
LockBit's Disastrous Success + Banks Dragged Kicking and Screaming to Combat Fraud

Tom Uren
Friday, November 17, 2023, 10:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack. This newsletter is edited for Lawfare by Eugenia Lostri.

LockBit's Disastrous Success

Ransomware criminals continue to make hay despite increased government efforts worldwide to clamp down on the ecosystem. What's next?

Last week, the U.S. financial services division of China's biggest bank, the state-owned Industrial and Commercial Bank of China (ICBC), was hit by ransomware that reportedly affected trading in U.S. treasuries. According to the Financial Times, "the attack prevented ICBC from settling Treasury trades on behalf of other market participants," and "with its systems compromised, ICBC Financial Services proposed sending a USB stick with trading data to BNY Mellon to help it settle trades." I mean, this is very serious, but lol.

This left ICBC's U.S. unit owing BNY Mellon US$9 billion for unsettled trades, with the subsidiary requiring a capital injection from its parent company to pay the debt. Yikes.

This hack was discussed in the diplomatic stratosphere, and U.S. Treasury Secretary Janet Yellen raised it with Chinese Vice Premier He Lifeng.

Ransomware gang LockBit claimed the attack and told Reuters over the Tox encrypted messenger that ICBC had paid a ransom. Reuters was not able to independently verify this particular claim, but LockBit's involvement was confirmed in reporting from the Wall Street Journal.

This is a very brazen attack, but we also think it's a risky one, at least for the people directly involved, as it is the kind of thing that motivates government officials to take action. And we're not talking about U.S. officials here, but Chinese ones.

Assuming LockBit has some Russian nexus (they advertise on Russian-language dark web forums), Chinese officials could have some influence over Russian law enforcement efforts. The leverage the People's Republic of China (PRC) has over Russia has increased since the Russian invasion of Ukraine, and, as Risky Business News reported last week, Russian officials can arrest cybercriminals when they are motivated to do so.

If the PRC does ask Russian officials to take action, however, we think this will likely just result in the arrest of a few ransomware affiliates. It will not significantly change the ransomware game.

ICBC isn't LockBit's only recent high-profile victim. Security researcher Kevin Beaumont reports that a LockBit "strike team" has been using a recent Citrix NetScaler vulnerability (known as Citrix Bleed) to get initial access to organizations and then passing that access on to another team that ultimately deploys ransomware. (LockBit's use of Citrix Bleed to gain access to ICBC was reported in the Wall Street Journal.)

Other organizations that Beaumont has found running vulnerable versions of NetScaler include British multinational law firm Allen and Overy, Boeing, and DP World Australia. LockBit has claimed credit for the ransomware attack on Allen and Overy and has leaked data purportedly from Boeing as well.

And DP World Australia was crippled by an attack last Friday. Per the Australian Financial Review:

The Middle Eastern-owned stevedore, which operates terminals in Sydney, Melbourne, Brisbane and Perth and handles about 40 per cent of the goods coming in and out of Australia, was forced to shut down technology systems at 10am on Friday.

The shutdown prevented some 30,000 containers of goods from moving in or out of its terminals, including refrigerated containers that can hold anything from lobsters and wagyu beef to blood plasma.

While ships could still offload and pick up containers, the technology systems that allow trucks to share data with the stevedore were turned off, meaning trucks could not get into DP World’s terminals to collect or drop off containers.

There hasn't been an official confirmation of who breached DP World Australia or how they did it, but Beaumont's Citrix NetScaler compromise theory seems plausible or even likely. A patch for that vulnerability was released on Oct. 10.

The Australian government has a playbook for these kinds of serious cyber incidents where it rolls out a whole-of-government response coordinated by a "cyber disaster tsar" (aka the national cyber security coordinator). This approach uses an emergency response framework that was developed during the coronavirus pandemic and was first used in the case of a cyber incident when responding to the Medibank Private breach in late 2022.

From the point of view of a critical infrastructure company, part of this is great. If you are the victim of a significant cybersecurity incident, you'll get all kinds of government assistance! On the other hand, the government will also learn if your cybersecurity posture was subpar.

This essentially puts all critical infrastructure companies on notice to up their game.

That's a good thing, but what else can governments do? Back in November 2022, Australian Cyber Security Minister Clare O'Neil announced "an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups."

In January, we covered how LockBit's porous OPSEC made it "ripe for disruption," and in June, cybersecurity authorities in the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States), France, and Germany issued a cybersecurity advisory warning about LockBit ransomware. We'd be stunned if these recent incidents don't make LockBit a priority target for state action.

Although we love writing about flashy government disruption operations involving website takedowns and press releases, we think operations that covertly degrade ransomware groups are more sensible. Flashy operations push ransomware affiliates to greener pastures, whereas discreet operations leave them toiling joylessly in the ransomware salt mines.

We think these kinds of offensive cyber disruption operations will make a difference, but they won't eliminate ransomware. Ultimately, the crime needs to be starved of funds, so efforts to prevent ransomware payments should be accelerated.   

Banks Dragged Kicking and Screaming to Combat Fraud 

Reuters reports that banks in the United States have begun refunding victims of "imposter scams" on payment app Zelle.

Imposter scams involve people being tricked into sending money to scammers. Prior to June 30, the banks that run Zelle did not refund victims of these scams, as the customers themselves were authorizing the transfers. This meant they weren't required to provide refunds under federal law. 

This reminds us of new U.K. rules for payment systems that come into effect next year. The U.K. rules apply to essentially the same type of fraud, although the Brits call it authorised push payment (or APP) fraud. On Britain's Faster Payments system, U.K. payment firms will split the cost of reimbursement fifty-fifty, giving both the sending and receiving firm incentives to crack down on fraud.

The documents the U.K.'s Payment Systems Regulator released regarding the change are very interesting, particularly its cost-benefit analysis. They leave us with the strong feeling that U.S. banks could do much more but have taken the steps they have to head off the possibility of more expensive regulations.   

Our question for U.S. regulators and lawmakers is, Who do you care more about? Banks or people?

Three Reasons to Be Cheerful This Week:

  1. Phobos ransomware affiliates charged in France: French authorities have charged a Russian couple and allege that they have been working as affiliates for the Phobos ransomware gang. The couple are from Saint Petersburg, Russia, and were arrested in Italy and then extradited to France. Officials say the couple have worked with Phobos since 2020 and are linked to payments from more than 150 victims across the world.
  2. Myanmar scam center progress: Over 160 Thai nationals will be returned to Thailand after being rescued from gangs running scam centers, following a joint PRC-Myanmar law enforcement operation. Seriously Risky Business covered these types of "pig butchering" scam centers here.
  3. Gene giants move to 2FA by default: Following the theft of user records from the 23andMe DNA testing firm, it and other companies in the sector, including Ancestry and MyHeritage, will start using multi-factor authentication for customers by default. For 23andMe, this is very much shutting the gate after the horse has bolted, but it is better than not shutting the gate at all.
Catching the Mirai Botnet Boys

Wired's Andy Greenberg has a good long read covering the story of the Mirai botnet and its three authors, who were teenagers when they started creating the software. Two of the three had originally started a distributed denial-of-service (DDoS) protection company, ProTraf Solutions, and created Mirai to launch DDoS attacks to drum up business.

It was a slippery slope that eventually ended up with Mirai taking out significant portions of the internet with the world's largest DDoS attacks at the time. The three were eventually tracked down by the FBI and cooperated with the agency in cases against other cybercriminals.

Ultimately, it's a story of redemption. The trio avoided jail time because of their cooperation with the FBI. While doing community service, they assisted in the creation of an "internet of things" malware honeypot for an anti-DDoS organization and have since gone on to jobs in finance and security research.

Not Catching Scattered Spider?

Some of the individuals in the Octo Tempest group (aka Scattered Spider), which we've referred to as Lapsus$-style hackers, have reportedly been identified. But what's next? According to Reuters:

For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.

The Reuters article quotes several cybersecurity experts who question why these individuals haven't been arrested.

We are willing to give the FBI the benefit of the doubt here, especially after reading Wired's investigation into Mirai (above). In that case, the arrests took place over many months but ultimately resulted in the trio assisting police investigations and being diverted from a potential life of crime.

State-Based Hackers Focus of Government Reports

The Australian Signals Directorate released its 2023 Cyber Threat Report on Tuesday and the U.K.'s National Cyber Security Centre released its 2023 Annual Review on the same day.

The two reports are same same but with slightly different flavors. Both emphasize the risk to critical infrastructure from state-backed hackers, although the U.K. report is far more explicit about the cybersecurity threat posed by the PRC. 

Israel Turning to Blacklisted Spyware Vendor

According to reporting from Axios and Bloomberg, Israeli security services are turning to the NSO Group spyware company and its Pegasus mobile spyware to help track hostages in Gaza who were kidnapped by Hamas.

Using mobile spyware like Pegasus to locate and possibly collect intelligence from hostages or suspected terrorists makes perfect sense in this situation. From the reporting, it appears the Israeli government has its own capability but is looking to Israeli spyware companies, including NSO Group and Candiru, to provide extra capacity.

Both NSO Group and Candiru were blacklisted by the U.S. government in 2021 because their spyware products had been used extensively to target civil society in a variety of countries. It looks like NSO Group is trying to redeem its reputation, and Axios also covers the company's recent lobbying efforts in the U.S.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify). In our last "Between Two Nerds" discussion, Tom Uren and The Grugq talk about international humanitarian law or the "rules of war" and whether they make any sense in cyberspace.

From Risky Biz News:

Clop is coming after your SysAid servers: The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug…

The recent attacks would make SysAid the fourth enterprise software product the gang has exploited this year, after it previously targeted GoAnywhere and MOVEit file transfer servers and PaperCut print management servers.

[more on Risky Business News]

OCCRP journalists targeted with Pegasus: Two Indian reporters from the Organized Crime and Corruption Reporting Project have had their phones targeted with the Pegasus spyware. The attacks took place hours after the two reporters reached out for comment to the Adani Group, one of India's largest companies. The reporters were investigating the Adani Group's owners for possible market manipulation by secretly buying their own stocks. OCCRP reporters Ravi Nair and Anand Mangnale are two of the 20 Indians that Apple notified in October that their phones were targeted by state-sponsored malware.

Russia hacked 22 Danish critical infrastructure companies: Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyberattack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

[more on Risky Business News]

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre, where he contributed to various projects, including on offensive cyber capabilities, information operations, the Huawei debate in Australia, and end-to-end encryption.
