North Korean hackers recently targeted U.S. media, IT and crypto firms in a coordinated attack,
March 25 (UPI) -- Google recently discovered coordinated attacks by North Korean government-backed hackers against U.S.-based organizations in the news media, IT, fintech and cryptocurrency industries, the company's cybersecurity unit said.
Two separate North Korean groups exploited a vulnerability in the web browser Chrome in an effort to remotely install malware, Google's Threat Analysis Group said in a blog post Thursday.
The earliest evidence of the exploit was on Jan. 4 and a patch was issued on Feb. 14, Google said.
One campaign by the hackers targeted over 250 individuals in 10 different companies by posing as recruiters with fake job offers from Disney, Google and Oracle.
Google said it suspected the two groups worked for the same entity but had different missions and used different techniques. The company said it notified all the targets of the attacks.
The report came days after U.S. national security adviser Jake Sullivan said North Korean hackers are working with Russian cybercriminals.
"North Korea's cyber capabilities have been manifest in the world and they work with all kinds of cybercriminals around the world, including Russian cybercriminals," Sullivan said Tuesday at a press conference.
He was responding to a question about a report from Harvard University's Belfer Center for Science and International Affairs last week that drew a connection between the two countries' cybercrime operations.
U.S. President Joe Biden on Monday warned American companies to be on heightened alert for cyberattacks by Russia in response to the heavy sanctions that have been imposed since its invasion of Ukraine.
FILE - Deputy Attorney General Lisa Monaco speaks to The Associated Press during an interview at the Department of Justice in Washington, Nov. 2, 2021. The Justice Department says four Russian government officials have been charged in hacks that targeted the global energy industry and thousands of computers around the world between 2012 and 2018. “Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Monaco said in a statement. (AP Photo/Manuel Balce Ceneta, File)
WASHINGTON (AP) — Four Russian officials, including hackers with a government intelligence agency, have been charged with the malicious hacking of critical infrastructure around the globe including the U.S. energy and aviation sectors between 2012 and 2018, the U.S. Justice Department and British Foreign Office announced.
Among the thousands of computers targeted in some 135 countries were machines at a Kansas nuclear power plant — whose business network was compromised — and at a Saudi petro-chemical plant in 2017 where the hackers overrode safety controls, officials said Thursday.
Though the intrusions date back years, the indictments were unsealed as the FBI has raised fresh alarms about efforts by Russian hackers to scan the networks of U.S. energy firms for vulnerabilities that could be exploited during Russia’s war against Ukraine.
The Foreign Office suggested in an announcement on its website that the timing — exposing “the global scope” of hacking by the KGB’s successor spy agency — was directly related to Russian President Vladimir Putin’s “unprovoked and illegal war in Ukraine.”
Additionally, multiple U.S. federal agencies on Thursday published a joint advisory on the hacking campaign, alerting energy executives to take steps to protect their systems from Russian operatives.
“The DOJ is firing warning shots at people who run Russia’s cyberattack capability,” tweeted threat intelligence analyst John Hultquist at the cybersecurity firm Mandiant.
“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” Deputy Attorney General Lisa Monaco said in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.”
None of the four defendants is in custody, though a Justice Department official who briefed reporters said officials deemed it better to make the investigation public rather than wait for the “distant possibility” of arrests. The State Department on Thursday announced rewards of up to $10 million for information leading to the “identification or location” of any of the four defendants.
The indicted Russians include an employee at a Russian military research institute accused of working with co-conspirators in 2017 to hack the systems of a foreign refinery and to install malicious software, twice resulting in emergency shutdowns of operations. The British Foreign Office identified the target as Saudi and said the military research institute was being sanctioned. The so-called “Triton” case — affecting the Petro Rabigh complex on the Red Sea — has been well-documented by cybersecurity researchers as one of the most dangerous on record. The malware was designed with a goal of inflicting physical damage by disabling a safety shutdown function that would normally stop a refinery from “catastrophic failure,” a Justice Department official said.
The employee, Evgeny Viktorovich Gladkikh, also tried to break into the computers of an unidentified U.S. company that operates multiple oil refineries, according to an indictment that was filed in June 2021 and was unsealed Thursday.
The three other defendants are alleged hackers with Russia’s Federal Security Service, or FSB — which conducts domestic intelligence and counterintelligence — and members of a hacking unit known to cybersecurity researchers as Dragonfly.
The hackers are accused of installing malware into legitimate software updates on more than 17,000 devices in the U.S. and other countries. Their supply chain attacks between 2012 and 2014 targeted oil and gas firms, nuclear power plants and utility and power transmission companies, prosecutors said.
The goal, according to the indictment, was to “establish and maintain surreptitious unauthorized access to networks, computers, and devices of companies and other entities in the energy sector.” That access would enable the Russian government to alter and damage systems if it wanted to, the indictment said.
A second phase of the attack, officials said, involved spear-phishing attacks targeting more than 500 U.S. and international companies, as well as U.S. government agencies including the Nuclear Regulatory Commission.
The hackers also successfully compromised the business network — though not the control systems — of the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, which operates a nuclear power plant.
The British Foreign Office said the FSB hackers had also targeted U.K. energy companies and stolen data from the U.S. aviation sector and other key U.S. targets.
____
AP reporter Frank Bajak contributed from Lima, Peru. Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP.
U.S. and British officials said that the four Russians were responsible for targeting systems in more than 100 countries over a six-year period, including energy and aviation sectors of the United States. Photo courtesy Federal Bureau of Investigation
March 25 (UPI) -- U.S. and British officials have accused four Russian officials -- including hackers with a Moscow intelligence agency -- with various cybercrimes committed over a period of several years against more than 100 countries, including the United States.
The U.S. Justice Department and British Foreign Office announced the cybercrimes on Thursday. They say the Russian officials worked with the Kremlin to conduct cyber intrusions between 2012 and 2018 that targeted the global energy sector in about 135 countries.
The department said the attacks came as part of two separate conspiracies targeting "thousands of computers, at hundreds of companies and organizations" over the six-year period.
The charges are part of two separate indictments last summer and unsealed on Thursday.
RELATEDU.S., EU strike deal to cut Russian fuel dependency; Biden heads on to Poland
One of the Russians identified in the indictment is Evgeny Viktorovich Gladkikh, an employee of a Russian defense research institute. Prosecutors say that he and three co-conspirators caused two separate emergency shutdowns at a foreign refinery by hacking the system and installing malware.
The attacks also included breaches at a nuclear power plant in Kansas and a chemical plant in Saudi Arabia.
"In some cases, the spearphishing attacks were successful, including in the compromise of the business network of the Wolf Creek Nuclear Operating Corporation in Burlington, Kan., which operates a nuclear power plant," the Justice Department said in a statement.
Gladkikh is charged with one count of conspiracy to cause damage to an energy facility.
The other three were identified as Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov. Authorities said they undertook years-long efforts to target and compromise computer systems of energy companies around the world. Those three are suspected hackers with Moscow's Federal Security Service.
None of the four have been arrested, officials said.
"After establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity," the department added.
Akulov, Gavrilov and Tyukov are charged with conspiracy to cause damage to an energy facility and conspiracy to commit computer fraud and abuse and wire fraud.
Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to systems. The pair were also charged with three counts of aggravated identity theft.
The British Foreign Office said that the charges are directly related to Russian President Vladimir Putin's "unprovoked and illegal war in Ukraine," which is now in its second month.
"The U.K., together with the U.S. and other allies, has exposed historic malign cyber activity of Russia's Federal Security Service," the foreign office said.
The Federal Security Service is Moscow's successor spy agency to the Soviet-era KGB.
Authorities said the cybercrimes include "substantial scanning and probing of networks in the American aviation sector, and exfiltration of data in aviation and other key U.S. targets."
"We are sending a clear message to the Kremlin by sanctioning those who target people, businesses and infrastructure," Foreign Secretary Liz Truss said in a statement. "We will not tolerate it."