The Good | Global Police Disrupt Encrypted Cybercriminal Chat Service & Billion-Dollar Laundering Networks
Law enforcement groups took a hard strike at cybercriminals this week, dismantling MATRIX, an encrypted messaging platform used to coordinate illicit activities, as well as two Russian money laundering networks associated with ransomware gangs.
In ‘Operation Passionflower’, investigators took down MATRIX through the phone of a suspect linked to an attempted assassination of journalist Peter R. de Vries in July 2021. Authorities, led by Europol, monitored some 2.3 million intercepted messages in 33 languages over three months, many of which will support ongoing police cases. The MATRIX infrastructure served at least 8000 users and offered transaction tracking services, encrypted calls, and anonymous browsing. So far, raids across Europe have led to 970 phones seized, approximately $677,000 in cash and cryptocurrency combined, and five arrests – one of which is allegedly the owner of the platform.
In a separate operation dubbed ‘Destabilize’, U.K.’s National Crime Agency (NCA) led a collaborative effort with several partners to disrupt two money laundering networks linked to criminal enterprises globally, including ransomware gangs like Ryuk. These networks were also key to helping cybercriminals to evade sanctions and support Russian media and weapons-related activities.
Investigations reveal that the two networks (‘Smart’ and ‘TGR’) belonged to a billion-dollar laundering operation that had remained hidden from regulators and police forces until recently. The takedown is the first confirmation of links between Russian elites, crypto-backed cybercriminals, and drug cartels based in the U.K. 84 Russian-speaking suspects tied to Smart and TGR have since been arrested while alleged network leaders, Ekaterina Zhdanova and George Rossi, and other key members face sanctions by OFAC.
The Bad | Russian Hacking Group Exploits Pakistani Threat Actor’s Infrastructure to Launch Cyberattacks
Security researchers have uncovered a dog-eat-dog situation that pits Russian cyberespionage group, Turla (aka Secret Blizzard or UNC4210) against Pakistani-based threat actor, Storm-0156. Since December 2022, Turla has been hijacking Storm-0156’s servers to carry out their own attacks on already compromised networks.
Russia’s Turla hackers hijacked 33 command servers operated by Pakistani hackers who had themselves breached Afghanistan and Indian targets.https://t.co/TMZWFXWxuy
— Ryan Naraine (@ryanaraine) December 4, 2024
Researchers tracking the Pakistani actor’s campaigns discovered that Turla had taken over Storm-0165’s command-and-control (C2) nodes, infiltrating the actor’s breaches on Afghan and Indian government entities to deploy their own malware payloads, including several backdoors. Turla also leveraged this to move laterally into Storm-0165’s workstations, gaining access to the actor’s malware tools, data, and stolen credentials.
Turla has employed this parasite-like strategy since 2019 with the primary goal of exploiting rival actors’ infrastructure to collect intelligence, hide their own toolsets, complicate attribution, and shift the blame. The Russian state-sponsored group previously repurposed Iranian threat group OilRig’s malware and infrastructure to launch new attacks and steal sensitive data from OilRig’s own systems in the process. Other past incidents involve deploying backdoors to ‘Andromeda’ malware victims in Ukraine and exploiting backdoors stolen from Storm-0473 in 2023.
Cybercriminals themselves are vulnerable to being hacked due to their inability to use modern security solutions that reveal their exploits and tools. Turla’s deliberate approach of commandeering other hackers’ systems allows its operators to establish footholds on targets of interest with relatively minimal effort and maintain extensive visibility into rival tooling and TTPs. While Turla may collect information unrelated to its own interests or risk being exposed should its hacker-turned-victim trigger alerts during initial compromise, its strategy reflects creativity and a willingness to try unique methods to secure plausible deniability and save on resources.
The Ugly | China-Backed Cyber Espionage APT Targets Global Telecommunication Providers
A new joint advisory warns of a widespread, China-backed campaign targeting telecommunications networks in dozens of countries, including eight U.S. providers. The attacks are attributed to the state-sponsored threat actor known as Salt Typhoon (aka GhostEmperor, UNC2296, FamousSparrow) and have been in progress for at least one to two years. Though no classified communications have been compromised according to White House officials, the full scope of the campaign remains unclear.
Salt Typhoon has been associated with a string of attacks aimed at Southeast Asian government entities and telecoms since 2019. The actor is known for exploiting vulnerabilities in telecom systems to access sensitive data, intercepting private communications, law enforcement requests, and customer call records by wiretapping the platforms. Telecom vendors are an especially lucrative target, offering attackers a strategic advantage for intelligence gathering and exerting geopolitical influence with an amplified reach.
CISA confirmed the latest breaches in October, advising U.S. citizens to move to encrypted messaging and voice communication platforms for better protection. Some of the breaches were reported to have lasted for months at a time, allowing attackers to steal valuable internet traffic from ISPs that serve millions of users and businesses.
To mitigate the risk of further attack, CISA, the FBI, NSA, and international partners issued guidance to help network engineers and defenders harden their telecom infrastructures. Recommendations to engineers include patching vulnerable systems, investigating configuration modifications to network devices, monitoring user account logins for anomalies, employing strong network segmentation, and ensuring that traffic is end-to-end encrypted. Network defenders are advised to enforce configuration management, disable unused and exploitable (plaintext) services and protocols, and implement RBAC, MFA, and IAM policies.
