Anonymous leak; Russian hackers

 NewsBytes#43: Anonymous leaks Nestle 10GB database; Russian hackers formally charged for 2012-18 attacks by the US 

Written By: Austin Miller

Anonymous leaks Nestle 10GB database

In a continued protest against the Russian-Ukrainian conflict, hackers working under the Anonymous name have turned their attention to organizations that are refusing to stop trading in the Russian Federation. This includes the controversial confectionary company Nestlé, who have found a 10GB database leaked. 

Up until Thursday 25th March, Nestlé had refused to leave Russia and Anonymous stated that they would take down the corporate giant. As to be expected from a company of that size, government direction was ignored. 

Nestlé’s reaction so far has been to deny that a hack has happened at all, instead stating that the data leak was an accidental data dump on their behalf. Still, they have decided to stop selling their biggest products in the region. It seems that hacktivism seems to be working in this conflict. 

Russian hackers formally charged for 2012-18 attacks by the US

Within the last 24 hours, four Russian government employees have been charged with cyberattacks on the global energy sector. These attacks have nothing to do with the ongoing Russia-Ukraine conflict, but it is presumed that Russo-American relations being at an all time low contribute to the timing of these charges. 

From a technical perspective, the allegations state that the Russian government employees had installed backdoors and launched malware aimed at energy facilities, including the 2017 Triton attack against Saudi Arabia and the TRISIS malware launched against Schneider Electric. Although there have been loud whispers about the role of the Russian government in APTs coming from Eastern Europe, this has been a declaration from the US that these are government-backed nation-state attacks. 

U.S. hackers found to attack Russia through computers in China

Of course, when one accusation comes out, they all come out. China has waded into the cyber-warfare fray and accused hackers originating in the US of using Chinese systems as a jump box, i.e. using a RAT or other means to take control of remote systems and use them to launch cyberattacks. 

The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) found the hacks and linked them with IP addresses in places like Illinois, New York, Germany, and South Holland. 

IP addresses

CNERT/CC shared that 36Gb of data is sent every second and that 87% of these attacks are targeting Russia. The hacktivists behind this attack may be working as nation state backed hackers or as renegade individuals targeting Russian infrastructure, but CNCERT/CC declined to divulge much more information.  

Tardigrade: an APT on the vaccine manufacturing industry

Biomanufacturers – including vaccine producers – should now be on red alert thanks to a new malware which is targeting companies in that sector. It appears to be an advanced persistent threat (APT) and has been named Tardigrade by its discovers, after the microanimal

Discovered by BIO-ISAC, the malware has a surprising degree of autonomy and metamorphic capabilities. This implies that the team behind the polymorphic malware, especially when you investigate the technical details: 

  • The code changes to account for the infected system 
  • Each instance of the malware communicates with the command-and-control server in a unique way 
  • It recompile its loader from memory and does not leave a consistent signature 

It appears that the malware is delivered through phishing attacks and infected USB drive attacks. To defend your organization against Tardigrade, it is advised that you follow defensive advice against known malware loaders such as SmokeLoader and Dofoil.  

Although the purpose isn’t known yet, it is expected that the malware was developed as a keylogger and data exfiltrator. More will be known in the coming weeks when a sample is captured and examined. 

Another Wiper appears in Ukraine

Keeping up with the number of wiper viruses targeting Ukrainian infrastructure is a challenge in itself, let along analyzing them. The DoubleZero virus has been identified and seems to have very similar tactics and procedures that were used by CaddyWiper, HermeticWiper, and WhisperGate over the last few months. 

CISCO Talos is still analyzing the details, but there is evidence that the wiper targets the following files: 

  • <Root_drive>\Windows\Microsoft.NET 
  • <Root_drive>\Windows 
  • <Root_drive>\\Users\\\\.*?\\\\Local Settings.* 
  • <Root_drive>\\Users\\\\.*?\\\\AppData\\\\Local\\\\Application Data.* 
  • <Root_drive>\\Users\\\\.*?\\\\Start Menu.* 
  • <Root_drive>\\Users\\\\.*?\\\\Application Data.* 
  • <Root_drive>\\ProgramData\\\\Microsoft.* 
  • <Root_drive>\\Users\\\\.*?\\\\AppData\\\\Local\\\\Microsoft.* 
  • <Root_drive>\\Users\\\\.*?\\\\AppData\\\\Roaming\\\\Microsoft.* 
  • <Root_drive>\Documents and Settings 
  • <Root_drive>\ProgramData\Application Data 
  • <Root_drive>\Users\All Users 
  • <Root_drive>\Users\Default User 
  • <Root_drive>\system\drivers 
  • <Root_drive>\Windows\NTDS 

As of yet, only a small number of antiviruses are capable of dealing with the threat. For organizations in Ukraine or working with industries in Ukraine, both CISCO and ClamAV are currently capable of dealing with the issue. Pay close attention to your antimalware for updates over the next few days. 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.