The Good | Russian Criminals Sanctioned & Authorities Arrest Suspected Member of The Com
Threat actors targeting major U.S. infrastructures and industries were brought to justice this week.
The U.S. government has sanctioned two Russian cybercriminals, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for launching attacks on water treatment and energy facilities across the U.S. and Europe. As key members of the Russia-aligned hacktivist group Cyber Army of Russia Reborn (CARR), they initially targeted Ukraine and its allies via DDoS attacks before escalating to targeting critical industrial systems by late 2023.
In January, CARR claimed responsibility for breaching a U.S. energy firm’s SCADA system and manipulating a Texas water storage unit. Despite causing no major damage, the risks stemming from these activities prompted legal sanctions, blocking their U.S.-based assets to disrupt their operations and deter other hackers.
In the U.K., police arrested a suspected member of The Com (aka Scattered Spider) hacking collective involved in the 2023 MGM Resorts ransomware attack. The arrest was part of a larger investigation into a hacking group linked to ransomware attacks, extortion schemes, and data breaches. The 17-year-old teenager was arrested for violating the Blackmail and Computer Misuse Act and has been released on bail pending further investigation.
The Com is described as a network of individual actors working within a fluid structure that allows them to evade detection. The outfit comprises young English-speaking hackers who communicate via Telegram, Discord, and hacker forums and are known to collaborate with Russian-linked ransomware gangs such as BlackCat, Qilin, and RansomHub.
The Bad | DPRK-Backed Threat Actor Caught Posing as IT Employee in Hiring Fraud Scheme
KnowBe4 has revealed their lessons learned from a startling case involving identity fraud, AI exploitation, and cyber threat. The Florida-based cybersecurity company recently hired a Principal Software Engineer who was later discovered to be a North Korean state actor tasked with installing infostealing malware on company devices. While KnowBe4 was able to detect the threat in time, preventing any data breach, the incident serves as a warning against the persistent threat of skillful, state-backed North Korean IT workers defrauding U.S. businesses.
The FBI has repeatedly cautioned organizations of this persistent threat since 2023 as more DPRK-based actors disguise their identities to secure jobs across the tech industry in order to funnel revenue into funding state weapons programs and cyber operations while gathering intelligence. A rewards program was recently established by the FBI in exchange for information on such schemes.
In the case highlighted by KnowBe4, the company followed its usual process of background checks, verifying work references, and conducting a series of video interviews with the individual. The state actor was later determined to have stolen the identity of a U.S. citizen before leveraging AI tools to fake their profile picture and appearance during the calls.
Suspicion arose when KnowBe4’s Endpoint Detection and Response (EDR) flagged an attempt to load malware coming from the Mac workstation that had been sent to the new hire. Designed to extract data stored on web browsers, the malware was likely targeting credentials or other useful information left over from previous provisioning or device users. After being confronted, the actor stopped all communications after initial excuses.
KnowBe4 explained how these schemes often involve tricking employers into shipping the new workstations to ‘IT mule laptop farms’ where actors use VPNs to mimic U.S. working hours while performing data extraction, malware installation, and more. The key takeaways shared by the company urge others to implement network segmentation, use sandbox environments as the new hire is trained, and to watch out for inconsistencies in shipping addresses during the onboarding process.
The Ugly | 3000 Fake GitHub Accounts Spread Malware Via ‘Stargazers Ghost’ DaaS
GitHub’s extensive community and features make it a continued target for threat actors. This week, security researchers identified a network of 3000 fake GitHub accounts pushing infostealing malware through the platform’s repositories as well as compromised WordPress sites. The malware Distribution-as-a-Service (DaaS), dubbed ‘Stargazers Ghost Network’, delivers variants of RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer, all packaged in password-protected archives.
Attributed to a threat actor known as ‘Stargazer Goblin’, the exposed DaaS operation
marks the first instance of such a sophisticated and wide-reaching scheme found running on GitHub. Threat actors exploit the platform’s well-trusted reputation and bank on users to be less suspicious of links and downloads.
The DaaS works by creating hundreds of repositories with 300 ‘ghost’ accounts that star, fork, and subscribe to these repositories, boosting their visibility and perceived legitimacy on GitHub. Each fake account has a specific role: one serves phishing templates, the second provides phishing images, and the third distributes the malware. When a malware-serving account is banned, Stargazer Goblin updates phishing repositories with new links to maintain the resilience of the operation.
Researchers estimate that the operation has clawed in over $100,000 in funds since its launch and note how Stargazer Goblin has been ramping up promotion of their services across the darkweb since June 2023. The actor has also been observed diversifying how they funnel traffic such as malvertising, Telegram, social media and even YouTube tutorials directing viewers to repositories managed by Stargazers Ghost Network.
Despite GitHub’s efforts to remove over 1,500 malicious repositories since May, researchers note that more than 200 remain active. GitHub users are once again advised to be cautious as malware distribution methods, especially those powered by AI, continue to develop and launch complex and targeted campaigns.