Robin’s Newsletter #241

29 January 2023. Volume 6, Issue 5
Hive ransomware infrastructure seized by FBI. The concentration of the illicit crypto-currency market. GoTo confirms customer data stolen during November breach.

This week

FBI seizes the Hive ransomware group’s infrastructure

The FBI has seized infrastructure belonging to the Hive ransomware group. The operation, conducted with German and Dutch authorities, and supported by 13 other countries, is the culmination of months of effort.

Hive gained notoriety as a prolific cybercriminal enterprise that was comfortable targeting hospitals and healthcare organisations. Since June 2021, Hive has claimed over 1,500 victims in over 80 countries and extorted over $100 million in ransom payments, split 80/20 between the affiliate and Hive’s developers.

The FBI’s Tampa Field Office gained “clandestine, persistent access” to the ransomware-as-a-service’s control panel, where they then lurked for over seven months before the shutdown this week.

With access to the cybercriminal’s infrastructure, the agencies could access decryption keys and pass them to victims to unlock their files without paying. In doing so, the FBI says the operation helped to avert a further $130 million in ransom payments.

Perhaps more notable than the takedown is that the FBI had been lurking in the infrastructure for months, gathering valuable intelligence on the criminal operation. The intelligence also shed light on the behaviour of victims: just 20% chose to notify law enforcement.

No individuals were charged as part of the operation; however, the core members of the Hive group are believed to be Russian nationals and therefore protected from extradition.

Interesting stats

50% or fewer of Whirlpool and LG customers are connecting the ‘smart’ dishwashers, ovens and fridges they buy from those manufacturers to the internet.

66% of 1,802 breach disclosures tracked by the Identity Theft Resource Center (ITRC) did not include victim or attack details. That’s down from two years ago, when 100% of disclosures included such information, leaving “hundreds of millions of people… in the dark about what has happened,” according to ITRC CEO Eva Velasquez.

1,000 password attacks per second are ‘deflected’ by Microsoft’s identity systems, while only 28% of active users last month had multi-factor authentication enabled.

The marketplace for illicit crypto-currency transactions is small: 5 crypto-currency exchanges handle almost 68% of all black market cash-outs, according to Chainalysis, with 542 deposit addresses receiving over half of $6.3 billion in ‘illicit funds’ and just 4 of those addresses receiving over $1.1 billion of those funds.

Other newsy bits

  • NCSC says that Russian and Iranian state-linked actors are targeting British politicians, journalists and researchers at think tanks. The campaigns aimed at gaining access to the victim’s email accounts are sophisticated and, in one case, involved the threat actors providing the malicious link during a video conference with the victim.

  • While Royal Mail is “trialling operational workarounds” and “resuming” international services, small businesses are feeling the pinch in the wake of Royal Mail’s ransomware incident (vol. 6, iss. 3).

  • GoTo, the parent company of LastPass, has announced that attackers also stole its customer data during the November data breach (vol. 5, iss. 49) at a ‘shared third-party cloud storage provider’. As with LastPass, the data stolen was backups and relates to Central, Pro, Hamachi, and RemotelyAnywhere customers. While the backups were encrypted, the attackers also made off with an encryption key for some of them. The announcement came almost two months after GoTo (formerly LogMeIn) said it was investigating the matter. Both companies have been very sparing (vol. 6, iss. 3) in their communications.

  • Microsoft’s five-hour outage, affecting many of the company’s services, was caused by a router configuration change on one of their Wide Area Network (WAN) routers. The ‘planned change’ to an IP address of one of these routers caused the others to update their local routing tables. “During this re-computation process, the routers were unable to correctly forward packets traversing them,” said Microsoft.

  • Apple’s release of iOS 16.3 introduces hardware security key support, dubbed Security Keys for Apple ID. It allows Apple customers to use hardware tokens like YubiKeys to secure their iCloud accounts.

  • I’ve been looking at MITRE’s CREF Navigator tool this week. The Cyber Resiliency Engineering Framework (CREF) helps organisations build more resilient systems. The Navigator maps through from goals to objectives, techniques and approaches that link to various tactics and techniques in MITRE’s popular ATT&CK framework that describes adversary behaviours. Neat.

In brief

Attacks, incidents & breaches

  • The Killnet hacktivist group has launched denial of service attacks against German banks and organisations in retaliation for the German commitment to provide tanks to aid Ukraine to defend its country from Russia’s invasion. The effects appear to be limited, with a few websites offline but no impact on services.
  • US sports betting company FanDuel is warning customers that it was one of the ~130 companies affected by the recent MailChimp breach (vol. 6, iss. 3) and that customers’ names and email addresses have been exposed.
  • The PLAY ransomware group attacked the UK car dealership chain Arnold Clark on 23rd December 2022, and the cybercriminals have now posted sensitive personal information on the dark web. The data includes names, emails, phone numbers, passport data, and a range of financial information, including National Insurance numbers, bank statements and car financing documents.
  • The municipal court of Circleville, Ohio, is investigating the theft of 500GB of data after it was posted on the LockBit ransomware group’s ‘leak site’. Mount Vernon, another Ohio town, was also recently affected by a ransomware attack.
  • Details of approximately 500,000 Hilton Honors hotel loyalty programme members are for sale on the dark web. The hotel chain described the “unsecured” data as “reservation records” and previously denied that the company had been breached.
  • League of Legends developer Riot Games has received a ransom email following the theft of the source code (vol. 6, iss. 4) of its popular computer games. The games company does not intend to pay the demands and has engaged a “globally recognised” consulting firm to support its internal security team.
  • Details of 2.6 million DuoLingo profiles have been listed for sale on a cybercrime forum. The data was ‘scraped’ from the company’s application programming interface (API).

Threat intel

  • The FBI has accused North Korea’s Lazarus Group and APT38 of perpetrating the $100 million crypto-currency theft at Harmony’s Horizon bridge (vol. 5, iss. 26) in June last year. The ‘bridge’ supports conversion between different cryptocurrencies. Researchers at Proofpoint say they have seen an increase in phishing emails from North Korean actors targeting education, government and healthcare organisations.
  • Fake ads for software titles like WinRAR, VLC, FileZilla and LibreOffice are used by cybercriminals to infect victims with malware. Attackers can subsequently use the backdoor access in ransomware attacks.
  • New ‘Mimic’ ransomware variant uses Windows ‘Everything’ file search to find target files for encryption.
  • ESET attributed a new wiper malware, dubbed SwiftSlicer and written in the Go programming language, to the Russian Sandworm advanced persistent threat (APT) group.

Vulnerabilities

  • There are four vulnerabilities, including two critical, in VMware’s vRealize Log Insight tool. Both the directory traversal (CVE-2022-31706) and broken access control (CVE-2022-31704) score 9.8/10.0.
  • Microsoft says operators of on-premise Exchange servers “must” install the latest Cumulative Update and practice regular updates.

Cyber defence

  • CISA has released an advisory on protecting against malicious use of remote monitoring and management (RMM) software. The alert comes in the wake of a campaign identified by CISA that involved using legitimate RMM software (ConnectWise Control and AnyDesk) to conduct financial scams.
  • Microsoft will start blocking Excel XLL add-ins downloaded from the internet from March.

Privacy

  • New York’s attorney general is probing Madison Square Garden Entertainment’s use of facial recognition systems (vol. 5, iss. 52) to ban lawyers from law firms engaged in legal action against it from attending events at its venues.

Public policy

  • The International Counter Ransomware Task Force (ICRTF) began operations last week. The coalition of 36 countries and the European Union joined forces following a summit at the White House in November last year (vol. 5, iss. 45).
  • Sir Jeremy Fleming has announced that he will leave his role as director of the UK’s signals intelligence agency, GCHQ, after six years.

Law enforcement

  • Denis Emelyantsev, a 36-year-old Russian national, has pled guilty to two computer crime charges centred around his operation of the ‘RSOCKS’ botnet that infected 2 million devices.

Mergers, acquisitions and investments

  • Strata Identity, an ‘identity orchestration’ provider, has raised a $26 million Series B round, led by Telstra Ventures, to fund expansion.
  • Anti-money laundering and fraud prevention platform Hawk AI has closed a $17 million Series B round to fund product development.
  • OpenAI has announced a “multi-year, multi-billion dollar investment” from Microsoft.

And finally

  • Russia is blocking access to the US Rewards for Justice websites operated by the FBI and CIA. The RFJ programme offers payment to individuals who share information on “terrorism, foreign-linked interference in U.S. elections, [and] foreign-directed malicious cyber activities against the United States” and those supporting the North Korean regime. The Rewards for Justice site is explicitly encouraging tips on Russian military intelligence officers in exchange for ‘up to’ $10 million.
