March cyber summary

In a conversation with Recorded Future, the alleged leader of LOCKBIT said that the Operation Cronos takedown will only act as additional advertising for the group, and that it has no intention of disbanding, nor of stopping its operations.  

… but ALPHV/BLACKCAT is dead! (Maybe.) 

It appears, however, that the ALPHV/BLACKCAT ransomware group might have used up all its nine lives – or, at least, is doing a good job of playing possum.

Affiliates operating under the BLACKCAT Ransomware-as-a-Service (RaaS) model targeted Change Healthcare, the largest healthcare payment processor in the United States. The attack pushed pharmacies, healthcare providers, and patients to urgently seek alternatives for filling prescriptions.

After the affiliate crypto wallet received a US$22m payment, assumed to be from Change Healthcare, it ceased operations. A ‘This website has been seized’ notice appeared on its website, stating that the FBI had taken control of the site as the result of a co-ordinated effort with other agencies.

However, the UK’s National Crime Agency – one of the agencies named in the notice – denied its involvement and the FBI wouldn’t comment. A bit of digging by some suspicious cyber sleuths revealed that the seizure notice had in fact been copied and pasted from a different site that was seized back in December 2023.

There are two likely explanations for BLACKCAT’s disappearing act. The first is that the group was spooked by the operation against LOCKBIT. The second is that it is lying low for a while and will soon resume its RaaS activities under a new name.

This second explanation feels most plausible – especially as there is now online chatter that BLACKCAT vanished without paying its affiliate group a cut of the US$22m payment.

BLACKCAT was one of the most prolific ransomware groups, though unfortunately its disappearance will not make any major change to the ransomware landscape. Already, there are reports of new ransomware groups set to take its place, and existing groups are also actively running recruitment campaigns to attract former members of BLACKCAT and LOCKBIT.

UK calls out China for “malicious cyber activity”

In a joint statement issued on 25 March 2024, the UK’s National Cyber Security Centre and the UK government publicly accused China of state-backed cyber crime:

“The United Kingdom, supported by allies globally, have today identified that Chinese state-affiliated organisations and individuals were responsible for 2 malicious cyber campaigns targeting democratic institutions and parliamentarians.”

The joint statement named three individuals who are allegedly part of the APT31 group (APT = ‘advanced persistent threat’).

This is especially significant, as APT31 is accused of compromising the UK Electoral Commission between 2021 and 2022, and of attempted espionage against parliamentarians. (The Electoral Commission is the UK’s elections watchdog.) The Electoral Commission says it was not adversely affected by these efforts, and it does not seem that any parliamentary accounts were compromised.  

Even so, the Foreign Secretary, David Cameron, summoned the Chargé d’Affaires of the Chinese Embassy to respond to allegations that state-sponsored hackers from China had stolen data from the Electoral Commission, and conducted a surveillance operation targeting members of parliament.

Not just a UK problem

Describing Chinese “state-sponsored malicious cyber actors [as] one of the greatest and most persistent threats to US national security,” the US Treasury has also applied sanctions to members of APT31. 

In the US, APT31 has targeted some of its most vital critical infrastructure sectors, including the military, information technology, and energy sectors. The US claims that APT31 members have accessed data belonging to numerous Defense Industrial Base victims, including a contractor that made flight simulators for the US military, a Tennessee-based aerospace and defence contractor, and an Alabama-based aerospace and defence research company.

New Zealand, meanwhile, says that APT31 targeted its Electoral Commission around the same time as it was attacking the UK’s. 

Although a tiny country of around 5 million people, as a member of the Five Eyes alliance (with the UK, US, Canada and Australia) New Zealand is an obvious target for China to set its sights on. Furthermore, it has a history of fairly lax defences against foreign state interference.

Most notably, Jian Yang moved to New Zealand from China and became a citizen in 2004. Despite having reported connections to Chinese military intelligence, and despite having taught at a prestigious institution recognised for training Chinese intelligence operatives, Mr Yang was elected to the New Zealand parliament in 2011 and duly served as an MP until his retirement from politics in 2020.

Mr Yang has admitted that he taught English to students in China so that they could “monitor communications and collect information,” but denies that he was ever a spy himself.

CISA hacked 

It has come to light that the Cybersecurity & Infrastructure Security Agency (CISA) – the United States’s own cyber security agency – had to take two systems offline in February after vulnerabilities were detected in Ivanti software.

Fortunately, the attack affected only two of CISA’s machines. CISA urged organisations to review their patches for the Ivanti Connect and Ivanti Policy Secure gateways CVEs:

• CVE-2023-46805
• CVE-2024-21887
• CVE-2024-21893

CISA’s experience serves as a stark reminder that every organisation needs to prepare for a cyber attack, and that it is important that organisations are aware of their external footprints and apply relevant patches.