Claire Aird
The US indicts the i-Soon and APT27 hackers, the BadBox botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets. This is Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 7th of March and this podcast episode is brought to you by cloud security company Prowler.

The U.S. Department of Justice has unsealed charges against 12 Chinese nationals linked to cyber espionage. Two individuals were linked to the APT27 hacking group. Two were officers from China's Ministry of Public Security who directed i-Soon's operations, and the rest were i-Soon employees. Both APT27 and i-Soon carried out hacks for personal profit alongside more legitimate cyber espionage. The Justice Department claims i-Soon was behind a hacking campaign that broke into the foreign ministries of at least four countries. US officials say one APT27 member, Yin Kecheng, hacked the US Treasury Department in December 2024.

In other news, US and European law enforcement agencies have seized the website of Russian cryptocurrency exchange Garantex. Garantex claims that authorities also seized $27 million worth of Tether coins from the company's crypto wallets. The US sanctioned Garantex in April 2022 for laundering funds linked to dark web marketplaces and ransomware activity. The EU imposed its own sanctions on the exchange last month.

Japanese telco giant NTT says hackers breached its internal network last month. The company says hackers stole data relating to almost 18,000 corporate customers. The company also suffered a major breach in 2020.

If you've still got bad blood over missing out on Taylor Swift tickets, you might be pleased to hear US authorities have arrested two members of a cybercrime group charged with stealing and reselling close to 1,000 concert tickets. Most of those were for the Eras Tour. Tyrone Rose and Shamarra P. Simmons allegedly made more than $600,000 reselling the tickets on the black market. The charges claim that Rose abused his access to computer systems while working at a partner for ticket reseller StubHub. The pair are said to have redirected emails containing tickets that had already been sold to themselves and relisted them for sale.

The US has extradited a Nigerian man living in Mexico to face charges for cybercrimes and tax fraud. Officials claim Matthew A. Akande hacked a Massachusetts tax preparation firm and filed fraudulent tax returns. The five-year scheme allegedly netted Akande more than $1.3 million in fraudulent tax refunds.

The Scam Empire cybercrime cartel has been unmasked by 32 media outlets that coordinated their coverage on Wednesday. Investigators estimate the cybercrime cartel has stolen at least $275 million from more than 32,000 victims. The group operated call centers that scammed people into investing in non-existent cryptocurrencies. The scams were traced back to call centers in Eastern Europe, Israel and Georgia. Reporters began investigating after a Swedish TV station received 1.9 terabytes of leaked data from an anonymous source detailing the scam.

A handful of security firms have disrupted a new version of the BadBox botnet. The company sinkholed botnet traffic and took down 24 malicious Android apps. Human Security says it identified four threat actors working together and operating different parts of the botnet. This new incarnation of BadBox has infected more than a million devices. The botnet was used to relay malicious traffic and carry out ad fraud. German authorities sinkholed an earlier version at the end of last year.

South Korea's intelligence agency has warned local companies that North Korean hackers are conducting software supply chain attacks. The attacks have targeted a groupware platform and a mobile identity verification system. The warning also highlights attacks on IT service providers and has urged administrators to be vigilant.

Hackers are selling a Telegram exploit that can disguise malicious apps and code as fake video files. The exploit, EvilLoader, has been on sale since January. The tool crafts video files that prompt Telegram users to run malicious code or install dodgy apps. The bug the tool uses is still unpatched, but only affects the Android version of Telegram.

And finally, Cybereason CEO Eric Gan has resigned after clashing with investors. In February, Gan sued investment firm SoftBank and former U.S. Treasury Secretary Steven Mnuchin for blocking Cybereason's refinancing efforts. He claimed their actions had brought the company to the edge of bankruptcy. Cybereason has scrapped its planned merger with US security firm Trustwave, and that is all for this podcast edition. Today's show is brought to you by our sponsor Prowler. Find them at prowler.com. Thanks for your company.
Episode Title: Risky Bulletin: US Indicts i-SoOn and APT27 Hackers
Host: Claire Aird
Release Date: March 7, 2025
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in cybersecurity, covering significant indictments, cyberattacks, and disruptions. Prepared by Catalin Cimpanu, the bulletin covers the activities of hacking groups, law enforcement actions, and emerging threats that shape the current cybersecurity environment.
At the forefront of today's news, the U.S. Department of Justice has unsealed charges against twelve Chinese nationals associated with cyber espionage activities. These individuals are linked to two notorious hacking groups: i-Soon and APT27. Claire Aird reports:
"The Justice Department claims i-Soon was behind a hacking campaign that broke into the foreign ministries of at least four countries" ([00:00]).
Among the indicted, two are officers from China's Ministry of Public Security who orchestrated i-Soon's operations, while the remaining i-Soon employees were involved in both personal profit-driven hacks and more sanctioned cyber espionage missions. Notably, an APT27 member, Yin Kecheng, is accused of hacking the U.S. Treasury Department in December 2024.
In a significant blow to cybercriminal financial operations, US and European law enforcement agencies have seized the website of the Russian cryptocurrency exchange Garantex. Claire Aird details:
"Authorities also seized $27 million worth of Tether coins from the company's crypto wallets" ([00:02]).
Garantex was previously sanctioned by the U.S. in April 2022 for money laundering activities linked to dark web marketplaces and ransomware operations. The European Union followed suit with its sanctions last month. This coordinated crackdown underscores the international effort to dismantle financial channels facilitating cybercrime.
Japanese telecommunications leader NTT has reported a breach of its internal network last month, resulting in the theft of data pertaining to nearly 18,000 corporate customers. Claire Aird notes:
"The company also suffered a major breach in 2020" ([00:03]).
This incident marks a recurring security challenge for NTT, highlighting the persistent threats faced by large corporations and the importance of robust cybersecurity measures.
Cybercriminal activities have also reached the entertainment industry. Authorities have apprehended two members of a cybercrime group responsible for stealing and reselling approximately 1,000 concert tickets, most of them for Taylor Swift's Eras Tour. Claire Aird explains:
"Tyrone Rose and Shamarra P. Simmons allegedly made more than $600,000 reselling the tickets on the black market" ([00:04]).
The charges allege that Rose exploited his access to computer systems at a partner company of StubHub, redirecting emails containing already sold tickets to the pair for illegal resale. This case underscores the diverse targets and methods employed by cybercriminals.
The U.S. has successfully extradited Matthew A. Akande, a Nigerian national residing in Mexico, to face charges related to cybercrimes and tax fraud. According to Claire Aird:
"Officials claim Akande hacked a Massachusetts tax preparation firm and filed fraudulent tax returns" ([00:05]).
Akande's five-year scheme allegedly resulted in over $1.3 million in fraudulent tax refunds, representing a significant financial loss and highlighting the global nature of cyber fraud.
A coordinated effort by 32 media outlets has unveiled the Scam Empire cybercrime cartel, responsible for stealing an estimated $275 million from over 32,000 victims. Claire Aird details the operation:
"The group operated call centers that scammed people into investing in non-existent cryptocurrencies" ([00:06]).
The investigation was sparked by a Swedish TV station receiving 1.9 terabytes of leaked data from an anonymous source. The scam involved call centers across Eastern Europe, Israel, and Georgia, showcasing the extensive and organized infrastructure behind large-scale cyber fraud.
Security firms have disrupted a new version of the BadBox botnet, thwarting its malicious activities once again. Claire Aird reports:
"The company sinkholed botnet traffic and took down 24 malicious Android apps" ([00:07]).
Human Security identified four threat actors collaborating within the botnet's new incarnation, which has infected over a million devices. The botnet was primarily used for relaying malicious traffic and executing ad fraud. This marks a continuation of efforts to dismantle BadBox, following German authorities' sinkholing of an earlier version at the end of last year.
South Korea's intelligence agency has issued warnings to local companies about ongoing supply chain attacks orchestrated by North Korean hackers. Claire Aird explains:
"The attacks have targeted a groupware platform and a mobile identity verification system" ([00:08]).
The warning also highlights attacks on IT service providers and urges administrators to be vigilant against state-sponsored supply chain threats.
A new threat has emerged in the form of a Telegram exploit named EvilLoader, which has been available for purchase since January. Claire Aird details:
"The tool crafts video files that prompt Telegram users to run malicious code or install dodgy apps" ([00:09]).
This exploit relies on an unpatched bug affecting only the Android version of Telegram, allowing malicious actors to disguise harmful apps and code as seemingly innocuous fake video files, posing a significant risk to Android users until a fix ships.
In corporate news, Cybereason CEO Eric Gan has resigned following disputes with investors. Claire Aird reports:
"In February, Gan sued investment firm SoftBank and former U.S. Treasury Secretary Steven Mnuchin for blocking Cybereason's refinancing efforts" ([00:10]).
Gan claimed that these actions pushed the company to the brink of bankruptcy. Cybereason has also scrapped its planned merger with U.S. security firm Trustwave. This development marks a turbulent period for Cybereason as it navigates financial and leadership challenges.
This episode of Risky Bulletin offers a thorough overview of critical cybersecurity incidents and trends, reflecting the dynamic and often perilous nature of the digital security landscape. From indictments of international hacking groups to the disruption of sophisticated botnets, the bulletin underscores the ongoing battle between cybercriminals and those working to safeguard digital assets and infrastructure.