Risky Business News: Salt Typhoon's Telco Hacking Spree Keeps Getting Bigger
Released on December 5, 2024 | Host: Claire | Prepared by Catalin Cimpanu
1. Salt Typhoon's Expanding Cyber Assault on US Telecommunications
In the episode's lead story, Salt Typhoon, a notorious Chinese hacking group, has significantly escalated its cyberattacks on US telecommunications companies. According to Deputy National Security Adviser for Cyber Anne Neuberger, these intrusions have been ongoing for two years, affecting at least eight US telcos, with further victims in dozens of other countries. Neuberger stated at [02:15]:
"The hackers accessed a vast quantity of metadata while targeting specific calls and texts, indicating a highly strategic approach to their operations."
The FBI continues to combat these breaches, striving to remove Salt Typhoon from the compromised networks. CISA Director Jen Easterly announced that the Cyber Safety Review Board (CSRB) investigation into these hacks is set to commence on Friday [04:30], signaling a robust response to the threat.
2. Russian Influence Operations in Romanian Elections via TikTok
The European Commission has taken decisive action against TikTok, ordering the preservation of data related to the Romanian elections. This follows the declassification of top-secret documents by Romania's National Security Council, which uncovered a massive influence campaign orchestrated to sway the election outcome. The operation prominently promoted Călin Georgescu, propelling the candidate from 1% to nearly a quarter of the vote in the polls within the month before the election.
In a statement released this week at [08:45], the U.S. State Department attributed the campaign to Russian operatives:
"The coordination and scale of this operation indicate direct involvement by Russian intelligence services aiming to destabilize democratic processes."
TikTok responded by removing two clusters of accounts implicated in promoting the Georgescu campaign, including accounts directly operated from Russia.
3. Iranian State-Sponsored Hackers Target Trump's Transition Team
Semafor reported that Iranian state-sponsored hackers successfully infiltrated the communications of Kash Patel, who was nominated by Donald Trump for FBI Director. This breach extended to multiple members of the Trump transition team, highlighting ongoing vulnerabilities within high-profile political circles. The hacks, initially detected in June, demonstrate the persistent cyber threats posed by state actors targeting U.S. political figures.
4. UK Authorities Cracking Down on Money Laundering Networks
In a significant crackdown, UK authorities have dismantled two major money laundering networks tied to drug cartels, ransomware operations, and Russian espionage. A total of 84 individuals associated with Smart and TGR have been arrested. These organizations were responsible for laundering billions of dollars via cryptocurrencies and front companies. The U.S. Treasury Department has sanctioned six executives from Smart and TGR, including Ukrainian national George Rossi and Russian national Ekaterina Zhdanova, who has been on the sanctions list since last year for her involvement in laundering Ryuk ransomware payments.
5. Europol Takes Down Manson Market, a Major Cybercrime Hub
Europol successfully dismantled Manson Market, a cybercrime platform notorious for selling stolen personal and financial information. Operations spanning Austria and Germany led to the arrest of two suspects and the seizure of over 50 servers across Europe. The platform facilitated data theft through various tactics, including fake online stores and impersonation of bank employees, as reported at [15:20].
6. Arrest of Scattered SPIDER Group Member in the US
US authorities have apprehended Remington Ogletree, a Californian teenager suspected of being a member of the Scattered SPIDER hacking group. Ogletree is accused of hacking two telcos and disseminating millions of phishing links via SMS with the intent to steal cryptocurrency. This marks the sixth member of the group charged within the past month, as highlighted by Bloomberg [20:10]. Ogletree was detained last month and released on bail awaiting further legal proceedings.
7. French Hacker Charged for AWS Email Server Exploits
French authorities have brought charges against Sébastien Raoult, also known as Sezyo Kaizen, a member of the ShinyHunters hacking group. Raoult developed and sold malware designed to hijack AWS email servers, allowing unauthorized access and control. Between 2021 and 2022, Raoult marketed this malicious software online. Previously sentenced to three years in a US prison in January and recently extradited back to France, Raoult faces new charges, according to Paris Match [24:50].
8. Turla Exploits Pakistani APT’s Infrastructure for Broader Attacks
A sophisticated Russian cyber espionage group, Turla, has commandeered the infrastructure of the Pakistani APT Transparent Tribe to deploy its own malicious payloads. Research conducted by Lumen and Microsoft revealed that Turla operators infiltrated the command and control servers at the end of 2022, leveraging the existing network to target victims previously compromised by Transparent Tribe. Microsoft noted that Turla has targeted at least six other APTs over the past decade, with the last publicly known operation being against the Iranian APT group OilRig in 2019 [29:35].
9. Meta Uncovers Additional Russian Entities in Operation Doppelganger
Meta's security team has identified a third Russian organization involved in the expansive influence campaign known as Operation Doppelganger. Recent Doppelganger activities have been traced to individuals affiliated with the Moscow State Institute of International Relations. Previously, Meta had associated Doppelganger's efforts with the Russian companies Structura and Social Design Agency, both of which are sanctioned by the US and EU.
10. Russian FSB Spyware Compromises Ukrainian Programmer's Device
The Russian FSB intelligence agency clandestinely installed Monokle, a mobile spyware strain developed by Russia's Special Technology Centre, on the device of an ethnic Ukrainian programmer, Kirill Parubets [35:00]. After Parubets was arrested in April for allegedly sending money to Ukraine, he was coerced into unlocking his phone under threat of treason and murder charges. He discovered the spyware 15 days after his release, leading to his and his wife's immediate flight from the country, as detailed in a joint investigation by Citizen Lab and First Department.
11. Stoli USA's Bankruptcy Amid Ransomware and Asset Seizures
Stoli USA, the American division of the vodka maker Stoli, has filed for bankruptcy in a Texas court. The company cited a ransomware attack in August and the seizure of its Russian assets as primary factors disrupting its operations. The ransomware incident forced Stoli USA to lose access to its ERP platform, crippling critical processes such as supply chain management, production, and order deliveries. Recovery efforts are projected to extend until March [38:45].
12. Zero-Day Vulnerabilities in I-O DATA Routers Exploited by Threat Actors
Threat actors are actively exploiting three zero-day vulnerabilities in routers from the Japanese vendor I-O DATA. These vulnerabilities allow hackers to modify settings, execute OS commands, and disable firewall protections. Reports of abuse surfaced in mid-November, prompting I-O DATA to release a fix for one of the vulnerabilities immediately, with patches for the remaining two scheduled for December. This ongoing threat underscores the critical need for timely security updates in networking hardware.
13. Malicious Code Injected into Solana's Official JavaScript SDK
A security breach has been identified within the Solana cryptocurrency project, where malicious code was injected into its official JavaScript SDK. The inserted code was engineered to steal private keys from applications using the SDK and subsequently drain the targeted crypto assets. Solana has attributed the incident to a compromised developer account, emphasizing the importance of securing developer credentials to prevent such supply-chain compromises.
Conclusion
This episode of Risky Business News covers a wide range of cybersecurity challenges spanning global telecommunication breaches, election interference, sophisticated hacking groups, and critical vulnerabilities in widely used technologies. With insights from key security officials and detailed reports on ongoing investigations, listeners gain a comprehensive understanding of the persistent and evolving threats in the digital landscape.
