Russian hackers attack unsuspecting victims! Heimdal™ Security, an Odense-based online security provider, has recently flushed out a hacking group operating from around Moscow. The threat group, which has yet to be identified, was scheming to exfiltrate, encrypt and demand ransom for company-sensitive information from a Danish IT reseller, as well as from other Danish and US businesses.
The method used in the attempted data-harvesting operation was a password-guessing attack known as a brute-force. This type of cyber-aggression consists of ‘bombarding’ a machine’s Internet-facing ports with password combinations in the hope that one of them will ‘open the safe’.
So far, 2020 has been a lucrative year for hackers. From the coronavirus phishing campaigns of March to the Grubman Shire Meiselas & Sacks data leak, illicit data extraction shows no signs of slowing down. The recent incident proves that companies are still preferential targets for hackers looking for a quick way to earn money.
Asked for comment, Martin Mikael Lauritzen of Harbor IT, the Danish company involved in the incident, declared that the hackers were attempting to force their way into the host server, but were detected and stopped by the Heimdal™ software, in what then became a race against time for the reseller to prevent any loss of data or claim for ransom. A ransomware compromise is catastrophic, as it has potentially severe financial as well as GDPR implications for the business involved.
Both Heimdal™ Security and the victims have confirmed that the data centers remain intact and that not a single bit of client or company-sensitive information has leaked out.
The recent Russian attack marks the dawn of a new, no-loose-ends criminal posture. “We take no prisoners” sums up this emergent cyber-philosophy, in which demanding ransom for encrypted files is the clear goal.
A window to kill. Rebuilding the incident’s timeline
On the 14th of October, Heimdal™ Security’s Incident Response Team was informed of a hacking attempt (a brute-force attack) directed at the Danish reseller. In reviewing the data, Heimdal™ Security’s staff discovered that all of the brute-force attempts were carried out in the morning (i.e. 9 AM).
For Harbor IT, over 1,000 password-cracking attempts were registered, and the attackers were extremely persistent in their ambition to penetrate the systems. All the important numbers, as well as the IPs involved in this attack, are represented in this picture. As the reader can see, eight distinct IPs were used throughout this brute-force session. All of them were pinpointed to Moscow and its outskirts.
The Technical Details
“More than one-quarter of the attacks tracked to the same IP”
Over 30% of the brute-force attempts originated from one IP address. The digital forensic analysis revealed that the same IP – 45.141.87.18 – was involved in attacks conducted against three other companies (one of which is also headquartered in Denmark). This means that the Russian hackers are targeting multiple companies in the Western world, just looking for an easy kill.
According to Heimdal’s intelligence report, the primary attack IP address (45.141.87.18) was first sighted three months ago, when a US-based contractor reported similar occurrences.
Interestingly enough, in the case of the US attack, only the primary attack IP address was used. It’s only natural to assume that the group may have used the data gathered during the North American assault to brute-force its way into the Danish company’s database. This can be inferred by comparing the number of attempts during each attack:
1000+ (Danish reseller) vs. 20,000+ (US company)
The fifth IP on the list (185.202.0.117) was used to attack a personal email address. Around 30 brute-force attempts against the Gmail address were registered. The email address in question is not in any way connected to any of the companies targeted by the hackers. Therefore, this couldn’t have been a case of insider threat. It may simply have been another criminal group thousands of miles away, looking for illegal gains.
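One way to carry out the kind of per-source analysis described above (share of failed attempts per IP, and bursts of attempts inside a narrow time window), as an added example that is not Heimdal’s or Harbor IT’s own tooling: the log format and the IP addresses are constructed for illustration, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

def constructed_log():
    # Constructed sample in a hypothetical "<ts> <event> user=<u> src=<ip>" format (not Heimdal's
    # or Harbor IT's own data); addresses come from the RFC 5737 documentation ranges.
    base = datetime(2020, 10, 14, 9, 0, 0)
    lines = []
    for i in range(40):  # one source hammering the login: 40 failures in 8 minutes
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts.strftime(FMT)} auth-fail user=admin src=192.0.2.10")
    for n, src in enumerate(["198.51.100.7", "198.51.100.8", "203.0.113.5", "203.0.113.6"]):
        for i in range(5):  # four low-volume sources: 5 failures each, spread over an hour
            ts = base + timedelta(minutes=10 * i + n)
            lines.append(f"{ts.strftime(FMT)} auth-fail user=admin src={src}")
    lines.append(f"{base.strftime(FMT)} auth-ok user=alice src=198.51.100.9")  # must be ignored
    return "\n".join(lines)

def parse_failures(text):
    # Return (timestamp, source_ip) for every failed-authentication line; other events are skipped.
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "auth-fail":
            continue
        events.append((datetime.strptime(parts[0], FMT), parts[3].split("=", 1)[1]))
    return events

def flag_sources(events, share_threshold=0.30, burst_min=20, window=timedelta(minutes=10)):
    # Flag sources that dominate the failure volume or burst inside a short window (assumed thresholds).
    total = len(events)
    per_src = defaultdict(list)
    for ts, src in events:
        per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):  # sliding window: most failures within `window`
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        reasons = []
        if len(times) / total >= share_threshold:
            reasons.append(f"{len(times) / total:.0%} of all failures")
        if best >= burst_min:
            reasons.append(f"{best} failures within {window}")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Running `flag_sources(parse_failures(constructed_log()))` flags only the dominant source, on both the share and the burst criterion; the four low-volume sources stay below both thresholds.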
Important takeaways
Lessons learned, or even more unanswered questions? Hackings are seldom random. There’s always a pattern, but to see it, we need to take one step back. The recent Harbor IT attack teaches us that…
A learning curve is involved.
If we look closely at the numbers associated with the US and the DK attacks, we can conclude that the purpose of the first attack was to learn more about approaching a high-profile target. In other words, while the first attempt was similar to meatball surgery, the latter was with a detail level closer to brain surgery.
A criminal group is at work.
Attacks conducted against large targets are seldom the work of a lone wolf. There may be more than one individual involved in this operation. Factoring in the number of brute-force attacks and the target’s high profile, we can easily conclude that this may be the beginning (of the end) of a malicious campaign directed at the business sector.
Wrap-up
The attack was successfully averted. At least for the time being. There’s no indication that hackers will stop attacking high-profile targets, or any other target for that matter. The COVID pandemic certainly did not slow them down. On the contrary: we are witnessing more attacks on both home and business targets now compared to the beginning of the pandemic, with some industries being more affected than others.
To name a few, we have the Hammersmith Medicines Research incident in late March, which led to hackers disclosing patient info after HMR refused to pay the ransom, the attack on the Ruhr University Bochum in May, and the vicious assault on Cognizant in late April. Unfortunately, the list goes on, with experts believing that this is the proverbial tip of the iceberg.
Heimdal Security recommends keeping your antivirus software up-to-date, performing frequent system scans, and reviewing your firewall’s outbound and inbound rules. For home users, it’s enough to have an antivirus solution installed on your devices like desktop computers, laptops, tablets, or smartphones. Additional information on brute-force attack protection can be found in this Brute-Force guide.
Heimdal Security interviews Martin Mikael Lauritzen on Harbor IT incident (redacted)
Heimdal Security: ‘Tell us about your experience with the recent incident.’
M.M. Lauritzen: ‘Harbor IT is an IT company specialized in cloud computing and IT infrastructure solutions. About the incident: it really took us a bit by surprise. That morning, I was just about to start working on some maintenance updating, when I saw an unusually high CPU load from the Heimdal app. One of our hosted servers was unusually slow and had a high CPU usage. A couple of minutes later, we got a call from Heimdal, telling us that we’d been attacked by hackers. The Heimdal dashboard confirmed that someone had tried to brute-force attack us. As we went through the security center of our Azure platform, we could also see suspicious authentication activity.
To be honest, we were somewhat concerned about the implications of such an event. The Heimdal account manager assured us that these attacks are common, but normally very ineffective. We took the necessary precautions to ensure that the data is safe – switched on the Just in Time feature and rerouted the Internet-facing ports. From where we stand, this is a lesson learned in cybersecurity – letting your guard down isn’t a good idea. Not in business, and certainly not when it comes to data security.’