The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Supply chain attacks. NOBELIUM and The Lazarus Group target the technology supply chain.
- The REvil plot thickens. US and foreign agencies allegedly behind REvil shutdown.
- Retail disruption. Cyberattack takes down online grocery services of UK’s largest retailer.
- Gas station chaos. Distribution of fuel disrupted across Iran following cyberattack.
- Dark web arrests. 150 people arrested since the takedown of the largest dark web marketplace.
- Expanding influence. US State Department set to establish Bureau of Cyberspace and Digital Policy.
1. Nation-state threat actors target the IT supply chain
NOBELIUM is attacking a variety of companies in the technology supply chain in order to establish long-term systematic access. The nation-state threat actor is utilising social engineering and credential-based attacks to gain privileged access instead of exploiting software vulnerabilities.
The Lazarus Group has also been targeting the technology supply chain, installing remote access Trojans (‘RATs’) to gain persistent access to the networks of compromised IT service providers.
SO WHAT? Supply chain attacks aim to abuse trusted relationships and compromise downstream clients. As mitigation, organisations should ensure that third-party providers have fundamental security controls in place prior to engaging them. This can be done, for instance, by requiring the completion of a relevant security questionnaire.
2. The REvil plot thickens
It is alleged that the operational shutdown of the REvil ransomware group on 17 October 2021 was the result of a joint international law enforcement operation. The operation involved multiple US and foreign agencies who reportedly hacked the group’s network infrastructure and took partial control of their servers.
Many ransomware groups have criticised the actions of the US Government, while the prolific DarkSide ransomware group has started distributing USD 7 million worth of Bitcoin (BTC) across multiple BTC wallets, likely over fears of seizure.
SO WHAT? The law enforcement operation has struck a potentially fatal blow against REvil and indicates a willingness of certain law enforcement agencies to act aggressively to counter ransomware.
3. Cyberattack takes down online grocery services of UK’s largest retailer
A cyberattack significantly disrupted the online operations of the UK’s largest retailer, Tesco, following an attack on the company’s groceries website and application. The attack left customers unable to place or amend their orders for two days, from 23 to 24 October.
Given that online orders make up 14.6 percent of Tesco’s UK sales, an attack of this nature carries significant business and financial impacts for the retailer.
SO WHAT? Web applications remain a popular target for cyber criminals, given the adverse impact a successful attack can have. To help mitigate the risk of a successful attack, organisations should ensure they conduct regular security assessments of their applications, such as penetration tests and code reviews.
4. Cyberattack cripples Iranian fuel stations
A cyberattack on 26 October brought the sale of subsidised fuel across Iran to a halt. The attack disabled the government-issued smart cards used to purchase cheaper fuel. No group has claimed responsibility for the attack; however, Iranian officials are attributing it to a “foreign country”. There are suggestions that the responsible threat actor also conducted the attack that grounded Iran’s train service in July 2021.
SO WHAT? Critical infrastructure is often not built with security in mind, making it an attractive and high-impact target. Fuel providers, as well as organisations reliant on fuel supplies for their operations, should build this consideration into their risk assessments and business continuity planning.
5. Dark web arrests
Since the dark web marketplace DarkMarket was taken down in January 2021, law enforcement agencies spanning nine countries have arrested 150 individuals suspected of involvement with the market. At the time of its takedown, DarkMarket was the largest dark web marketplace in operation. Law enforcement has also seized over EUR 26 million in cash and cryptocurrency. The operation is still ongoing, and recently led to the takedown of two Italian dark web marketplaces.
SO WHAT? This operation shows that the law enforcement community is increasingly prepared to leverage global partnerships to combat, investigate, and prosecute those involved in transnational cybercrime.
6. US State Department to set up new Bureau of Cyberspace and Digital Policy
As part of the Biden administration’s broader push to treat cyber threats as a top-tier national security issue, the US State Department announced plans for organisational changes to confront international cyber security challenges, such as ransomware. The restructuring will include the creation of a new Bureau of Cyberspace and Digital Policy, for which cyberspace security will be a key focus.
The move comes amid heightened international tensions around cybersecurity issues, with a senior US State Department official flagging how ransomware attacks linked to Russian criminal gangs have driven home the challenges of international diplomacy.