By the CyberWire staff
Foiled cyberattack targeted Tesla.
A Russia-based hacker group tried and failed to recruit a Tesla employee to install malware on the car manufacturer's internal corporate networks, Teslarati reports. The FBI arrested a 27-year-old Russian national on Monday in Los Angeles in connection with the scheme. The Justice Department didn't name the company in question, but Elon Musk confirmed on Twitter that it was Tesla.
According to the criminal complaint, the defendant, Egor Igorevich Kriuchkov, allegedly contacted a Russian-speaking Tesla employee with whom he had previously been acquainted and arranged to meet with the employee while Kriuchkov was vacationing in the US. Kriuchkov socialized with the employee and the employee's friends for several days in Nevada and California, with Kriuchkov covering all their expenses. After a few days, while the two were drinking heavily at a bar, Kriuchkov revealed that he was working for a "group" on a "special project," and offered the employee $500,000 (later upped to $1,000,000) to plant custom-made malware within Tesla's network. Kriuchkov said the group was paying $250,000 to develop the malware specifically for Tesla's network. The attackers' plan was apparently to steal sensitive files and threaten to publish them unless the company paid a ransom of several million dollars. The group would also launch a DDoS attack to distract Tesla's security team while the data was being exfiltrated.
After Kriuchkov revealed his intentions, the employee reported the incident to Tesla and worked with the FBI to record subsequent meetings with Kriuchkov. During these meetings, Kriuchkov said his group had successfully extorted at least two other companies in this manner. Kriuchkov was arrested on August 22nd while trying to leave the US and has been charged with one count of conspiracy to intentionally cause damage to a protected computer.
Brett Callow from Emsisoft noted in a comment to WIRED, "This is what happens when you hand billions to ransomware groups. If they can’t access a network via their usual methods, they can afford to simply buy their way in. Or try to. Tesla got lucky."
US warns of financially motivated attacks from North Korea.
CISA, US Cyber Command, the Department of the Treasury, and the FBI have issued a joint warning regarding a North Korean hacking group they're calling the BeagleBoyz (in an apparent homage to the homophonically named Mickey Mouse comic villains). The advisory states, "Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019."
The BeagleBoyz are a subgroup of the Hidden Cobra threat actor, although it overlaps "to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima." The group has targeted financial institutions in at least thirty-eight countries since 2015, successfully making off with hundreds of millions of dollars. The advisory says the group's activities "are likely a major source of funding for the North Korean regime."
Interestingly, the advisory says the BeagleBoyz may sometimes buy access to compromised networks from criminal actors, including TA505 (also known as Evil Corp), the Russia-based cybercriminal group behind the Dridex banking Trojan and the WastedLocker ransomware.
New Zealand's stock exchange disrupted by DDoS attacks.
New Zealand’s NZX stock exchange continued to sustain crippling distributed denial of service (DDoS) attacks on Friday, the Guardian reports. The attacks, which began on Tuesday, caused the exchange to intermittently halt trading throughout the week as it struggled to recover connectivity. The Associated Press says New Zealand's Government Communications Security Bureau intelligence agency has been brought in to assist with the incident.
The Australian Broadcasting Corporation quotes the country's finance minister Grant Robertson as saying, "I can't go into much more in terms of specific details other than to say that we as a government are treating this very seriously. NZX is a private company. We recognise that it is important that the government works with private companies like them, when they are faced with issues like the cyber attack that they are currently experiencing. There are limits to what I can say today about the action the government is taking behind the scenes due to significant security considerations."
The attackers' motive is unclear, as is their identity. The AP notes that "[n]either the NZX nor Robertson said if the attackers sought a ransom, as some have speculated."
More mercenary groups conducting corporate espionage.
Kaspersky describes "DeathStalker," a threat actor that primarily targets law firms and companies in the financial sector to steal sensitive business information. Notably, Kaspersky suspects that this is the same group that operates the Evilnum malware analyzed by ESET last year. Kaspersky also identified similarities between Powersing, Evilnum, and another malware family called "Janicab." The researchers assess "with medium confidence" that all three malware families are operated by the same threat actor. The group doesn't limit its activities to any particular region, and the researchers conclude that "any company in the financial sector could catch DeathStalker's attention, no matter its geographic location."
Bitdefender has identified another mercenary group that targeted a company "engaged in architectural projects with billion-dollar luxury real-estate developers in New York, London, Australia, and Oman." The group gained entry to the company's networks using a maliciously crafted plugin for the widely used 3D computer graphics tool Autodesk 3ds Max. The plugin exploits a recently disclosed vulnerability to deploy a backdoor, which then exfiltrates a list of files based on their extensions. The attackers then "look at the file listings from each of their victims and then compile a HdCrawler binary specific to the victim."
FBI and CISA issue warning about GoldenSpy.
The FBI and CISA have distributed a joint flash alert concerning the GoldenSpy malware embedded in tax software that businesses operating in China are required to use, Infosecurity Magazine reports. The alert states that the malware operators' attempt to stealthily deploy uninstallers for the malware following its discovery "reveals the actors' high level of sophistication and operational awareness. The software service providers have not provided a statement acknowledging the software supply chain compromise. The FBI assesses that the cyber-actors’ persistent attempts to silently remove the malware is not a sign of resignation. Rather, it is an effort to hide their capabilities. Organizations conducting business in China continue to be at risk from system vulnerabilities exploited by the tax software and similar supply chains."
Israel’s Ministry of Defense disclaims responsibility for Psy-Group.
The Times of Israel says that Israel’s Ministry of Defense is distancing itself from Psy-Group, an Israeli company the US Senate cited in its recent report on foreign attempts to influence the 2016 US election (p. 679). The report indicated that Psy-Group had worked for Russian operators. Israel’s Ministry of Defense disclaims any involvement; a spokeswoman for the Ministry told the Times of Israel, "Psy-Group does not appear on any of our lists. What this means is that they do not have a defense product that requires regulation. They are not on our list and it is not our responsibility to oversee them."
In principle, these connections involve dual-use products and services: whatever Psy-Group may have been up to, at one level of abstraction it's just marketing. But in this case it's allegedly marketing in Russian battledress. Israeli government supervision of cyber exports seems likely to remain a matter of domestic debate for the foreseeable future.
For more, see the CyberWire Pro Disinformation Briefing.
New sophisticated ransomware gang.
A cyber gang that says it's composed of former affiliates who've already made a pile through extortion has announced that it’s now working its own strain of ransomware, which it calls "DarkSide." According to BleepingComputer, the gang's communiqué says, "We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn't find the perfect product for us. Now we have it."
WIRED sees DarkSide's operators as "corporate" and "cruel," a distillation of underworld trends toward deliberate target selection, careful calibration of demands to offer a painful but tempting option to pay, and ruthless reprisal against victims who refuse. Like other sophisticated ransomware crews, they offer professional customer service to their victims, the better to ensure that the victim feels confident that they'll get their data back.
For more, see the CyberWire Pro Privacy Briefing.
Rookie ransomware group operating from Iran.
Group-IB says a new cybercriminal group operating from Iran is using the Dharma ransomware-as-a-service toolkit against companies in Russia, Japan, China, and India. The hackers are thought to be inexperienced (Group-IB calls them "greeners" and "script kiddies"), although their techniques have been effective. They use Masscan to identify hosts with exposed RDP ports and weak credentials, then brute-force their way in with NLBrute. They use additional publicly available tools to perform reconnaissance, move laterally, and disable antivirus software. The hackers then manually deploy the ransomware and demand one to five bitcoins in payment.
While the group is inexperienced, the researchers believe its emergence is significant because it "suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals." Cybercriminal gangs have in the past been primarily associated with Russia and to a lesser extent China.
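The intrusion pattern Group-IB describes (scan for exposed RDP, then brute-force credentials) leaves a distinctive trail in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often across several account names. The following detector is an added example, not part of the Group-IB report or the CyberWire article; it reads a constructed, simplified CSV rendering of such events and flags any source that exceeds a failure threshold inside a sliding time window. The field layout, addresses and account names are all constructed for the example.

```python
"""Flag RDP brute-force activity from failed-logon records (added example).

Consumes simplified Windows Security Event 4625 records (failed logon) and keeps
only those with LogonType 10 (RDP). Reports source addresses with at least
`threshold` failures within any `window`-long span, together with how many
distinct account names were tried in that span, a signal that separates
credential spraying from one user mistyping a password.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,event_id,logon_type,source_ip,account".
# 203.0.113.7 sprays six accounts in six seconds; 198.51.100.9 is a network
# (type 3) failure, not RDP; 192.0.2.44 is one user failing slowly.
SAMPLE_EVENTS = """\
2020-08-24T10:00:01,4625,10,203.0.113.7,administrator
2020-08-24T10:00:02,4625,10,203.0.113.7,admin
2020-08-24T10:00:03,4625,10,203.0.113.7,backup
2020-08-24T10:00:04,4625,10,203.0.113.7,sqlsvc
2020-08-24T10:00:05,4625,10,203.0.113.7,test
2020-08-24T10:00:06,4625,10,203.0.113.7,user1
2020-08-24T10:00:30,4625,3,198.51.100.9,alice
2020-08-24T10:05:00,4625,10,192.0.2.44,bob
2020-08-24T10:09:00,4625,10,192.0.2.44,bob
2020-08-24T10:15:00,4625,10,192.0.2.44,bob
"""

FAILED_LOGON = "4625"       # Windows Security: an account failed to log on
RDP_LOGON_TYPE = "10"       # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse CSV-like lines into (timestamp, source_ip, account) tuples,
    keeping only failed RDP logons."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue
        events.append((datetime.fromisoformat(ts), src, account))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, distinct_accounts_in_window)}
    for every source that reached `threshold` failed RDP logons inside `window`."""
    recent = defaultdict(deque)   # per-source sliding window of (ts, account)
    alerts = {}
    for ts, src, account in sorted(events):
        q = recent[src]
        q.append((ts, account))
        # Drop failures that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(src, (0, 0))
            alerts[src] = max(prev, (len(q), len({a for _, a in q})))
    return alerts


if __name__ == "__main__":
    for src, (count, accounts) in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {src}: {count} failed RDP logons, {accounts} distinct accounts")
```

With the defaults (five failures per minute) only the spraying source is reported; widening the window and lowering the threshold would also surface the slow, single-account failures from 192.0.2.44, which is usually noise, so the two parameters are what you tune against your own baseline. In production the same logic runs over 4625 events pulled from the Security log, but the cheaper control the report implies is not to expose RDP to the internet at all.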
For more, see the CyberWire Pro Research Briefing.
Palantir files its S-1.
Palantir submitted its S-1 filing on Wednesday to take the company public. The company revealed that it had a net loss of $580 million in 2019 and similar losses in 2018. The New York Times notes that Palantir is "the latest in a string of tech companies to offer shares on Wall Street well before turning a profit." As part of its growth strategy, the company says it's seeking to grow its customer base in the private sector, while becoming "the default operating system for data across the U.S. government."
In an introductory note to the S-1, CEO Alex Karp defended his company's positions and criticized its Silicon Valley peers, shedding more light on the company's decision to move its headquarters to Denver, Colorado:
"We embrace the complexity that comes from working in areas where the stakes are often very high and the choices may be imperfect. The more fundamental issue is where authority to resolve such questions — to decide how technology may be used and by whom — should reside. Our society has effectively outsourced the building of software that makes our world possible to a small group of engineers in an isolated corner of the country. The question is whether we also want to outsource the adjudication of some of the most consequential moral and philosophical questions of our time. The engineering elite of Silicon Valley may know more than most about building software. But they do not know more about how society should be organized or what justice requires.
"Our company was founded in Silicon Valley. But we seem to share fewer and fewer of the technology sector’s values and commitments. From the start, we have repeatedly turned down opportunities to sell, collect, or mine data. Other technology companies, including some of the largest in the world, have built their entire businesses on doing just that. Software projects with our nation’s defense and intelligence agencies, whose missions are to keep us safe, have become controversial, while companies built on advertising dollars are commonplace. For many consumer internet companies, our thoughts and inclinations, behaviors and browsing habits, are the product for sale. The slogans and marketing of many of the Valley’s largest technology firms attempt to obscure this simple fact.
"The world’s largest consumer internet companies have never had greater access to the most intimate aspects of our lives. And the advance of their technologies has outpaced the development of the forms of political control that are capable of governing their use. The bargain between the public and the technology sector has for the most part been consensual, in that the value of the products and services available seemed to outweigh the invasions of privacy that enabled their rise. Americans will remain tolerant of the idiosyncrasies and excesses of the Valley only to the extent that technology companies are building something substantial that serves the public interest. The corporate form itself — that is, the privilege to engage in private enterprise — is a product of the state and would not exist without it. Our software is used to target terrorists and to keep soldiers safe. If we are going to ask someone to put themselves in harm’s way, we believe that we have a duty to give them what they need to do their job. We have chosen sides, and we know that our partners value our commitment. We stand by them when it is convenient, and when it is not."
M&A and investment news.
M&A always needs legal counsel. In this week's business news, Sidley Austin LLP represented Palo Alto Networks in its acquisition of The Crypsis Group, ConvergeOne in its acquisition of Altivon, and KKR in its major investment in ReliaQuest.
More business news can be found in the CyberWire Pro Business Briefing.
Crime and punishment.
The Wall Street Journal reports that US authorities are moving toward civil forfeiture of cryptocurrency stolen by North Korean government hackers.
Courts and torts.
The NonProfit Times reports that a class action suit has been filed in South Carolina against Blackbaud, the provider of CRM services to the not-for-profit and educational sectors. The plaintiffs allege that the cyberattack Blackbaud sustained has caused its customers "ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack." Blackbaud disputes this, saying, "Blackbaud disagrees with the allegations and intends to demonstrate they are without merit."
Policies, procurements, and agency equities.
Thailand's Minister of Digital Economy and Society said Wednesday that his department is cracking down on online content deemed illegal in the country, the Washington Post reports. On Monday, the Thai government forced Facebook to block a group that was critical of the nation's monarchy (the group is still accessible outside of Thailand). A Facebook spokesperson told TechCrunch, "After careful review, Facebook has determined that we are compelled to restrict access to content which the Thai government has deemed to be illegal. Requests like this are severe, contravene international human rights law, and have a chilling effect on people’s ability to express themselves. We work to protect and defend the rights of all internet users and are preparing to legally challenge this request."
In a Foreign Affairs essay, General Nakasone, commander of US Cyber Command and director of the National Security Agency, explained his organizations’ increasingly assertive doctrine of persistent engagement in cyberspace: "We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it."
For more, see the CyberWire Pro Policy Briefing.