Posted on 06-12-2020.
This spring, an array of European countries faced a massive cyberattack campaign, with nearly 80 critical infrastructure institutions in Eastern and Central Europe affected. The attacks reportedly served Russia’s and China’s interests in Europe. A credential dump related to the attacks was discovered by a researcher from Trend Micro, a cybersecurity and defense company, who wanted to remain anonymous. After discovering the credential dump (almost 8 million lines of email/password combinations once cleaned) and analyzing it, they shared their findings with forklog.media. The malicious schemes deployed by the threat actors included a botnet operation, identity spoofing, the use of phishing infrastructure, and espionage.
“I take the data, create an edgelist, and turn it into a directed multigraph. Then I run various calculations using the SNA/CNA methods. This helps to understand the hidden dynamics in the dataset. By doing so, I detected statistically significant communities that supported the hypothesis about bots/cybercrime and about the real origin of these credentials. This analytical approach is based on graph theorem and helps to process data with more contextual information. From the outside, it looks like regular statistics, which it in fact is, but the inner dynamics are different. Even the database architecture has to be different from a regular SQL DB.”
“In case of email reoccurrence in the dataset, there are several possible hypotheses. Either the email was used more times with different passwords, or it posed significant importance for the attackers so that they put all known existing credential versions of the victim, or possibly the user was hacked multiple times and therefore more of his passwords have leaked. However, in case of high numbers like ~20+, chances are that the attackers simply put all available relevant password versions for the victim email into the list to be sure to succeed,” the report further read.

Bot statistics

According to the researcher, a credential is considered suspicious if its password is used with a high number of usernames, and/or if its username is used with a high number of domains and has a password that is also reused frequently.
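As an added illustration (not code from the report, the researcher, or Trend Micro), the reuse heuristic above applied in Python to a constructed sample of email/password lines; the reuse thresholds `pw_reuse` and `domain_reuse` are assumed values, not figures from the report.

```python
from collections import defaultdict
# Constructed sample of email:password lines standing in for a cleaned dump.
SAMPLE_DUMP = """\
alice@example.org:Winter2020!
alice@example.org:Winter2021!
bob@example.net:Passw0rd
bob@example.org:Passw0rd
bob@example.com:Passw0rd
carol@example.org:hunter2
dave@example.net:Passw0rd
erin@example.com:Passw0rd
"""

def parse_dump(text):
    """Return (email, password) pairs, skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or "@" not in line.split(":", 1)[0]:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.lower(), password))
    return pairs

def reuse_stats(pairs):
    """Count distinct usernames per password and distinct domains per username."""
    users_per_password = defaultdict(set)  # password -> local parts using it
    domains_per_user = defaultdict(set)    # local part -> domains it appears under
    for email, password in pairs:
        user, domain = email.rsplit("@", 1)
        users_per_password[password].add(user)
        domains_per_user[user].add(domain)
    return users_per_password, domains_per_user

def flag_suspicious(pairs, pw_reuse=3, domain_reuse=2):
    """Flag a credential when its password is shared by many usernames, or when its
    username spans many domains with a reused password (thresholds are assumed)."""
    users_per_password, domains_per_user = reuse_stats(pairs)
    flagged = {}
    for email, password in pairs:
        user = email.rsplit("@", 1)[0]
        n_users, n_domains = len(users_per_password[password]), len(domains_per_user[user])
        reasons = []
        if n_users >= pw_reuse:
            reasons.append("password shared by %d usernames" % n_users)
        if n_domains >= domain_reuse and n_users > 1:
            reasons.append("username under %d domains with a reused password" % n_domains)
        if reasons:
            flagged[(email, password)] = reasons
    return flagged
```

On the sample, the three `bob@` entries are flagged on both counts, `dave@` and `erin@` only on password sharing, and the `alice@` and `carol@` entries are not flagged at all.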
“By the time of finding, governments, hospitals, power plants, and other crucial parts of infrastructure were targeted with a cyber attack, accompanied by strong propaganda on social networks. The circumstances, therefore, suggest a nation state-sponsored threat actor. This hypothesis can be stated with a high level of confidence,” they added.

They noted, however, that somebody may only have wanted the attack to be attributed to Russia and China and therefore chose timing and targets suggesting that origin.

Just recently, a hacking group linked with the Russian government has reportedly carried out a series of attacks on the energy, water, and power sectors of Germany. German authorities tend to believe that the efforts to compromise the country’s critical infrastructure were taken by the Berserk Bear hacking group.