The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Doctor by day, cybercriminal by night

Analysis by

with research by Aaron Schaffer

May 17, 2022 at 7:35 a.m. EDT

Welcome to The Cybersecurity 202! In the genre of doctors getting wrapped up in crime there are few better films than 1988’s “Frantic,” starring Harrison Ford.

Below: The Conti ransomware gang now says it wants to overthrow Costa Rica’s government, and House Intelligence Democrats are pressing Facebook on Russia disinformation in Eastern Europe.

Cybercriminals aren't just in Russia anymore

A truly bizarre hacking case from the Justice Department is shedding light on just how broad and diverse the cybercriminal community is becoming.

The defendant, Moises Luis Zagala Gonzalez, spent his days working as a cardiologist in Venezuela. But he allegedly spent his free time going by ominous screen names culled from Greek mythology and developing ransomware that wreaked havoc on victims.

Zagala’s ransomware tools were so effective they were even used by Iranian government-backed hackers to target Israeli businesses — something he bragged about to other clients that used his tools, according to a criminal complaint.

Going global

The case underscores how cybercrime is a large and growing problem far beyond Russia where some of the most notorious ransomware gangs are located. It also shows how the promise of fast and ample cash can lure people with other prospects into the lifestyle.

Zagala seems to be an oddity right now among prominent ransomware hackers who generally have longer histories with cybercrime and are more closely connected with organized gangs or cybercrime underground groups. But that could be changing.

  • “We are just starting to understand how big the ransomware community is. Likely there are a lot more people like this doctor out there, and I think we will see more of this as law enforcement gets better about handing out indictments,” Allan Liska, director of threat intelligence at the cybersecurity firm Recorded Future, told me.
Tactics

Zagala had a flair for the literary and dramatic — to put it mildly.

  • He allegedly used the online aliases “Nosophoros,” a Greek term meaning “disease bearing,” and “Aesculapius” the Greek god of medicine. According to the complaint, when he thought cybersecurity analysts were tracking him too closely, he switched his screen name to “Nebuchadnezzar” — an Old Testament king said to have destroyed Jerusalem.
  • He allegedly developed a ransomware tool he called “Thanos” — the name of a Marvel villain and seemingly a reference to Thanatos, the Greek mythological personification of death.

“The multitasking doctor treated patients, created and named his cyber tool after death [and] profited from a global ransomware ecosystem,” U.S. Attorney for the Eastern District of New York Breon Peace said in a colorfully worded news release accompanying criminal charges against Zagala.

One thing Zagala has in common with more conventional ransomware hackers — he’s unlikely to see the inside of a U.S. prison.

Zagala lives in Ciudad Bolívar, Venezuela, and has not been arrested by U.S. authorities. The Venezuelan government is frequently at odds with the United States and is not a party to the main treaty that guides international cooperation on cybercrime, the Council of Europe’s Budapest Convention.

The doctor’s alleged ransomware tactics were especially malicious.

  • Officials say he developed a ransomware called Jigsaw that included what he called a “doomsday” counter. The counter incremented each time the victim tried to remove the ransomware, and once it passed a threshold the malware deleted all of the victim’s files.
  • “If the user kills the ransomware too many times, then it’s clear he won’t pay so better erase the whole hard drive,” he allegedly posted to an online cybercrime forum.
  • Zagala’s ransomware also allegedly included a feature that automatically increased ransom demands over time.
  • Officials said he offered two ways for hackers to buy his ransomware. They could either license it for a specific period of time or agree to pay him a portion of the proceeds from their attacks.

The keys

Conti ransomware gang says it wants to overthrow Costa Rica’s government

Conti’s threat comes four weeks after the gang’s ransomware began seizing up computers at more than two dozen Costa Rican government institutions. The group has issued a $20 million ransom demand.

Costa Rica’s new president, Rodrigo Chaves, warned that he believes the Russia-based ransomware gang is working with collaborators inside Costa Rica. He has declared a national emergency in the country.

“We are at war and that’s not an exaggeration,” Chaves said.

  • Nine institutions struck by the hackers are considered “very affected,” Chaves said, per Reuters.
  • The total number of institutions hit now stands at 27, he said.

But experts are cautioning against taking Conti’s threats to overthrow the government too seriously, the Associated Press’s Javier Córdoba reports.

“We haven’t seen anything even close to this before and it’s quite a unique situation,” Emsisoft ransomware analyst Brett Callow told the AP. “The threat to overthrow the government is simply them making noise and not to be taken too seriously, I wouldn’t say.”

House Intelligence Democrats press Facebook on Russian disinformation in Eastern Europe

Officials in Slovakia described an influx of “harmful” pro-Russian disinformation on Facebook when lawmakers recently visited, House Intelligence Committee Chairman Adam B. Schiff (D-Calif.) and four other Democrats on the committee say.

They’re asking Facebook CEO Mark Zuckerberg to move swiftly to remove or fact-check the offending content in a new letter shared exclusively with my colleague Cat Zakrzewski.

One senior Slovak defense official described Facebook as “the main arena for Kremlin propaganda,” according to the letter. They called for the company to brief the committee on any investigation it’s conducting into the pro-Russian content and for details on its plans to address harmful misinformation moving forward.

A spokesman for Facebook parent company Meta said the company is removing content that violates its rules, and working with fact-checkers in the region to debunk false claims. “We are taking extensive steps to fight the spread of misinformation on our services in the region and continuing to consult with outside experts,” spokesman Kevin McAlister said.

A committee official, who spoke on the condition of anonymity to discuss committee plans, said Facebook responded and committed to set up a briefing.

North Korean IT workers pose insider threats, U.S. authorities warn

North Korea is secretly sending some of its IT workers to Western firms, where they earn money to fund the country’s nuclear and ballistic missile programs, U.S. officials warn in a new guidance document.

The IT workers have “used the privileged access gained as contractors” to enable North Korean hacking, though they “normally engage in IT work distinct from malicious cyber activity,” the FBI, State Department and Treasury Department said.

Details: The agencies hinted that North Korean IT workers have been involved in setting up cryptocurrency exchanges or websites and have provided largely logistical support to hackers.

Some of the IT workers — who often seek freelance contracts — hide their links to North Korea by posing as teleworkers who are based in the United States and other countries, the agencies said. Some use fake documents to hide their identities or “proxy accounts” to appear legitimate on freelancing websites, they said.

North Korea’s hackers have been busy.

  • They’ve targeted banks and financial institutions to raise money for the country, which faces international sanctions.
  • In recent years, North Korean hackers have turned their attention to cryptocurrencies. In April, the U.S. government said it had linked North Korean hackers to a $600 million heist targeting the video game Axie Infinity.

Hill happenings

The Hill’s focusing on government cyber protections today

U.S. cyber officials will testify about the federal government’s digital protections at a House Homeland Security Committee panel hearing.

The hearing comes about 18 months after discovery of the SolarWinds breach, in which Kremlin-backed hackers stole reams of data from numerous federal agencies. It also comes about a year after an executive order from President Biden aimed partly at cleaning up government cybersecurity.

Here are some top points from CISA Executive Assistant Director Eric Goldstein, who will testify at the hearing, shared with us by a CISA spokesman.

  • CISA has gained more centralized visibility into cybersecurity threats and risks — including by deploying tools to detect threats on government employee laptops and other devices and by proactively hunting for threats.
  • The government is shifting toward a “zero trust” model, which treats every device and user as potentially compromised until verified, rather than trusting anything simply because it is inside the network, and limits the data that can be shared between computer systems as much as possible.
  • CISA is pushing for more transparency from digital contractors including by asking for full lists of all the software they’re deploying.

Global cyberspace

Sweden warns of Russian cyber retaliation over NATO membership move (The Hill)

Cyber insecurity

Hacker shows off a way to unlock Tesla models, start cars (Bloomberg)

Malware can be loaded even onto phones that are turned off, researchers show (Motherboard)

Daybook

  • The House Homeland Security Committee’s cybersecurity subcommittee holds a hearing on the cybersecurity of federal networks today at 2 p.m.
  • The Senate Health, Education, Labor and Pensions Committee holds a hearing on the cybersecurity of the health and education sectors Wednesday at 10 a.m.
  • Rep. Michael McCaul (R-Tex.), Rep. Elissa Slotkin (D-Mich.) and Bob Kolasky, a senior vice president for critical infrastructure at Exiger who previously led CISA’s National Risk Management Center, discuss cybersecurity at a Washington Post Live event Wednesday at 2:30 p.m.
  • The Senate Rules Committee holds a hearing on election administration Thursday at 11 a.m.
  • The U.S. Chamber of Commerce hosts a briefing on Russian cyberthreats with FBI and CISA officials Thursday at 2 p.m.
  • Deputy Attorney General Lisa Monaco, National Cyber Director Chris Inglis and CISA Director Jen Easterly speak at an Institute for Security and Technology event on the first year of the Ransomware Task Force on Friday at 10:30 a.m.

Secure log off


Thanks for reading. See you tomorrow.