Geopolitical Cybercrime: LockBit attack on the ICBC
2023-11-11 23:31:55 Author: blog.bushidotoken.net

What happened?

On 8 November 2023, the Industrial and Commercial Bank of China (ICBC) was attacked by the LockBit ransomware group. The ICBC is one of the world’s largest banks and is a Chinese state-owned asset. Financial media sources, such as the Financial Times and Bloomberg, reported that the wider financial system was impacted as certain trades on the US Treasury market were unable to clear because of the LockBit attack. Reuters also reported that the impact on ICBC’s network was significant enough that the bank had to resort to manual processes to perform trades worth billions of US dollars.

At the time of writing, ICBC has not appeared on LockBit’s data leak site. However, in a conversation over the TOX messaging application with VX-Underground, a LockBit representative did confirm that they attacked ICBC.

Additional context

LockBit is currently the most prolific ransomware group in the world. They claim to be a “multinational” organization, and the threat actor “LockBitSupp” (who may even be reading this blog, hello 👋) maintains a semi-public persona on the Russian-speaking underground forums and often interacts with journalists and researchers over TOX messenger, an end-to-end encrypted chat application. Because of this semi-public persona, LockBit is able to recruit dozens, possibly more than a hundred, affiliates to use their Ransomware-as-a-Service (RaaS) platform to launch attacks.

LockBit’s claim that they are “multinational” is reasonably accurate. LockBit affiliates have been arrested or reported on in multiple countries outside of Russia, including Canada, the US, and China. However, it is not yet clear or publicly known which affiliate group is responsible for the attack on the ICBC.

  • In November 2022, a Russian and Canadian national, Mikhail Vasiliev, was arrested after a joint FBI operation while still having access to the LockBit affiliate panel.
  • In June 2023, another LockBit affiliate, a Russian-Chechen national named Ruslan Magomedovich Astamirov, was also arrested in Arizona, the United States, of all places.
  • In January 2022, Microsoft confirmed that LockBit also has a Chinese-speaking affiliate group, which it tracks as DEV-0401 (now Storm-0401). Plus, Secureworks noted in June 2022 that DEV-0401 (aka BRONZE STARLIGHT) also has numerous technical overlaps with the Chinese Ministry of State Security-affiliated threat group known as APT10 (aka BRONZE RIVERSIDE).

The ICBC is also not the first Chinese state-owned asset hit by LockBit. In May 2023, LockBit also added China Daily HK as a victim to its infamous Tor data leak site. This victim was notable as it is an English-language daily newspaper owned by the Central Propaganda Department of the Chinese Communist Party (CCP).


It is also important to remember that China is by no means innocent when it comes to launching cyber-espionage campaigns against Russia. While these campaigns are not destructive in nature, Russia likely does not appreciate them.

  • In April 2022, Secureworks shared that BRONZE PRESIDENT (aka Mustang Panda), a Chinese cyber-espionage group, launched a spear-phishing campaign against Russian officials, using lure documents themed around Russia’s invasion of Ukraine.
  • In early May 2022, Google TAG disclosed that Curious Gorge, a group TAG attributes to China's PLA SSF, has targeted Russia in long-running campaigns against multiple government organizations that have continued, including the Russian Ministry of Foreign Affairs. Google TAG also identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.
  • In mid-May 2022, Russian cybersecurity firm Positive Technologies (a firm sanctioned by the US for working with the Russian foreign intelligence service, or SVR) also shared a report about a Chinese state-sponsored threat group, dubbed Space Pirates, which targeted IT services, aerospace, and electric power industries located in Russia, Georgia, and Mongolia in intelligence-gathering campaigns.

The Implications

The fallout from this LockBit attack on the ICBC has broad geopolitical implications. It directly creates tension and causes issues between China and Russia. This is the second significant Chinese state-owned asset that a Russian ransomware gang has attacked in 2023. It is interesting to observe a Russian state-permitted ransomware gang attack a key ally of Russia, and especially one of China’s largest assets. The ICBC attack has likely caused significant financial losses directly for CCP members in Beijing, powerful individuals who will likely demand answers from the Kremlin.

The question is, has Russia lost control over its ransomware groups? Or was this a state-directed attack on China in retaliation for the numerous cyber-espionage campaigns targeting Russian government entities? To be honest, we may never know the answer, but it is interesting to think about.

It is difficult to predict the future, but perhaps the Russian FSB will perform another round of token arrests, similar to what happened to REvil, and take down LockBit as a favour to their Chinese allies reeling from the ICBC attack. Nevertheless, organizations of all sizes will have to continue monitoring LockBit campaigns for the foreseeable future. The ransomware group is still around for now, but hopefully will go the way of REvil or Ragnar Locker soon.

Article source: https://blog.bushidotoken.net/2023/11/geopolitical-cybercrime-lockbit-attack.html