
‘We hacked the hackers’: Law enforcement disrupts Hive gang


Good morning and happy Friday! 

I have some bittersweet news: This is my last day as The Cybersecurity 202’s researcher; starting next week, I’ll be an assistant editor on the 202 newsletter team, working more behind-the-scenes on The Cyber 202 and our other incredible newsletters (you may still see my byline occasionally). It has been a pleasure to work alongside Tim Starks, who I’m filling in for today, editor Paige Winfield Cunningham and all the other amazing Post colleagues who have so graciously collaborated with us.


Justice Department officials announce a victory in their efforts to fight ransomware innovatively

Law enforcement agencies in the United States and Europe have announced the disruption of a major ransomware gang, the latest step by authorities to go on the offense and keep cybercriminals on their toes as they attempt to take on the scourge of ransomware.

The gang called Hive attacked hospitals, school districts, financial firms and others, stealing and sometimes publishing their data, Attorney General Merrick Garland said yesterday.

“Like some other prolific groups, Hive partnered with independent hackers who broke in through phishing or other means: The gang provided the encryption program and ransomware negotiations, and split the profits with the hackers,” Perry Stein, Joseph Menn and I wrote in a story about the announcement.

Justice Department officials described the operation as a major victory in their efforts to fight ransomware innovatively.

Officials said law enforcement was able to hack Hive and infiltrate its networks for seven months, stealing the decryption keys and quietly giving them to 336 victims before taking full control of Hive servers in the United States and Europe, knocking them offline and preventing new infections.

  • In the past, the FBI has seized and returned ransoms to victims and obtained keys to decrypt systems, but not on the scale of the Hive operation, FBI Director Christopher A. Wray said.
  • The FBI also gave more than 1,000 decryption keys to previous victims of the group, the Justice Department said.

International cooperation was apparently also key. German police and public prosecutors said in a statement that they were able to penetrate the hackers’ IT infrastructure as they investigated the hacking of a company based in southern Germany.

  • Investigations of Hive were successful because victims didn’t pay the hackers’ ransom and instead filed criminal charges, the German statement said. 

The disruption of the Hive ransomware group is also the latest example of law enforcement officials using a strategy other than mere arrests to take them down.

“We hacked the hackers,” Deputy Attorney General Lisa Monaco said at a news conference. “We turned the table on Hive.” 

Monaco also called the operation a “21st century cyber stakeout.”

For years, officials have gone after notorious ransomware gangs. The Justice Department has set up a Ransomware and Digital Extortion Task Force and National Cryptocurrency Enforcement Team, and in a cyber review last year said that the Justice Department can be “impactful against these threats even before prosecution and arrest.”

In recent years, the Justice Department has announced the seizure of millions of dollars from the hackers involved in notorious ransomware attacks that affected U.S. organizations and businesses. Here are a few major examples:

  • Officials arrested a NetWalker ransomware hacker in January 2021; he was convicted last year and ordered to forfeit $21.5 million. Law enforcement also seized hundreds of thousands of dollars worth of ransom payments and a dark web website used by the group.
  • In June 2021, federal authorities recovered more than $2 million in ransoms paid to DarkSide, which infamously hacked Colonial Pipeline.
  • In November 2021, authorities accused a Ukrainian national of launching a ransomware attack on IT software company Kaseya and seized more than $6 million in ransomware-related funds. But the FBI waited almost three weeks to help unlock the systems of victims impacted by that hack, The Washington Post first reported. Lawmakers raised concerns about the delay.
  • Last year, the FBI recovered around $500,000 in cryptocurrency paid as ransoms to North Korean hackers.

But it doesn’t necessarily mean that it’s the end for Hive or its hackers. Hive could move to new infrastructure and regroup, as other gangs have done in the past.

A top U.K. cybersecurity official is set to leave his post this year

U.K. signals intelligence agency GCHQ said its director, Jeremy Fleming, will remain in his post until the summer and there will be a normal “internal civil service competition to identify a successor,” the Record’s Alexander Martin reports. 

“Fleming has been in the role as GCHQ head for almost six years, assuming the office in April 2017,” Martin writes. “His official page credits him with leading ‘a significant period of growth’ at the agency — citing the opening of a new secure facility in Manchester, as well as the launch of the National Cyber Force. He also championed a ‘focus on diversity and inclusion.’”

The industry for cryptocurrency laundering is consolidating

Cryptocurrency analytics firm Chainalysis found that just five cryptocurrency exchanges received around two-thirds of the illicit funds that the firm traced to exchanges, Wired’s Andy Greenberg reports. All told, Chainalysis found just 915 services for cashing out illicit crypto, the smallest such number since 2012.

“In fact, Chainalysis saw just 542 cryptocurrency deposit addresses receive more than half of the $6.3 billion in total illicit funds it tracked to those cash-out services in 2022, and just four addresses received $1.1 billion of those funds,” Greenberg writes.

A Treasury Department official who spoke with Wired on the condition of anonymity because of the sensitivity of sanctions policy coordination said that Chainalysis’s data may be incomplete and that the consolidation may be the result of cryptocurrency exchanges going out of business during an industry downturn. The official also pointed to the cryptocurrency enforcement work of U.S. and international authorities.

“The way you get at money laundering on a broad scale is you slowly whittle down the number of open vulnerabilities. Little by little you make the gaps fewer and fewer, smaller and smaller,” the official told Wired. “If you close up more gaps in the dam, more water flows through those open holes.”

Royal Mail resumes more international service after hack

The United Kingdom’s largest mail delivery service has resumed more of its international operations, telling customers weeks after it suffered a cyberattack that they can use more of its international letter services, Reuters’s Muvija M reports. The cyberattack, which appeared to be ransomware, has highlighted the risks of hacks on mail delivery services.

The incident doesn’t seem to be behind Royal Mail, which said on its website that it continues “to ask customers not to submit new parcels for export as our initial focus is to clear mail that has already been processed and is waiting to be [dispatched].”

Mastermind in JPMorgan hack left U.S. for Israel, his father says (Bloomberg News)

Head of Israeli cyber firm NSO Group reaffirms company commitment to spyware (Wall Street Journal)

Don’t use TikTok, Dutch officials are told (Politico Europe)

Google nukes 50,000 accounts pushing Chinese disinformation (Bleeping Computer)

Cyber Ninjas’ ties to Trump during Arizona election ‘audit’ revealed in messages (Arizona Republic)

Legislators renew efforts to protect consumers from an eavesdropping fridge (NextGov)

Thanks for reading. See you tomorrow.
