Hackers 2 Operation Takedown Full Movie 35


Sacha Weakland

Jul 13, 2024, 4:18:25 PM
to progamesic

Suspected North Korean hackers have been running a spearphishing email operation targeting people interested in North Korean refugees, according to new research from ESTsecurity, a South Korea-based security firm.

As part of the takedown, the FBI was able to gain access to Qakbot infrastructure and identify over 700,000 computers worldwide, including more than 200,000 in the United States, that appear to have been infected with Qakbot. To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by law enforcement that would uninstall the Qakbot malware. This uninstaller was designed to untether the victim computer from the Qakbot botnet, preventing further installation of malware through Qakbot.

Talos notes that the malicious file names being used are written in Italian, which suggests the hackers are mostly targeting users in that region, adding that the campaign has also targeted English and German-speaking individuals. Venere tells TechCrunch that identifying the true scope of the campaign is difficult, but said that the Qakbot distribution network is highly effective and has the ability to push large-scale campaigns.

What made the Emotet malware strain so alarming is the malware was offered for sale to other hackers via the Dark Web. This allowed multiple criminal organizations to put the malware to use across the globe. This type of attack is one of the biggest cybercrime attacks used in the world today. Emotet ransomware grew quickly and rivaled other large ransomware variants including TrickBot and Ryuk.

The system used by Emotet involved hundreds of servers located across the globe, all having different functionalities to manage machines of the infected victims, spread the malware, serve other criminal groups, and make the network more resilient against takedown attempts.

In court filings unsealed the same day as the announcement, the Justice Department said that the espionage campaign was "very consequential," and that the hackers had stolen sensitive documents from NATO countries.

Russia's intelligence and security agencies have overlapping, sometimes competing cyber-operations. Some of the most destructive known cyberweapons -- Sandworm and NotPetya, for example -- have been developed by Russia's military intelligence agency, known as the GRU. That agency, and another called the Foreign Intelligence Service (SVR), has been accused in the hacking of U.S. political campaigns in 2016.

"In terms of general persistent activity of this team/group/unit they have been probably the more active and professional one, in contrast to other operations employed by the [Russian] military for example," Michael Sandee, a researcher with Fox-IT, a Dutch digital forensics company, said in an e-mail.

U.S. officials said they had been monitoring Turla and Snake-related variations of the malware for nearly two decades. British officials, meanwhile, said last year that Center 16 had been "observed conducting cyber-operations since at least 2010."

The FBI also said it had determined that FSB hackers "used Snake malware to target the personal computer of a journalist for a U.S. news media company who has reported on the government of the Russian Federation."

"Were Turla to become aware of Operation Medusa before its successful execution, Turla could use the Snake malware on the subject computers and other Snake-compromised systems around the world to monitor the execution of the operation to learn how the FBI and other governments were able to disable the Snake malware and harden Snake's defenses," FBI agent Taylor Forry wrote.

"It is unlikely to really cause much lasting disruption to the intelligence-gathering operation long-term, but probably a bit annoying for the Russians in the short term, as they lose some access and need to reestablish," Fox-IT's Sandee said. "I think it is more of a distraction than anything else, and simply done to do something, rather than nothing, if you catch my drift."

Qakbot, also known as QBot and Pinkslipbot, first emerged in 2008 and was historically known as a banking Trojan virus that steals financial data from infected systems. In more recent times, Qakbot has used a variety of infection vectors, including switching file names and formats and deploying several techniques to hide its operation.

Reports of the takedown first came Thursday morning when security researchers noted on Twitter that Hive's dark web leak site had been replaced by an apparent takedown notice from various law enforcement agencies. Shortly after, the Department of Justice (DOJ) held a press conference in which Attorney General Merrick Garland announced that the FBI Wednesday night acted on a court order to seize servers containing the criminal network's "critical information." Moreover, the department was given authorization to seize Hive's leak site.

Hive is a ransomware-as-a-service operator that first emerged in June 2021 and claimed hundreds of victims in its first months. According to the Justice Department's press release on the takedown, Hive has "targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."

Just minutes after the U.S. Department of Justice repossessed the domains of Megaupload, Megavideo, Megaporn and a collection of other popular filesharing sites, the hacker collective Anonymous got to work on a few takedowns of its own.

On Thursday afternoon, Anonymous claimed credit for cyberattacks that knocked offline the websites of the U.S. Department of Justice, Recording Industry of America, Motion Picture Association of America and Universal Music. The so-called denial of service attacks that overwhelmed those sites with junk traffic came less than an hour after the Justice Department announced the takedown of the Mega sites, along with the arrest of former hacker and Mega founder Kim Dotcom and six others, who are being indicted on charges of copyright infringement and money laundering.

Universal Music, for its part, added itself to Anonymous' target list in a recent legal spat with the Mega sites. After Mega's recently appointed chief executive officer and hip hop producer Swizz Beatz assembled a team of celebrities including Kanye West, Will.i.am, Alicia Keys and others to appear in a promotional video for the company, Universal issued a takedown notice to YouTube. Despite not owning the rights to the song, YouTube nonetheless removed the video, sparking a lawsuit from Mega.

The FBI is the lead agency tasked with investigating cybercrime, including defending hospitals and health systems from frequent cyberattacks. Hear the dramatic story of their recent takedown of the Hive ransomware gang, whose criminal enterprise threatened patient safety.

00;00;00;21 - 00;00;24;25
Tom Haederle
Defending hospitals and health systems from frequent cyber attacks is a battle largely fought in the shadows out of the public eye. And when the good guys score a big win, as the FBI recently did with its takedown of a criminal gang whose cyber mischief threatened caregivers and patients, some of the operational details must remain in the shadows. Nonetheless, the following is a great story, with a lesson for cybercriminals everywhere: mess with health care and you will pay.

00;01;25;27 - 00;01;50;25
John Riggi
Thanks, Tom. Great to be here again with you and all our listeners. This again is John Riggi, your national advisor for Cybersecurity and Risk. And what a special episode we have today, an exclusive interview with the FBI supervisory special agent Justin Crenshaw, who will be here to give us an inside look at the HIVE ransomware gang takedown.

00;01;51;04 - 00;02;19;08
John Riggi
Really an extraordinary opportunity. And we certainly appreciate Justin and the FBI making themselves available to speak with us about this very, very important takedown concerning this ransomware gang, which had been targeting, among others, hospitals and health systems. Just a quick word about Justin Crenshaw. Justin's been with the FBI as an FBI agent for over 19 years, serving in multiple field offices, in headquarters assignments.

00;04;08;09 - 00;04;34;12
Justin Crenshaw
He then exfiltrates or steals data and then encrypts as many computers as possible on the way out. From that point, the admin and the affiliate negotiate with victims on a dark Web site to try to get a ransom that's paid in Bitcoin. And this is what we call it's a double extortion model, where victims are expected to pay for decryption keys in order to restore their network, restore operations.

00;06;51;00 - 00;07;16;04
Justin Crenshaw
We know that there were over 1300 HIVE victims. And at least 600 of them were in the United States. Of those 600, more than a hundred of the US victims were hospitals or other health care providers. We believe that HIVE targeted health care for a couple of reasons. First, we believe that they thought hospitals would be quick to pay in order to restore critical operations and be able to care for patients.

00;09;25;20 - 00;09;47;14
Justin Crenshaw
So we were able to provide decryption keys to that hospital and they were able to restore operations almost the same day. And because we were able to do it so quickly, they had not started negotiations with HIVE. They avoided paying a ransom. And to your point earlier, the hospital stated that our action, the quick action providing those decryption keys likely saved lives.

00;09;48;02 - 00;10;22;13
John Riggi
Extraordinary. Most people think that when the FBI becomes involved in response to a major cyberattack, that they're there simply to collect forensic evidence and conduct an investigation, make attribution. Not realizing that the FBI can actually directly assist the victim in recovery. And hopefully help from having to pay the ransom and ultimately helping save lives. So in this instance, really an extraordinary and unique investigation, which was an undercover operation.
