Cyber Week in Review: April 22, 2022

Pegasus spyware detected at Prime Minister Boris Johnson’s office 

A report released by the Citizen Lab details the infection of networks belonging to the United Kingdom’s Prime Minister’s Office and the Foreign and Commonwealth Office with Pegasus spyware. The Citizen Lab report attributed the infection to a Pegasus operator with ties to the United Arab Emirates (UAE), and concluded that multiple intrusions occurred in both 2020 and 2021. The NSO Group denied any knowledge of the attack, while the UAE declined to comment. This news follows last year’s finding by a British court that the UAE used Pegasus spyware to surveil the ex-wife of Mohammed bin Rashid al-Maktoum, the ruler of Dubai, while she resided in the United Kingdom. 

Spyware campaign targeting Catalan separatists revealed 

The devices of at least sixty-five pro-independence Catalans were targeted with Pegasus and Candiru spyware, according to a new Citizen Lab report. Most of the incidents occurred between 2017 and 2020, amid rising tensions over Catalan separatism and the 2017 Catalan independence referendum. The Citizen Lab found evidence of “zero-click” exploits on the victims’ devices, which infect phones and computers even without users clicking on malicious links. The identified victims include the president of the Catalan government, members of the European Parliament, Catalan legislators, and activists. Though Citizen Lab declined to conclusively attribute the attack, the report noted that there is “strong circumstantial evidence” linking Spanish authorities to the incident. 

NATO to conduct Locked Shields cyber defense exercise 

On Tuesday, over two thousand individuals from sixty five countries gathered in Tallinn, Estonia, to take part in NATO’s annual Locked Shields cyber defense exercise. The exercise is aimed at fostering international cooperation and coordination as participants work to help a fictional country respond to real-time cyberattacks. This year’s event has a heightened sense of significance, as international attention has turned to the barrage of cyberattacks related to the ongoing Russia-Ukraine conflict. In March, NATO nations unanimously voted to admit Ukraine to the NATO Cooperative Cyber Defence Centre of Excellence, as a “contributing participant,” enabling Ukrainian experts to take part in the exercise and to access the NATO-accredited cyber knowledge hub. While Locked Shields presents an opportunity to assess countries’ operational capabilities, experts note numerous challenges in running cyber exercises, including the difficulty in creating realistic training environments. 

North Korea’s Lazarus Group linked to major cryptocurrency heist  

The North Korean-linked Lazarus Group have been blamed for a massive cryptocurrency heist, stealing more than $600 million dollars from the Axie Infinity video game. The hackers infiltrated Ronin Network, a decentralized finance platform, which is responsible for the game’s underlying blockchain. The U.S. Treasury’s Office of Foreign Assets Control acted swiftly to implement sanctions against the Lazarus Group, using an Ethereum address to attribute that attack to the group. Lazarushas used a cryptocurrency mixer, Tornado Cash, to launder about 18% of the stolen funds thus far. Cryptocurrency theft has become a significant source of funding for the North Korean government, with state-sponsored attacks netting as much as $400 million in 2021. 

REvil Leak Site Reactivated, New Victims Identified 

The infamous ransomware group REvil, which disbanded after its servers were taken over by U.S. Cyber Command, has apparently resumed operating. Fourteen REvil affiliates were arrested in January 2022 by the Russian Federal Security Service (FSB). REvil’s leak site, where it posts the names and data of companies, added two new entries over the past week, Oil India and French marketing firm Visotec. The group also appears to be actively recruiting new affiliates. REvil was one of the most high-profile ransomware gangs over the past three years, perpetrating several major attacks, perhaps most notably against the IT provider Kaseya in June 2021, which spread REvil ransomware to many of Kaseya’s clients.