TechSec’s Bi-Weekly Tech News Digest: April 22, 2022
By Daniel Haltmeier
Dear Reader,
Welcome to the fourth bi-weekly Tech News Digest, provided by the GISA Technology and Security Initiative (TechSec). Our goal here is to give you an easy to read update of what has been happening lately in the world of technology and security. To do so, we pick the top news stories from the last two weeks and present a short summary. Should you be interested in knowing more, just follow the links below the respective paragraphs.
A Swiss Army Knife for Hacking
Much of our critical infrastructure relies on one central element: industrial control systems (ICS). Water facilities, power grids and much more would simply shut down if these ICSs were taken out. That, however, is nothing new. What is worth mentioning is that US authorities have recently disclosed a new type of malware that doesn’t target one specific type of ICS, but can potentially target many of them.
The Pipedream malware doesn’t only disrupt the functionality of ICSs, but also has components that attempt to take over certain functions of specific devices. While the currently investigated version of Pipedream targets a few specific ICS products, of the kind found in electrical grids and oil refineries, it could easily be modified to conduct broader attacks against many other types of critical infrastructure. Hence, it is a true “Swiss Army Knife” of malware. Luckily, the malware was detected before it was deployed for malicious purposes. This is good news, as malware targeting ICSs is rarely discovered at all, and even more rarely before wreaking havoc.
The malware most likely originates from an APT – an “Advanced Persistent Threat” – which usually refers to state-sponsored hacker groups. The precise origin of the malware and the identity of the APT are, however, still unknown.
Read more about this on WIRED and TechCrunch.
NATO and other militaries practice full-scale cyberwar
NATO is playing cyberwar and the non-member country Switzerland is participating with pleasure. What might sound like a happy-clappy get-together of geeks and nerds playing war is in reality an extremely intense exercise called “Locked Shields”, stretching over multiple days and simulating a large-scale attack on critical infrastructure. A total of 33 nations and their militaries, with about 2’000 cyber experts, formed 24 teams that attempt to defend 5’500 targets categorised as critical infrastructure against a total of 8’000 devastating attacks. This year the attackers’ targets, and the defenders’ charges, are power grids and financial messaging systems.
Twenty-four members of the 42nd Swiss Armed Forces Cyber Battalion are currently fighting alongside the NATO member states and other contributing nations such as Austria, Finland, South Korea and Ukraine. Their goal is to defend the fictional island of Berylia against a deteriorating cybersecurity situation.
The NATO exercise doesn’t mimic Russian cyber operations in the ongoing war in Ukraine, because the planning was done before February 24th, but the backdrop of this war still looms over the exercise and all its participants. Let’s hope, for all our sakes, that the cyber defenders don’t need to apply their newly gained experience in real life anytime soon.
Read more about this on THE WALLSTREET JOURNAL and SWISSINFO.
The Ronin Heist – No, we’re not talking of rogue Samurais
Last month hackers stole around 540 million dollars worth of the cryptocurrencies ether and USDC (a US-dollar stablecoin) from the Ronin network bridge. Old news. The stolen cryptocurrencies would by now already be worth more than 600 million dollars, but that’s also not what makes this news story “TechSec digest worthy” (yes, that’s an expression we will recurrently use from now on).
What makes this a top story of the last two weeks is that the attackers have been identified: the FBI has attributed the heist to the North Korean Lazarus Group, and the two blockchain analytics companies Elliptic and Chainalysis have linked the stolen funds to the sanctioned wallet. Lazarus is a state-sponsored hacking group that has been terrorizing cyberspace for several years now with breaches of important companies, scams and other cybercrime activities. Their goal: filling the treasury of North Korea and its leader Kim Jong Un. According to the United Nations, North Korea has used stolen funds from cybercrime to finance its military development. Hence, it might well be that the Lazarus Group has just financed the next round of North Korean missile tests.
Read more about this on BBC and ELLIPTIC.
T-Mobile fails spectacularly in buying back stolen customer data
Hackers steal data. Hackers sell data. Hackers are happy because they have more money. The more money hackers earn from selling the data, the happier they are. This chain of events is not difficult to understand. How on earth, one might ask, could T-Mobile then believe the following plan was a good one: buy back the stolen data of 30 million customers from a hacker trying to sell it on an underground forum for around 270’000$.
Unsealed court documents now confirm what most people with at least a tiny bit of criminal energy might have suspected: the hacker “SubVirt” tried to sell the dataset on the now shut-down hacking forum “RaidForums” and was approached by a third-party company which T-Mobile had hired to take mitigation measures after the breach. This third-party company posed as a normal buyer on the forum and bought the dataset for 200’000$ on the condition that SubVirt would not sell it to anyone else. And what did SubVirt do? Continue to sell the same data anyway. What might sound like a spectacularly bad idea on the part of T-Mobile and the third-party company actually seems to be industry practice and (apparently) works from time to time. The lesson stands regardless: once data has been exfiltrated, no purchase can make the copy unique again, and paying for it only signals that it is worth stealing.
Well played SubVirt. I mean, you’re clearly the bad guy in this story and may punishment rain down on you hard… but well played.
Read more about this on VICE and TECH TIMES.
If you would like to hear more tech news, participate in events related to technology and security or learn practical technology skills, consider following us on Instagram, LinkedIn or join our Initiative as a member!