Cyberwarfare, Espionage & Extortion Issue #7: 1st March 2024
"In a time of deceit, telling the truth is a revolutionary act." - George Orwell
VOLTZITE Espionage Operations Targeting U.S. Critical Systems - VOLTZITE is a Dragos designated threat group. This threat group shares overlaps with the adversary described by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in May 2023, and the Microsoft threat group Volt Typhoon. VOLTZITE has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and defense industrial bases.
Top UK Universities Recovering Following Targeted DDoS Attack - Top UK universities have had their services impacted by a DDoS attack, which has been claimed by the Anonymous Sudan hacktivist group.
The University of Cambridge’s Clinical School Computing Service revealed the incident in a post on its X (formerly Twitter) account on February 19, stating that internet access will be intermittent.
It said that the attack started at 15.00 GMT on February 19, with “multiple universities” impacted.
Tool of First Resort, Israel-Hamas War in Cyber - Iran extensively employed cyber operations to gather information and cause disruption in the years before the attack and continues to do so after the attack. Disruptive operations focused on Israel, where Iran has long conducted cyber attacks against key Israeli organizations, but also affected American critical infrastructure.
Iran’s espionage operations likewise focused on Israel and the United States, but also impacted other countries in the region.
Insight
Google's Latest Report Sheds Light on the Dark World of Commercial Surveillance Vendors
How the commercial surveillance industry works and what can be done about it
In a revealing report by Google's Threat Analysis Group, the spotlight has been cast on the shadowy world of Commercial Surveillance Vendors (CSVs), unveiling a concerning trend in the proliferation of spyware and its profound impacts on high-risk individuals. While a few CSVs have drawn public scrutiny, Google's analysis points out that numerous lesser-known entities are significantly contributing to the spyware landscape, posing a persistent threat to privacy and security worldwide.
The report, in collaboration with Google's Jigsaw unit, shares compelling narratives from three high-risk users, shedding light on the palpable fear and professional isolation resulting from targeted spyware attacks. These accounts underscore the chilling reality of surveillance technologies and their capability to infiltrate the lives of those working in sensitive or oppositional roles, often leading to self-censorship and a re-evaluation of digital communication norms.
Highlighting a shift in the cyber power dynamic, the Google TAG report asserts that the private sector, once considered a secondary player in the development of cyber capabilities, now stands at the forefront of creating and deploying some of the most advanced and sophisticated tools identified by security experts. This evolution marks a significant departure from a time when state actors were predominantly viewed as the principal sources of cyber threats.
Of particular concern is the finding that CSVs are responsible for half of the known zero-day exploits targeting Google products, including devices within the Android ecosystem. This statistic not only emphasizes the technical prowess of these vendors but also highlights the direct threat they pose to Google users and the broader digital community.
In response to these escalating threats, Google has reaffirmed its commitment to safeguarding its user base. Through rigorous detection efforts and strategic partnerships, Google aims to disrupt the activities of CSVs and mitigate the risks associated with commercial spyware. This initiative is part of a broader commitment to enhancing digital security and fostering a safer online environment for all users, particularly those at heightened risk of targeted surveillance.
As the digital landscape continues to evolve, the emergence of CSVs as key players in the cyber threat arena underscores the need for vigilant security practices and international cooperation to address the complex challenges posed by commercial spyware. Google's ongoing efforts to combat these threats reflect a proactive stance in the fight for digital privacy and the protection of vulnerable individuals around the globe.
Special Report - LockBit
We’re changing our Scammer’s Corner this week to feature the potential return of the notorious LockBit ransomware group. As most will know, ransomware remains a clear and present danger to consumers and enterprises alike despite ongoing efforts from the cybersecurity community and law enforcement.
They’re Back, Baby!
In a brazen display of cyber resilience, the infamous LockBit ransomware group has announced its swift return to operations following a coordinated international law enforcement action that dismantled its infrastructure and recovered decryption keys for over a thousand victims.
LockBit, known for its disruptive cyberattacks, has claimed it is back in action mere days after a significant international law enforcement effort resulted in the seizure of the gang's servers and websites. This aggressive move comes alongside the retrieval of more than 1,000 decryption keys intended to assist victims in recovering from the group's attacks.
And They’re Bad!
The latest development was broadcast on Saturday when LockBit unveiled a new leak site that listed over a dozen alleged victims, strikingly including the Federal Bureau of Investigation (FBI), several hospitals, and Georgia's Fulton County. This revelation has sent shockwaves through the cybersecurity community and law enforcement agencies, who are still grappling with the fallout of the group's previous operations.
Fulton County, which is still recovering from the January cyber incident that crippled its phone, email, and other critical IT systems, was notably mentioned as a victim before the recent takedown of LockBit's infrastructure. Both the UK's National Crime Agency (NCA) and the FBI were instrumental in the previous week's operation that aimed to neutralize the gang's capabilities.
Despite these efforts, LockBit has reemerged, defiantly displaying Fulton County on their Tor-based site, complete with a countdown timer set to expire on March 2. This ultimatum serves as a grim reminder to government officials of the looming deadline to meet the ransom demands or face potential consequences.
The ransomware gang's resurgence is a disturbing testament to the persistent and evolving threat posed by cybercriminals. LockBit's ability to quickly regroup and launch a new platform for its illicit activities highlights the challenges law enforcement agencies face in creating lasting disruptions to these nefarious networks.
LockBit Aims Punches at the FBI
The listing of the FBI as an alleged victim is particularly audacious and underscores the brazen nature of the LockBit group. While details of the purported breach have not been disclosed, such a claim, if substantiated, could have significant implications for US national security and the ongoing battle against cybercrime.
The plight of Fulton County serves as a stark reminder of the tangible impact of ransomware attacks. The county's ongoing struggle to recover from the January intrusion has had a palpable effect on public services, with the latest developments suggesting the situation may deteriorate if the ransom is not paid.
LockBit's activities have been under intense scrutiny since the gang introduced an automated service last year that allows affiliates to launch ransomware attacks using its platform, effectively franchising cybercrime. This model has made it increasingly difficult to combat as it decentralizes operations and empowers a broader base of cybercriminal actors.
The latest incident also raises questions about the effectiveness of law enforcement actions against decentralized and sophisticated cybercrime syndicates. While significant resources are being deployed to combat these threats, the agility of groups like LockBit allows them to adapt and rebound from setbacks with alarming speed.
As the countdown clock ticks toward the March 2 deadline, the pressure mounts on Fulton County officials to navigate the delicate balance between standing firm against cyber extortion and ensuring the restoration of critical services for their constituents.
Reality Bites and Insanity Laughs
LockBit’s resurgence serves as a sobering reminder of the perpetual arms race between cybercriminals and law enforcement. With the stakes higher than ever, the international community watches closely as the situation unfolds, hoping for a breakthrough that will turn the tide in this ongoing cyber struggle.
The madness of the arms race continues.
The Deep Dive
A New Age of Hacktivism Spreads Chaos Online
In the shadow of the ongoing wars and geopolitical tensions of the past two years, the world has seen a marked increase in hacktivism activities, with the conflict in Ukraine serving as a significant catalyst. The convergence of non-state actors and state-backed entities into newly formed or existing hacker collectives highlights the evolving landscape of digital activism and cyber warfare.
Hacktivism is recognized as a form of cyber operation where computer hacking is employed to advance political or social objectives. Unlike traditional activism, which uses the internet for peaceful advocacy like online petitions or fundraising, hacktivism employs disruptive tactics without aiming to inflict serious harm. These include data breaches, website defacements, redirections, and Denial-of-Service attacks. However, as the digital realm becomes increasingly enmeshed with physical conflict, the distinction between hacktivism and cyberterrorism—where operations intend to cause physical damage, significant economic losses, or even loss of life—has grown fainter.
The ongoing wars have thrown cyberspace into a complex state of disorder. The once-clear demarcation between the physical and cyber domains is eroding, leading to a battleground where digital strikes are just as significant as those in the physical realm. The burgeoning trend of hacktivism signifies not only a new front in modern warfare but also raises profound questions about the ethics and legality of such operations.
As the global community grapples with these challenges, the surge in hacktivism has underscored the need for robust cybersecurity measures. Nations and organizations are urged to bolster their digital defenses and establish clear policies to distinguish between acceptable forms of digital protest and acts of cyber aggression.
In the digital age, hacktivism has emerged as a powerful form of expression and resistance. However, as the line between activism and terrorism continues to blur, it is imperative that international norms and laws evolve to keep pace with these changing dynamics, ensuring that cyberspace remains a domain for peaceful advocacy rather than a new theater of war.
Hacktivism – Expression, Resistance, or Just Digital Vandalism?
Hacktivism as a form of expression and resistance is a modern phenomenon that sits at the intersection of digital technology and social or political activism. It represents a digital-era twist on traditional forms of protest, allowing individuals or groups to express their stances on various issues through the strategic use of computer networks and skills. Hacktivism is not merely a tool of disruption; it's a means of conveying a message when conventional platforms are inadequate or suppressed.
In its essence, hacktivism is driven by the belief that the internet is a public space where freedom of expression should reign supreme. Hacktivists often target websites and online services to make a statement, expose wrongdoings, or bring attention to causes that may be marginalized or ignored by mainstream media. The acts, such as website defacements or redirections, are typically symbolic in nature, akin to the digital equivalent of protest graffiti or sit-ins.
This form of digital activism has gained prominence due to its ability to transcend geographical boundaries, enabling a global audience to witness and participate in acts of resistance. It democratizes protest by providing a platform for those who might otherwise lack the resources or physical space to voice their opposition. Hacktivism can amplify the reach and impact of a message, rallying support across diverse and dispersed communities.
Moreover, hacktivism can be a powerful tool for resistance against oppressive regimes or organizations. In places where traditional media is censored or protests are met with violence, hacktivism offers a relatively safer avenue to resist and push for change. By exposing information, like government corruption or corporate malfeasance, hacktivists can ignite public discourse and potentially drive policy changes or social reform.
However, the tactics used by hacktivists are subject to ethical and legal scrutiny. While the intent might be to avoid serious harm, the methods can sometimes cross into gray areas, impacting innocent third parties or unintentionally escalating into cybercrime. This raises questions about the legitimacy and morality of hacktivism, particularly when it comes to unauthorized access or data leaks.
Despite these concerns, hacktivism continues to evolve as a form of resistance. As long as there is perceived injustice and a need for societal change, it is likely that individuals will turn to the tools at their disposal—increasingly, these are digital. The challenge for the global community is to recognize the potential of hacktivism as a legitimate form of protest while also setting boundaries to prevent abuse and harm.
In this digital age, hacktivism stands as a testament to the power of technology as a lever for social change. It is a call to those in power to listen and respond to the digital populace, and it is a reminder that in the interconnected world of the internet, every voice has the potential to be heard.
What To Do if You Find Your Organisation a Target?
If you or your organization becomes the target of hacktivism, it's essential to handle the situation with a strategic and measured approach. Here's a multi-step strategy that you might consider:
Assess the Situation:
- Determine the scope and scale of the attack. Is it a website defacement, a denial-of-service attack, data breach, or something else?
- Assess the impact on operations, data integrity, and customer trust.
Secure Your Systems:
- Immediately begin containment procedures to limit the damage. This might involve taking certain systems offline, blocking suspicious IP addresses, or changing access credentials.
- Engage your IT team or a cyber-security firm to secure your networks and prevent further unauthorized access.
Legal Considerations:
- Report the incident to the appropriate law enforcement authorities. Hacktivism can involve illegal activities such as unauthorized access and data theft.
- Consult with legal experts to understand the implications and to prepare for any potential legal actions that may need to be taken.
Communication:
- Be transparent with stakeholders, including customers, employees, and partners. Provide them with information about what happened and what steps are being taken.
- Prepare a public statement that addresses the incident without giving away sensitive information that could exacerbate the situation or lead to additional attacks.
Data Protection:
- If data has been compromised, take steps to protect affected individuals, including providing credit monitoring services if financial information was involved.
- Review and enhance data encryption and protection strategies to prevent future breaches.
Understand the Cause:
- Try to understand the motive behind the hacktivism. Was it a protest against company policies, actions, or perceived injustices?
- Engaging with the issues raised (without necessarily engaging with the attackers) can sometimes address the underlying cause and prevent future incidents.
Review and Learn:
- After the immediate threat has passed, conduct a thorough review of the incident. What vulnerabilities were exploited? How can they be addressed?
- Update your incident response plan and conduct regular security audits and drills.
Strengthen Defenses:
- Invest in cybersecurity defenses, including firewalls, intrusion detection systems, and security information and event management (SIEM) systems.
- Regularly update and patch systems and software to protect against known vulnerabilities.
Staff Training:
- Train employees on cybersecurity best practices, as human error is often the weakest link in security.
- Conduct regular phishing exercises and provide updates on new cyber threats.
Engage with the Community:
- If appropriate, engage with your community to discuss their concerns. Sometimes a dialogue can prevent further attacks and can build a better relationship with the public.
Backup and Redundancy:
- Ensure that you have robust backup and recovery procedures. Regular backups can minimize the damage caused by data tampering or loss.
Monitor for Aftermath:
- Continue to monitor your networks for signs of persistent threats or additional breaches.
- Hacktivists may leave backdoors to re-enter the system at a later date.
Remember:
Each incident of hacktivism is unique, and the response should be tailored to the specific situation. It's crucial to balance the need for security with the understanding that hacktivism might be a sign of larger social or ethical issues that should be addressed by your organization.
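The "Assess the Situation" and "Monitor for Aftermath" steps above both come down to comparing what your public sites look like now against a known-good baseline. As an added example that is not part of the newsletter, the Python below (hypothetical hostnames, constructed snapshots embedded so it runs offline) classifies each monitored page as defaced, redirected, unavailable or unchanged, which is the first piece of information the containment and communication steps depend on:

```python
"""Added example: triage monitored pages against a known-good baseline to
label the kind of hacktivist incident in progress (defacement, redirection,
outage). Snapshots here are constructed; in practice a crawler would record
the HTTP status, final URL after redirects and a hash of the body."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    status: Optional[int]   # None when the request timed out
    final_url: str          # URL reached after following redirects
    body_sha256: str        # SHA-256 of the response body ("" if none)


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def classify(baseline: Snapshot, observed: Snapshot) -> str:
    """Return one finding label for a single page, most severe check first."""
    if observed.status is None or observed.status >= 500:
        return "unavailable"   # consistent with a DoS or an outage
    if observed.final_url != baseline.final_url:
        return "redirected"    # visitors sent somewhere not in the baseline
    if observed.body_sha256 != baseline.body_sha256:
        return "defaced"       # content changed outside a sanctioned deploy
    return "unchanged"


def triage(baseline: Dict[str, Snapshot],
           observed: Dict[str, Snapshot]) -> Dict[str, List[str]]:
    """Group baseline URLs by finding. A page missing from the observed
    crawl is treated as unavailable so an outage is not undercounted."""
    report: Dict[str, List[str]] = {
        "defaced": [], "redirected": [], "unavailable": [], "unchanged": []}
    for url, base in baseline.items():
        obs = observed.get(url, Snapshot(None, base.final_url, ""))
        report[classify(base, obs)].append(url)
    return report


# Constructed sample data; example-org.test and attacker.test are hypothetical.
HOME = "https://www.example-org.test/"
NEWS = "https://www.example-org.test/news"
PORTAL = "https://portal.example-org.test/"
ABOUT = "https://www.example-org.test/about"
CONTACT = "https://www.example-org.test/contact"

BASELINE = {
    HOME: Snapshot(200, HOME, sha256_of("<h1>Welcome</h1>")),
    NEWS: Snapshot(200, NEWS, sha256_of("<h1>News</h1>")),
    PORTAL: Snapshot(200, PORTAL + "login", sha256_of("<form>login</form>")),
    ABOUT: Snapshot(200, ABOUT, sha256_of("<h1>About us</h1>")),
    CONTACT: Snapshot(200, CONTACT, sha256_of("<h1>Contact</h1>")),
}
OBSERVED = {
    HOME: Snapshot(200, HOME, sha256_of("<h1>HACKED BY ...</h1>")),   # defaced
    NEWS: Snapshot(200, "https://attacker.test/", sha256_of("x")),   # redirected
    PORTAL: Snapshot(503, PORTAL, ""),                                # outage
    # ABOUT absent: crawler timed out                                 # unavailable
    CONTACT: Snapshot(200, CONTACT, sha256_of("<h1>Contact</h1>")),   # unchanged
}


def run() -> Dict[str, List[str]]:
    return triage(BASELINE, OBSERVED)


if __name__ == "__main__":
    for finding, urls in run().items():
        print(f"{finding}: {urls}")
```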
And Finally ….
Over the past week, the digital frontlines have witnessed significant turbulence as cyberwarfare, espionage, and extortion activities continue to evolve and intensify:
- In the geopolitical cyber arena, the ongoing conflict between Ukraine and Russia extends beyond physical borders into the cyber realm. Ukrainian defenses are not only repelling ground invasions but also countering sophisticated cyberattacks targeting governmental and financial sectors. These digital skirmishes, blending espionage and misinformation tactics, aim to undermine the state's stability and gain strategic footholds, reflecting a modern warfare aspect where cyber operations become as critical as conventional military strategies.
- Meanwhile, the global semiconductor industry, a cornerstone of technological advancement and economic power, has found itself in the crosshairs of cybercriminals. The past year has seen an alarming spike in ransomware attacks and extortion schemes against top semiconductor firms, including industry giants like NVIDIA, AMD, and Samsung. Perpetrators, identified as notorious groups such as LockBit, Cuba, and Lapsus$, exploit the sector's pivotal role, orchestrating financially driven cyberattacks that, beneath the surface, hint at possible state-sponsored espionage endeavors. These incidents have raised concerns about the theft of intellectual property and the potential involvement of nation-state actors under the guise of criminal enterprises.
- Adding to the cybersecurity storm, the infamous Lapsus$ Group resurfaced with a recent attack attributed to them by Uber, signaling the persistent threat posed by high-profile cyber extortionists. The group's comeback underscores the ongoing challenge businesses face in protecting sensitive data and maintaining operational integrity against increasingly bold and sophisticated cyber adversaries.
These developments underscore the intricate and perilous landscape of global cyber threats, emphasizing the critical need for fortified cybersecurity defenses across both public and private sectors. As the line between cybercrime and state-sponsored cyber activities blurs, the urgency for advanced, comprehensive security measures becomes ever more apparent.
Being informed has never been more important, so join us next week when we’ll discuss the huge increase in election tampering, the rise in subdomain email fraud, and of course, news headlines that have come our way and serve as the ice cubes in the water indicating that somewhere ahead is something that will rip the keel off our ship.