked to Russia by security firm FireEye, which says the malware the hackers used was designed to detect whether the computers it infects use Russian-language keyboards.

If they do, the malware removes itself without causing any harm.

Experts say the fail-safe shows the groups are either working with the Russian state, or else have come to the understanding that as long as they don’t target the country, their activities will be allowed to continue.

Arrests were made on the same day Biden met with Putin and pressured him to take action against cybercriminals, a demand the Russian leader largely brushed off

Ukrainian police say they seized around $180,000 in cash, along with computer equipment and cars from the alleged hackers

Experts have long believed that Cl0p has been operating out of the former Soviet bloc, likely with the blessing of the Russian state (pictured, a car is confiscated)

Some data linked to the hackers is also written in the Russian language and they appear to stop working during Russian public holidays, FireEye added.

Cl0p’s methods mirror those used by other Russian-linked groups such as DarkSide, which the CIA blamed for the recent attack on the Colonial Pipeline.

The Colonial Pipeline Company revealed on May 7 that it had been hit by a ransomware attack that forced it to take the pipeline, which supplies about half of the East Coast’s gasoline, offline.

The pipeline was only brought back online after the firm paid some $4.4 million to the hackers in Bitcoin, and the shutdown still caused panic-buying and price hikes in some states.

Meat processing firm JBS was also hit by a similar attack two weeks ago, which shut down abattoirs in the US, Canada and Australia.

The firm said it had paid some $11 million to the hackers after the ‘sophisticated’ attack took all of its beef processing plants in the US offline for a day, threatening food shortages and price hikes.

FBI investigators subsequently blamed the attack on REvil, another group thought to operate out of eastern Europe with ties to Russia.

Another major security breach that was also linked to Russia was last year’s SolarWinds hack, which compromised large sections of the US government, NATO, and other global bodies.

In response to the increasing attacks, G7 leaders including President Biden issued a joint statement following their meeting in Cornwall last week calling out Russia over its tacit backing of the hackers.

The statement specifically called on Putin to ‘identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.’

Biden warned Putin against attacks on American infrastructure at their summit yesterday, while Putin hit back – claiming the US is the top proponent of cyberattacks

Two weeks ago, meat processing firm JBS was hit by a major ransomware attack and was forced to pay $11 million to hackers to get its plants back online

Last month, hackers also shut down the Colonial Pipeline, which supplies half of the East Coast’s fuel, forcing the firm to pay $4 million

The same issue was raised by Biden with the Russian strongman during three hours of talks in Geneva on Wednesday.

Biden said he handed Putin a list of 16 industries that the US considered ‘off limits’ in terms of hacks, including critical infrastructure such as energy and water.

Should any of them come under attack in the future, Biden said he would use America’s ‘significant cyber capability’ to hit back at Russia – hinting that it could include taking out a vital oil pipeline on which much of the economy relies.

But at a press conference afterwards, Putin largely brushed off the threat – claiming it is the US, not Russia, which is mostly responsible for cyberattacks.

He has previously dismissed claims that attacks are being made by Russians or the Russian state as ‘farcical’.

Even Biden was subsequently forced to admit, in a verbal sparring match with a reporter, that he is ‘not confident’ Putin will take action.

Instead, Biden said he was hoping to use the threat of action by the US and its allies to force Putin to crack down.

‘I said what will change their behavior is if the rest of the world reacts to them and it diminishes their standing in the world. I’m not confident of anything. I’m just stating the facts,’ Biden said.
