Last week, Anonymous Sudan, identified by Flashpoint and others as a Russia-aligned threat actor spoofing an Islamicist hacktivist group, attacked another western financial institution. This time, it did so reportedly in concert with the pro-Russia denial-of-service hacker group Killnet and possibly Russia-based ransomware-as-a-service REvil. The June 19 attack against the European Investment Bank may have been a salvo aimed at thwarting financial pipelines supporting Ukraine’s war effort, although the motives of the threat groups are still subject to speculation, experts say.
The latest distributed denial-of-service attack in 2023 by these threat groups, as well as the Russian-speaking extortion ransomware group Clop, follows exploits against Microsoft, the U.S. Department of Energy and many more organizations in a growing list of targets constituting a widening fan of targeted sectors. Those who have tracked these three threat actors and new groups of botnet purveyors reported the attacks on EIB and its subsidiary, European Investment Fund, were aimed at ruffling the feathers of the Society for Worldwide Interbank Financial Telecommunication system, from which Russian institutions were banned in 2022.
Also reported in a Flashpoint blog: Clop published on its data leak site last week a list of 64 organizations, including U.S. government entities, that the group attacked by exploiting a critical vulnerability in MOVEit managed file transfer software. The vulnerability allows threat actors to gain access to MOVEit Transfer’s database without authenticating, at which point they can alter or delete entries in the database using SQL maneuvers.
SEE: Ransomware makes high profits — just look at LockBit (TechRepublic)
In one 24-hour period in March, the Clop group reportedly attacked Shell Global, Bombardier Aviation, Stanford University and other institutions of higher education.
Tim West, head of cyber threat intelligence at WithSecure, said Clop stated that government data will be deleted and not retained or shared. “This is almost certainly in an effort to not ‘poke the bear’ and fall below a line that invites action from competent authorities, although it’s unlikely that their word alone will cut much mustard,” he said.
Anonymous Sudan seeks the spotlight
Flashpoint noted that Anonymous Sudan, which has been active since January 2023, has launched DDoS attacks against organizations in Sweden, the Netherlands, Denmark, Australia, France, Israel, Germany, UAE, the U.S. and Iran. The group’s attacks have targeted financial services, aviation, education, healthcare, software and government entities.
WithSecure, a Finland-based security and threat intelligence company, noted that Anonymous Sudan has attacked targets in that nation, as well as hospitals in Denmark and airports, hospitals and schools in France. In its May 2023 report, the company noted the threat actor had ensnared Scandinavian Airlines, demanding a $3 million ransom to cease the attack, and had begun focusing on the transportation sector, favoring several small airlines and train operators.
Partly politics, mostly money
West said he takes with a grain of salt the notion that Killnet, Anonymous Sudan, REvil and threat groups like them are either forming strong collaborations amongst themselves or are motivated solely by loyalty to Russia.
“I guess I would refute the point that they are all ‘aligned.’ I would probably agree that, in reality, the truth is nuanced. Broadly, while they may be aligned with Russia as a ‘hacktivist’ collective, they are each financially motivated, certainly,” he said, adding that Killnet is an exception, objectively, as there have been assessments showing a level of coordination with Russian authorities.
In any case, he asserted, groups like these may have murky political sympathies, but their financial objectives are limpid. Anonymous Sudan’s ransom attack against Scandinavian Airlines speaks volumes about them being at least as motivated by lucre as by love of country.
“Anecdotally, they are also targeting transportation and travel more frequently,” West said, adding that the attacks on European financial institutions in the SWIFT network may be as much about generating noise and attention for themselves as creating force majeure to make a political statement.
“SWIFT is the interbank payment system, and a lot of banks around the world rely heavily on the vast quantities of money SWIFT handles across the globe, so it has been a target for cybercriminals for a long time, but it is a hard target — one that is very difficult to take down. What I think we are seeing with Anonymous Sudan are attempts to make lofty claims against relatively large names in the financial ecosystem, in generating noise and publicity,” West said.
Mirroring Mirai: Botnets on the rise
WithSecure said botnets are becoming the preferred attack vector by threat actors, noting that a Killnet splinter group deployed Mirai botnet variants.
Indeed, a new Akamai report points to Mirai-like botnet attacks. Akamai reported that the Mirai botnet, which first broke big with a 2016 attack on DynDNS, has spawned numerous copycats. The latest example reported on June 13 was an exploitation of a critical command injection vulnerability discovered in March. With a Common Visibility Scoring System rank of 9.8 (on a 1-10 scale of severity), this vulnerability has significant potential for damage, both to the infected device and the network on which it resides.
Akamai said the vulnerability lets an attacker send a crafted request to the affected wireless routers, allowing them to execute commands on the infected device. The security firm reported that one of the commands injects and executes Mirai, and “Since that time, there have been numerous variants and botnets influenced by the Mirai botnet, and it is still making an impact”.
SEE: Akamai spotlights botnets attacking commerce (TechRepublic)
West commented, “It goes to show that even large government organizations are enterprise organizations too and need to employ third-party services for certain tasks. It’s likely they will have third-party/supplier reviews, but zero-day code vulnerabilities are unknown unknowns that are by definition not able to be directly remediated.”
With increasing threats, there is a greater need for training
In the current dangerous cybersecurity climate, enterprise data security is critical, and some degree of threat savvy is imperative, whether you are in a SOC, an IT center or even in management. Whether you would like to develop valuable security skills for yourself, employees or others, you can now get lifetime access to an InfoSec4TC Platinum Membership: Cyber Security Training through TechRepublic Academy.