
Who is Hacking Behind the Scenes and Why?

Cyber attackers come in many forms and from many sources. Conventional warfare is fought with kinetic forces that attack or defend against one another; in the cyber domain it can be impossible to know who is behind an attack. The belligerent could be a state actor, a civilian, an activist group, mercenaries, contractors, or a criminal organization. Without clear evidence or an admission, the party behind a threat is exceedingly difficult to identify. These actors can also hide behind aliases, and while a group may have a collective name, that name is of little use unless it can be tied to individuals. This raises the question of the right to war, or "jus ad bellum," for a nation state that wants to retaliate against a cyber-attack (Blank 2013). Beyond identifying the individual or group, the motivation behind an attack can be just as hard to determine. Whether it is financial gain, political discord, ideology, or ego, governments are taking notice of these motives and putting them to use on the asymmetrical battlefield of the cyber domain.

In the ever-evolving world of warfare, governments are making the most of the weapons at their disposal. Sovereign and non-sovereign entities alike are employing non-state actors to extend their offensive capabilities in service of the state's interests. These non-state actors include hacktivists, patriot hackers, and cyber-militias who act on the orders of whoever they serve. The examples that follow show how such groups have already begun shaping a new order for total warfare.

LAPSUS$

LAPSUS$ is a newer group that appeared on government and security-company radars around 2021. Its primary focus is large corporations: stealing their proprietary data and using it for extortion. Ransomware compromises a device, encrypts its contents, and only decrypts them once the victim pays and the transaction is complete. LAPSUS$ instead steals sensitive data and threatens to release it unless a bounty is paid. For companies holding highly sensitive data, refusing the group's demands could be catastrophic. According to Avertium, a security solutions partner, LAPSUS$ has successfully breached technology juggernauts such as Microsoft, Nvidia, Okta, and Samsung. In flashy style, LAPSUS$ announces each compromise on social media, posting screenshots and partial source code of its victims. This rising notoriety brought the group to infamous stardom in a remarkably short period of time.

In March of 2022, LAPSUS$ successfully infiltrated Microsoft, the largest technology company in the world, and released code from popular products such as Cortana and Bing, whose search engine competes heavily with Alphabet's Google. The group used several tactics to gain elevated permissions and reach proprietary data. For initial access, it targeted Microsoft employees with social engineering aimed at their Multi-Factor Authentication (MFA) codes. Such codes can be delivered via email, text message (SMS), authenticator apps, or physical tokens. These methods form a good, better, best spectrum of strength, but each has weaknesses that can be exploited; SMS is the weakest because the code passes through the phone carrier rather than staying on the user's device, while phishing-resistant hardware tokens (FIDO2) are the strongest. LAPSUS$ exploited exactly that weakness with a SIM swap attack, taking control of an employee's phone number to receive the code. In a SIM swap, the attacker convinces the cell phone carrier to activate the victim's number on a SIM the attacker controls, claiming the original was damaged or stolen (Nakash 2023). Once activated, the attacker holds the victim's phone number, and all calls and messages are delivered to the new device. It may take hours or days for the victim to notice that the original device has lost service and is no longer receiving communications; by then it may already be too late. If the network is not properly secured and segmented, the attackers can then move laterally, gaining permissions through additional compromised accounts.

LAPSUS$ is also known for publicly recruiting insiders at its targets to help break into those companies' systems, using Telegram exclusively (a messaging platform whose public channels, unlike its optional secret chats, are not end-to-end encrypted) to post its recruitment offers. This brazen tactic shows prospective recruits how confident the group is in operating out in the open. Unlike an Advanced Persistent Threat (APT), LAPSUS$ does not stay under the radar or cover its tracks once inside a system. Conducting criminal activity in plain sight is bold, and it ultimately helps Computer Network Defense (CND), since tactics carried out openly are quickly documented and defended against.

With its prize in hand, the group posted approximately 37GB of data from Microsoft's code repositories on its Telegram channel. Microsoft stated that the breach did not pose any significant risk to its customers. Even though LAPSUS$ does not cover its tracks, the damage is done the moment the data is public: news of Microsoft being hacked spreads like wildfire, especially in the technology community.

FIN7

FIN7 is a financially motivated hacker group that has been active for almost a decade. Unlike LAPSUS$, FIN7 uses sophisticated tooling to deliver a Remote Access Trojan (RAT) onto targets' machines, for example packaged as MSIX installers, and impersonates brands such as Concur to get them opened. The group has built its own cyber weapons, including Birdwatch, Carbanak, Diceloader, and Powerplant. Its primary delivery method is spear phishing, a targeted attack that deceives individuals or entire organizations into providing credentials or personally identifiable information (PII). Spear phishing pursues the same information as an ordinary phishing campaign, but the message is tailored to a specific target. The attacker researches the target as thoroughly as possible so the email is enticing enough to open, and the lure plays on fear, urgency, trust, or greed to get the recipient to act and hand over information. These emails also tend to arrive from sources or domains the target already trusts; usually those accounts are either compromised or spoofed. Spear phishing is one of the most effective forms of cyber-attack precisely because it leans so heavily on social engineering.
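The spoofed and lookalike sender domains described above are something a mail gateway or SOC script can check mechanically. The following is an added example, not code from the original page or from any FIN7 report: it inspects the From, Reply-To and Return-Path headers of a message for a lookalike domain (confusable characters such as `0` for `o`), a display name that borrows a trusted brand the address does not carry, and reply or bounce addresses routed to a different domain than the visible sender. The trust list, the confusable table, and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed trust list, constructed for this example; a real deployment would use the
# organization's own domains and vetted partner domains.
TRUSTED_DOMAINS = {"example.com", "concur.com"}

# Character substitutions attackers use to register lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Undo common confusable substitutions so that 'c0ncur.com' -> 'concur.com'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


# Trusted domains indexed by their normalized form, so a legitimate domain that happens
# to contain 'rn' or a digit is still compared consistently.
NORMALIZED_TRUSTED = {normalize(d): d for d in TRUSTED_DOMAINS}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw_message):
    """Return a list of findings about the sender headers of one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    return_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    from_norm = normalize(from_dom)

    # 1. Lookalike domain: untrusted as written, trusted once confusables are undone.
    if from_dom not in TRUSTED_DOMAINS and from_norm in NORMALIZED_TRUSTED:
        findings.append(f"lookalike sender domain {from_dom} imitates {NORMALIZED_TRUSTED[from_norm]}")

    # 2. Display-name spoofing: the name borrows a trusted brand the address does not carry.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_norm != normalize(trusted):
            findings.append(f"display name mentions {brand} but address is @{from_dom}")

    # 3. Replies or bounces routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample messages (headers only; the bodies play no part in these checks).
SAMPLE_PHISH = """\
From: "Concur Expense" <noreply@c0ncur.com>
Reply-To: billing@mail-reports.net
Return-Path: <bounce@mail-reports.net>
To: cfo@example.com
Subject: Action required: expense report approval

Please review the attached report today.
"""

SAMPLE_LEGIT = """\
From: "Concur Expense" <noreply@concur.com>
Return-Path: <bounces@concur.com>
To: cfo@example.com
Subject: Your report was approved

Nothing further is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_headers(sample) or ["no findings"])
```

These header checks catch the cheap impersonations; a compromised legitimate account passes all three, which is why the text's warning about trusted-but-compromised senders still calls for SPF, DKIM and DMARC enforcement on the receiving side and attachment sandboxing on top.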

In the spring of 2022 a chain of United States healthcare companies was attacked with FIN7's Carbanak malware. As usual, it began with a malicious email sent to a spear-phished victim. Unbeknownst to the recipient, the attachment contained the Carbanak RAT, which gave FIN7 access to the network. Once in, the attackers could navigate the network remotely, harvest credentials, elevate permissions, move laterally, and eventually exfiltrate sensitive data. By monitoring user activity, the group captured keystrokes and screenshots to obtain credentials for important systems. With sufficient privileges, the malware could spread like wildfire to other computers and systems. It quickly compressed and exfiltrated sensitive information such as patient records, financial and insurance details, and other PII. The group then monetized the theft through extortion: pay the attackers to get the data back, or risk having it sold on the dark web.

Unfortunately, the victims were not just hospital employees but the patients being treated at these facilities. Trust was tarnished not only among the company's employees but among current and future patients, and the healthcare organization took a reputational and financial hit as well. Because the organization failed to protect sensitive patient data, it is also likely to be scrutinized and fined by government regulatory agencies. The broader implication is that attacks of this kind add domestic and foreign pressure on organizations to secure their data from exploitation while remaining in regulatory compliance.

Hospitals are not FIN7's usual targets, but the opportunity was easy to seize given the type of data hospital information systems hold. Healthcare systems have shareholders, and the bottom line matters. These organizations often lack a sophisticated security and network team to maintain their information systems, leaving them unpatched and vulnerable to known threats. Furthermore, because these APT tools are so sophisticated, they can be quickly modified to overcome the security measures that stopped a previous variant from achieving its goal.

LockBit

Ransomware is prolific and comes in many variants across cyber-attacks worldwide. It continues to evolve and to strike a broad array of industries. The obvious targets are the financial and government sectors, for their economic impact or national security interests, but other businesses are fair game, blurring the line between civilian and combatant targets. Industries such as food, agriculture, infrastructure, and education are easy prey. Organizations that exist for humanitarian reasons or to support public works should not have to worry about state-versus-state interests or fall within the scope of an attack, yet emergency services, transportation, and even healthcare are no longer protected in this evolving landscape of available targets. Unfortunately, they are easier targets precisely because of the data they house and their lack of security infrastructure.

Ransomware-as-a-Service (RaaS) is a business model in which a ransomware developer leases the malware and its supporting infrastructure to affiliates, who carry out the intrusions and share the proceeds. The malware encrypts the files on a computer or device and holds the data hostage until the victim pays a ransom, typically in digital currency, in exchange for a decryption key. In 2022, the infamous LockBit ransomware was heavily used by cybercriminals carrying out RaaS attacks. According to the United States Department of Justice, the LockBit ransomware group has victimized over 2,500 organizations located in more than half the countries around the world. The operation, led by Dmitry Yuryevich Khoroshev, a Russian national, began its work on LockBit around 2019. In a remarkably brief period the group has extorted hundreds of millions of dollars, including from organizations that should be off limits, such as schools and non-profits.

LockBit affiliates have used several methods to gain access to a system. Frequently they exploit weaknesses in common protocols such as Remote Desktop Protocol (RDP); any public-facing server that allows RDP access is significantly more susceptible to attack. Another attack vector is the Virtual Private Network (VPN) that corporations host so associates can reach company resources remotely. For the connection to be established there must be a public-facing edge device, such as a firewall or VPN concentrator, for the client to connect to, and the individual attempting to connect presents credentials, certificates, or another means of authentication. If that edge device or its authentication is weak, attackers can brute-force or steal credentials, access the VPN, and begin reaching corporate data.
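Brute-forced RDP and VPN logons leave a very recognizable trail in Windows Security logs: a burst of failed logons (EventID 4625) from one source address, followed by a success (EventID 4624) from the same address. The following is an added example, not code from the original page or from any LockBit analysis: a sliding-window detector that flags a source IP for brute force (many failures in a short window), for password spraying (many distinct accounts failing from one IP), and for a success that arrives after either. The thresholds, the window length, and the sample events are constructed for the example; the event fields are a simplified rendering of the real 4624/4625 records.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures from one IP inside WINDOW (assumed tuning value)
SPRAY_ACCOUNTS = 4            # distinct accounts failing from one IP inside WINDOW
WINDOW = timedelta(minutes=5)

# Constructed sample of Windows Security events, one per line:
#   timestamp  event-id  account  source-ip  logon-type
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is RemoteInteractive (RDP);
# with Network Level Authentication enabled, failed RDP attempts are commonly recorded as
# type 3 (network) instead, so both types are considered.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01 4625 administrator 203.0.113.7 10
2024-03-01T02:00:03 4625 administrator 203.0.113.7 10
2024-03-01T02:00:05 4625 administrator 203.0.113.7 3
2024-03-01T02:00:08 4625 administrator 203.0.113.7 3
2024-03-01T02:00:10 4625 administrator 203.0.113.7 10
2024-03-01T02:00:14 4625 administrator 203.0.113.7 10
2024-03-01T02:00:20 4624 administrator 203.0.113.7 10
2024-03-01T02:10:00 4625 jsmith 198.51.100.9 10
2024-03-01T02:10:05 4625 mjones 198.51.100.9 10
2024-03-01T02:10:09 4625 svc_backup 198.51.100.9 10
2024-03-01T02:10:12 4625 rlee 198.51.100.9 10
2024-03-01T09:15:00 4625 jsmith 192.0.2.25 10
2024-03-01T09:15:30 4624 jsmith 192.0.2.25 10
"""


def parse_event(line):
    ts, event_id, account, src_ip, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), account.lower(), src_ip, int(logon_type)


def detect(log_text):
    """Return {source_ip: [alerts]} after replaying the events in order."""
    recent_failures = defaultdict(deque)   # src_ip -> (timestamp, account) inside WINDOW
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, logon_type = parse_event(line)
        if logon_type not in (3, 10):      # only network / RDP logons matter here
            continue
        window = recent_failures[src_ip]
        while window and ts - window[0][0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        if event_id == 4625:
            window.append((ts, account))
            if len(window) >= FAIL_THRESHOLD:
                alerts[src_ip].add("brute force")
            if len({acct for _, acct in window}) >= SPRAY_ACCOUNTS:
                alerts[src_ip].add("password spray")
        elif event_id == 4624 and alerts.get(src_ip):
            # A success from an address already flagged is the highest-priority signal:
            # the guessing worked, and the account needs to be disabled and investigated.
            alerts[src_ip].add(f"success for {account} after failures")
    return {ip: sorted(found) for ip, found in alerts.items()}


if __name__ == "__main__":
    for ip, found in detect(SAMPLE_EVENTS).items():
        print(ip, found)
```

A single failed logon followed by a success (the 192.0.2.25 case) is ordinary user behaviour and is deliberately not flagged; the point of the window is to separate typo-and-retry from automated guessing. In production the same logic runs over events from the VPN concentrator as well, and the cheaper fix remains not exposing RDP to the internet at all.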

One of the first major victims of LockBit was Accenture, an Information Technology consulting firm. According to Securin, LockBit exploited CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal on Fortinet firewalls that lets an unauthenticated attacker read files containing VPN session credentials. It has also been speculated that an insider aided LockBit's initial connection into the network. Once on the network, the attacker could send malicious requests over the Service Location Protocol (SLP) to take control of further hosts. From that initial foothold the tool infects a system and propagates through ordinary host-to-host communication protocols. On each machine it bypasses User Account Control (UAC) and runs in the background, unnoticed because the elevation prompts are suppressed, and it attempts to disable the local antivirus to avoid detection. The malware spreads very quickly on a device and encrypts only part of each file, enough to render it unusable while keeping the encryption fast, appending a ".lockbit" extension. A ransom note text file is typically left on the desktop of the infected machine instructing the victim how to pay for their data or face the consequences.

The data is typically exfiltrated before the encryption step, so the attacker already holds a plaintext copy to examine; the files left on the victim's disk are encrypted with symmetric keys that are themselves wrapped with the attacker's public key, so only the attacker's private key can recover them. The LockBit group operates a leak site on the Tor network where it publishes or sells the stolen data if the ransom is not paid. The victim is then left to pay, to rebuild, or to restore from uncompromised backups, if any exist. Threats are always evolving, which is why it is important to keep systems patched, alert on newly disclosed vulnerabilities, and train users against social engineering. Not every attack is preventable, but a defense-in-depth approach reduces both the attack surface and the impact on the organization.
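The partial encryption described above (the malware overwrites only the leading portion of each file) has a measurable side effect: a file whose first few kilobytes are near-random but whose remainder is still plaintext. The following is an added example, not code from the original page or from any LockBit sample: it computes Shannon entropy over the head and the tail of each file in a directory, flags files with an encrypted head and a plaintext tail, and flags the ".lockbit" extension named on this page. The 4 KB head size, the entropy threshold, and the three sample files are constructed for the example.

```python
import math
import os
import random
import tempfile

HEAD_BYTES = 4096                   # leading region assumed to be overwritten (example value)
HIGH_ENTROPY = 7.5                  # bits/byte; ciphertext or random data sits near 8.0, text near 4-5
SUSPECT_EXTENSIONS = {".lockbit"}   # extension named on this page


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path):
    """'renamed' = ransomware extension, 'partial' = encrypted head over a plaintext tail,
    'clean' = nothing suspicious. Uniformly high entropy is deliberately not flagged,
    because compressed formats (zip, jpeg, docx) look the same as fully encrypted files."""
    if os.path.splitext(path)[1].lower() in SUSPECT_EXTENSIONS:
        return "renamed"
    with open(path, "rb") as f:
        head, tail = f.read(HEAD_BYTES), f.read()
    if tail and shannon_entropy(head) >= HIGH_ENTROPY and shannon_entropy(tail) < HIGH_ENTROPY:
        return "partial"
    return "clean"


def scan(directory):
    return {name: classify_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def build_sample_dir():
    """Constructed test data: an untouched text file, a file whose first 4 KB were replaced
    with seeded random bytes (standing in for ciphertext), and a renamed encrypted file."""
    d = tempfile.mkdtemp(prefix="partial_encryption_demo_")
    text = b"Quarterly figures and meeting notes for the finance team.\n" * 200
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(text)
    with open(os.path.join(d, "report.csv"), "wb") as f:
        f.write(random.Random(7).randbytes(HEAD_BYTES) + text)
    with open(os.path.join(d, "budget.xlsx.lockbit"), "wb") as f:
        f.write(random.Random(8).randbytes(HEAD_BYTES))
    return d


if __name__ == "__main__":
    for name, verdict in scan(build_sample_dir()).items():
        print(f"{verdict:8} {name}")
```

The entropy split is a cheap triage signal for an incident responder deciding which file shares were touched before backups are restored; it is not a substitute for the endpoint controls that should have stopped the encryptor, and an attacker who encrypts whole files or keeps original extensions defeats both checks.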
