Threat Reports

Monthly Cyber Summary – Jan 2016

Giving you a taste of what Silobreaker has to offer, this report focuses on a selection of the top trending hacker groups, hacker ops and malware over the past month. Using visualisations within Silobreaker’s Time Series feature with a 30 day view, we’ve selected various cyber entities that have been trending in recent weeks.

Using our Time Series feature Silobreaker users are able to transform the data that interests them into meaningful charts. Time Series helps you understand how stories and events have broken, evolved and spread. And by exploring further, through industry, sector or standard view, it tells you why specific people, companies, places, products or groups are trending.

Malware

Silobreaker’s Time Series feature showing trending malware over the past 30 days (28.12 – 27.01)

Silobreaker’s Time Series feature showing trending malware over the past 30 days (28.12 – 27.01)

1. Black Energy Malware

Malicious software Black Energy has dominated trending malware statistics over the last 30 days. The Trojan Horse has been integral in cyber attacks that have disrupted and disabled Ukrainian power grids since December 23rd.

Black Energy targeted power companies in western Ukraine, using SSH backdoors to access and seize control of computer systems and wipe critical files, crippling capacity and disabling functionality. It is reported to contain a KillDisk component, designed to prevent systems from rebooting to subvert the malware. Ultimately, Black Energy is a piece of software coded specifically to commit industrial sabotage.

The Sandworm Team, a hacker group with strong ties to Russia, are reported to have designed the malware. Their attacks are widely thought to be a further act of aggression against Ukraine, committed by Russia. The sophisticated cyber raid left thousands of Ukrainian’s without power, and is a high profile example of the damage hacker groups can cause when targeting industrial systems.

2. Ransom32

Ransom32 is the first JavaScript-powered Ransomware affecting Windows and potentially Mac and Linux machines. Mainly been distributed via email it’s located on a dark web site and is simple in its operation. Ransom32 enables anyone to download and distribute their own copy of the ransomware as long as they have a Bitcoin address. The malware’s developers take a 25% cut of all ransom payment before forwarding the remaining 75% to the affiliate adversary’s Bitcoin address.

There’s been a huge amount of chatter around Ransom32 since it was discovered a few days into the New Year and it truly is a daunting prospect. The reason being that there’s currently no way to decrypt the infected files for free and because Javascript runs equally well on Mac, Linux and Windows. Equally significant is the fact that it is not necessary for a cyber criminal to have technical skills to use Ransom32 attacks. Below is an example of what an infected system looks like.

Screenshot of Ransom32 in action. Image source: www.bbc.com

Screenshot of Ransom32 in action. Image source: www.bbc.com

3. CryptoWall

As ransomware becomes ever more prevalent, it stands to reason that malware authors will set their sights even higher. CryptoWall has become known for targeting businesses rather than consumers, encrypting spreadsheets, images and documents before demanding a hefty fee, payable in bitcoins, for the decryption key.

As is usual for ransomware, CryptoWall gains access to individual computer systems via an unassuming email tailored to its target audience, such as a job application or payment invoice. The email will also have an attachment, which when opened will execute malicious code and begin encrypting files.

CryptoWall has a history of criminal use, but its current popularity is a result of its integration into the Angler Exploit Kit. Angler serves up malware by directing browsers to compromised or malicious web addresses. Popular with criminal organisations, Angler will automatically search for vulnerable browsers and attempt to exploit them.

Delivered by Angler, CryptoWall is set to become more troublesome than ever.

 

Hacker groups

Silobreaker's Time Series feature showing trending hacker groups over the past 30 days (28.12 - 27.01)

Silobreaker’s Time Series feature showing trending hacker groups over the past 30 days (28.12 – 27.01)

1. Anonymous Group

It’s no surprise that Anonymous lead the way in terms of mentions over the past 30 days. Though they’ve been in operation since 2003, it wasn’t until the international hacktivist network was galvanised by ISIS’ terror attacks that they really became a household name.

Mainly utilising DDoS attacks, Anonymous commonly target government, religious and large corporation websites. Previous high profile acts by the group include supporting Wikileaks leader Julian Assange, taking down Scientology websites and more recently, their war on ISIS.

Apart from doing their bit to take down ISIS, the past 30 days have seen Anonymous mentioned for shutting down Tokyo Narita airport’s website in response to Japanese detention of an anti-whaling activist and calling for Michigan’s governor to be charged with manslaughter after unsafe water potentially poisoned residents of Flint. These are just two examples of a plethora of stories that have made Anonymous the top trending hacker group over the past 30 days.

2. Sandworm Team

The Sandworm Team, an infamous collective of hackers with strong connections to the Russian government, are the second highest profile hacker group of the last 30 days. Behind Anonymous, Sandworm are responsible for 9.1% of all Silobreaker traffic relating to Hacker Groups.

Sandworm have been dubbed an APT, or Advanced Persistent Threat, demonstrating the power the collective are thought to wield. Widely reported to be a proxy of the Russian government, they have engaged in numerous cyber attacks against western governments and companies over the last 12 months.

Sandworm have dominated news coverage over the last 30 days due to their high profile attack on Ukrainian power grids. Using Black Energy Malware, they successfully took down power networks across western Ukraine. It was a highly sophisticated campaign that highlighted the vulnerability of industrial networks in Europe, causing mass damage and chaos. The attack highlighted the susceptibility of utilities to hacker groups, something security experts have been forewarning for years.

3. DD4BC

Established in mid 2014, financial fraud specialists DD4BC have been making headlines over the past month or so. Targeting ransoms in Bitcoin, the group have taken aim at a series of high profile companies including large banks with DDoS attacks.

Typically, the group use simple methods involving rendering target websites inoperable and threatening to use more powerful attacks if a specified Bitcoin ransom is not paid. Unlike other similar groups, DD4BC are known to promise that they’ll leave a company or website alone once the ransom is paid (see the image below).

Perhaps DD4BC’s best known attacks hit two of Hong Kong’s largest banks back in May last year. Attacks like this have concerned government and law enforcement agencies in a host of countries as well as EUROPOL and INTERPOL. According to an announcement by EUROPOL on January 12th 2016, their investigations lead to the arrest of two people in connection with DD4BC’s cyber crimes.

An example DD4BC threat messsage. Image source: www.cointelegraph.com

An example DD4BC threat message. Image source: www.cointelegraph.com

Hacker Operations

Silobreaker's Time Series feature showing trending hacker operations over the past 30 days (28.12 - 27.01)

Silobreaker’s Time Series feature showing trending hacker operations over the past 30 days (28.12 – 27.01)

1. #OpFlint

One of Anonymous Group’s latest hacker operations, #OpFlint is a response to the much-publicised “toxic-water” crisis occurring in the city of Flint, Michigan. Reports are suggesting that as many as 90,000 people have been exposed to potentially life threatening lead poisoning. Anonymous are leading the public’s call for answers from the authorities as to how such a matter was occurred.

The hacktivist collective are calling for the blame to be placed on Michigan’s Governor Rick Snyder. They want the politician to face criminal charges of “either voluntary or involuntary manslaughter” for allowing the people he was elected to serve and represent to suffer in such a way.

2. #OpBeast

Once again the Anonymous collective is behind this operation aiming cyber attacks at websites that showcase and promote animal cruelty. Hacktivists involved in #OpBeast are uniting to take down as many of these sites as possible.

Anonymous’ efforts in this area began back in April last year as they targeted Denmark for its bestiality laws which enabled animal depravity websites to exist and operate without legal repercussion. The campaign has since expanded into #OpBeast as more activists joined in and the groups efforts took international aim beyond Denmark.

3. #OpWhales

#OpWhales is an Anonymous inspired hacktivist campaign targeting companies that are associated with nations who conduct whale and dolphin hunting. The campaign is spearheaded by Anonymous, the loose hacking collective.

The wider #OpWhales has targeted any company that is associated with Japan, Norway or Iceland, the last three countries in which whaling remains legal. Designed to disrupt company activities and raise awareness, the campaign tactic tends to encompass cyber hacktivism and vandalism, rather than malicious attacks designed to steal data and make financial gain.

Whilst only attracting 0.2% of the last 30 day’s HackerOps traffic, OpWhales did have a major story unfold. The main website of Nissan was taken offline by hacktivists acting under the #OpWhales banner. There is no suggestion Nissan have any direct involvement in whaling, but rather they were targeted due to their status as a major Japanese company. Nissan’s global sites were taken down voluntarily after being targeted, with the company seeking to protect customer data. The sites remained down for over 24 hours, as Japan’s status as the world’s premier whale hunting nation began to affect one of its best known businesses.  

More News

  • Silobreaker Daily Cyber Digest – 23 January 2019

      Malware New ransomware family Anatova discovered on private peer-to-peer network McAfee researchers discovered ransomware, dubbed Anatova, that ciphers files before requesting a ransom...
  • Silobreaker Daily Cyber Digest – 22 January 2019

      Malware New STOP ransomware variant distributed through software cracks and adware bundles A new STOP ransomware variant is being bundled with adware and...
  • Silobreaker Daily Cyber Digest – 21 January 2019

      Malware Check Point release an update on GandCrab variant Check Point have published an update to their previous report on GandCrab, reviewing how...
View all News

Request a demo

Get in touch