Analysis | ‘We hacked the hackers’: Law enforcement disrupts the Hive gang
Justice Department Officials Announce Victory in Effort to Combat Ransomware in Innovative Ways
Law enforcement in the United States and Europe has announced the disruption of a major ransomware gang, the latest step by authorities to go on the offensive and keep cybercriminals on their toes as they attempt to tackle the scourge of ransomware.
The gang, called Hive, attacked hospitals, school districts, financial companies and others, stealing and sometimes releasing their data, Attorney General Merrick Garland said yesterday.
“Like other prolific groups, Hive partnered with independent hackers who broke in through phishing or other means: the gang provided the encryption program and ransomware negotiations, and split the profits with the hackers,” Perry Stein, Joseph Menn and I wrote in a story on the announcement.
Justice Department officials described the operation as a major victory in their efforts to tackle ransomware in innovative ways.
Officials said law enforcement was able to hack Hive and infiltrate its networks for seven months, stealing decryption keys and giving them discreetly to 336 victims before taking full control of Hive servers in the United States and Europe, taking them offline and preventing further infections.
- In the past, the FBI has seized and returned ransoms to victims and obtained keys to decrypt systems, but not on the scale of Operation Hive, FBI Director Christopher A. Wray said.
- The FBI also gave more than 1,000 decryption keys to previous victims of the group, the Justice Department said.
International cooperation was apparently also essential. German police and prosecutors said in a statement that they were able to penetrate hackers’ IT infrastructure while investigating the hack of a company based in southern Germany.
- Investigations into Hive were successful because the victims refused to pay the hackers’ ransom and instead filed criminal complaints, according to the German statement.
The disruption of the Hive ransomware group is also the latest example of law enforcement officials using a strategy other than simple arrests to take them down.
“We hacked the hackers,” Deputy Attorney General Lisa Monaco said at a press conference. “We’ve turned the tide on Hive.”
Monaco also called the operation “cyber surveillance of the 21st century”.
For years, authorities have gone after notorious ransomware gangs. The Department of Justice has set up a Ransomware and Digital Extortion Task Force and a National Cryptocurrency Enforcement Team, and in a cyber review last year said the department could be “effective against these threats even before prosecution and arrest.”
In recent years, the Department of Justice has announced the seizure of millions of dollars from hackers involved in notorious ransomware attacks that affected American organizations and businesses. Here are some major examples:
- Officials arrested a NetWalker ransomware hacker in January 2021; he was sentenced last year and ordered to forfeit $21.5 million. Law enforcement also seized hundreds of thousands of dollars in ransom payments and a dark web site used by the group.
- In June 2021, federal authorities recovered over $2 million in ransoms paid to DarkSide, which notoriously hacked Colonial Pipeline.
- In November 2021, authorities charged a Ukrainian national with launching a ransomware attack on computer software company Kaseya and announced the seizure of more than $6 million in ransomware-related funds. But the FBI waited nearly three weeks to help unlock the systems of victims affected by that hack, The Washington Post first reported. Lawmakers raised concerns about the delay.
- Last year the FBI recovered around $500,000 in cryptocurrency paid as ransom to North Korean hackers.
But that doesn’t necessarily mean it’s the end for Hive or its hackers. Hive could move to new infrastructure and regroup, as other gangs have done in the past.
Top UK cybersecurity official set to leave post this year
Britain’s signals intelligence agency GCHQ said its director, Jeremy Fleming, will remain in his post until the summer and there will be a “normal civil service internal competition to identify a successor”, The Record’s Alexander Martin reports.
“Fleming has served as head of GCHQ for nearly six years, taking office in April 2017,” Martin writes. His official page credits him with leading a ‘significant period of growth’ at the agency – citing the opening of a new secure facility in Manchester, as well as the launch of the National Cyber Force. He has also championed a “focus on diversity and inclusion”.
The Cryptocurrency Laundering Industry Consolidates
Cryptocurrency analytics firm Chainalysis found that just five cryptocurrency exchanges received around two-thirds of the illicit funds the firm traced to exchanges, Wired’s Andy Greenberg reports. In total, Chainalysis found just 915 services used to cash out illicit crypto, the lowest number since 2012.
“In fact, Chainalysis saw just 542 cryptocurrency deposit addresses receiving more than half of the $6.3 billion in total illicit funds it tracked to these withdrawal services in 2022, and only four addresses received $1.1 billion from these funds,” Greenberg wrote.
A Treasury Department official who spoke to Wired on condition of anonymity due to the sensitivity of sanctions policy coordination said the Chainalysis data may be incomplete and the consolidation could be the result of the shutdown of cryptocurrency exchanges during an industry downturn. The official also noted the cryptocurrency enforcement work of U.S. and international authorities.
“The way you approach large-scale money laundering is to slowly reduce the number of open vulnerabilities. Little by little, the gaps are getting fewer and fewer, smaller and smaller,” the official told Wired. “If you close more holes in the dam, more water flows through those open holes.”
Royal Mail resumes more international service after hack
The UK’s largest mail delivery service has resumed more of its international operations, telling customers weeks after suffering a cyberattack that they can make more use of its international mail services, Reuters’s Muvija M. reports. The cyberattack, which appeared to be ransomware, has underlined the risks that hacks pose to mail delivery services.
Royal Mail does not appear to have put the incident fully behind it: the company said on its website that it continues “to ask customers not to submit new packages for export as our initial goal is to clear mail that has already been processed and is waiting to be [dispatched].”
Head of Israeli cyber firm NSO Group reaffirms company’s commitment to spyware (Wall Street Journal)
Google nukes 50,000 accounts pushing Chinese disinformation (Bleeping Computer)
Cyber Ninjas’ ties to Trump in Arizona election ‘audit’ revealed in posts (Arizona Republic)
Thanks for reading. Until tomorrow.