Happy Friday, and thanks for stopping by our blog. It’s been another very active week.
Early in the week we learned that the US military is taking military action against ransomware groups. General Paul M. Nakasone, head of US Cyber Command, confirmed the actions during a recent national security event. Speaking at the Reagan National Defense Forum, the General explained that his agency is working hand-in-hand with the NSA, FBI and other federal entities.
Australian government-owned energy company CS Energy has been responding to a ransomware incident that targeted its corporate network systems on November 27. Fortunately, it appears the attack did not impact electricity generation at key power stations.
European supermarket chain SPAR was this week forced to close a number of stores following a cyber attack. More than 300 stores were affected by the incident. The cyber attack impacted all of the retailer’s IT systems and left staff without access to emails.
France’s national cyber-security agency, Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), warned that the same cybercrime gang behind the SolarWinds hack has been targeting French organizations for nearly a year. While ANSSI has not determined how the group known as Nobelium (among other names) compromised email accounts belonging to French organizations, it added that the hackers used those accounts to deliver malicious emails targeting foreign institutions.
On Friday we learned that Brazil’s Ministry of Health has suffered a major ransomware attack. Hackers claimed to have copied and deleted 50 TB worth of data from internal systems. The unfortunate result is that COVID-19 vaccination data for millions of citizens is now unavailable. The Lapsus$ Group has claimed responsibility for the attack.
That’s a wrap for the week. Have a great weekend!
Top Global Security News
ZDNet (December 10, 2021) Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes
"Websites under Brazil's Ministry of Health (MoH) have suffered a major ransomware attack that resulted in the unavailability of COVID-19 vaccination data of millions of citizens.
Following that attack that took place at around 1 am today, all of MoH's websites including ConecteSUS, which tracks the trajectory of citizens in the public healthcare system, became unavailable. This includes the COVID-19 digital vaccination certificate, which is available via the ConecteSUS app.
According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50 TB worth of data has been extracted from the MoH's systems and subsequently deleted. 'Contact us if you want the data returned', the message said, alongside contact details for the authors of the attack."
Reuters (December 9, 2021) Hackers make some Vestas' data public after ransomware attack
"Personal data stolen from wind turbine maker Vestas (VWS.CO) by hackers in a so-called ransomware attack last month has been made public, the firm said late on Wednesday.
A cyber security incident on Nov. 19 forced Vestas to shut down IT systems across multiple business units and locations to contain the issue.
The Danish company said it was able to continue operations but that data had been compromised.
'The hackers managed to retrieve data from the compromised internal file share systems and have made some of the compromised data public,' Vestas said in a statement."
Teiss (December 8, 2021) Australian energy giant CS Energy suffers a ransomware attack
"CS Energy, an Australian government-owned energy company located in Queensland, said in a statement that it is responding to a ransomware incident that targeted its corporate network systems on November 27.
The energy giant, which supplies over 3,500 MW of power to Australia’s National Electricity Market, said that the attack did not impact electricity generation at its Callide and Kogan Creek power stations and that the stations are continuing to generate and dispatch electricity to the market.
Andrew Bills, CEO of CS Energy, said that the company’s prime focus is to restore the security of its network and support employees, customers, and business partners with any questions they may have.
'CS Energy moved quickly to contain this incident by segregating the corporate network from other internal networks and enacting business continuity processes,' Bills said. 'We immediately notified relevant state and federal agencies, and are working closely with them and other cyber security experts.'"
Computer Weekly (December 7, 2021) Investigation mounted into Spar supermarket cyber attack
"The UK’s National Cyber Security Centre (NCSC) is investigating a security incident that has caused disruption at about 300 Spar stores in the north of England in a cyber attack that bears the hallmarks of a supply chain ransomware hit.
Based in the Netherlands, Spar operates a franchise model with more than 13,000 individual stores globally. It is some of these franchises that have been attacked by threat actors as yet unknown.
Among the victims is Lawrence Hunt & Co, which operates 25 stores in Lancashire. The firm described a 'total IT outage affecting all our stores' which forced them to remain closed on Sunday 5 December. The franchisee later confirmed an outage 'affecting tills, credit cards and back-office systems.'"
Bleeping Computer (December 6, 2021) France warns of Nobelium cyberspies attacking French orgs
"The French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last year's SolarWinds hack has been targeting French organizations since February 2021.
While ANSSI (short for Agence Nationale de la Sécurité des Systèmes d'Information) has not determined how Nobelium compromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails targeting foreign institutions.
In turn, French public orgs were also the targets of spoofed emails sent from servers belonging to foreign entities, believed to be compromised by the same threat actor."
CyberScoop (December 6, 2021) Cyber Command boss acknowledges US military actions against ransomware groups
"The U.S. military has taken offensive measures against ransomware groups, U.S. Cyber Command leader Gen. Paul Nakasone confirmed Saturday.
'Before, during and since, with a number of elements of our government, we have taken actions and we have imposed costs,' Nakasone told The New York Times in an interview. 'That’s an important piece that we should always be mindful of.'
CNN confirmed the offensive cyber-operations to disrupt foreign ransomware groups with a military spokesperson.
U.S. Cyber Command, the military’s top hacking unit, has reportedly been going after criminal groups dating back to before the 2020 election, when it attempted to knock out TrickBot, a network of infected computers used to deliver malware. More recently, the command had a role in shutting down ransomware group REvil’s operations, working with foreign governments to redirect traffic from the group’s website, The Washington Post first reported in November."
ZDNet (December 6, 2021) Microsoft seizes domains used to attack 29 global governments
"Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean.
In two blog posts published on Monday, Microsoft vice president Tom Burt, the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center said they have been tracking Nickel since 2016 and that a federal court in Virginia granted the company's request to seize websites the group was using to attack organizations in the US and other countries.
Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to 'cut off Nickel's access to its victims and prevent the websites from being used to execute attacks.'"
Other Industry News