Ronin Hack: North Korea’s Lazarus Behind $540 Million Axie Infinity Breach

Early this week, the Ukrainian Computer Emergency Response Team and Slovakian cybersecurity firm ESET warned that Russia’s notorious GRU Sandworm hackers had targeted high-voltage electrical substations in Ukraine using a variation of their blackout-inducing Industroyer malware, also known as Crash Override. Days later, the US Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new industrial control-system hacking tool set of unspecified provenance, dubbed Pipedream, that seemingly hasn’t been deployed against targets but that the operators of industrial systems need to proactively block.

Russia’s war on Ukraine has resulted in massive data leaks in which spies, hacktivists, criminals, and regular people looking to support Ukraine have grabbed and publicly released huge quantities of information about the Russian military, government, and other Russian institutions. And separate from the conflict, WIRED took a look at the true impact of source code leaks in the big picture of cybercriminal breaches.

Plus, DuckDuckGo finally released a version of its privacy browser for desktop, and WhatsApp is expanding to offer a Slack-like group chat organizational scheme called Communities.

And there’s more! We’ve rounded up all the news that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Blockchain analysis researchers from Elliptic and Chainalysis said on Thursday that they had traced the massive quantity of cryptocurrency stolen last month from the Ronin network bridge to the North Korean Lazarus hacking group. The US Treasury also announced expanded sanctions against North Korea, Lazarus, and the group’s affiliates. The attackers stole large quantities of the Ethereum currency ether and some USDC stablecoin totaling $540 million at the time. (The value of the stolen funds has since risen to over $600 million.) Lazarus hackers have been on a cybercriminal rampage for years, breaching companies, orchestrating scams, and generally gathering profits to bankroll the Hermit Kingdom.

NSO Group, the Israeli developer of the powerful and widely used spyware Pegasus, was declared “valueless” in filings in British court this week. The assessment, described as “abundantly clear,” came from the third-party consultancy Berkeley Research Group that has been managing the fund that owns NSO. As a stunning number of autocrats and authoritarian governments have purchased NSO tools to target activists, dissidents, journalists, and other at-risk people, the spyware maker has been denounced and sued (repeatedly) by tech giants in an attempt to limit its reach. Targeted surveillance is big business and a nexus where espionage and human rights issues converge. Reuters reported this week, for example, that senior EU officials were targeted last year with unspecified Israeli-made spyware.

T-Mobile confirmed it had been breached last year (for what felt like the millionth time) after hackers put the personal data of 30 million customers up for sale for 6 bitcoins, or about $270,000 at the time. Recently unsealed court documents show, though, that the telecom hired a third-party firm as part of its response, and the firm paid the attackers about $200,000 for exclusive access to the trove in the hopes of containing the crisis. Paying hackers through third parties is a known but controversial tactic for dealing with ransomware attacks and digital extortion. One of the reasons it is frowned upon is that it often doesn’t succeed, as was the case with the T-Mobile data, which attackers continued to sell.

In a report this week, researchers from Cisco Talos said that a new type of information-stealing malware called “ZingoStealer” is spreading rapidly on the app Telegram. The cybercriminal group known as Haskers Gang is distributing the malware for free to other criminals or anyone who wants it, researchers said. The group, which may be based in Eastern Europe, frequently shares updates and tools on Telegram and Discord with the cybercriminal “community.”
