Newsletters

A cyber-espionage group has mimicked the tactics of an FSB-linked APT to target Russian organizations for months.

Named GamaCopy (or Core Werewolf), the group emulated the tactics of Gamaredon (or Armageddon), a cyber-espionage group operated by the Russian FSB intelligence agency from the occupied region of Crimea.

The group's false flag attacks have been taking place since June of last year. The campaign has tricked several security vendors who misattributed attacks to Gamaredon, according to a report from Chinese security firm Knownsec 404.

In its last days in office last week, the Biden administration signed an executive order (EO 14144) with new requirements and standards for strengthening the US' cybersecurity defenses and ecosystem.

This is the administration's second cyber executive order after EO 14028 from May 2021.

Below, we're gonna go over all the main points included in last week's release. The list is going through the EO from top to bottom. Items are not listed based on "importance."

Five hacks linked to the DPRK: The US, South Korea, and Japan have linked five 2024 crypto-heists to North Korean hackers. This includes DMM Bitcoin ($308mil), WazirX ($235mil), Upbit ($50mil), Radiant Capital ($50mil), and Rain Management ($16mil).

Synnovius attack fallout: The UK NHS says that a ransomware attack on lab service provider Synnovis last year has had an impact on the health of several patients, including permanent long-term damage in at least two cases. [Additional coverage in Bloomberg]

Fico blames Ukraine for cyberattack: Slovakia's PM Robert Fico has blamed Ukraine for a ransomware attack that crippled its cadastre agency earlier this year. As local media puts it, Fico, who is a known Putin fanboy and a pro-Kremlin propaganda mouthpiece, has cited no evidence.

PowerSchool data breach: Edu software company PowerSchool says hackers breached its SIS student management platform and stole some student records. The company is notifying affected schools, per a DataBreaches.net report.

Gravy Analytics hack: Hackers claim to have breached Gravy Analytics, a company that aggregates and sells access to app location data. [Additional coverage in 404 Media]

UGKK ransomware attack: Slovakia's Geodesy, Cartography, and Cadastre Authority suffered what appears to be a ransomware attack. [Additional coverage in Finsider.sk]

Treasury hack: US officials claim that Chinese state-sponsored hackers have breached the US Treasury Department and accessed internal unclassified documents. The hack allegedly took place after hackers initially breached identity service provider BeyondTrust in December last year. The attackers specifically targeted the Office of Foreign Assets Control (OFAC), the office that imposes foreign sanctions. China, as usual, claimed to be innocent and a victim of "groundless claims." [Additional coverage in NPR]

Cyberhaven Chrome extension compromised: A threat actor has phished an employee of security firm Cyberhaven and published a malicious update to the company's official Chrome extension. The update stole cookies from visited sites and uploaded the data to the attacker's server. According to Secure Annex, the malicious code and the attacker's server IP were also found in multiple other Chrome extensions, and the Cyberhaven compromise appears to be part of a larger campaign. At least 36 extensions are believed to have been compromised as part of this operation.

VW data leak: Sensitive information of 800,000 VW Group vehicle owners was found accessible online. The data came from a VW mobile app used by the owners of VW, Audi, Seat, and Skoda-branded EVs. The data contained information on owners and geolocation data that could be used to reconstruct trips, per a Spiegel report.

Cyberattack hits Ukrainian state registers: Ukrainian officials claim that Russian GRU hackers have breached the government's electronic state registers, a collection of databases that stores information on the Ukrainian population and private sector. The hack took place a year after Ukraine intelligence hacked and wiped data from Russia's tax agency last year.

Japan Airlines cyberattack: Japan Airlines was hit by a cyberattack on December 19 that led to the cancelation of over 20 domestic flights. Most systems were recovered within days. Per a Japan Airlines statement, this looks to have been a DDoS attack. [Additional coverage in the Associated Press]

DMM hack linked to North Korea: The FBI and Japan's National Police have linked the DMM Bitcoin $308 million crypto-heist to North Korean hackers—and specifically to a group tracked as TraderTraitor.

China and Russia appear to have understood before everyone else the role social media influencers play in modern societies, and are using them as weapons against unprepared Western democracies.

Both autocratic regimes have passed strict laws regulating the online presence of social media personalities while at the same paying foreign influencers in covert operations designed to subvert and influence foreign societies and elections.

China passed a law at the end of last year mandating that social media influencers and bloggers with over 500,000 followers must list their legal names on their profiles.

Planned changes to the leadership of US Cyber Command (CYBERCOM) and the National Security Agency (NSA) will prioritise short-term cyber disruption operations at the expense of longer-term intelligence collection. 

The incoming Trump administration plans to end the current 'dual-hat' arrangement whereby both organisations are led by a single officer, according to The Record. The article says the proposal is in its early stages but there aren't any major impediments to the change. Essentially, it only requires that both the Secretary of Defense and the Chairman of the Joint Chiefs certify that the change wouldn't pose an 'unacceptable risk to the military effectiveness' of CYBERCOM. 

The change has been proposed before. President Obama supported a split way back in 2017, and it was again pushed just before the end of President Trump's first term. On that occasion, the plan was killed by then-chairman of the Joint Chiefs, General Mark Milley. 

The US Cybersecurity and Infrastructure Security Agency has sent out 2,131 pre-ransomware activity notifications to US organizations throughout the year.

The notifications were sent via a program named the Pre-Ransomware Notification Initiative (PRNI), which CISA launched in March of 2023.

The program uses tips received from the private sector to detect early ransomware activity and notify potential targets before their data is stolen or encrypted.

Threat actors have secretly abused a suspected zero-day in DrayTek routers since August of last year to hack devices, steal passwords, and then deploy ransomware on connected networks.

According to a joint report from Forescout and PRODAFT, the attacks were carried out by a threat actor known as Monstrous Mantis—believed to be linked to the Ragnar Locker ransomware group.

The attacker used the zero-day to extract and crack the passwords of DrayTek Vigor routers and then hand out the credentials to selected collaborators.