London City Council Implements Emergency Plan Following Trio of Cyber Attacks

Three councils in London have experienced cyberattacks, leading to the activation of emergency plans to determine if any data was compromised.

The Royal Borough of Kensington and Chelsea (RBKC), which shares portions of its IT infrastructure with Westminster City Council, reported that several systems, including telephone communications, were impacted across both councils. As a precaution, the councils disabled several computer systems to prevent additional harm.

The Information Commissioner’s Office confirmed that the London borough of Hammersmith and Fulham also reported being affected by the attack. Collectively, these three councils serve over 500,000 residents in London. In 2020, Hackney City Council was hit by a ransomware attack that encrypted 440,000 files, leading to disciplinary measures from the ICO.

Engineers from RBKC worked tirelessly through Monday and Tuesday to address the incident. They noted that services such as checking council tax bills and paying parking fines could face restrictions, and the website might be temporarily suspended on Wednesday while security measures are implemented.

In a statement from the council, it was mentioned: “We do not have all the answers yet, as we are still managing this incident. However, we are aware that there are concerns among the public, and we will provide updates to our residents and partners in the coming days. At this point, it is too early to determine the perpetrator or motive, but we are investigating whether any data may have been compromised. This is standard procedure.”

RBKC and Westminster City Council have stated they are collaborating with cyber incident specialists and the National Cyber Security Centre, focusing on safeguarding systems and data, restoring systems, and sustaining essential public services.

These boroughs share some IT resources with Hammersmith and Fulham, and it remains unclear how significantly they were impacted.

RBKC added: “We have activated our business continuity and emergency protocols to ensure that we can continue providing vital services to our residents, especially for the most vulnerable.”

Westminster City Council shared in a statement: “We apologize for any inconvenience to our residents and appreciate your patience and understanding. There may be delays in our responses and services over the coming days. We are committed to working closely with our cyber experts and the NCSC to restore all systems promptly. We will inform you as soon as more details become available, and we strive to keep you updated on any service changes.”


The incident was identified on Monday morning, raising concerns in other councils. Hackney, located in east London, whose land survey, housing, and planning services were disrupted by the 2020 attack, told its staff: “We have received reports that several London councils have been targeted by cyber-attacks in the last 24 to 48 hours, which could cause disruptions to their systems and services.”

Rob Miller, former IT director at Hackney City Council and now senior director at consultancy Public Digital, remarked: “When such an event occurs, you feel an immediate sense of dread as you realize the challenges in getting everything back on track. It’s an incredibly distressing experience.”

Source: www.theguardian.com

From Play to Purpose: A Cautionary Tale on Cybercrime for My Teenage Self

In 2016, Daniel Kelly, then 19, faced charges for computer hacking, extortion, and fraud linked to a significant data breach at a British telecom firm, resulting in a four-year prison sentence. Post-release, he has collaborated with over 35 cybersecurity firms to create campaigns and thought leadership pieces.
The reality of digital threats.

As a teenager, gaming dominated my life. I spent upwards of 12 hours daily immersed in it. My focus was entirely on video games, as school didn’t captivate me and my offline social interactions were minimal. Gaming became my world, a means of escape, and my community.

Trouble began around 2011 or 2012 when I was competing in an online multiplayer game and experienced a sudden internet disconnection just before the match. It turned out that my opponent had managed to trace my IP address and launched a Distributed Denial of Service (DDoS) attack against me. This incident sparked my curiosity to understand how it was accomplished, leading me to an online hacking forum—not out of malicious intent, but pure curiosity.

Delving into video game cheating sparked my interest in the workings of websites, prompting me to learn about hacking web applications. I began reporting vulnerabilities to various companies and ultimately gained a position as a security researcher with Microsoft.

What deterred me from pursuing that path was the sense of futility I felt. At that time, formal bug bounty programs—incentives for responsible hackers who discover vulnerabilities—were non-existent, and many companies failed to grasp the concept of responsible disclosure. Consequently, those who reported issues were often ignored or even threatened. For a teenager yearning for acceptance and community, this was transformative.

“I would tell my younger self not to cross certain lines.” Composite: Stocksy/Guardian Design

From 2012 to 2015, things intensified. I forged connections on hacking forums, and the discussions gradually shifted from curiosity to darker topics. I found myself leaning towards cybercrime without fully realizing how far from my initial intentions I had strayed.

Following my arrest, I faced endless legal battles and delays while on police bail for four years.

My first prison experience was at HMP Belmarsh, an environment that felt chaotic and unpredictable. For the initial weeks, I remained hyper-alert—not from fear, but due to the atmosphere. Eventually, you adapt to the prison’s daily rhythm, which also forces you to deeply reflect on your choices. It wasn’t entirely negative, but it was certainly isolating.

The sensation of being liberated can be most simply described as “weird.” You expect freedom to be an emotional high point, but it’s often disorienting. After months or years of being told what to do and when, emerging back into society comes with the expectation of returning to normalcy. Adjusting took time; I had to reacquaint myself with making small decisions and rebuild my confidence.

My sentence included a Serious Crime Prevention Order, which I still abide by more than a decade later. It impacts nearly every aspect of my life, imposing restrictions on my technology use and online activities. The awareness that one misstep could lead to loss of freedom creates a constant tension.

Since being released, I’ve found a way to merge two realms I know intimately: cybersecurity and cyber threat intelligence. Many cybersecurity marketing teams lack technical skills, while many tech experts struggle to communicate their work to the public effectively. I’ve built a bridge between these areas. The same knowledge that once led me astray now serves as the bedrock of my business—an odd yet positive twist.

Kelly’s business now leverages his skills for profitability. Composite: Getty Images/Guardian Design

If you have talents but feel isolated, it’s easy to gravitate toward communities that seemingly accept you but ultimately lead you astray. During my youth, I attempted to apply my skills positively. Had there been a more structured and constructive avenue for young individuals to showcase their abilities, my trajectory might have been different. I wasn’t predisposed to commit typical crimes; it was indeed a valid case where no one intervened to guide my potential for legal use. This lack of guidance combined with innate talent can be hazardous.

Fergus Hay, founder of The Hacking Games, aims to reshape the narrative surrounding hacking from one viewed solely as criminal to one seen as constructive when applied correctly. The partnership between Co-op and The Hacking Games offers young minds an outlet to hone their digital skills toward ethically sound careers—precisely the preventative approach we need. It provides young people with technical skills a positive direction. As a member of The Hacking Games Virtue Community, I strive to guide the next generation in avoiding my past mistakes and using their skills for societal protection.

I would advise anyone passionate about technology to not overlook the opportunities that come from being open about your learning journey. The Internet can connect you with individuals who recognize your potential and provide opportunities. The essential aspect is to focus your energy on mastery rather than mischief. Be mindful of the motives of those around you. If someone suggests that laws are irrelevant or that all laws are inconsequential, it’s a warning sign. The boundary between curiosity and crime can blur quickly without guidance.

My thoughts on what advice I would give my younger self continue to evolve. The obvious response would be, “Please don’t.” Yet, the reality is that everything I experienced has fundamentally shaped who I am and my current endeavors.

Still, I would advise my younger self, “Don’t cross that line.” Avoid threatening or extorting businesses—that remains my greatest regret. I’d also emphasize the importance of considering the outcomes and realizing how many lives are impacted by rash actions. While curiosity itself isn’t wrong, the way it was wielded was flawed.


Source: www.theguardian.com

Empowering Young Gamers: Harnessing Online Skills to Combat Cybercrime and How Parents Can Support Them

The rapid technological advancements can widen the gap between parents and teens. Gen

Moreover, a rise in cyberattacks affecting major companies has been frequently reported. Notably, many of those behind these hacks are young individuals equipped with advanced digital skills. In fact, the National Crime Agency reports that one in five children engages in unlawful activities under the Computer Misuse Act, which penalizes unauthorized access to computer systems or data. This statistic rises to 25% among gamers.

To combat this, Co-op has adopted a unique preventive strategy. As part of its long-term mission to empower young people to harness their technology skills, Co-op has teamed up with The Hacking Games, an initiative aimed at helping talented gamers secure positions in the cybersecurity sector.

This collaborative model is crucial because, as Greg Francis, former senior officer at the National Crime Agency and director of 4D Cyber Security, puts it, “A digital village is necessary to nurture digital natives.” Early intervention is essential, and parents play a pivotal role. “Parents are vital as they wield significant influence, but they shouldn’t remain passive. They should grasp the fundamentals of the hacker universe,” notes Francis, who also serves as The Hacking Games’ cyber ambassador. So, where to begin?

Show Interest Without Judgment

First and foremost, having an interest in hacking isn’t inherently negative.

“Ethical hacking is an exhilarating and rapidly evolving domain, making it completely understandable for children to find it intriguing,” says Lynne Perry, CEO of children’s charity Barnardo’s. The organization collaborates with Co-op to raise funds to support young individuals in forging positive futures.

Maintaining an open dialogue is just as critical as beginning discussions early. “The ideal moment to start is now,” states Perry. “Once your child shows an interest in online technology, it’s time. Frequent, age-appropriate discussions are essential to keep the lines of communication open.”

Activities that seem innocuous can lead to a path towards cybercrime. Composite: Stocksy/Guardian Design

Perry advises involving children in online activities from a young age. “Explore technology together and discuss what to do if something unusual or concerning occurs. As kids mature, they may seek more independence, but regular interaction allows them to steer conversations, ask questions, and express concerns.”

For parents who grew up in a simpler digital age, grasping the complexities of today’s online gaming, dominated by franchises like Roblox, Minecraft, and Call of Duty, might seem daunting. However, both Francis and Perry emphasize that you don’t need to have all the answers to provide support.

Parents should check game age ratings and utilize parental controls, such as friend-only features, to enhance the security of in-game chats. For online resources, check Ask About Games for detailed information on popular games and guides to setting up safety measures.

It’s also beneficial to inquire if your young gamer has ever experienced being “booted” offline. Booting refers to a DDoS (Distributed Denial of Service) attack, where someone obtains another gamer’s IP address and floods it with traffic, causing an Internet outage. While booting may seem innocuous among gamers, it is a serious issue. Francis clarifies: “They may not realize this infringes on the Computer Misuse Act.” In fact, booting is identified as one of the initial steps towards cybercrime, as noted during Francis’s work with various prevention programs.

Asking questions aligns with observing potential warning signs like excessive gaming, social withdrawal, unexplained tiredness, unusual purchases of equipment or technology (especially if you’re unaware of how it was paid for), and multiple email addresses. While one sign alone might not be serious, a combination of them can be concerning.

Mary* faced these warning signs firsthand. “I had a son engaged in hacking on the darknet. He isolated himself and avoided sleep. I truly had no clue about his activities,” she shares. “After consulting a cybersecurity expert and discussing my challenges, I discovered he was attempting to delve into the cryptocurrency world on the darknet at just 13 years old.”

Guidance from trusted sources inspires talented young individuals to utilize their skills positively. Composite: Getty Images/Guardian Design

A Transformative Path for Neurodivergent Youth

Particularly for neurodivergent youth, engaging with games and spending time online can yield significant advantages in terms of socialization and emotion regulation. Yet, it’s crucial to recognize that with these benefits come potential drawbacks, including the considerable risks of internet or gaming addiction and the associated allure of cybercrime.

However, over 50% of technology professionals identify as neurodivergent, according to the Tech Talent Charter, indicating vast opportunities for neurodivergent young individuals in this sector. This is why The Hacking Games directly targets “digital rebels” showcasing “raw talent” and “unconventional thinking,” matching them with cybersecurity job opportunities, mentors, and fostering community through Discord group chats.

As Mary can confirm, mentorship and career awareness can be life-changing. “Cyber experts supported my son as a credible source of information and ultimately coached him on my behalf,” she states. “They helped him realize that he could channel his skills for impactful purposes. Consequently, he began assisting others.”

While this situation may seem alarming, there are numerous ways for parents to intervene positively. Approaching the subject with curiosity and care, rather than judgment, is paramount for guiding your child in the right direction. Here are some suggestions for parents who are concerned about their kids.

1. Begin conversations regarding online gaming safety early, approaching the topic with sensitivity rather than judgment. Remaining calm fosters open communication.

2. You don’t need to be fully informed, but a genuine interest can lead to insightful discussions. Ask your child about their games and online activities. Just as you would inquire about who they play with at a park, ask the same about their online friends. Be vigilant for warning signs like strangers trying to befriend them, offering freebies, or inviting them to unfamiliar worlds or games, as these could indicate grooming.

3. Take proactive measures. Pay attention to age ratings for games, which are significant. The best way to ascertain what is suitable for your child is to play the game together or at least observe them while they play. Remember, just like in Call of Duty, children can also be recruited in games like Minecraft. Games with community or “freemium” options can entice young players seeking extra income through in-game purchases or upgrades.

4. Monitor for warning signs such as social withdrawal, excessive gaming, lack of sleep, unusual tech purchases, and multiple email accounts.

5. Engage with your child’s school. Consult their computer science teacher to learn how they promote digital responsibility. Teachers often have insight into which students may require specific support to enhance their skills. This could serve as an early opportunity to channel their talents positively through initiatives like Cyber First and Cyber Choices or coding communities such as Girls Who Code.

*Mary’s name has been changed to protect her family’s anonymity.


Source: www.theguardian.com

Shedding 25 Pounds in 20 Days: My Experience on the Front Lines of a Global Cyberattack

Tim Brown will always remember December 12, 2020.

This was the day SolarWinds, a software company, learned it had been hacked by Russia.

As the chief information security officer, Brown quickly grasped the impact. The hack could potentially affect any of the company’s more than 300,000 customers globally.

The breach enabled hackers to remotely access systems of customers using SolarWinds’ Orion networking software, which included the U.S. Department of the Treasury, the National Telecommunications and Information Administration, and numerous businesses and public organizations.

Brown mentioned he was “running on adrenaline” during the initial days following the breach.

Amid full-time remote work due to the COVID-19 pandemic, the company’s email system was compromised, rendering it unusable for internal communication.

“We stopped taking calls, and everyone came into the office for COVID-19 testing,” Brown recalled. “I lost 25 pounds in about 20 days. I just kept going.”

He has been featured on CNN and 60 Minutes, along with major newspapers.

“The world is on fire. We’re working to inform people about what is secure and what isn’t.”

Brown indicated the company moved to Proton email and Signal during the email breach, as he received calls from companies and government entities worldwide, including the U.S. military and the COVID-19 vaccine initiative, Operation Warp Speed.

“People prefer spoken communication to written communication. That’s a crucial lesson. You can document things, but people want personal interaction,” said Brown during a talk at Cybercon in Melbourne.

“They want to hear the nuances, so it’s vital to be ready for that kind of response.”

How did the cyberattack unfold?

The notification of the breach came via a call from Kevin Mandia, the founder of cybersecurity firm Mandiant, to SolarWinds’ then-CEO, Kevin Thompson.

Mandia informed Thompson that SolarWinds had “shipped contaminated code” within its Orion software, which aids organizations in monitoring their networks and servers for outages.

According to Mandia, the exploits in Orion were utilized to infiltrate government agencies.

“What you can see from that code is that it wasn’t ours, so we realized right away this was serious,” Brown recalled.

Brown stated that SolarWinds was not the main target of the hack but served as a “conduit to it.” Photo: Sean Davey/The Guardian

The Texas-based company discovered that 18,000 people had downloaded the contaminated product, and hackers, later attributed to Russia’s Foreign Intelligence Service, managed to inject it into Orion’s build environment where the source code is converted into software.

The news broke on a Sunday, and SolarWinds released the announcement before the stock market opened on Monday.

Initial estimates suggested that as many as 18,000 customers might be impacted, a figure later revised down to approximately 100 government agencies and businesses that were truly affected.

“I wish I had known that on the first day, but that’s the reality,” Brown says. “We weren’t specifically the target; we were merely a gateway to it.”

SolarWinds enlisted the help of CrowdStrike, KPMG, and law firm DLA Piper to respond and investigate.

Aftermath: heart attack

For the next six months, SolarWinds suspended the development of new features and redirected its team of 400 engineers to focus on systems and security to restore the company’s stability.

“We prioritized transparency—how can we ensure people understand what threats there are, how those actors operate, how they gather information, how they execute attacks, and how they withdraw?”

Brown noted that the company’s customer renewal rate dropped to around 80% in the aftermath but has since risen back to over 98%.

However, legal consequences soon followed.

In 2021, the Biden administration enacted sanctions and expelled Russian diplomats in response to the attack.

In 2022, SolarWinds settled a class action suit related to the incident for $26 million. The Securities and Exchange Commission (SEC) initiated a lawsuit against SolarWinds and Brown personally in October 2023, alleging that the company and Brown misled investors regarding cybersecurity measures and failed to disclose known vulnerabilities.

Mr. Brown has remained with SolarWinds since the cyberattack. Photo: Sean Davey/The Guardian

Brown was in Zurich when he became aware of the charges.

“As I ascended a hill, I felt out of breath, my arms were heavy, and my chest was tight—I wasn’t getting enough oxygen,” he recalled. “I made a poor decision and flew home. I couldn’t walk from the terminal to my car without pausing; it was a journey I had made countless times.”

He was experiencing a heart attack. Upon returning home, his wife took him to the hospital for surgery, after which he recovered.

“The stress continued to mount, leading me to think I was handling it well without proactively visiting a doctor,” he explained.

Now, Brown is advocating for companies facing similar crises to engage psychiatrists to assist employees in managing stress.

“My stress levels were at a peak, and I was really close to the edge, though the pressure had been building for a while.”

A proposed confidential settlement with the SEC was announced in July but still awaits approval. The finalization of the agreement has faced delays due to the U.S. government shutdown.

Mr. Brown has remained with SolarWinds throughout this entire ordeal.

“This happened on my watch, and that’s how I perceive it. There are factors that contributed, like a state-sponsored attack, but it still occurred under my supervision,” he reflected.

“I admit I can be stubborn, but it was paramount for us to navigate this entire process, and leaving before it was resolved wasn’t an option.”

Source: www.theguardian.com

UK Security Officials Report 50% Surge in Cyberattacks Over the Past Year | Cybercrime Insights

‘Extremely serious’ cyber-attacks have surged by 50% over the past year, with UK security agencies now addressing a new nationally significant attack every two days, according to the latest data from the National Cyber Security Center (NCSC).

In what officials are calling a “call to arms,” national security leaders and ministers are encouraging all organizations, from small businesses to major corporations, to develop contingency strategies for the possibility that their IT infrastructure “is compromised” and that “tomorrow all screens could go blank.”

The NCSC, a division of GCHQ, stated in its annual report released on Tuesday that a “highly sophisticated” China, along with a “competent yet reckless” Russia, Iran, and North Korea, represent the primary national threats. This rise is fueled by ransomware attacks from profit-driven criminals and society’s growing dependence on technology, resulting in more potential targets for hackers.

Prime Minister Rachel Reeves, Security Secretary Dan Jarvis, and Technology and Business Secretaries Liz Kendall and Peter Kyle have contacted the leaders of hundreds of the UK’s largest companies, urging them to elevate cyber resilience to a board-level concern and cautioning that hostile cyber activities in the UK are becoming “more intense, frequent, and sophisticated.”

“We must not make ourselves an easy target,” stated Anne Keast-Butler, GCHQ’s director. “It’s critical to prioritize cyber risk management, integrate it into governance, and set a tone from the top.”

The NCSC dealt with 429 cyber incidents from the past year up to September, with nearly half considered to be of national significance, a figure that has more than doubled in the last year. Among these, eighteen incidents were categorized as “very serious,” indicating they profoundly affected governments, essential services, the public, and the economy. Many of these were ransomware attacks, with Marks & Spencer and Co-op Group among those heavily impacted.

“Cybercrime poses a significant threat to our economy’s security, businesses, and the lives of individuals,” Jarvis remarked. “We are working tirelessly to combat these threats and support organizations of all sizes, but we cannot do this alone.”

The NCSC refrained from commenting on reports suggesting it is investigating possible Russian involvement in the severe attack on Jaguar Land Rover, which has halted production. That report indicated that Russia is encouraging unofficial “hacktivists” to target the UK, the USA, and European and NATO nations.

Last month, a cyberattack disrupted passenger services at numerous European airports, including London Heathrow. Photo: Isabel Infantes/Reuters

Overall, the number of attacks up to September signifies the highest level of cyber threat activity recorded by the NCSC in the last nine years. Over the past year, the UK and its allies have for the first time detected Russian military units executing cyber attacks, issued advisories against a China-linked campaign affecting thousands of devices, and raised alarms over cyber attackers affiliated with Iran, as noted by the NCSC. Domestic threats also persist, with two 17-year-old boys arrested in Hertfordshire last week following an alleged ransomware hack of children’s data from the Kido nursery chain.
Hackers are increasingly incorporating artificial intelligence (AI) to enhance their activities, and although the NCSC has not yet encountered an AI-driven attack, they predict that “AI will almost certainly present cyber resilience challenges by 2027 and beyond.”

“We observe attackers improving their capacity to inflict significant damage on the organizations they compromise and those dependent on them,” commented Richard Horne, NCSC’s chief executive. “Their disregard for their targets and the harm they cause is clear. This is why all organizations must take action.”

He emphasized the psychological toll inflicted on victims of cyberattacks, stating, “I have been in numerous meetings with individuals profoundly affected by cyberattacks on their organizations. I am aware of the anxiety, the sleepless nights, and the consequent turmoil caused by such disruptions for employees, suppliers, and customers.”

Source: www.theguardian.com

60% of British Secondary Schools Targeted by Cyberattacks in the Past Year | Cybercrime

Last month, when hackers targeted UK nursery schools and leaked child data online, they faced accusations of reaching a new low.

Nonetheless, the wider education sector is more familiar with being a target.

According to a UK government survey, educational institutions are at a higher risk of cyberattacks or security breaches than private businesses.

Over the past year, six out of ten secondary schools have experienced attacks or breaches, while more than 80% of universities and 90% of higher education institutions have faced similar issues. In contrast, only four out of ten businesses reported attacks or breaches, a statistic comparable to primary schools.

Toby Lewis, global threat analysis director at cybersecurity firm Darktrace, notes that the UK education sector isn’t necessarily a specific target. “They are caught in the dragnet of cybercrime,” he explained, mentioning the “element of randomness and opportunism” involved in cybercrime victim selection.

Last week, the BBC reported that Kido, a nursery business targeted by a hacking group identified as Shinekase, had its system compromised after “initial access brokers” sold access to Kido’s system, a scenario common in cybercrime circles.

Data from the annual Cyber Security Breaches Survey is derived from over 30 higher education institutions, almost 300 secondary and primary schools in the UK, and various universities. The survey defines a cyberattack as an “attempt” to breach a target IT system, which includes sending “phishing” emails designed to deceive recipients into disclosing sensitive information, such as passwords.

Phishing emails constitute the most prevalent type of attacks on universities and schools.

Ransomware attacks have become a widely recognized form of cybercrime in the UK, wherein attackers encrypt IT systems, steal data, and demand Bitcoin payments for decryption and the return of the data.

The West Lothian Council’s education network has encountered ransomware attacks this year, resulting in data being obtained from several schools, with recent attacks also reported at Newcastle University, Manchester University, and Wolverhampton University.

Lewis suggests that state schools might be more susceptible due to funding pressures and a lack of expertise, while universities also face risks because they contain thousands of young students who may not be cybersecurity-savvy, along with computer networks designed to facilitate academic collaboration.

Colleges appear to be a favored target, and higher education institutions are reportedly the most frequently affected, with three in ten experiencing attacks or breaches weekly, according to government data. Nonetheless, the education sector may be more aware of government initiatives on cybercrime prevention than businesses and charities.

Pepe Dilacio, general secretary of the British Schools Association and the Association of University Leaders, remarked that ransomware attacks pose a “major risk” and emphasized the ongoing efforts to safeguard systems and data.

James Bowen, assistant secretary at the National Association of Principals, welcomed additional government funding to assist school leaders in identifying and responding to cyber threats.

The Department for Education said its support for schools includes a dedicated team to handle cyber incidents, and that it works closely with the UK's National Cyber Security Centre to provide free training for school staff. "We take cybersecurity in schools seriously and understand the significant disruption attacks can cause, and we offer a wide range of support to schools," a spokesperson said.

Following a backlash over the hack, the Kido attackers deleted the data they had obtained from the company, including children's profiles.

However, government data indicates that the education sector continues to be a target. Ministers are preparing to ban schools, the NHS and local councils from paying ransoms under government proposals aimed at combating hackers. In the meantime, attacks continue.

Source: www.theguardian.com

Kido Nursery Hackers Claim to Have Removed Stolen Data | Cybercrime

Cybercriminals who compromised the personal information and photos of thousands of nursery children have since removed the data following a public outcry.

The group responsible for the breach has removed the children's details, taken from the UK-based Kido nursery chain, from its leak site.

Screenshots reviewed by the Guardian show that the children's profiles from the breach are no longer visible. The Kido logo is still displayed with a "More" link beneath it, but cybersecurity sources report that the link no longer works, indicating that the data has been removed.

A spokesperson for Kido confirmed that the attacker had indeed deleted the previously exposed information.

The spokesman stated: “We are adhering to guidance from authorities regarding ransom payments to prevent incentivizing further criminal activities. We are collaborating closely with families, regulatory bodies, law enforcement, and cybersecurity experts to ensure our data is permanently removed.”

The BBC first reported on the data deletion and mentioned a hacker who expressed remorse, stating, “I’m sorry for hurting the child.”

Targeting children has drawn widespread condemnation, with cybersecurity experts labeling the breach as “crossing a line” and “testing ethical boundaries.” A parent of a child at Kido in London remarked that the hackers were “sinking to new lows.”

The Guardian has also found indications that members of notorious gangs on underground cybercrime forums were being advised by their peers to avoid attacking minors.

On Wednesday, members of Nova, a faction that offers hacking services to other criminals, cautioned a persona named Radiant on an anonymous Russian forum, saying, “reputation matters, so do not target children.” Radiant responded, “We have not been allowed to cease any operations concerning them,” adding, “data of those under 19 who attended has been deleted.”

The leak site and forum posts were documented by analysts at the cybersecurity firm Sophos.

Hacking teams are acutely aware of the impact of negative publicity, which can lead to increased scrutiny from law enforcement and disrupt internal relationships within the hacking community.

Sophos researcher Rebecca Taylor noted: “Even criminals understand that there are lines they shouldn’t cross. We have discovered that stealing data from minors not only draws attention but also damages credibility.”

Taylor emphasized, “credibility is crucial” for groups that demand ransoms for stolen information. The BBC reported that Radiant had sought £600,000 in Bitcoin from Kido for the return of the data, but Kido refused to comply.

“The deletion of data was not an act of benevolence, but rather a move for damage control. This was an unusual instance where morality and self-interest briefly aligned,” Taylor remarked.

Radiant's revamped leak site, the portal through which such data is published, appears to be more user-friendly than most, featuring a search bar for finding companies the group has targeted and contact details via Tox, an encrypted messaging platform.

Radiant demonstrates proficient English in communication, but analysts suspect this group may not be Western-based. Most ransomware groups originate from former Soviet states. Analysts believe that Radiant may represent a new entity in the cybercrime landscape.

Before the data was deleted, one woman told the BBC that she had received a threatening call from a hacker who said they would publish information about her child online unless she pressured the nursery to meet the ransom demand. Kido operates 18 locations in London, along with nurseries in the US, India and China.

Radiant boasted of holding sensitive information on more than 8,000 children and their families, including incident reports, safeguarding records and billing information. All Kido nursery locations in the UK were reported to be affected by the breach.

One cybercriminal told the BBC: “All child data has been removed. There is nothing left, and this should reassure parents.”

Source: www.theguardian.com

Kido Nursery Hackers Threaten to Release Additional Children’s Profiles | Cybercrime Update

A hacker threatens to release personal information and photographs of thousands of nursery children online unless a ransom is paid.

The hacking group, which goes by the name Radiant, compromised the UK-based Kido nursery chain and published the profiles of 10 children online on Thursday. Its dark web site features a "Data Leak Roadmap," indicating plans to "publish 30 profiles of personal data for each child and 100 employees."

A cybersecurity briefing reviewed by the Guardian suggests that Radiant is a new entity within the cybercrime landscape, “pushing the limits of morality and practicality.”

The group’s online content demonstrates proficient English skills; however, there are hints they may not be Western, attributed to a “slight awkwardness” in their phrasing, the analysis indicates.

The Radiant gang's leak site, a standard fixture of ransomware operations where victim data is displayed on the dark web, contains 10 Kido customer profiles, each including the child's name and date of birth, the parents' and grandparents' names, and the family's address and phone number.

The site claims to hold sensitive information on more than 8,000 children and their families, including incident reports, safeguarding reports and billing information. All Kido nurseries in the UK have reported being affected.

The leak site mentioned its efforts to negotiate with Kido, stating, “It’s slowly leaking, which undermines the entire company and prompts them to continue the dialogue.”

A spokesperson from Kido stated: “We have recently identified and responded to cyber incidents. We are collaborating with external experts to investigate and determine the details of what occurred. We will promptly inform both our families and relevant authorities and maintain close communication with them.”

The nursery chain is working with the authorities, including the Information Commissioner's Office, Ofsted and the Metropolitan Police, which is conducting an investigation.

An email from Kido UK CEO Catherine Stoneman, reviewed by the Guardian, noted a “complex” forensic investigation and emphasized treating the incident as a “first priority.” She suggested that the breach involved “two third-party systems responsible for processing certain data.”

Stoneman elaborated: “If we confirm that family information has been compromised, affected families have been contacted. If you have not received direct communication, that means there is no forensic evidence indicating your data has been impacted.”

With 18 locations across London, the US, India, and China, Kido informed parents that the breach occurred due to criminal access to data hosted on a software service known as Famly.

Famly's CEO, Anders Laustsen, stated: "We will conduct a comprehensive investigation into this matter to ensure that Famly's security and infrastructure have not been compromised."

One parent shared with the BBC that she received a threatening phone call from a hacker.

Sean, whose child attends Kido Nursery in Tooting, southwest London, expressed that neither he nor any parents he knew had been directly informed by the nursery about the potential compromise of their children’s data. “How could they obtain details for specific kids, not just generally? That’s the real issue,” he remarked.

Sean said he had viewed the risk that real-time information about children could be exposed, for example through a cyberattack, as a trade-off for the convenience of using the app. He sympathised with nursery staff who bear the brunt of parental complaints, arguing that the app provider should be held accountable.

“One of the obviously alarming aspects is that anyone could stoop to such depths to extort money from a nursery while using children as leverage,” he said.

Authorities are cautioning businesses against paying hacker ransoms to help prevent the perpetuation of criminal activities, as cyberattacks continue to escalate in frequency.

Recent high-profile victims include the Co-op, Marks & Spencer and Jaguar Land Rover. Many of these attacks have been linked to an English-speaking cybercrime community known as Scattered Spider.

The M&S hack utilized ransomware commonly associated with Russian-speaking cyber gangs, including software designed to lock target IT systems.

The BBC communicated with the criminals via the Signal messaging app and found them fluent in English, but learned that it was not their first language and that they employed others to make phone calls.

The hacker remarked, “We do it for profit, not just for the sake of being criminals. I know I’m committing crimes and this isn’t my first or my last.”

They added that the public scrutiny was too intense, leading them to refrain from targeting nurseries again.

Source: www.theguardian.com

Hackers Allegedly Breach Kido Nursery Chain, Exposing Photos of 8,000 Children

Approximately 8,000 names, photos, and addresses of children were allegedly taken from the Kido Nursery chain by a group of cybercriminals.

According to the BBC, the criminals are demanding a ransom from the company, which operates 18 sites in London as well as additional locations in the US, India and China.

The hackers also accessed details about the children's parents and carers, including what they claimed were safeguarding notes, and telephoned several of them in an attempt to apply pressure.


Kido has been approached for comment but has yet to confirm the hackers’ assertions. The company has not released an official statement regarding the incident.

A nursery employee informed the BBC that she had been made aware of the data breach.

The Metropolitan Police said it was alerted on Thursday "following reports of ransomware attacks on a London-based organization," adding that "enquiries are ongoing and remain in the initial phase within the Met's cybercrime unit. No arrests have been made to date."

A spokesperson for the Information Commissioner's Office said: "Kido International has reported the incident to us and we are currently assessing the provided information."

Many organisations have suffered cyberattacks recently. The Co-op reported an £80 million hit to profits as a result of a hacking incident in April.

Jaguar Land Rover (JLR) was unable to assemble vehicles at the start of the month following a cyberattack that compromised their computer systems.

As a result, the company had to shut down most of the systems used for tracking factory parts, vehicles and tools, halting production of its Range Rover, Discovery and Defender SUVs.

The company has since reopened a limited number of computer systems.



Source: www.theguardian.com

British Student Jailed for Selling Phishing Kits Tied to £100 Million Scam | Cybercrime News

A 21-year-old student has been sentenced to seven years in jail for designing and distributing online kits responsible for £100 million worth of fraud.

Ollie Holman created phishing kits that replicated the websites of governments, banks, and charities, enabling criminals to steal personal information from unsuspecting victims.

In one instance, the kit was used to create a fake donation page for a charity, resulting in the theft of credit card details from individuals attempting to make contributions.

Holman, of Eastcote in north-west London, produced and distributed 1,052 phishing kits targeting 69 organisations across 24 countries. He also offered tutorials on how to use the kits and built a network of nearly 700 contacts. The counterfeit websites included in the kits captured and stored sensitive information such as login credentials and banking details.

It is believed that Holman marketed these kits from 2021 to 2023, earning approximately £300,000, with distribution carried out via the encrypted messaging platform Telegram.

Holman, who pursued a degree in electronics and computer engineering at the University of Kent in Canterbury, laundered the proceeds through a cryptocurrency wallet.

The City of London Police's Dedicated Card and Payment Crime Unit opened an investigation following intelligence from the anti-fraud firm WMC Global about the sale of phishing kits online.

Holman was arrested in October 2023, with a search of his university accommodation leading to the seizure of his devices. Despite his arrest, he continued to provide support to kit buyers through his Telegram channel, prompting a re-arrest in May 2024.

Detectives found links between Holman’s computer and the creation of the kits, which were distributed throughout Europe; one kit was tied to a scam totaling around 1 million euros (£870,000).

Holman pleaded guilty to seven charges, including producing materials for fraud, aiding a criminal enterprise, and possessing criminal property. He received a seven-year sentence at Southwark Crown Court.

Following the sentencing, DS Ben Hurley remarked that Holman facilitated extensive global fraud. “The financial losses associated with Holman’s actions are in the millions. Despite his substantial profits from selling the software, he failed to comprehend the harm caused to victims,” he stated.

Sarah Jennings, a specialist prosecutor with the Crown Prosecution Service, said she hoped the sentence would serve as a warning to other fraudsters. "No matter how advanced your methods are, you cannot conceal yourself behind online anonymity or encrypted platforms," she said.

The CPS has indicated plans to return Holman to court to recover the illicit profits he earned from his criminal activities.

Source: www.theguardian.com

Louis Vuitton Reports Cyberattack Compromising UK Customer Data | Cybercrime

Louis Vuitton has announced that data from some of its UK customers has been compromised, making it the latest retailer to fall victim to cyber hackers.

The luxury brand, part of the French conglomerate LVMH, reported that an unauthorised third party had gained access to systems used by its UK operations and retrieved personal information such as names, contact details and purchase histories.

Last week, Louis Vuitton informed customers that its South Korean business was experiencing similar cyber incidents and reassured them that financial data, including bank information, remained secure.

“Currently, there is no evidence of misuse of your data; however, you may encounter phishing attempts, fraud attempts, or unauthorized use of your information,” the email stated.

The company has reported the breach to the relevant authorities, including the Information Commissioner's Office.

As reported by Bloomberg, the hack occurred on July 2nd and marked the third breach of the LVMH system within the past three months.

In addition to the incidents involving Louis Vuitton, LVMH’s second-largest fashion brand, Christian Dior Couture, disclosed in May that hackers also had access to customer data.

On Thursday, four individuals were arrested in connection with a cyberattack involving Marks & Spencer, The Co-op, and Harrods.

Those arrested included a 17-year-old British male from the West Midlands, a 19-year-old Latvian male also from the West Midlands, a 19-year-old British male from London, and a 20-year-old British female from Staffordshire.

M&S was the initial target of this wave of attacks back in April, which led to the online store’s closure for nearly seven weeks. The Co-op was similarly attacked that month, forcing a shutdown of several IT systems.

Harrods reported being targeted on May 1, which resulted in restricted internet access across its website following attempts to gain unauthorized entry to the system.

Archie Norman, the chairman of M&S, said in the days after the arrests that two other large UK companies had suffered cyberattacks in recent months that had not been reported.

Louis Vuitton has been contacted for further comments.

Source: www.theguardian.com

Russia-led Cybercrime Network Taken Down in Global Operations

Cybercrime investigators from Europe and North America have announced the dismantling of a major malware operation run by Russian criminals, following extensive collaboration with law enforcement agencies from the UK, Canada, Denmark, the Netherlands, France, Germany, and the US.

International arrest warrants have been issued for 20 suspects, and US prosecutors have unsealed charges against 16 individuals believed to be based in Russia.

The operation also targets the alleged leaders of the Qakbot and Danabot malware operations, Rustam Rafailevich Gallyamov, 48, known as Jimmbee, and Artem Aleksandrovich Kalinkin, 34, known as Onix, according to the US Department of Justice.

Cyberattacks aimed at government destabilization, financial theft, or phishing emails are becoming increasingly severe. Recently, high street retailer Marks & Spencer fell victim to such an attack in the UK.

Germany's federal criminal police, the Bundeskriminalamt (BKA), has launched a public appeal to locate 18 suspects allegedly linked to the Qakbot malware family and to another malware strain known as Trickbot.

The BKA and its international partners report that many of the suspects are Russian nationals. Among them is Vitalii Nikolayevich Kovalev, 36, who has already been indicted in the US, and is among the BKA’s most wanted individuals.

Kovalev is believed to be behind the Conti group, which is regarded as one of the most sophisticated and organized ransomware syndicates. German investigators describe him as “one of the most notorious and successful email attackers in the history of cybercrime.”

Using aliases like Stern and Ben, the BKA alleges he has targeted hundreds of companies globally, extracting significant ransom payments.

Kovalev, 36, originally from Volgorod, is thought to reside in Moscow, where several companies are registered under his name. In 2023, US investigators identified him as a member of Trickbot.

Authorities also believe he leads other criminal groups, including Conti, Royal and BlackSuit (established in 2022). His cryptocurrency wallet reportedly holds approximately 1 billion euros.

The BKA and its international partners have identified 37 suspects and determined that there is enough evidence to issue arrest warrants for 20 of them.

A US federal court in California has unsealed charges against 16 defendants accused of "developing and deploying Danabot malware."

The criminal activities targeting victims’ computers have been “managed and executed” by Russia-based cybercriminal organizations, which have infected over 300,000 computers globally, with significant incidents reported in the United States, Australia, Poland, India, and Italy.

The malware was advertised on a Russian criminal forum and has been linked to “espionage activities aimed at military, diplomatic, governmental, and non-governmental organizations.”

A variant of the malware stored data stolen from these victims on separate servers, presumed to be located in the Russian Federation.

In Europe, the BKA’s most wanted list includes Roman Mikhailovich Procop, a 36-year-old Russian-speaking Ukrainian, who is suspected to be associated with Qakbot.

Operation Endgame was initiated by German authorities in 2022. BKA President Holger Münch has stated that Germany is a significant target for cybercriminals.

The BKA is specifically investigating the suspects' alleged involvement in gang-related commercial extortion and their membership of transnational criminal organisations.

Between 2010 and 2022, the Conti Group primarily targeted US hospitals, with a noticeable increase in attacks during the COVID pandemic. US authorities have offered a reward of $10 million for information leading to their capture.

Most suspects are believed to be operating within Russia, though some may also be active in Dubai. While Münch noted that extradition to Europe or the US is unlikely, their identities remain crucial in the ongoing investigations.

“We have once again demonstrated that our strategy can be effective even in the anonymous darknets with Operation Endgame 2.0.”

Source: www.theguardian.com

Protecting Your Data Post-Cyber Attack: Essential Strategies Against Cybercrime

A new cyberattack has made headlines, compromising personal information from hundreds of thousands of legal aid applicants in England and Wales.

Following the recent cyber incidents that severely disrupted Marks & Spencer and the Co-op, there are renewed reminders of the heightened risk of suspicious activity that follows a breach.

If you’re concerned that your data may have been exposed, here are some tips to help safeguard yourself.

Update Your Password – Ensure It’s Strong

Always ensure you use a strong password and avoid reusing passwords across multiple accounts.

If you’ve interacted with a company or organization that has suffered a cyberattack, promptly change the password for that particular website or app.

"Consider using a password manager to create and securely store strong, unique passwords," suggests the online security firm NordVPN.

Two-factor authentication (2FA) adds an extra layer of security to your important accounts by requiring a second code, sent by text or email or generated by an authenticator app, in addition to your password. Enable 2FA on every service that offers it.
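To make concrete what the authenticator-app variety of 2FA actually checks, here is an added example (not code from the article or from any vendor it names) of the time-based one-time password scheme from RFC 6238, the one that Google Authenticator and similar apps implement. The shared secret below is the RFC's own reference secret, given in the base32 form that apps read from a QR code; the `last_counter` replay guard and the one-step drift window are design choices of this example, not requirements of the RFC.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret ("12345678901234567890"), base32-encoded as an
# authenticator app would receive it from an enrolment QR code.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30 s time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, window: int = 1,
                digits: int = 6):
    """Server-side check. Accepts the code for the current step and for
    `window` steps either side to tolerate clock drift, but never a counter
    at or below `last_counter`, so a code intercepted and replayed within
    its 30 s lifetime is rejected. Returns (accepted, counter_to_store)."""
    if len(submitted) != digits or not submitted.isdigit():
        return False, last_counter
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue  # already used (or older than the last accepted code)
        # constant-time comparison: don't leak which digits matched
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Walk through one login: code issued at t=59, accepted, then replayed.
    code = totp(SECRET, 59)
    ok, used = verify_totp(SECRET, code, 59)
    replay, _ = verify_totp(SECRET, code, 75, last_counter=used)
    print(code, ok, replay)
```

The two things worth noticing are that the server never stores or transmits the code itself, only the shared secret and the last accepted counter, and that a code sent by SMS or email has no such counter binding, which is why authenticator apps (or hardware keys) are the stronger choice where a service offers them.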

Exercise Caution with Unsolicited Emails, Calls, and Messages

Avoid clicking on links or attachments in unsolicited emails, texts, or social media messages, as they may lead to phishing sites or contain malware designed to steal your identity.

Phishing scams often leverage current events, like cyberattacks, to lure unsuspecting customers into providing sensitive information.

Scammers might possess personal details they obtained through breaches, making their communications seem more credible.

If someone claims to represent a company you use, do not rely on the contact details or links they give you. Look up the company's official contact details independently and get in touch that way.
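The phishing kits described in the Holman case cloned bank, government and charity websites, and the advice above comes down to checking where a link really goes before trusting it. As an added example, not code from the article or from any organisation it mentions, the following Python implements the checks a mail gateway or a browser extension typically applies to a link: it extracts the true host (ignoring any brand name smuggled into the user-info part before an `@`), reduces it to its registrable domain, and compares that against a small allowlist of genuine brand domains, catching brand names embedded as sub-domains and look-alike spellings that swap digits for letters. The allowlist, the suffix table and the confusable-character map are all assumptions chosen for the example; a real deployment would use its own brand list and the Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of genuine domains for the brands being protected (assumption).
BRAND_DOMAINS = {"hsbc.co.uk", "barclays.co.uk", "britishredcross.org.uk"}

# Public suffixes under which the registrable domain is three labels long.
# Hard-coded subset for the example; real code would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

# Characters attackers swap for visually similar ones, mapped back to what they imitate.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """'www.hsbc.co.uk' -> 'hsbc.co.uk'; 'login.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """Normalise look-alike characters so 'h5bc' and 'hsbc' compare equal."""
    s = label.lower().translate(CONFUSABLE_CHARS)
    for pair, letter in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, letter)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str):
    """Return (verdict, registrable_domain, reason) for a link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid", "", "no host in URL"
    domain = registrable_domain(host)
    if parts.username is not None:
        # https://hsbc.co.uk@203.0.113.5/ : everything before '@' is user-info,
        # the browser connects to the host after it.
        return "suspicious", domain, "user-info before '@' hides the real host"
    if domain in BRAND_DOMAINS:
        return "legitimate", domain, None
    for brand in BRAND_DOMAINS:
        name = brand.split(".")[0]
        if name in host:  # e.g. hsbc.co.uk.secure-login-verify.com
            return "suspicious", domain, f"brand name '{name}' embedded in a non-brand host"
        if levenshtein(skeleton(domain.split(".")[0]), skeleton(name)) <= 1:
            return "suspicious", domain, f"registrable domain resembles {brand}"
    return "unknown", domain, None


if __name__ == "__main__":
    for link in ("https://www.hsbc.co.uk/login",
                 "http://hsbc.co.uk.secure-login-verify.com/",
                 "https://h5bc.co.uk/", "https://hsbc.co.uk@203.0.113.5/"):
        print(link, assess_url(link))
```

Two caveats a practitioner should keep in mind: the substring test is deliberately aggressive, so very short brand names will produce false positives and should be matched on whole labels instead, and "unknown" is not "safe"; it only means the link is unrelated to any brand on the list.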

Monitor Your Credit Report

If your personal data has been compromised, regularly monitoring your credit report is crucial to detect any fraudulent attempt to take out loans or other products in your name. The credit reference agencies offer both free and paid access.

We recommend checking your credit report periodically with the credit reference agencies.

Credit Karma and ClearScore both provide free access to your credit report.

Be vigilant for signs of identity theft, such as being denied financial products unexpectedly or not receiving bank statements despite having a good credit rating. Additionally, receiving collection letters for debts you didn’t incur or items on your bank statement that you didn’t buy are clear red flags.

Most financial fraud is said to begin on social media and technology platforms. Remain cautious, as scammers may have enough information to impersonate someone you know.

The rise of “Hi Mom” scams, where criminals pretend to be relatives asking for urgent financial assistance via messaging apps like WhatsApp, has surged in recent years.

Even under pressure, take your time to verify the identity of anyone requesting money, ensuring you’re truly communicating with your loved ones.

Safeguard Your Devices

Keep your laptops and devices updated by ensuring they receive the latest software and security patches.

Only use official app stores and software update services for your downloads.

Source: www.theguardian.com

Google: Britain's Scattered Spider Hackers Are "Encouraging" Cyberattacks

As reported by Google, UK-based members of the Scattered Spider hacking community are actively "promoting" cyberattacks, as the disruption that hit UK retailers spreads to the US market.

The hacker collective known as Scattered Spider has been connected to attacks on British retailers including Marks & Spencer, the Co-op and Harrods. Google's cybersecurity experts have now warned that unnamed retailers on the other side of the Atlantic are also under threat.

Charles Carmakal, the chief technology officer of Google's Mandiant cybersecurity division, said the threat had shifted to the US, following a pattern commonly observed with Scattered Spider attackers.


“They focus on a specific industrial sector and geographic location for a short period, before moving on to a new target,” he explained. “Currently, their attention is on retail organizations. They began in the UK and have now extended their focus to firms in the US.”

Asked about the involvement of British members in the M&S hack, he said: "While I can't name specific victims, it's clear that UK-based Scattered Spider members are promoting and facilitating these incursions."

On Friday, it was disclosed that M&S alerted employees that some personal data may have been compromised during a cyber attack last month. Sources informed the Daily Telegraph that staff members were notified that their email addresses and full names were potentially exposed in the breach.

Earlier this week, M&S reported that hackers had accessed personal information of thousands of customers.

In light of the attacks on UK retailers, cybersecurity agencies have urged businesses to remain vigilant and to be aware of the specific tactics employed by Scattered Spider.

In an advisory, the National Cyber Security Centre recommended that businesses review how their IT help desks verify staff before resetting passwords. One tactic associated with Scattered Spider, a name for a set of hacking tactics and a loose community rather than a unified group, involves calling a company's help desk while impersonating an employee or contractor in order to gain access to corporate systems.

“We have observed instances where they call the help desk, masquerade as employees, and convince the staff to reset their passwords,” Carmakal explained.

Carmakal also said that these calls to help desks are sometimes made by younger members of the Scattered Spider network.

“It’s not always the threat actor themselves making the call… some tasks are outsourced to other community members, often younger individuals looking to earn some quick money through various schemes and inconsistencies,” he shared.

Scattered Spider consists mainly of native English speakers from the UK, the US and Canada, which sets it apart from other ransomware groups. Carmakal said he had received reports of "numerous calls" made by Scattered Spider hackers to corporate employees.

Ransomware gangs typically infiltrate target computer systems with malware that effectively locks users out of their internal files. These groups usually originate from Russia or former Soviet states.

Carmakal’s remarks coincided with French luxury brand Dior disclosing that “fraudulent external parties” had accessed some customer data. The Paris-based brand has yet to clarify the nature or extent of the attacker’s incursions.

This week, Google's cybersecurity team confirmed that Scattered Spider had shifted its focus to US retailers.

“We are dedicated to offering a variety of services to our customers,” stated John Hultquist, chief analyst at Google Threat Intelligence Group. “The group that originally targeted retail in the UK, after a significant hiatus, has a track record of concentrating on one sector at a time, and we anticipate they will continue to prioritize this sector in the near future. US retailers should exercise caution.”

Source: www.theguardian.com

Top US Crypto Exchange Estimates Recent Cyberattack Costs Could Hit $400 Million: Our Response to Cybercrime

The leading cryptocurrency exchange in the U.S. estimates that cyber attacks compromising account information for a “small subset” of users will incur costs ranging from $180 million to $400 million. Coinbase noted that this estimate does not factor in the $20 million ransom demanded by hackers, which the firm opted not to pay.

As the largest platform for cryptocurrency transactions in the United States, Coinbase reported that while attackers accessed sensitive information like names, addresses, and emails, they did not acquire login credentials or passwords. Nevertheless, the company is refunding customers who were tricked into sending funds to the attackers.

The hackers recruited customer support contractors and employees based outside the US to extract information from internal systems. Coinbase said it has dismissed the staff involved.


Furthermore, Coinbase has also declined to pay the ransom and is actively collaborating with law enforcement. Instead, they have offered a $20 million reward for information regarding the perpetrator.

“We are committed to investigating this case, enhancing security measures, and providing reimbursements to affected customers instead of funding criminal activities,” the company stated in its blog post.

On May 11, the company received an email from an unidentified threat actor claiming to possess information about certain customer accounts and internal documents. The disclosure comes just days before Coinbase is due to join the benchmark S&P 500 index, a milestone for the cryptocurrency sector.

Security remains a significant issue for the cryptocurrency industry. In February, Bybit, the second-largest cryptocurrency exchange globally, disclosed that an attacker had stolen approximately $1.5 billion worth of digital tokens.

In 2024, the total amount stolen in hacks of cryptocurrency platforms reached $2.2 billion, according to a report from the blockchain analytics firm Chainalysis. It was the fourth year in a row that such thefts exceeded $1 billion.

Source: www.theguardian.com

Pro-Russian Hackers Claim Responsibility for Attacks on Multiple UK Websites

A hacking group supportive of Russia has claimed that it targeted various UK websites during a three-day campaign, including those of local councils and the Association of Police and Crime Commissioners.

In a series of posts on social media, the group, known as NoName057(16), claimed that many sites were temporarily inaccessible, although reports indicate that the attack was not entirely successful.

The hackers attempted to overwhelm several websites with traffic in a type of attack known as a distributed denial of service (DDoS). They stated on the platform X: “Ukraine disputes, and we are cutting that resource.”

Despite the group’s claims of success, Blackburn with Darwen and Exeter councils reported that their websites remained unaffected.

Many other targeted organizations, such as the Police and Crime Commissioners’ Association, Harwich International Port, and Cardiff City Council, were unable to comment on the situation.

Officials mentioned that if a website experienced temporary unavailability due to sudden traffic surges, it would typically be operational again within hours.

A spokesperson for Arun District Council commented, “On Tuesday morning, from around 7:15 am, our website was affected; it was fully operational again by 11:30 am. We are aware of the claims made on X and are continuing to investigate.”

National Highways also encountered a DDoS attack but stated that their website would soon return to normal functionality.

This incident mirrors an attempt to disrupt multiple council websites last October. While resident data was not compromised, the websites were briefly disabled due to overwhelming traffic.

The National Cyber Security Center (NCSC) noted at that time that they “provided guidance” to the affected local authorities. “Although DDoS attacks tend to be less sophisticated and impactful, they can cause significant disruption by blocking legitimate users from accessing online services,” they added.

Since its inception in 2022, NoName057(16) has used such tactics to disrupt the online services of various Ukrainian, European, and American governmental entities and media outlets. In January 2023, it targeted the website of a Czech presidential candidate, marking its first overtly political attack.

A survey by the cybersecurity firm Bridewell last summer found that 63% of government sector organizations had experienced ransomware attacks over the past year. The National Audit Office cautioned in January that “cyber threats to the UK government will pose serious risks and evolve rapidly.”

Recently, the NCSC was compelled to issue new guidance after a wave of cyber attacks on retailers, which appeared to originate from criminals targeting IT help desks. The wave included attacks on well-known retailers such as Marks & Spencer, the Co-op, and Harrods.

The criminals targeted these help desks to have passwords and authentication settings reset, giving them access to internal systems.

Regarding the attacks on retailers, the NCSC stated, “We are not in a position to determine whether this is connected, whether it represents a coordinated campaign by a single actor, or if there is no connection at all.”

Source: www.theguardian.com

How “Native English” Scattered Spider Groups Are Connected to M&S Attacks

One significant distinction between certain members of the Scattered Spider hacking community and their ransomware counterparts is their accent.

Scattered Spider is connected to the cyberattacks on the British retailer Marks & Spencer. Unlike typical ransomware attackers, the individuals involved appear to be native English speakers rather than hailing from Russia or former Soviet states.

This linguistic advantage supports one of their techniques, which Russian-speaking hackers may find difficult to emulate. They infiltrate systems by calling company help desks while impersonating employees, or by contacting employees while posing as someone from the company’s help desk.

“Being a native English speaker can foster immediate trust. Even internal staff and IT teams may let their guard down slightly due to perceived familiarity.”

Last November, the U.S. Department of Justice shed light on some suspected Scattered Spider members by charging five individuals with targeting an unidentified American firm through phishing text messages.

The DOJ alleged that the accused sent fraudulent texts to employees, tricking them into divulging sensitive information, including company logins. This breach resulted in the theft of sensitive data, including intellectual property, and significant sums of cryptocurrency from digital wallets.

All the accused were in their 20s at the time of the charges: four were aged between 20 and 25, and the fifth, Tyler Buchanan, 23, from Scotland, was extradited from Spain to the U.S. last week. He is set to appear in court in Los Angeles on May 12th.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) detailed Scattered Spider’s help desk tactics in an advisory released in 2023.

Notable ransomware victims of Scattered Spider attacks include the casino operators MGM Resorts and Caesars Entertainment, which were targeted in 2023. Following those attacks, West Midlands police arrested a 17-year-old in Walsall last year. The force has been contacted for further updates on this incident.

Scattered Spider was identified as responsible for the M&S breach by BleepingComputer, a technology news site. The report indicated that the attackers deployed ransomware known as DragonForce to encrypt parts of the retailer’s IT network.

These incidents are categorized as ransomware attacks because the attackers typically demand substantial payments in cryptocurrency to restore access to compromised systems. Leveraging ransomware from other gangs is a common occurrence, known as the model of ransomware-as-a-service.

Analysts from the cybersecurity firm Recorded Future remarked that “Scattered Spider” is more of an “umbrella term” than the name of a specific group of financially motivated cybercriminals. They noted that it stemmed from “The Com” rather than from a “monolithic entity,” and that its members engage in various criminal activities, including sextortion, cyberstalking, and payment card fraud.

“We operate within a channel and affiliate marketing framework, primarily on platforms like Discord and Telegram, mostly in exclusive invitation-only channels and groups,” stated the analyst.

Ciaran Martin, former head of the UK’s National Cyber Security Centre, remarked that Scattered Spider is “unusual” given its non-Russian origins.

Martin, now a professor at the Blavatnik School of Government at Oxford University, said: “The vast majority of ransomware groups originate from Russia. [Scattered Spider] seems to have utilized Russian code for this attack with DragonForce, but notably, they appear to be based here and in the U.S., which may facilitate their arrest.”

Martin further emphasized that the youth of Scattered Spider’s members should not diminish the threat they pose. “They are indeed a rare but quietly menacing group,” he noted.

Source: www.theguardian.com

British Cybersecurity Agency Issues Warning About Quantum Hacker Threats In Relation to Cybercrime

The UK’s cybersecurity agency is urging organizations to protect their systems from quantum-enabled attackers by 2035, as the prospect of a breakthrough in quantum computing threatens the encryption that underpins digital life.

The National Cyber Security Centre (NCSC) has issued new guidance recommending that large entities, including energy and transport providers, adopt “post-quantum cryptography” so that quantum technology cannot be used to break into their systems.

The NCSC warned that quantum computers, although still in development, pose a serious threat to encryption because they could solve the hard mathematical problems that underpin public-key cryptography. Their potential to perform such calculations at enormous speed is the core concern.

“Today’s encryption methods are used to protect everything from banking to communications, but rely on mathematical problems that quantum computers could solve much faster, posing a threat to current encryption methods,” the agency stated.

The NCSC recommends that large organizations, critical national infrastructure operators, and businesses with bespoke IT systems implement post-quantum cryptography to counter this threat.

According to the guidance, organizations should identify the services that require upgrading by 2028, carry out the most important migrations by 2031, and complete the move to the new cryptographic systems by 2035.


Traditional computers use bits to represent information as either 0 or 1, but quantum computers use qubits, which can exist in superpositions of 0 and 1 at once, enabling certain calculations far beyond what classical machines can perform in practical time.

However, qubits, the building blocks of quantum computing, are highly sensitive to interference such as temperature changes and cosmic rays, which has slowed the development of large quantum computers despite significant investment. The NCSC hopes its guidance will give organizations ample time to prepare for the eventual arrival of cryptographically relevant quantum computers.

“There is now a new way to encrypt public keys, making it prudent to act now rather than wait for the threat to materialize,” said Alan Woodward, a cybersecurity professor at the University of Surrey.

Source: www.theguardian.com

Global ransomware payments expected to drop by one-third following crackdown on cybercrime

Ransomware payments have dropped by over one-third compared to last year, totaling $813 million, as more victims refuse to pay cybercriminals and law enforcement cracks down on the gangs behind the attacks.

The decline in this type of cyber attack, in which computers or data are locked and money is demanded for their release, comes despite notable cases in 2024 in the UK and the US, including the well-known doughnut company Krispy Kreme and an NHS trust.

Last year’s ransomware payments were down from the $1.250 million recorded in 2023, according to a research company that analyzes payment data. It said payments dropped significantly in the second half of the year because of law enforcement action and growing resistance to paying cyber criminals.

The total for 2024 was lower than the $1.1 billion recorded in 2020 and 2019, coming in at $999 million. In ransomware attacks, criminals gain access to the victim’s IT system, steal data, encrypt it, and demand a ransom payment in bitcoin to decrypt the files and return the data.

Jacqueline Burns Koven, head of cyber threat intelligence at Chain Dissolving, noted that the decrease in ransomware payments signifies a shift in the ransomware landscape. She mentioned the effectiveness of measures, improvement in international cooperation, and the impact on attackers and victims.

However, Burns Koven cautioned that the downward trend in payments is fragile, and ransomware attacks continue to be prevalent.

Further evidence that victims are refusing to comply with attackers’ demands: the total ransom demanded by cyber gangs exceeded the amount actually paid by 53%.

During the same period, the number of ransom-related “on-chain” payments (payments recorded on the blockchain) decreased, indicating less compliance from victims.

One expert pointed to the international operation that took down the LockBit ransomware gang in February, as well as the disappearance of another cyber criminal group, BlackCat/ALPHV.

Lizzy Cookson, of a ransomware response firm, stated that the current ransomware landscape is shaped by newcomers focusing on smaller targets with more modest ransom demands.

In the UK, there’s consideration to ban schools, NHS, and local councils from paying ransomware demands. Private companies would need to report payments to the government, which could potentially block them. Reporting ransomware attacks may also become mandatory if legal changes are implemented.

Source: www.theguardian.com

Chinese government dismisses allegations of hacking US Treasury | Cybercrime

The Chinese government has responded to allegations linking Chinese government-supported attackers to the recent cyber breach at the U.S. Treasury Department, dismissing the accusations as “baseless.”

The breach was carried out through a third-party cybersecurity service provider, according to a letter from the Treasury to lawmakers. The hackers gained access to a key used by the vendor, which allowed them to bypass the service’s security controls.

The Treasury Department confirmed that the incident took place earlier in the month and that it allowed the attackers to remotely access certain workstations and obtain some unclassified documents.

China refuted the claims on Tuesday, stating that it opposes all forms of hacker attacks and especially rejects the propagation of false information for political motives.

Speaking on behalf of the Foreign Ministry, Mao Ning said, “We have consistently refuted these unfounded accusations that lack supporting evidence.”

The Treasury Department reported the breach to the U.S. Cybersecurity and Infrastructure Security Agency after being informed by the third-party provider and is collaborating with law enforcement to assess the situation.

A department spokesperson stated, “The compromised services have been disabled, and there is no indication that the attackers continued to infiltrate Treasury systems or data.”

In a letter to the Senate Banking Committee leadership, the Treasury Department stated, “Based on available evidence, this incident appears to be the work of a Chinese state-sponsored Advanced Persistent Threat (APT) actor.”

APT refers to an intrusion in which an attacker gains unauthorized access to a target network and remains undetected there for an extended period.

The department did not disclose the extent of the breach but promised to provide further details in a subsequent report.

“The Treasury Department treats any threat to our nation’s systems and data with utmost seriousness,” the spokesperson emphasized.

Several countries, including the United States, have expressed concerns about Chinese government-supported hacking campaigns targeting their governments, militaries, and enterprises.

While the Chinese government has denied the allegations, it has previously stated that it opposes and cracks down on all forms of cyber attacks.

In September, the U.S. Department of Justice announced the neutralization of a global cyber attack network affecting 200,000 devices, allegedly operated by Chinese government-backed hackers.

In February, U.S. authorities revealed the dismantling of a hacker network called Volt Typhoon that targeted critical public infrastructure at China’s direction.

In 2023, Microsoft disclosed that China-based hackers had infiltrated email accounts at numerous U.S. government agencies in search of intelligence information.

The hacker group “Storm-0558” breached the email accounts of around 25 organizations and government agencies, including the State Department and Commerce Secretary Gina Raimondo.

Source: www.theguardian.com

Car dealerships in US and Canada face third consecutive day of shutdown due to cyberattack

A cyber outage at CDK, a major retail software provider for auto dealerships, entered its third day on Friday, delaying car sales across North America, with the company saying there was no end in sight.

“The CDK outage is affecting auto dealers across the United States and Canada, including some BMW Group dealers,” a BMW North America spokesman told Reuters.

CDK, which provides a range of software to auto dealerships, said it experienced another cyber incident on Wednesday that caused it to proactively shut down most of its systems, but that it is working to restore services and get dealers’ business back to normal soon. In a letter to customers, the company said it was unclear how long it would take to resolve the issue.

The company did not disclose in its statement how many dealerships would be affected, but according to its website, CDK works with more than 15,000 retailers in North America. Representatives from major automakers including Ford, Volkswagen and Mercedes-Benz confirmed to Bloomberg that they were working with dealers affected by the outage.

“Dealers are extremely committed to protecting customer information and are proactively receiving information from CDK to help determine the nature and scope of the cyber incident and respond appropriately,” the National Automobile Dealers Association said. Independently owned car dealer Holman also said the outage affected its phone system.

Investment firm Brookfield Business Partners acquired CDK in April 2022 for $6.41 billion in cash, taking private the last major publicly traded company that provides software to auto dealerships and manufacturers.

Source: www.theguardian.com

Experts warn of increasing cyberattacks tied to Chinese intelligence agencies

Analysts have warned of the increasing power and frequency of cyberattacks linked to Chinese intelligence, as foreign governments test their response. This comes in the wake of revelations concerning a large-scale hack of British data.

Both the British and American governments disclosed that the hacking group Advanced Persistent Threat 31 (APT 31), backed by Chinese government spy agencies, has been accused of carrying out cyber attacks against politicians, national security officials, journalists, and businesses for several years. In the UK, the hackers potentially accessed information held by the Electoral Commission on tens of millions of British voters, and cyber espionage targeted MPs who have been vocal about the threat posed by China. Both the US and UK governments have announced sanctions against the Chinese companies and individuals involved.

New Zealand’s government also expressed concerns to the Chinese government about Beijing’s involvement in attacks aimed at the country’s parliamentary institutions in 2021.

Analysts informed the Guardian that there are clear indications of a rise in cyberattacks believed to be orchestrated by Chinese attackers with ties to Chinese intelligence and government.

Chong Che, an analyst at Taiwan-based cyber threat analysis firm T5, stated, “Some hacking groups often rely on China to carry out attacks on specific targets, such as the recent iSoon Information incident. It’s an information security company that has a contract with intelligence agencies.” T5 has observed an increase in constantly evolving hacking activity by Chinese groups in the Pacific region and Taiwan over the past three years.

Chong also said that while there isn’t enough information to directly trace the activity to China’s highest leadership (and the Chinese government denies the allegations), such activity cannot be discounted, given a Chinese system that does not differentiate… They believe that the objective is to infiltrate specific targets and steal critical information and intelligence, whether political, military, or commercial.

Several analysts noted that Western governments have become more willing to attribute cyberattacks to China after years of avoiding confrontation with the world’s second-largest economy.

David Tuffley, senior lecturer in cybersecurity at Australia’s Griffith University, remarked, “We’ve shifted from being less critical in the past to being more proactive, likely due to the increased threat and scale of actual intrusions. They are now a much more significant threat.” Cyberattacks are part of China’s gray zone activities, actions that approach but do not reach the threshold of war.

Tuffley highlighted that while much of the cyber activity is regionally focused on Taiwan and countries in the South China Sea with territorial claims, the cyberattacks are widespread. China aims to cause instability in the target country and test adversary defenses, rather than engage in violent war.

Tuffley warned of the risk of escalation, noting that other governments like the US and UK also possess sophisticated cyber espionage capabilities but have not publicly threatened action against China. US authorities charged individuals with conducting cyberattacks in violation of US law, suggesting a deep level of knowledge about the attacks.

Adam Marais, chief information security officer at Arctic Wolf, commented, “If you’ve been involved in cybersecurity for many years, this report from UK authorities won’t surprise you at all. Beijing continues to view cyber as a natural extension of its national strategy and has little fear of using cyber technology to advance its national interests.”

Source: www.theguardian.com

Ransomware gangs warned that UK state is not profitable target | Cybercrime

Ransomware gangs have been warned that the UK state is not a profitable target, after the British Library withstood a damaging cyberattack without giving in to the demands of the hackers responsible. The library has made it clear that it did not pay any ransom to the attackers or engage with them in any way.

In a statement released as part of their review of the incident, the library emphasized, “The library has not made any payments to the criminals who carried out the attack nor is it associated with them in any way. Ransomware gangs looking to target publicly funded institutions in the future need to be aware of the UK’s national policy as outlined by the NCSC [National Cyber Security Centre], which clearly prohibits such payments.”

Public institutions around the world, including governments, hospitals, schools, and universities, are frequent targets of ransomware attacks. These attacks typically involve encrypting or stealing sensitive data and demanding a ransom for its release or to restore access. Prompt ransom payments have been a common response, driven by weak cybersecurity practices and the urgent need to restore operations.

The British Library’s incident report comes as the National Cyber Security Centre, which has long discouraged ransom payments, escalates its efforts to combat ransomware threats. The aftermath of the attack has left the library operating below capacity, with research services still not fully restored months later.

While the library maintains secure copies of its digital collections, the lack of viable infrastructure for restoration has hindered the recovery process. Efforts to combat ransomware have faced challenges with Russia’s withdrawal from international cybercrime cooperation following its invasion of Ukraine.

Recent crackdowns on ransomware gangs by international law enforcement agencies have shown some success, including the seizure of infrastructure belonging to the LockBit gang. However, concerns have been raised about the government’s handling of the ransomware threat, with calls for increased attention and resources to address the growing cyber-attack landscape.

Source: www.theguardian.com

Russian LockBit ransomware hacker launches comeback attempt | Cybercrime

The LockBit ransomware gang is re-emerging, following a recent international crackdown that severely disrupted its operations.

Based in Russia, the group has created new dark web sites to showcase a few alleged victims and release stolen data. The gang is now under investigation by the National Crime Agency in Britain, as well as the FBI and other law enforcement agencies. This comes after a joint operation led by Europol to target the group last week.

In a statement issued in English and Russian, LockBitSupp, the group’s administrator, claimed that law enforcement agencies hacked their previous dark web site by exploiting vulnerabilities in PHP, a commonly used programming language for websites. They assured that other servers with backup blogs not using PHP would continue leaking data from targeted companies.

The statement also acknowledged personal negligence and irresponsibility, and expressed support for Donald Trump in the U.S. presidential election. The group even offered a job to the individual who hacked its main site. Law enforcement stated that LockBitSupp does not reside in the U.S. and has engaged with authorities.

Despite the disruption, the NCA stated that LockBit remains compromised, but they are vigilant as the group may attempt to reorganize. Additionally, the U.S. has indicted two Russians for deploying LockBit ransomware globally. Ukrainian police also arrested suspects related to attacks carried out using LockBit’s malicious software.

The relaunched LockBit website has issued threats against U.S. government sites and listed more alleged hacking victims. Security experts indicate that the group is attempting to resume operations but will face challenges because of the damage caused by international law enforcement actions.

LockBit operates on a ransomware-as-a-service model, leasing software to criminal organizations in exchange for a cut of the ransom payments. Despite the setback, the group needs to rebuild its reputation within the criminal community to attract affiliates following the recent law enforcement activities.

Ransomware attacks involve hackers infiltrating a target’s system, disabling it with malware, and encrypting files for ransom. Recent trends include extracting sensitive data like personal and customer information and demanding payment in cryptocurrency, mainly Bitcoin, to decrypt files or delete stolen data copies. Last year saw a record $1.1 billion paid in ransomware payments.

Source: www.theguardian.com

Chinese Hackers for Hire Exposed in Major Cybersecurity Breach | The Dark Reality of Cybercrime

A recent data breach at a Chinese cybersecurity company has exposed national security agencies paying substantial sums to collect information on a variety of targets, including foreign governments, while the company’s hackers gathered vast amounts of data on individuals and organizations that might interest potential customers.

A set of over 500 leaked files from the Chinese company I-Soon has been posted on the developer platform GitHub, and cybersecurity experts have confirmed their authenticity. The targets discussed in the leaked files include NATO and the UK Foreign Office.

The leak provides an unprecedented glimpse into the world of Chinese-employed hackers, with Britain’s security chief describing it as a “significant” challenge for the country. The leaked files consist of chat logs, company prospectuses, and data samples, revealing the scope of China’s intelligence-gathering operations and highlighting the market pressures faced by Chinese commercial hackers in a sluggish economy.

I-Soon is believed to have collaborated with another Chinese hacking organization, Chengdu 404, which has been indicted by the U.S. Department of Justice for cyberattacks not only in the United States but also on companies in China and on pro-democracy activists in Hong Kong.

Other targets discussed in the I-Soon leak include the British think tank Chatham House, public health agencies of Asean countries, and foreign ministries. The leak also indicates that certain data has been collected according to specifications, while in other cases special agreements have been made with the Chinese Public Security Bureau to collect specific types of data.

Chatham House has expressed concern over the leaked data, emphasizing the importance of safeguarding their data and information. Similarly, NATO has acknowledged the persistent cyber threats and stated that it is investing in large-scale cyber defense. However, the British Foreign Office declined to comment.

I-Soon’s services range from gaining access to email inboxes to hacking accounts, obtaining personal information from social media platforms, retrieving data from internal databases, and compromising various operating systems. The leaked files also suggest that the Chinese state is collecting as much data as possible.

I-Soon’s office building in Chengdu, Sichuan Province, southwest China. Photo: Kang Dak/AP

The leaked documents further reveal that I-Soon has sought “anti-terrorism” support and has claimed to have obtained data from various organizations. The company was also involved in discussions about sales practices and the company’s internal situation.

The leaked data also includes screenshots and chat logs where employees discuss the company’s operations and the impact of the COVID-19 pandemic on their business. The company’s CEO expressed concerns about the loss of core staff, the subsequent impact on customer confidence, and the loss of business.

Source: www.theguardian.com

“Hackers from UK and US team up to take down LockBit criminal organization” – Cybercrime

Britain’s National Crime Agency (NCA) seized control of the international ransomware group LockBit’s “command and control” infrastructure on Tuesday in a major law enforcement operation. The NCA plans to repurpose the group’s own infrastructure to expose its activities to the world.

The joint operation by the NCA, FBI, Europol, and an international coalition of law enforcement agencies was revealed in a post on LockBit’s own website. The post stated, “This site is currently under the control of the UK National Crime Agency, working closely with the FBI and international law enforcement agency Operation Cronos.”

Two people associated with LockBit were arrested in Poland and Ukraine, and two defendants believed to be connected to the group were arrested and charged in the United States. Two more names have been released, but those Russian nationals are still at large. Authorities also froze more than 200 cryptocurrency accounts associated with the criminal organization.

According to the NCA, the disruption to LockBit’s operations is far more extensive than initially revealed. The agency not only seized control of the public website but also took over LockBit’s primary administrative environment, which managed and deployed the tooling used to extort companies and individuals around the world, along with the enabling infrastructure.

“Through close collaboration, we hacked the hackers. We took control of the infrastructure, seized the source code, and obtained keys to help victims decrypt their systems,” said NCA Director General Graeme Biggar.

“As of today, LockBit is locked out. We have undermined the ability of a group that relied on secrecy and anonymity, and most importantly its credibility.”

The organization pioneered the ‘ransomware-as-a-service’ model, outsourcing target selection and the attacks themselves to a network of semi-independent ‘affiliates’, to whom it provided the tools and infrastructure in return for a share of the ransom payments.

While ransomware typically works by encrypting data on an infected machine and demanding payment for the decryption key, LockBit also copies victims’ data and threatens to release it publicly if the fee is not paid, promising to delete the copies once the ransom is received.

However, the NCA said that promise was false. Some of the data found on LockBit’s systems belonged to victims who paid the ransom.

Home Secretary James Cleverly said: “The NCA’s world-class expertise has delivered a huge blow to those behind the world’s most prolific ransomware.”


“The criminals operating LockBit are sophisticated and highly organized, but they have not escaped the clutches of UK law enforcement and our international partners.”

The “Hackback” campaign has also recovered over 1,000 decryption keys intended for victims of LockBit’s attacks, and plans to contact victims to assist them in recovering their encrypted data.

In a blog post last month, Ciaran Martin, former director of the National Cyber Security Centre, said that the involvement of Russian hackers in cybercrime undermines many common law enforcement tactics. “Impose costs where you can. There are things you can do to harass cybercriminals,” he warned. “But as long as Russian safe havens exist, this will not be a strategic solution.”

Source: www.theguardian.com

“Collaborative UK, US, and EU Effort Takes Down Major Cybercrime Syndicate” – Cybercrime

Rockbit, a notorious cybercrime organization that holds victims’ data for ransom, has been thwarted in an extraordinary international law enforcement operation by the UK’s National Crime Agency, the FBI, Europol and the International Federation of Police Agencies. This was revealed in a post from the organization. Blackmail website.

“This site is currently under the control of the UK National Crime Agency, working closely with the FBI and the international law enforcement force Operation Chronos,” the post said on Monday.

An NCA spokesperson confirmed the NCA had disrupted the gang and said the operation was “ongoing and evolving”. A LockBit representative did not respond to a request for comment from Reuters, but posted a message on an encrypted messaging app saying the group has backup servers that are immune to law enforcement actions.

The U.S. Department of Justice and FBI did not respond to requests for comment.

The post also names other international police organizations in France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

LockBit and its affiliates have hacked some of the world’s largest organizations in recent months. The gang makes money by stealing sensitive data and threatening to leak it unless victims pay exorbitant ransoms. Its affiliates are like-minded criminal groups recruited to carry out attacks using LockBit’s digital extortion tools.

Ransomware is malicious software that encrypts data. LockBit forces targets to pay a ransom to decrypt or unlock their data using a digital key.

LockBit was discovered in 2020 after its malicious software was discovered on a Russian-language cybercrime forum, and some security analysts believe the gang is based in Russia.

However, the gang does not profess support for any government, and no government has officially attributed it to any particular country. On its now-defunct dark web site, the group said it was “based in the Netherlands, completely apolitical and only interested in money.”

“They’re the Walmart of ransomware groups, and they run it like a business. That’s what makes them different,” said Jon DiMaggio, chief security strategist at US-based cybersecurity firm Analyst1. “They are probably the largest ransomware group today.”

LockBit has attacked more than 1,700 organizations across nearly every industry, and U.S. officials say the group is the world’s largest ransomware threat. Last November, LockBit released internal data from Boeing, one of the world’s largest defense and space contractors.

Takedown notice issued to LockBit by the international law enforcement group. Photo: Reuters

In early 2023, Royal Mail faced severe disruption following an attack by the group.

According to cybersecurity research website vx-underground, LockBit said in a Russian-language statement shared on the encrypted messaging app Tox that the FBI attacked a server running the programming language PHP.

The statement, which could not be independently verified by Reuters, added that there is a backup server that does not include PHP and “has not been touched.”

In a screenshot shared on X by vx-underground, the control panel used by LockBit affiliates to launch attacks had been replaced with a message from law enforcement: “We have the source code, details of the victims you attacked, amounts extorted, stolen data, chats, etc.”

“I may contact you soon. Have a nice day.”

Prior to its removal, LockBit’s website displayed an ever-growing gallery of victim organizations updated almost daily. Next to their names was a digital clock indicating the number of days left until the ransom payment deadline given to each organization.

On Monday, LockBit’s site displayed a similar countdown, but this time it led to a message from the law enforcement agencies that had hacked the hackers: “Please return here on Tuesday, February 20th at 11:30 GMT for more information.”

Don Smith, vice president of Secureworks, a division of Dell Technologies, said LockBit is the most prolific and dominant ransomware operator in the competitive underground market.

“To put today’s takedown in context, LockBit had a 25% share of the ransomware market based on leak site data,” Smith said. “Their closest competitor was BlackCat at about 8.5%, but then it really started to fragment.

“LockBit is dwarfing all other groups, and today’s action is critical.”

Source: www.theguardian.com

Cybercrime: Record $1.1 billion paid in ransom by hacking victims last year

Ransomware gangs experienced a resurgence last year, with victims paying $1.1 billion to hackers, a record high according to a study.

Following a lull in 2022, cybercriminals intensified operations in 2023, targeting hospitals, schools, and major corporations worldwide.

Chainalysis, a cryptocurrency research firm, reported that ransom payments doubled compared to 2022, with $567 million paid out that year.

The report highlighted the “big game hunting” aspect of attacks last year, with a higher proportion of ransom payments exceeding $1 million as wealthier companies were targeted.

“2023 will be the year of a major resurgence in ransomware, with record payout amounts and a significant increase in the scope and complexity of attacks. This is a significant reversal from the decline observed in 2022,” Chainalysis said.

In a ransomware attack, hackers typically infiltrate a target’s computer system, infect it with malware, and encrypt files, rendering them inaccessible. New trends involve attackers extracting data such as staff and customer details from IT systems and demanding payment to unlock the files or delete stolen data copies.

Chainalysis attributed the decline in payments in 2022 to factors including Russia’s invasion of Ukraine. Most ransomware groups are linked to Eastern Europe, the former Soviet Union, and Russia. Some gangs were disrupted, or shifted from ransomware to politically motivated cyberattacks.

The FBI disrupted the Hive ransomware group by obtaining their decryption keys and preventing victims from paying a $130 million ransom. Chainalysis also cited research showing a rise in the number of attackers and ransomware variants involved in attacks over the past year.

“The main thing we’re seeing is an astronomical increase in the number of attackers conducting ransomware attacks,” said Alan Liska, an analyst at cybersecurity firm Recorded Future.

According to Recorded Future, 538 new ransomware variants appeared in 2023, indicating the emergence of new and independent groups. The Clop group emerged as a key player last year by claiming responsibility for the hack of payroll provider Zellis, affecting customers like British Airways, Boots, and the BBC.

The British Library is still recovering from a ransomware attack by the rebranded group Rhysida that targeted the library in October.

The growth of ‘ransomware-as-a-service’, renting malware to criminals in exchange for a share of the profits, and the activity of ‘initial access brokers’ who sell vulnerabilities in potential targets’ networks to ransomware attackers have become trends.

Ellie Ludlum, a partner specializing in cybersecurity at British law firm Pinsent Masons, anticipates the rise in attacks to continue. “This increase is expected to continue in 2024, with continued focus on mass data exfiltration by threat actor groups, which may result in increased ransom payments by affected companies,” she stated.

Source: www.theguardian.com

Cybercrime: Credit Agency Warns of Growing Threat to UK Drinking Water from Hackers

Credit rating agency Moody's has warned that water companies face a “high” risk from cyber-attacks targeting drinking water as they await approval from industry regulators to increase spending on digital security.

Hackers are increasingly targeting infrastructure companies such as water and wastewater treatment companies, and the use of artificial intelligence (AI) could accelerate this trend, Moody's said in a note to investors.

Southern Water, which serves 4.6 million customers in the south of England, said last month that the Black Basta ransomware group had accessed its systems and posted a “limited amount” of data to the dark web. The same group hacked outsourcing company Capita last year.

Separately, South Staffordshire Water apologised in 2022 after hackers stole customers’ personal data.

Moody's warned that the increasing use of data logging equipment and digital smart meters to monitor water consumption is making businesses more vulnerable to attacks. Systems used at water treatment facilities are typically separated from a company’s other IT systems, including customer databases, but some systems are more closely integrated to improve efficiency, it said.

After a hack, companies typically have to hire specialized cybersecurity firms to repair systems and communicate with customers, and they can also face penalties from regulators. The UK's Information Commissioner's Office can fine companies up to 4% of group turnover or €20m (£17m), whichever is higher.

Moody's said the cost of system remediation, including re-securing and strengthening existing cyber defenses and paying potential fines, would typically result in only a “modest increase” in debt levels if the incident is short-lived.

But Moody's warned that “the greater risk to our industry and society is if malicious actors were able to gain access to operational technology systems and harm drinking water or wastewater treatment facilities.”

The agency said water suppliers, governments and regulators need to strengthen their cyber defenses “as attacks against critical infrastructure become more sophisticated and state-aligned actors are now increasingly becoming cyber attackers.”

There is widespread concern about the digital security of Britain's infrastructure assets, including the £50bn project to build vast underground nuclear waste repositories and the Sellafield nuclear facility in Cumbria, where the Guardian revealed a series of cybersecurity issues.

Moody's report comes as water companies in England and Wales hope to receive allowances from Ofwat to increase spending on cyber defense. The regulator is assessing plans to raise bills between 2025 and 2030 to cover the investment.

Ofwat's decision, to be announced later this year, comes at a critical juncture for an industry that has come under fire for sewage dumping, inadequate leak records and high executive pay.

In October last year, the companies submitted five-year business plans detailing the price increases they said would be required to fund a record £96bn investment in fixing raw sewage leaks, reducing leaks and building reservoirs.

Moody's analysis shows that businesses want to increase their total spending on security from less than £100m to nearly £700m over the next five years. Increased scrutiny of the industry and the hack into Southern Water could strengthen its case, the credit agency said.

The agency said costs to South Staffordshire Water related to the hack could reach £10 million, including potential civil action.

Moody's warning about the potential impact on water companies’ debt comes amid growing concerns over leverage in the water sector, where up to 28% of bill payments are used for debt servicing in some regions of England.

Industry body Water UK announced last week that average annual bills have risen by 6% since April, outpacing the current rate of inflation.

Source: www.theguardian.com