Russia's Invasion of Ukraine and CISA/FBI's New Era of Transparency

BLUF: Bottom Line Up Front

I want to start this post with the most important thing right up top:

The CISA.gov/Shields-Up page starts with this statement.  PLEASE take it seriously, and escalate to your top management:

"Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack."

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.

Second "Bottom Line Up Front" BLUF point:  CISA has released TTP's of Russian threat actors known to attack US Critical Infrastructure.  If you work there, skip this blog and go read their report first!
"Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."

CISA/FBI and the New Era of Transparency

 Anyone who has seen one of my presentations recently knows that I am a huge cheerleader for CISA.gov, the Cybersecurity & Infrastructure Security Agency at DHS, which replaced the National Protection and Programs Directorate (NPPD) that previously led private sector engagement and interaction for DHS.

Previously, I've asked people to make sure someone in their organizations was watching four critical information sharing pages at CISA.  

• https://www.cisa.gov/uscert/ncas/current-activity
• https://www.cisa.gov/uscert/ncas/alerts
• https://www.cisa.gov/uscert/ncas/bulletins
• https://www.cisa.gov/uscert/ncas/analysis-reports

I had already said publicly many times that they are doing a PHENOMENAL job of sharing information - unprecedented in my 22 years of working with the government on Critical Infrastructure Protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), serving on the national boards of InfraGard and the Energy ISAC, and interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare), and REN-ISAC (Research and Education).  But now CISA (and the FBI) has taken Information Sharing to a whole new level.

The White House on Russian Cyber Threats

It started with the White House.  On March 21st, President Biden stated that there was "evolving intelligence that the Russian Government is exploring options for potential cyberattacks." Based on this new intelligence, the administration gave the order that thing that were not previously shared needed to be shared at an even higher level of detail and specificity, including things that were previously deemed too sensitive to share in an unclassified environment. 

That same day, Press Secretary Jen Psaki brought in Anne Neuberger, the Deputy National Security Advisor over Cyber and Emerging Technologies.  She stated that in the past week, CISA and the FBI had held meetings with 100+ Critical Infrastructure Companies to determine a best course forward in helping to protect critical infrastructure, including encouraging them to participate in the CISA Shields-Up! program. 

The White House also released a FACT SHEET: Act Now to Protect Against Potential Cyberattacks

• Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
• Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
• Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
• Back up your data and ensure you have offline backups beyond the reach of malicious actors;
• Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
• Encrypt your data so it cannot be used if it is stolen;
• Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
• Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

After this set of announcements, CISA.gov's director, Jen Easterly, convened a meeting that was attended by more than 13,000 Critical Infrastructure stakeholders from all across the United States, including every sector and every size. A recording of the CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES has been shared on their YouTube page!

During the call, which included FBI Deputy Assistant Director for Cyber, Tonya Ugoretz, and CISA Deputy Executive Assistant Director for Cyber, Matt Hartman,  Director Easterly committed to push to have even more sensitive data released to the public if it would possibly help protect American Critical Infrastructure.  And today, we see a great example of that!

Documentation of Two Historical Hacking Campaigns Against Critical Infrastructure

The FBI and the Department of Justice released the legal side, in the form of an extremely detailed press release about Russian hacking campaigns targeting Critical Infrastructure at hundreds of companies in 135 countries.

https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

The Press Release was accompanied by two indictments: 

The first, "USA v. Evgeny Viktorovich Gladkikh," (17-page indictment) details the origins, creation, and distribution of the "TRITON" malware.  This attack framework was described in great depth in December 2017 by Mandiant in their report "Attackers Deploy New ICS Attack Framework 'Triton' and Cause Operational Disruption to Critical Infrastructure." While Mandiant described the malware as "an attack framework built to interact with Triconex Safety Instrumented System controllers," they could only say they believed it was "activity consistent with a nation state preparing for an attack." 

Through the new transparency we are seeing, the full details of the indictment are now unsealed and we learn the attacks were conceived and executed from the Russian Ministry of Defense, Federal Service for Technical and Expert Control, in a lab known as the Applied Development Center, which was in turn part of TsNIIKhM, the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics.  

The second indictment, "USA v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov," (36 page indictment) is targeted at members of the Federal Security Service (FSB)'s "Military Unit 71330" also known as "Center 16." Members of this lab are better known by their flamboyant APT Designations:  Dragonfly, Berzerk Bear, Energetic Bear, and Crouching Yeti.  In particular, this indictment addresses their attacks in 2017 which attempted to target and compromise critical infrastructure and energy companies worldwide, including in the USA generally, and in Kansas in particular (the home office of the indictment.) 

Again, the new transparency shows us that these attacks, also known as Dragonfly, Havex, and Dragonfly 2.0, were supply chain attacks, where various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors which would be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the US and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In 2.0, malware was delivered via Spear-phishing attacks and Watering hole attacks targeting employees of such companies. At least 3,300 systems were compromised using this methodology as well. 

Some of the groups attacked in this way included the Nuclear Regulatory Commission, WolfCreek Nuclear Operation Corporation in Burlington, Kansas, Westar Energy, in Topeka, Kansas, and the Kansas Electric Power Cooperative. 

Again, Havex was known to the security community.  Trend Micro wrote about it in their report "HAVEX Targets Industrial Control Systems" back in July 2014, and in more detail in their white paper "Who's Really Attacking Your ICS Equipment?"  Dragonfly 2.0 was similarly discussed, for example by Symantec, in their report "Dragonfly: Western energy sector targeted by sophisticated attack group" in October 2017.  WIRED magazine also wrote about the group Berzerk Bear in October 2020 in their article "The Russian Hackers Playing Chekov's Gun with US Infrastructure." 

But now, in a coordinated Information Sharing To Protect Our Nation blitz, CISA, working with the FBI and the Department of Energy, have released "Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."

BEC Still #1, but Investment Fraud passes Romance Scams

https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

The FBI's Internet Crime Complaint Center (ic3.gov) has released their 2021 Internet Crime Report.

The number of complaints increased by 7% to 847,376 from 2020 to 2021, however the reported losses increased by 64% year over year to $6.9 Billion!

For several years, the #1 Cybercrime type has been Business Email Compromise followed by the #2 of Romance Scam. But this year, we had a change!  The criminals have discovered how many people don't understand investing in cryptocurrency and have turned Investment Scams into a new money factory. 

#1 is still Business Email Compromise, but with only a 3% increase in victims, there was a 28% increase in reported financial losses.  That's an average loss of $120,000 per victim, compared to last year's $96,700 per victim. 

#2 dislodges Romance Scams by Investment Scams for the first time ever with a dramatic increase!  Investment Scams went from 8,788 complaints to 20,561 complaints, while losses increased 333% from $33.6 Million dollars to $1.45 Billion dollars!  THat's an average loss of $70,810 per victim, up from $38,287 per victim last year!

#3 Romance Scams was quite similar to 2020 in the number of complaints, however the amount of losses still increased by 59%.  In 2020, the average victim lost $25,272, but in 2021, the average victim lost $39,344.  And these victims tend to be senior citizens! 

Crime Type	2021 Losses	2020 Losses	Change in Loss	2021 Victims	2020 Victims	Change in Victims
BEC/EAC	$2,395,953,296	$1,866,642,107	28%	19954	19369	3%
Investment	$1,455,943,193	$336,469,000	333%	20561	8788	134%
Confidence Fraud/Romance	$956,039,739	$600,249,821	59%	24299	23751	2%
Personal Data Breach	$517,021,289	$194,473,055	165%	51829	45330	14%
Real Estate/Rental	$350,328,166	$213,196,082	64%	11578	13638	-15%
Tech Support	$347,657,432	$146,477,709	137%	23903	15421	55%
Non-Payment/Non-Delivery	$337,493,071	$265,011,249	27%	82478	108869	-24%
Identity Theft	$278,267,918	$219,484,699	27%	51629	43330	19%
Credit Card Fraud	$172,998,385	$129,820,792	33%	16750	17614	-5%
Corporate Data Breach	$151,568,225	$128,916,648	18%	1287	2794	-54%
Government Impersonation	$142,643,253	$109,938,030	30%	11335	12827	-12%
Advanced Fee	$98,694,137	$83,215,405	19%	11034	13020	-15%
Civil Matter	$85,049,939	$24,915,958	241%	1118	968	15%
Spoofing	$82,169,806	$216,513,728	-62%	18522	28218	-34%
Other	$75,837,524	$101,523,082	-25%	12346	10372	19%
Lottery/Sweepstakes/Inheritance	$71,289,089	$61,111,319	17%	5991	8501	-30%
Extortion	$60,577,741	$70,935,939	-15%	39360	76741	-49%
Ransomware	$49,207,908	$29,157,405	69%	3729	2474	51%
Employment	$47,231,023	$62,314,015	-24%	15253	16879	-10%
Phishing/Vishing/Smishing/Pharming	$44,213,707	$54,241,075	-18%	323972	241342	34%
Overpayment	$33,407,671	$51,039,922	-35%	6108	10988	-44%
IPR/Copyright and Counterfeit	$16,365,011	$5,910,617	177%	4270	4213	1%
Health Care Related	$7,042,942	$2,904,2515	-76%	578	1383	-58%
Malware/Scareware/Virus	$5,596,889	$6,904,054	-19%	810	1423	-43%
Terrorism/Threats of Violence	$4,390,720	$654,7449	-33%	12346	20669	-40%
Gambling	$1,940,237	$3,961,508	-51%	395	391	1%
Re-Shipping	$631,466	$3,095,265	-80%	516	883	-42%
Denial of Service/TDoS	$217,981	$512,127	-57%	1104	2018	-45%
Crimes Against Children	$198,950	$660,044	-70%	2167	3202	-32%

Investment Scam Examples

What does an Investment Scam look like?  The most common ones these days are promising a guaranteed rate of investment. Thousands of such Investment Scam sites have been created and most of them are being pushed on social media.  People who claim to be successful on the sites are often only trying to earn a commission by referring others to the site.

It only took a couple hours to find more than 500 live Investment Scam sites last month.  Many of these sites are still live today.

Many of the sites are unlikely to attract real investors because of how ridiculous their rates are.  No one believes that they can earn 50% per hour ... however this site promises that if you can trick your associates into investing, you'll get 5% of whatever they deposit.  This is quite common. 

Crypto-Trades[.]uk 

A more believable site promises a much lower rate, such as 3% per day for investments up to $4,999 dollars.  If the site owners believe they have a big fish, they may actually PAY the 3% for a small investment, using that as proof that the system works in order to lure a larger investment.  This site, and many like it, then offer 6% daily profits for investments of at least $5,000, or 9% daily profits for investments of at least $30,000. 

The site pictured above claims to be "Crypto-Trades[.]uk" and offers proof of their legitimacy by providing a link to their "Certificate of Registration."

Crypto-Trades dot UK

claiming to be the British Corporation, "Crypto Ltd" which is a real company, just not them. 

They are regularly abused in that way.  CryptSparkFX[.]com, Crypto-binary[.]com, CryptoTrust[.]ltd, CryptoAlphas[.]uk, CryptoHive[.]uk, Webull-Investments[.]com, ExploreFX[.]uk, Crypto-Gain[.]ltd, Slushpool-investment[.]com, Intrex-invest[.]com, and FedelityFunds-Crypto[.]com are some of the other Investment Scam sites that use their address, hoping to gain credibility from it. 

Intrex-Invest[.]com

FedelityFunds-Crypto[.]com

Slushpool-investment[.]com

CryptoHive[.]uk

A True Victim Story

A successful businessman in my area came to me to ask for help.  He had originally joined a group such as those above called CryptoHood[.]io which later became CryptoHood[.]co.  He invested a small five figure number on their site, and got scammed, losing it all.  When he was complaining about being scammed, someone in a Facebook investment group let him know they too had been scammed by those people.  But good news!  He had found a legitimate company that really paid out!  EasonFXPro[.]com! Because he had been burned already, he put in a smaller investment this time.  $2,500.  An amount that this CEO "could afford to lose."

The scammers let him know that because he was a VIP investor, they were going to let him use their "special" app, so that he could watch his trades in real time.  The theory was that their advanced Artificial Intelligence was doing Bitcoin trading to make amazing profits.  The app they used was in the Google Play store ... but the VIP version was only available via their special URL.  They convinced him to download the app from "blockchain.en.uptodown[.]com/android/download/2264221." That was his "personalized" version.  He was truly amazed by the bot, and could enter "his" bitcoin address into any blockchain explorer to see his earnings.  (We checked the address, and it was doing HUGE volumes of small transactions ... it just wasn't his wallet.   He was led to believe that the transactions were "the AI doing trades" for him.  Within a couple months, his bitcoin address had funds worth nearly $250,000!  So he decided to cash out.

In order to cash out, he just had to pay them a "Sigma Fee" of 10%.  He refused ($25,000!?!?!?!) 

They then offered to let him withdraw just $50,000, for a Sigma Fee of only $5,000.

He was harassed on the phone for a while by "Elizabeth Frances" and "Evelyn" and "Mark Gerrard" and "Steven Williams" but chose to file an IC3.gov report about his experiences and walk away from Crypto Investments for a while.

The Appeal of Easy Money

With 1100 "likes" it must be real, right?

And they provide screenshots as proof that they are really getting paid!  So, it's guaranteed, right?

Chinese Call Center "Runner" Pleads Guilty in Georgia

This week the Department of Justice received a guilty plea from Jianjie Liu, a Chinese citizen living in Texas. 

https://www.justice.gov/usao-ndga/pr/chinese-national-pleads-guilty-money-laundering-scheme

In Call Center Frauds, there are many roles to be played.  One of these roles is often referred to as "Runner." When people in other countries are the ones running the phones and Facebook accounts used in fraud, they often need someone in the United States to pick up packages and open bank accounts.  From that perspective, Liu was a Runner.

The case began when Liu was arrested at a Walmart in Duluth, Georgia after attempting to purchase "a suspicious number of gift cards."  During that arrest, her 2016 black Nissan Altima was searched, and was found to have 718 gift cards, mostly WalMart, Vanilla Mastercard, and American Express gift cards. he also had a deposit slip showing that she controlled a JP Morgan Chase Bank account ending in #5887. The bank account was tied to her business license in Gwinnett County, Georgia fro "A&J Commercial Services" which used an address at 16634 Roseglade Drive, Cypress, TX 77429. 

The 16,000 images on her phone were reviewed, and found to contain many images of gift cards along with their accompanying purchase receipts. 

From May 30, 2019 until September 30, 2019, Liu deposited at least $70,400 into her Chase account from elderly fraud victims.  Those funds were all seized by the U.S. Secret Service, however there were many other victims and victim types described in the court records:

In a "Government Grant Scam" an elderly "J.B." received a message from a Facebook friend, who told him about a $150,000 government grant he could receive.  He sent $2,500 cash to an address in Heath, Ohio; 4,000 to an address in Atlanta, Georgia; $4,500 to an address in Newark, New Jersey, and was later instructed to purchase gift cards at a Walmart in Washington and message them to "Agent Walter" (which were then forwarded to Liu, who used those cards to purchase OTHER gift cards!)

In an "Inheritance Scam" a woman using a Facebook account in the name "Fola V. Williams Fly" asked a 64-year old man from Cheyenne, Wyoming to help her receive a multi-million dollar inheritance by paying various fees.  He sent two cashier's checks for $10,000 each payable to Jianjie Liu at the address 3182 Steve Reynolds Blvd, #105, Duluth, GA 30096. 

In a "Computer Support Scam" someone claiming to be "Allen Johnson" from Microsoft took control of a victim's computer, claiming he needed remote access to her bank account to process a $300 refund.  Instead he pretended to deposit $3,000, claiming it was in error.  He then asked the victim to refund $2,600 of the erroneous funds, by sending three money orders to Liu in Duluth, Georgia. 

An identical process was used by someone claiming to refund $555, but "accidentally" depositing $20,555 instead.  The victim, an 89-year old priest in St. Paul, Minnesota, sent the "accidental" $20,000 via cashier's check to Joy Liu, A&J Commercial Services, 3182 Steve Reynolds Blvd, Duluth, GA.

In a "Grandparent Scam" "Sergeant Jonathan Parker" called one of the elderly victims claiming their teenaged grandson had been arrested for assaulting a police officer and was required to post $9,000 bail.  He sent a box with $9,000 cash in it to an address in Las Vegas, Nevada.  Days later, Sergeant Parker demanded an additional $15,000 to settle the matter out of court.  He again sent a box of cash to Las Vegas.  Then he was asked to send $5,000 to pay the medical bills of "Officer Joyce Phillips" and this time sent a personal check to "Joyce Phillips" of A&J Commercial Services, 3182 Steve Reynolds Boulevard, Duluth, GA 30096. 

In a "Compromised SSN Scam" another elderly victim was told he was being investigated by the IRS, and that during the investigation, to protect his funds, he needed to convert all of his cash to Gift Cards, which would be held in escrow pending the results of the investigation.  These gift cards were used by Liu to purchase the gift cards in the Walmart in Duluth, Georgia. 

Liu posted $10,000 bail, and shockingly, failed to appear in court again.  

She was re-arrested in Pearland, Texas on 06JAN2021 for theft, where it was discovered that she had an outstanding warrant.