Overview of security incidents for the period 8-14 May 2021

The highlight of the week is undoubtedly the ransomware attack on the American fuel pipeline operator Colonial Pipeline, which caused gasoline shortages along the US East Coast. Read about this and other high-profile security incidents for the period from 8 to 14 May 2021 in our review.

On May 7, Colonial Pipeline learned that it had fallen victim to a cyberattack involving the DarkSide ransomware. In response, the operator shut down its computer network as well as the pipeline itself. Since Colonial Pipeline transports about 2.5 million barrels of refined fuel a day and supplies 45% of all fuel consumed on the US East Coast, the government declared an emergency in 18 states.

After the attack, reports began to appear in the media that hackers working for the Russian government were behind it, but the DarkSide operators decided to dispel this theory publicly. On May 10, they issued a statement that their group is "apolitical" and not affiliated with the government of any country. In addition, the attackers promised to select their victims more carefully in future to avoid disastrous consequences for society.

A few days after the group's statement was published on its website, summaries of documents allegedly stolen from three other companies appeared on the DarkSide Leaks site, although the data itself has not been published. One of the three companies is located in the United States, the second in Brazil and the third in Scotland, and none of them operates critical infrastructure. All three are small enough that a disruption to their operations would not have serious consequences for the public, as happened in the case of Colonial Pipeline.

On May 14, the DarkSide group announced the theft of confidential data from the French branch of the Japanese electrical engineering corporation Toshiba. The group claims to have stolen 740 GB of data, including management documents, information on the company's new business projects, and employees' personal data.

Also on May 14, it became known that DarkSide's servers had been shut down and that the group's threads would be removed from underground forums. The criminals lost access to the public part of their infrastructure, including their blog, payment server and CDN (Content Delivery Network) servers. The operators also announced new restrictions on further criminal activity: they will not attack the social sector (healthcare, educational institutions) or government organizations. Affected companies that have not yet paid the ransom are to receive tools to decrypt their data.

Another high-profile ransomware story is the publication of personal data of Washington, D.C. police officers by the Babuk group. As became known last month, the extortionists attacked the Metropolitan Police Department of the District of Columbia (USA) and threatened to release criminal investigation files and expose police informants if the ransom was not paid. On May 11, the attackers said that ransom negotiations had reached a deadlock and published the personal files of 20 police officers.

As part of Apple's litigation with Epic Games, details emerged of a major attack on App Store users six years ago, which Apple had kept quiet about. On September 21, 2015, Apple managers discovered 2,500 malicious applications that had infected the devices of 128 million users. In total, the malicious apps were downloaded 203 million times.

Pradeo researchers have warned of new Android malware that cybercriminals disguise as the Google Chrome app. The fake app is part of a sophisticated hybrid campaign in which the attackers also use phishing to steal victims' credentials. According to the researchers, the fake Google Chrome has been installed on hundreds of thousands of Android devices over the past few weeks.

Meanwhile, Cleafy researchers have identified an Android banking Trojan capable of stealing user credentials and SMS messages. The criminals target users of banking applications in Spain, Germany, Italy, Belgium and the Netherlands. The malware, dubbed TeaBot (also known as Anatsa), is still in an early stage of development.

Last week also brought reports of attacks on critical infrastructure. The Water Action Response Network, whose members include water utilities, informed them by email that two water systems in Pennsylvania, USA, had been "cyber intruded." According to the letter, the attackers had installed a web shell on the corporate networks to gain remote access to them. The attack was detected and stopped, and the FBI opened an investigation. The organization did not disclose the names of the affected utilities.
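A web shell of the kind described in the WARN notice is a server-side script dropped into a web root so that a request to it runs attacker-supplied commands. The following Python script is an added example, not part of the original review and not something from the affected utilities or the FBI: it walks a web root and flags script files containing generic, well-known web-shell constructs. The indicator patterns, file extensions and sample files are all constructed for illustration.

```python
"""Minimal web-shell triage scan of a web root.

Added example: the indicator regexes are generic web-shell patterns
(code that feeds request parameters into eval/exec), and the sample
web root is constructed inline so the script runs offline.
"""
import os
import re
import tempfile

# Generic indicators of server-side code executing attacker-supplied input.
INDICATORS = [
    # PHP: eval() over a decoded blob, the classic one-liner shell
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # PHP: command execution fed directly from a request superglobal
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    # PHP: preg_replace with the deprecated /e (eval) modifier
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
    # PHP: variable function call whose name comes from the request
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # ASP.NET: spawning a process with request-controlled arguments
    re.compile(r"Process\.Start\s*\(.*\bRequest\.", re.I),
    # JSP: Runtime.exec over a request parameter
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter", re.I),
]

EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx"}


def scan_file(path):
    """Return a list of (indicator_index, line_number) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            for idx, rx in enumerate(INDICATORS):
                if rx.search(line):
                    hits.append((idx, lineno))
    return hits


def scan_webroot(root):
    """Walk a web root; return {relative_path: hits} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample web root: two benign files, two planted shells.
SAMPLES = {
    os.path.join("index.php"): "<?php echo 'Hello'; ?>\n",
    os.path.join("lib", "util.php"): "<?php function f($x) { return strtoupper($x); } ?>\n",
    os.path.join("uploads", "img.php"): "<?php @eval(base64_decode($_POST['c'])); ?>\n",
    os.path.join("admin", "cmd.aspx"): "<% Process.Start(\"cmd.exe\", Request.Form[\"x\"]); %>\n",
}


def build_sample_webroot():
    """Write the constructed samples into a temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


def demo():
    """Build the sample web root and scan it; returns the findings dict."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {hits}")
```

Pattern matching of this kind is only a first pass: obfuscated or encrypted shells will not match, and legitimate admin tooling can trigger the same regexes. In practice, combine it with a file-integrity baseline of the web root (new or recently modified script files, especially under upload directories) and with web-server access logs showing POST requests to otherwise unvisited paths.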

The German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, BfV) has accused Iranian hackers of cyberattacks on German companies in which the victims are tricked into installing malware. According to the report, the attacks are part of a large-scale Iranian campaign to gain access to confidential information held by German organizations.

Experts from Rostelecom-Solar and NKTsKI (the National Coordination Center for Computer Incidents) have identified a series of targeted attacks by a professional cyber group on Russian federal executive authorities. The attackers' main goal was the complete compromise of the IT infrastructure and the theft of confidential information, including documents from isolated network segments and the email correspondence of key employees.
