
PLUS: Declassified documents reveal Russia's election info-ops in Romania; another Scattered Spider member detained; Turla hacks Pakistani APT's servers.
Claire
Salt Typhoon hacked eight US telcos and dozens of other countries. Declassified documents reveal Russia's election info ops in Romania. Another Scattered Spider member is arrested in the US, and Turla hacks a Pakistani APT's servers. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 6th of December, and this podcast episode is brought to you by Push Security.

In today's top story, the White House says that at least eight US telcos have been hacked by the Chinese hacking group Salt Typhoon. Deputy National Security Adviser for Cyber Anne Neuberger says the hacks have been underway for two years and have also hit dozens of other countries. Neuberger says the hackers accessed a large quantity of metadata while hunting for the calls and texts of specific targets. The FBI said the intrusions were ongoing and they're still fighting to evict Salt Typhoon from the compromised networks. CISA Director Jen Easterly says the CSRB investigation into the Salt Typhoon hacks will begin on Friday.

In other news, the European Commission has ordered TikTok to preserve data related to the Romanian elections. The order comes after Romania's National Security Council declassified top secret documents revealing a massive influence operation on TikTok that promoted a pro-Kremlin candidate. The campaign boosted Călin Georgescu from 1% in the polls a month before the election to winning almost a quarter of the vote. In a statement this week, the U.S. State Department attributed the campaign to Russia. TikTok said it removed two clusters of accounts that promoted the Georgescu camp, including one that was operated from Russia.

Iranian state-sponsored hackers are believed to have accessed the communications of Kash Patel, Donald Trump's nominee for FBI director, according to Semafor. The hack hit multiple members of the Trump transition team. Iranian hackers also breached the Trump camp in June.

UK authorities have disrupted two money laundering networks used by drug cartels, ransomware and Russian espionage operations. Officials have arrested 84 individuals linked to Smart and TGR, the two companies at the heart of the laundering operations. Smart and TGR allegedly laundered billions of dollars via cryptocurrencies and front companies. The U.S. Treasury Department has sanctioned six Smart and TGR executives, including their main administrators, identified as Ukrainian national George Rossi and Russian national Ekaterina Zhdanova. Zhdanova had been on the Treasury sanctions list since last year for her role in laundering Ryuk ransomware payments.

Europol has taken down Manson Market, a cybercrime platform that sold stolen personal and financial information. Two suspects were arrested in Austria and Germany, and more than 50 servers were seized across Europe. Officials say cybercrime groups and online scammers used Manson Market to sell data they extracted from their victims. Tactics included fake online stores and calling victims posing as bank employees.

US authorities have arrested and indicted a Californian teen suspected of being a member of the Scattered Spider hacking group. US officials claim that Remington Ogletree hacked two telcos and sent millions of phishing links via SMS in an attempt to steal cryptocurrency. Ogletree is the sixth member of the group charged in the US over the past month, according to Bloomberg. He was detained last month and released on bail.

French authorities have charged a member of the ShinyHunters hacking group with selling malware designed to hack AWS email servers. According to Le Monde, Sébastien Raoul created software that could scan and hijack vulnerable mail servers running on AWS cloud infrastructure. He allegedly sold the software online between 2021 and 2022. Raoul is a hacker known as Sezyo Kaizen, one of the three members of the ShinyHunters group. He was sentenced to three years in a US prison in January, according to Paris Match. Raoul was extradited back to France this week to face the new charges.

A Russian cyber espionage group hijacked the infrastructure of a Pakistani APT and used it to launch its own attacks. Researchers at Lumen and Microsoft say Turla operators hacked the command and control servers of Pakistan's Transparent Tribe at the end of 2022. The group used the servers to push its own payloads to victims previously infected by Transparent Tribe. Microsoft says Turla has hacked at least six other APTs in the last decade. The only previous public case is Iranian APT group OilRig in 2019.

Meta's security team has identified a third Russian organization behind the sprawling influence operation Doppelganger. The social media giant says it tracked recent Doppelganger activity to individuals associated with the Moscow State Institute of International Relations. Previously, Meta linked Doppelganger activity to two Russian companies named Structura and the Social Design Agency, both of which have been sanctioned by the US and EU.

Russia's FSB intelligence agency secretly installed spyware on the device of an ethnic Ukrainian programmer. The spyware was installed on his phone after officials arrested Kirill Parubets in April on charges of sending money to Ukraine. He was forced to unlock his phone while being threatened with treason and murder charges. Parubets found the spyware 15 days after being released, according to a joint technical investigation from Citizen Lab and First Department. The device was infected with a version of Monokle, a mobile spyware strain developed by a Russian government contractor named the Special Technology Centre. Parubets and his wife fled the country shortly after the incident.

The American division of vodka maker Stoli filed for bankruptcy last week in a Texas court. Stoli cited a ransomware attack in August and the seizure of its assets in Russia as the main issues that impacted its operations. The company said recovery from the ransomware attack would take until March. Stoli lost access to its ERP platform, which severely impacted its ability to control key processes such as supply, production and order deliveries. The company also cited the huge losses it faced when its Russian assets were seized by authorities following the invasion of Ukraine.

Threat actors are exploiting three zero-days in routers from Japanese vendor IO Data. The zero-days include a bug that can allow hackers to modify settings, run OS commands and disable the router's firewall. IO Data says it received reports of abuse in the wild from customers in mid-November. The company has already released a fix for one of the zero-days, and fixes for the other two are scheduled for December.

And finally, a threat actor has added malicious code to the Solana cryptocurrency project's official JavaScript SDK. The malicious code was designed to steal private keys from apps that use the SDK and then make off with their crypto. The Solana project blamed the incident on a compromised developer account, and that is all for this podcast edition. Today's show was brought to you by our sponsor, Push Security. Find them at pushsecurity.com. Thanks for your company.
Risky Business News: Salt Typhoon's Telco Hacking Spree Keeps Getting Bigger
Released on December 5, 2024 | Host: Claire Aird | Prepared by Catalin Cimpanu
In the episode's lead story, the White House says Salt Typhoon, a Chinese state-backed hacking group, has compromised at least eight US telecommunications companies. According to Deputy National Security Adviser for Cyber Anne Neuberger, the intrusions have been underway for two years and have also hit dozens of other countries. Neuberger says the hackers accessed a large quantity of call metadata while hunting for the calls and texts of specific targets, which points to a targeted collection operation rather than bulk theft.

The FBI says the intrusions are ongoing and that it is still working to evict Salt Typhoon from the compromised networks. CISA Director Jen Easterly says the Cyber Safety Review Board (CSRB) investigation into the hacks is set to begin on Friday.
The European Commission has ordered TikTok to preserve data related to the Romanian elections. The order follows the declassification of top-secret documents by Romania's National Security Council, which describe a large influence operation on TikTok that promoted a pro-Kremlin candidate. The campaign boosted Călin Georgescu from 1% in the polls a month before the election to almost a quarter of the vote.

In a statement this week, the U.S. State Department attributed the campaign to Russia. TikTok said it removed two clusters of accounts that promoted the Georgescu camp, including one operated from Russia.
Semafor reports that Iranian state-sponsored hackers are believed to have accessed the communications of Kash Patel, Donald Trump's nominee for FBI Director. The same intrusion hit multiple members of the Trump transition team. This is separate from the Iranian breach of the Trump campaign in June, and together they show sustained targeting of the incoming administration's personnel.
UK authorities have dismantled two money laundering networks tied to drug cartels, ransomware operations, and Russian espionage. A total of 84 individuals linked to Smart and TGR, the two companies at the heart of the operations, have been arrested. The two allegedly laundered billions of dollars via cryptocurrencies and front companies. The U.S. Treasury Department has sanctioned six Smart and TGR executives, including their main administrators, Ukrainian national George Rossi and Russian national Ekaterina Zhdanova; Zhdanova has been on the sanctions list since last year for her role in laundering Ryuk ransomware payments.
Europol has taken down Manson Market, a cybercrime platform that sold stolen personal and financial information. Two suspects were arrested in Austria and Germany, and more than 50 servers were seized across Europe. Officials say cybercrime groups and scammers used the marketplace to sell data they extracted from victims through tactics such as fake online stores and phone calls impersonating bank employees.
US authorities have arrested and indicted Remington Ogletree, a Californian teenager suspected of being a member of the Scattered Spider hacking group. Ogletree is accused of hacking two telcos and sending millions of phishing links via SMS with the intent to steal cryptocurrency. According to Bloomberg, he is the sixth member of the group charged in the US within the past month. He was detained last month and released on bail.
French authorities have charged Sébastien Raoul, also known as Sezyo Kaizen and one of the three members of the ShinyHunters group, with selling malware designed to hijack AWS email servers. According to Le Monde, the software could scan for and take over vulnerable mail servers running on AWS infrastructure, and Raoul allegedly sold it online between 2021 and 2022. Raoul was sentenced to three years in a US prison in January, according to Paris Match, and was extradited back to France this week to face the new charges.
Turla, a Russian cyber espionage group, has commandeered the infrastructure of the Pakistani APT Transparent Tribe to deploy its own payloads. Research by Lumen and Microsoft shows that Turla operators compromised Transparent Tribe's command and control servers at the end of 2022 and used them to push Turla malware to victims Transparent Tribe had already infected. Microsoft says Turla has hijacked at least six other APTs' infrastructure over the past decade; the only previously public case was its takeover of the Iranian group OilRig's infrastructure in 2019.
Meta's security team has identified a third Russian organization involved in the expansive influence campaign known as Operation Doppelganger. Recent Doppelganger activities have been traced to individuals affiliated with the Moscow State Institute of International Relations. Previously, Meta had associated Doppelganger's efforts with the Russian companies Structura and Social Design Agency, both of which are sanctioned by the US and EU.
Russia's FSB intelligence agency secretly installed Monokle, a mobile spyware strain developed by Russian government contractor the Special Technology Centre, on the phone of Kirill Parubets, an ethnic Ukrainian programmer. After Parubets was arrested in April on charges of sending money to Ukraine, he was forced to unlock his phone under threat of treason and murder charges. He found the spyware 15 days after his release, according to a joint technical investigation by Citizen Lab and First Department, and he and his wife fled the country shortly afterwards.
Stoli's American division has filed for bankruptcy in a Texas court. The company cited a ransomware attack in August and the seizure of its Russian assets by authorities after the invasion of Ukraine as the main factors disrupting its operations. The ransomware attack cost Stoli access to its ERP platform, crippling processes such as supply, production, and order deliveries, and the company says recovery will take until March.
Threat actors are exploiting three zero-day vulnerabilities in routers from the Japanese vendor IO Data. The bugs allow attackers to modify settings, execute OS commands, and disable the router's firewall. IO Data says customers reported in-the-wild abuse in mid-November; the company has released a fix for one of the three vulnerabilities, with patches for the remaining two scheduled for December, so affected devices remain exposed until then.
A threat actor added malicious code to the Solana cryptocurrency project's official JavaScript SDK. The inserted code was designed to steal private keys from applications that use the SDK and then drain their crypto assets. Solana attributed the incident to a compromised developer account, which makes this a supply-chain compromise of a published dependency rather than a flaw in the SDK's own code, and a reminder that publishing credentials need the same protection as production secrets.
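As an added example (not code from the podcast or the Solana project), the kind of check a maintainer of a dependent app would run after such an incident: a script that audits an npm `package-lock.json` for copies of the SDK pinned to a compromised version, including nested copies pulled in transitively, and flags entries that carry no integrity hash. The lockfile shape follows npm lockfileVersion 2/3, the sample lockfile is constructed, and the version list is an assumption for this example (public advisories named 1.95.6 and 1.95.7) that should be checked against the current advisory.

```javascript
// Added example: audit an npm lockfile for a dependency pinned to versions reported
// as compromised. Not code from the podcast or the Solana project.
// Assumptions: npm lockfileVersion 2 or 3, whose "packages" map keys are paths like
// "node_modules/@solana/web3.js"; the version list below is an assumption for this
// example (public advisories named 1.95.6 and 1.95.7) and must be checked against
// the current advisory before use.

const COMPROMISED = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// Extracts the package name from a lockfile "packages" path, e.g.
// "node_modules/foo/node_modules/@solana/web3.js" -> "@solana/web3.js".
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// Scans a parsed package-lock.json and returns one finding per installed copy of a
// watched package that is pinned to a compromised version, plus one for any copy
// that has no "integrity" hash (its tarball could be swapped without the lockfile
// noticing). Nested copies under other packages' node_modules are included.
function auditLockfile(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!name || !(name in COMPROMISED)) continue;
    const version = entry.version;
    if (COMPROMISED[name].has(version)) {
      findings.push({ path, name, version, reason: "compromised-version" });
    }
    if (!entry.integrity && !entry.link) {
      findings.push({ path, name, version, reason: "missing-integrity" });
    }
  }
  return findings;
}

// Constructed sample lockfile: a direct dependency on a clean version plus a nested
// copy, pulled in by a hypothetical wallet adapter, that resolved to a bad build.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": {
      version: "1.95.8",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.8.tgz",
      integrity: "sha512-AAAA", // placeholder hash, constructed for the sample
    },
    "node_modules/some-wallet-adapter": { version: "0.1.0", integrity: "sha512-BBBB" },
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": {
      version: "1.95.7",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.7.tgz",
      // no integrity field: this copy is also flagged as "missing-integrity"
    },
  },
};

// Runs the audit over the constructed sample; on a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
function runSample() {
  return auditLockfile(SAMPLE_LOCK);
}

for (const f of runSample()) {
  console.log(`${f.reason}: ${f.path}@${f.version}`);
}
```

The direct dependency on a clean version passes; the nested copy is reported twice, once for the pinned version and once for the missing integrity hash. Checking nested paths matters because `npm ls` style lookups at the top level miss a bad copy that a transitive dependency pulled in on its own.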
Conclusion
This episode of Risky Business News covers the widening Salt Typhoon telco intrusions, Russian election interference in Romania, a run of arrests and sanctions against cybercrime and laundering networks, Turla's hijacking of another APT's infrastructure, state spyware against an individual, and actively exploited vulnerabilities in routers and a widely used JavaScript SDK.