Meet the cybercrime group that appears to do cyberespionage on the side - Source: www.proofpoint.com

Welcome to The Cybersecurity 202! When I looked out my window Thursday, I didn’t see all the fuss about the smoke hitting D.C. and other cities. Then I walked outside for a second. That was … rough.

Below: Biden administration officials deny reports that Cuba and China agreed to establish a spy base, and Julian Assange loses an appeal against U.S. extradition. First:

First seen snooping in cyberspace about Ukrainian refugees, Asylum Ambuscade may actually primarily be about crime

It’s not uncommon for nation-linked hacking groups to moonlight as cybercriminals to supplement their cyberespionage work.

It’s less common for it to be the other way around.

Researchers at cybersecurity company ESET said in a report out Thursday that one such group previously known as a cyberespionage gang has, in fact, been more of a cybercrime gang all along.

“Even though the group came into the spotlight because of its cyberespionage operations, it has been mostly running cybercrime campaigns since early 2020,” Matthieu Faou, a malware researcher at ESET, wrote in a blog post. “It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations.”

Other researchers have suspected that the group, known as Asylum Ambuscade, has ties to Russian ally Belarus. Proofpoint last year found the group targeting European government officials aiding Ukrainian refugees.

Those two factors also give it a connection to the ongoing Russia-Ukraine war, in which Ukraine launched a counteroffensive this week. That conflict has seen any number of cyber precedents and innovations.

When cybersecurity company Proofpoint last year reported on some of the origins of spearphishing emails sent to European government staffers, it dubbed the campaign of emails — rather than the group itself — as Asylum Ambuscade.

The company did see some overlap with groups and attacks that researchers previously identified as having connections to the government of Belarus.

Here’s who the hackers targeted, according to the firm:

“The Proofpoint-observed email messages were limited to European governmental entities,” wrote Michael Raggi and Zydeca Cass of the company’s threat research team.
“The targeted individuals possessed a range of expertise and professional responsibilities,” they wrote. “However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.”
“This campaign may represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,” it continued.

The group that ESET called Asylum Ambuscade has hit at least 4,500 victims, by ESET’s count. Most of them have been in North America — the United States is historically the most popular target for cybercrime gangs — but the group has also hit victims in Africa, Asia, Europe and South America, ESET said.

Its crime targets mostly include cryptocurrency traders, small and medium businesses (SMBs) and individuals.

“While the goal of targeting cryptocurrency traders is quite obvious — stealing cryptocurrency — we don’t know for sure how Asylum Ambuscade monetizes its access to SMBs,” Faou wrote. “It is possible the group sells the access to other crimeware groups who might, for example, deploy ransomware.”

One of the reasons ESET thinks the same group conducted the cybercrime and cyberespionage campaigns is that they attack in a similar way, using similar tools. They’re tools that, while not terribly sophisticated, haven’t been known to be sold to other groups, ESET said.

“It appears to be branching out, running some recent cyberespionage campaigns on the side, against governments in Central Asia and Europe from time to time,” Faou wrote.

It’s the biggest shooting war to date with a persistent cyber dimension. The alleged Russian hacks began even before the bombs dropped and the tanks advanced.

But the online aggression has taken aim at Russia, too.

Earlier this week, Russia said that an emergency address where President Vladimir Putin apparently declared martial law over the radio and TV that aired in parts of Russia near the Ukrainian border was, instead, a deepfake created by hackers using artificial intelligence. No one appears to have claimed credit for the deepfake.
Cyberattacks have knocked down Russia’s YouTube equivalent and defaced Russian TV stations’ websites to display pro-Ukrainian messages.

Belarus has sometimes been in the crossfire.

Ukraine accused Belarus government-linked hackers of launching a cyberattack on Ukrainian government websites just before the war began.
A group that has identified itself as pro-democracy Belarusian hacktivists has claimed multiple attacks on Belarusian Railways to “slow down the transfer of occupying forces and give the Ukrainians more time to repel the attack.”
Researchers have accused Ghostwriter, another Belarus government-connected group, of launching disinformation campaigns focused on Ukraine.

And cybersecurity researchers are still waiting to see how big a role the cyber dimension plays in Ukraine’s long-awaited counteroffensive, which began this week.

Biden administration officials deny reports of Cuba hosting Chinese spy base

Biden administration officials have denied reports that Cuba and China agreed to establish a spy base for China on the island nation that could allow Chinese operatives to gather information on activities in the southeastern United States.

“China has agreed to pay cash-strapped Cuba several billion dollars to allow it to build the eavesdropping station and that the two countries had reached an agreement in principle,” the Wall Street Journal’s Warren P. Strobel and Gordon Lubold first reported, citing officials familiar with the matter.
The base would reportedly allow China to grab U.S. electronic communications including emails and phone calls and monitor ship traffic, according to the officials familiar with the highly classified matter who described the intelligence as convincing.

After publication of the Journal’s story, National Security Council spokesperson John Kirby said: “This report is not accurate” and did not provide additional details. “We remain confident that we are able to meet all our security commitments at home and in the region.”

The night before the Wall Street Journal published its story, Kirby “said he couldn’t comment on the details … but noted that the U.S. was monitoring and taking steps to counter the Chinese government’s efforts to invest in infrastructure that might have military purposes,” Strobel and Lubold write.
Pentagon spokesperson Brig. Gen. Patrick Ryder told Reuters: “I can tell you based on the information that we have, that that is not accurate, that we are not aware of China and Cuba developing a new type of spy station.”
The CIA declined to comment to CNN’s Natasha Bertrand and the New York Times’s Karoun Demirjian and Edward Wong. The Office of the Director of National Intelligence declined to comment to the Times.

Officials from Cuba and China also weighed in:

The Cuban Embassy in Washington said the Journal’s story was “totally mendacious and unfounded information.” Cuban Deputy Foreign Minister Carlos Fernandez de Cossio denied the reports, calling them “totally untrue” and “slanders,” Bertrand reported.
Chinese foreign ministry spokesperson Wang Wenbin said that “spreading rumours and slander is a common tactic” of the United States and said that the “United States is also the most powerful hacker empire in the world, and also veritably a major monitoring nation,” Reuters’s Liz Lee reports.

The development comes amid ongoing U.S. concerns of Chinese espionage including recent spy balloon incidents and global scrutiny of the China-linked TikTok app. Secretary of State Antony Blinken could visit China this month, which would come weeks after CIA Director William J. Burns reportedly visited the country.

“China and the United States routinely conduct surveillance operations on one another,” Demirjian and Wong write, later adding that “American officials have accused China in recent years of ambitious hacking attacks against the U.S. government and corporations, trying to recruit agents and assets inside and outside the United States and monitoring and threatening Chinese dissenters overseas.”

WikiLeaks founder Assange loses U.S. extradition appeal

WikiLeaks founder Julian Assange lost an appeal to the U.K. High Court against extradition to the United States, Chris Pollas and Rebecca Camber report for the Daily Mail.

The founder of the famed website known for publishing classified documents was indicted by the United States in 2019 and 2020 for charges mainly stemming from WikiLeaks’s 2010 and 2011 leaks of thousands of pages of classified records about the wars in Afghanistan and Iraq that were shared by former Army private Chelsea Manning.
Assange has also been charged in the United States with conspiring to hack a protected computer — an attempt to help Manning break a Pentagon password in 2010.

Assange in December appealed the extradition to the European Court of Human Rights (ECHR), but to halt the extradition a judge would have to issue a rare interim order to suspend it. “Between 2020 and 2022, the ECHR granted 12 of 161 applications for ‘interim measures’ against the UK government,” Pollas and Camber write.

Assange’s wife, Stella Assange, said that Assange plans to contest the decision. “On Tuesday next week my husband will make a renewed application for appeal to the High Court,” she said in a tweet.

Some news organizations, including the New York Times, have argued that the case could “undermine America’s First Amendment and the freedom of the press.”

“If [President] Biden lets this case proceed, future administrations will surely use the precedent of the Assange prosecution, and the unconstitutional authority to criminalize newsgathering that Biden is claiming, to go after journalists they don’t like,” Freedom of the Press Foundation advocacy director Seth Stern said.

State Department offering $5 million reward linked to Swedish seller of encrypted FBI phones

The State Department is offering $5 million for information leading to the arrest of Swedish national Maximilian Rivkin, who was accused in an indictment of being an administrator and influencer behind an encrypted phone service that law enforcement agencies secretly snooped on, Joseph Cox reports for Motherboard.

“Many underground phone sellers sold Anom devices without knowing the company was actually an FBI plot,” Cox writes.
Rivkin’s “communications on the platform implicated him in several nefarious activities, including his alleged participation in drug trafficking, money laundering, murder conspiracy and other violent acts,” the State Department said.

The announcement comes around two years after U.S. and Australian intelligence agencies began publicly unveiling the Anon operation. The United States in 2021 unveiled charges against Rivkin and 16 others for operating the Anon enterprise, Cox writes.

The Anom business grew to around 12,000 devices in over 100 countries and impacted more than 300 criminal organizations, the Justice Department said.
Multiple operators have recently been extradited, the Vice report notes.

Thanks for reading. See you next week.

Original Post URL: https://www.proofpoint.com/us/newsroom/news/meet-cybercrime-group-appears-do-cyberespionage-side