GlobalSign Blog

Losses for LockBit and Creepy Cranes – February NewsScam

Losses for LockBit and Creepy Cranes – February NewsScam

Hello and welcome to GlobalSign’s February NewsScam. 

This month saw a slew of cybercriminal arrests culminating with authorities descending upon one major criminal gang. There was plenty of other news, especially in the medical/healthcare arena, so let’s jump right in. 

Hacker Arrests and Indictments Everywhere, All at Once 

In early February, Interpol arrested more than 30 criminals involved in ‘Operation Synergia’ operation. As a result, 31 suspected cybercriminals were arrested and 1,300 malicious servers used to carry out phishing attacks and distribute malware were discovered. 

On February 14th, Ukrainian police arrested a 31-year old man for selling bank accounts of US and Canadian users and then selling them on the dark web. Among the items confiscated various items during three separate searches was a luxury Mercedes-Benz SUV worth around $65,000.

The following day, February 15th, the FBI arrested a Ukrainian national who ran two notorious malware gangs and was one of the agency’s ‘cyber most wanted’ for nearly ten years. Vyacheslav Igorevich Penchukov pled guilty in US federal court to racketeering and wire fraud charges. He was behind the 2020 IcedID attack on University of Vermont Medical Center, which cost the facility more than $30 million and left it “unable to provide many critical patient services for over two weeks,” the according to the Justice Department.

All the arrests this month closed with a big bang, when a global collection of cybersecurity sleuths seized the ransomware operations of prolific cybercriminal gang, LockBit, on February 20th. The international law enforcement operation was led by Britain’s National Crime Agency and the FBI. According to the director general of Britain’s National Crime Agency, “We have hacked the hackers,” and “taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.”

‘Operation Cronos’ resulted in the indictment of two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondraty, charging them with  deploying LockBit ransomware against numerous companies and groups worldwide. (And hospitals, such as the children’s hospital in Chicago, Illinois last month, and prior to that Toronto's SickKids hospital.)  

As the cyber criminals may be on the run the US Department of State is offering a reward of up to $10 million for information leading to the location of Sungatov and Kondraty, and up to $5 million for information leading to the arrest of their affiliates. ‘Cronos’ took place just in time. It is reported that LockBit developers were building a new version of their destructive file encrypting malware, which was likely LockBit 4.0.

In addition to the indictments, authorities in Ukraine and Poland each arrested a LockBit affiliate, a Polish father and son who are believed to be behind numerous attacks, including French healthcare facilities. France was particularly eager for some payback after another, significant January 2022 incident at the French Ministry of Justice. 

ALPHV/BlackCat Could be Next

Yet another well-known ransomware gang, ALPHV/Blackcat, is in the hotseat. Just as with indicted LockBit criminals, the US government is also offering financial reward for information leading to the arrest of key leaders of this other notorious cybercrime gang. ALPHV/Blackcat attack says it is behind the recently disclosed cyberattacks against LoanDepot and Prudential Financial. 

Targeted ransomware attacks underscore hacker’s unhealthy obsession with medicine

Romanian hospitals were deeply impacted by a ransomware attack this month. At one point 100 different institutions were involved. Romania’s Pitesi Pediatric Hospital was the first known victim of what is essentially a domino-effect cyberattack on Feb. 10th, and then other hospitals were hit on February 11th and12th.

In France, a hospital in Armentieres was attacked in early February. As a result, the hospital was forced to close its emergency department for a day and redirect patients to other hospitals. Also in France, the personal information of 33 million of its citizens may have been exposed following data breaches at two separate organizations. On February 1st, Viamedis, France’s top provider for medical third-party payments, confirmed it had suffered a data breach. Just four days later, Almerys - another third-party payment operator - announced it, too, experienced a data breach. Bleeping Computer has the story on both organizations.

In the US, healthcare insurance giant UnitedHealth Group’s subsidiary Optum was impacted by a nation-state attack. Optum was forced to shut down IT systems and numerous services after the cyberattack on its Change Healthcare platform, the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system. The attack caused prescription delays and the American Hospital Association also began urging healthcare facilities to disconnect from Optum until it’s been determined that it is safe to reconnect.

Creepy Cranes

On February 21st we learned it is possible that Chinese-made cranes at U.S. ports are spying on us, posing maritime cyber threats. This news came after President Biden issued an executive order following warnings from U.S. national security officials that China-linked hacking group Volt Typoon could be spying on the US through 200 or so cranes

Schneider Electric Hackers Post Snapshot of American Passports

The Cactus ransomware gang claimed responsibility for last month’s attack on French manufacturer Schneider Electric. The ransomware group posted 25 megabytes of the data online as proof of its attack. On Feb 19th Schneider Electric confirmed on their website that “certain data” from its Sustainability Business Division was obtained by the threat actor. While the full extent of the data stolen was not 100% certain, published reports said the Cactus posted snapshots showing American passports and scans of non-disclosure agreements.

The attorney general’s office in the great state of Maine recently shared a false data breach notification, which included a misspelling of “Saint Louis”, Missouri, was submitted by someone claiming to own not only the police department, but the entire state of Missouri. The posting was however deleted several days later.

But Wait, There’s More

Chinese hackers breached Dutch Ministry of Defense - HelpNetSecurity
Southern Water cyberattack expected to hit hundreds of thousands of customers - The Register
Fifth of British Kids Have Broken the Law Online - InfoSecurity
Battery maker Varta halts production after cyberattack - HelpNetSecurity
Clorox says cyberattack caused $49 million in expenses - Bleeping Computer
Funerals reportedly canceled due to ransomware attack on Austrian town - The Record
Cyberattacks on state and local governments rose in 2023, says CIS report - Cyberscoop
No, 3 million electric toothbrushes were not used in a DDoS attack - Bleeping Computer

Share this Post

Recent Blogs