Cybersecurity news headlines for January 2022
In this year’s first edition of cybersecurity news headlines, we discuss 4 stories. More specifically, the arrest of REvil gang members, a cyberattack on Ukraine’s government websites, hackers stealing $34 million from Crypto.com, and a cyberattack on the Red Cross organization. For some, it’s been a particularly devastating start of the year, with stolen money and exposed data. However, Russian authorities apprehending members of the notorious REvil cyber gangs are certainly good news.
Without further ado, here’s what made the biggest headlines in January 2022.
Russian authorities arrest REvil gang members
Following requests by the US, Russian authorities have taken down the REvil ransomware gang responsible for the massive Kaseya VSA ransomware attack. The takedown is the result of joint action by Russia’s Federal Security Service (FSB) and the Ministry of Internal Affairs of Russia. The threat actor responsible for the Colonial Pipeline attack was also arrested during one of the raids.
REvil’s most notorious cyberattack targeted software company Kaseya. On July 2, 2021, hundreds of managed service providers were forced to deal with ransomware that got in using Keseya’s desktop management software. This affected over 1500 small and medium-sized companies. The REvil gang initially demanded $70 million in ransom for a universal decryptor, though it’s not entirely clear whether Kaseya paid or not. They did eventually get a decryptor from a “trusted third party”, however. Considering the scale of the attack, REvil caught the eye of US law enforcement and the government. US President Biden, on a phone call with Russian President Putin, demanded that Russia take action to deal with ransomware operating from Russia, despite them not operating on state orders. REvil’s whole infrastructure disappeared soon after but arrests were not made until months later. REvil is also believed to be responsible for the cyberattack against food supplier JBS.
According to reports, the FSB and Ministry of Internal Affairs of Russia raided 25 different locations in Moscow, St. Petersburg, and Lipetsk. They were able to arrest 14 individuals associated with REvil, as well as an unnamed attacker from another cyber gang DarkSide, which is responsible for the Colonial Pipeline cyberattack. Roman Muromsky and Andrei Bessonov, two members of REvil, were among those detained during the raids. At least 8 of the 14 detained people have been hit with charges. They are now facing up to seven years in prison and a fine of about $13,000 under Part 2 of Article 187 of Russia’s Criminal Code. During the raid, authorities seized 20 luxury cars, 426 million rubles (~$5.6 million), $600,000, and €500,000, as well as computers and cryptocurrency wallets.
The REvil cybergang has long been suspected to be operating from Russia but the country has, until now, done little to take action against it. Previous arrests have been made in Romania and Ukraine but Russia has been hesitant to help deal with cybergangs operating from its soil. The fact that not only did Russia take action but also specify that they did that at the request of US authorities has some believe the arrests to be politically motivated.
Cyberattack takes down Ukraine government websites
On January 14, 2022, more than a dozen of Ukraine’s government websites were taken down by a cyberattack. Reportedly, around 70 government websites were taken down. The sites for the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council were among them. The attacks involved hackers displaying messages in Russian, Ukrainian, and Polish about stolen data being uploaded on the Internet. Hacked sites were taken offline soon after and were fully restored within hours.
“Ukrainian! All your personal data has been uploaded to the public network. All data on your computer is being erased and won’t be recoverable. All information about you has become public, fear and expect the worst. This is being done to you for the your past, present and future,” is the message that greeted those visiting Ukraine’s Foreign Ministry and other websites after they were attacked.
Despite the attacker’s claims that personal data has been stolen during the attack, such claims were denied by the Ukrainian government.
A top Ukrainian security official told Reuters that the hackers responsible for the attack used software administration rights of a third-party company that developed the sites that were hacked. It is not currently clear whether access was acquired externally or using an insider. The software in question has been used to create government websites since 2016.
“According to the preliminary conclusions of our experts … today’s attack occurred due to the use by third parties of access to the software administration rights of a company that had an advantage in developing websites for government agencies,” deputy secretary of the national security and defense council Serhiy Demedyuk told Reuters.
According to Reuters, Kyiv believes the hacker group responsible for the attack has links to Belarusian intelligence. Demedyuk told Reuters that Ukraine has blamed the attack on a hacker group known as UNC1151. Earlier reports link UNC1151 to Ghostwriter, a hacker group believed to be operating from Russia.
The cyberattack warning Ukrainian citizens to “be afraid and expect the worst” came at a time when tensions between Ukraine and Russia were at an all-time high. While Russia has denied having such intentions, there are fears of a military assault on Ukraine by Russia’s forces.
Crypto.com cyber attack leads to $34 million worth of cryptocurrency stolen
On January 20, cryptocurrency trading platform Crypto.com confirmed that it was a victim of a major security breach. After speculations of something going on by users, Crypto.com confirmed the incident with a statement, revealing that malicious actors were able to gain access to accounts of 483 users. In total, the intruders took off with around $34 million worth of cryptocurrencies.
According to the released statement, on January 17, a small number of users had unauthorized withdrawals on their accounts. To be precise, 483 Crypto.com accounts were affected. 4,836.26 ETH, 443.93 BTC, and around $66,200 in other cryptocurrencies were stolen. At the time of the incident, that was around $34 million. As soon as the trading platform learned of the unauthorized access, it suspended withdrawals for all tokens and started an investigation.
“No customers experienced a loss of funds. In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the statement reads.
Crypto.com noticed unauthorized access when its risk monitoring system detected transactions being approved without the 2FA authentication control being inputted by account holders. Immediately, all withdrawals were suspended, and all 483 impacted accounts were restored. Crypto.com also revoked all customer 2FA tokens and required all of its users to re-login and set up their two-factor authentication token. The incident caused 14 hours of downtime for the trading platform.
In addition to migrating to a new 2FA infrastructure, Crypto.com also introduced a mandatory 24-hour delay between registration of a new whitelisted withdrawal address and first withdrawal. Users will be informed about new withdrawal addresses and have enough time to react if something was wrong.
While the trading platform did not give details about how exactly the incident happened, they did take full responsibility and refunded all affected users.
Cyberattack on Red Cross compromises data of 515,000 highly vulnerable people
International humanitarian organization Red Cross has been a victim of a cyberattack during which attackers took off with sensitive information of more than 500,000 “highly vulnerable” people. In what’s referred to as a sophisticated cyberattack, the personal information of many vulnerable people, including victims of war, has been taken. According to reports, the information came from more than 60 Red Cross and Red Crescent national societies all over the world. The humanitarian organization has pleaded with the attackers to not share or sell the information.
The Internation Committee of the Red Cross (ICRC) released a statement on January 17 revealing the incident.
“The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention,” the statement reveals.
Due to the sensitive nature of the information stolen, the ICRC is concerned the attackers could share the information and put the already vulnerable people at further risk.
“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data,” ICRC’s director-general Robert Mardini pleaded with attackers.
The ICRC also runs a program that reunites families separated by conflict, disaster, or migration called Restoring Family Links. Because of the attack, the organization was forced to essentially shut the program down temporarily, affecting its ability to reunite families. The official website for Restoring Family Links remains down more than 10 days after the attack.
As of yet, the perpetrators of the attack have not identified themselves. But it does not appear that the stolen information has been shared.
- Robyn Dixon, Ellen Nakashima. Russia arrests 14 alleged members of REvil ransomware gang, including hacker U.S. says conducted Colonial Pipeline attack. The Washington Post.
- At least 8 REvil ransomware hackers pressed with criminal charges – Moscow court. TASS Russian News Agency.
- Pavel Polityuk. Hackers likely used software administration rights of third party to hit Ukrainian sites, Kyiv says. Reuters.
- Pavel Polityuk. Ukraine suspects group linked to Belarus intelligence over cyberattack. Reuters.
- Crypto.com Security Report & Next Steps. Crypto.com
- Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people. Internation Committee of the Red Cross.
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.