Newsletter 01/23/2022

Global Law Enforcement:  The Empire Strikes Back

Or, Is it all just batting practice?

6 You will hear of wars and rumors of wars, but see to it that you are not alarmed. Such things must happen, but the end is still to come. 7 Nation will rise against nation, and kingdom against kingdom. There will be famines and earthquakes in various places. 8 All these are the beginning of birth pains.
New International Version, Matthew 24:6-8

The words of the New Testament author Matthew have resonated with believers and non-believers alike over the centuries.  Surely, just as the literati of the eighteenth century saw the wars of conquest between rival European powers, raging across three continents, as signaling the coming of the end times, so all the ongoing battles for command and control over nations' computer networks and resources may herald the end times for computing as we know it.  Overblown? Maybe... But it cannot be denied that, as John Love noted in an essay entitled A Brief History of Malware — Its Evolution and Impact (April 5, 2018):

Most wars involve a specific set of countries and have a defined beginning and end. Regrettably, the war with malware impacts everyone across the globe and has no end in sight.  According to CNBC, cyberattacks are the fastest growing crime in the United States (and it’s easy to speculate, the fastest growing crime in the rest of the world as well).

As global conflict rages on, alliances, and exactly who is friend and who is foe, often change.  Proving this point, on January 14, 2022, came the headline "Russia Arrests REvil Ransomware Gang Responsible for High-Profile Cyber Attacks":

In an unprecedented move, Russia's Federal Security Service (FSB), the country's principal security agency, on Friday disclosed that it arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations.

The surprise takedown, which it said was carried out at the request of the U.S. authorities, saw the law enforcement agency conduct raids at 25 addresses in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions that belonged to 14 suspected members of the organized cybercrime syndicate.

Now REvil is not the mythical 400-pound kid sitting on his bed with a souped-up Commodore 128.  REvil's most notorious exploit came when REvil associates, working with another ransomware group — DarkSide — attacked Colonial Pipeline, causing fuel shortages and price spikes across the United States.

Again, this past week, on January 22, 2022, TASS announced another arrest by the Russian FSB: [ed: No link to TASS.]

The Russian Federal Security Service (FSB) has arrested the administrator of the UniCC carding forum and one of the members of the Infraud cybercrime cartel.

Prior to his arrest, Novak was known on underground cybercrime forums under nicknames such as Faxtrod, Faaxxx, and Unicc, and was the administrator of UniCC, a forum where threat actors gathered to buy or sell stolen payment card data.

The carding site had already been shuttered: on January 12, 2022, the site announced that "it would voluntarily close down, citing the administrators' intention to retire, and advised users to withdraw their funds within ten days."

Meanwhile, while all this goodwill on the cyber front was being exhibited by our good buddy, Vlad, Russia unleashed a coordinated cyber attack on Ukraine.  "Dozens of Ukrainian government sites have been hit by an ominous cyberattack, with hackers warning people to 'be afraid and expect the worst.'"  As security blogger Brian Krebs reported:

Experts say there is good reason for Ukraine to be afraid. Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

So while Russia is making moves to placate US and European law enforcement, North Korea is also turning the tables in the cyber war alliances.  At the end of last year, the North Korea-linked APT group Konni targeted the Russian Federation's Ministry of Foreign Affairs (MID) with new versions of its malware implants.  APT is an acronym that stands for Advanced Persistent Threat.  Researchers believe this new campaign is less espionage and more common crime for financial gain.  The group's hacking focuses on stealing credentials: "North Korea has focused much of its efforts on espionage campaigns and targeting organizations for financial gain, with cryptocurrency a common target of attacks."

And finally we have the stuff from which rumors originate.  A cyber threat so menacing that, once a computer is infected with this malware, even replacing the hard drive won't remove the infection.  This attacker infects a computer's UEFI firmware, which runs BEFORE THE OPERATING SYSTEM, and thus reinfects the computer at each startup.

"Due to its emplacement on SPI flash, which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement."

Although it is not known for certain who is behind this malware, Chinese hackers are suspected.  The malware responsible for the stealth attack is known as MoonBounce, and a Chinese hacking group known as APT41 is believed responsible for it.

Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.

The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.

The cybersecurity firm Mandiant has published an in-depth report on the nefarious activities of APT41.

APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China's Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

So why would Chinese hackers want to brick their victims' computers?  Maybe simply to increase the sales of new PCs, which are for the most part all made in China.  Another possible answer may be simply to prove they can.  This is known as a proof of concept (POC).  A successful POC is more often than not a harbinger of more excitement to come. So stay tuned.

The title of this blog is Dispatches From the Front.  The trouble with this war is that we are all on the front lines of the conflict, whether we know it or not.

But you tell me over and over and over again, my friend
Ah, you don't believe we're on the eve of destruction
Barry McGuire, Eve of Destruction

Gerald Reiff
