
Latest news with #GoogleThreatIntelligenceGroup

North Korean tech workers infiltrating companies around world, US says

Straits Times

03-07-2025

  • Business
  • Straits Times


WASHINGTON - The North Korean government, struggling under the weight of international sanctions, has for years seeded companies in the United States and elsewhere with remote tech workers camouflaged by false and stolen identities to generate desperately needed revenue, federal prosecutors say.

Taking advantage of the global demand for skilled tech employees and the rise in remote employment, the North Korean regime has found a way to work around UN and US sanctions imposed on it for its nuclear weapons program, the prosecutors said in two indictments unsealed in federal district courts in Massachusetts and Georgia. It has also used the access to steal both money and information, they said.

'Thousands of North Korean cyber-operatives have been trained and deployed by the regime to blend into the global digital workforce,' Ms Leah Foley, the chief federal prosecutor in Massachusetts, said in announcing the charges on June 30. She called the threat 'both real and immediate'.

On June 30, federal law enforcement authorities took a series of actions across 16 states aimed at shutting down the scheme. Investigators seized dozens of financial accounts and fraudulent websites and searched 'laptop farms' that allowed North Korean operatives to gain access to the computers that companies provide their off-site employees, prosecutors said.

In recent years, North Korean attempts to evade sanctions using false identities have increasingly been raising alarm. There is evidence that the operation has expanded geographically, targeting Europe in particular, according to a report from the Google Threat Intelligence Group in April.

In 2024, the Justice Department and the FBI launched an initiative to identify people in the US believed to be helping North Koreans advance the plots, some of them without their knowledge.

In one of the cases brought by federal prosecutors this week, American, Chinese and Taiwanese citizens were accused of involvement in a plot that compromised about 80 American identities. The falsified identities were used to help North Koreans get remote tech jobs with over 100 companies across dozens of states in a range of industries between 2021 and 2024. Prosecutors say the scheme generated about US$5 million (S$6.36 million) for North Korea, and cost American business some US$3 million in damage and expenses. It also exposed sensitive information, including some related to military technology, they said.

The defendants are said to have used online background check services to cull personal information and create personas for the North Koreans so that they appeared authorized to work in the United States. They conducted records checks of hundreds of individuals, including dozens whose identities were stolen, prosecutors said.

To bolster the falsified identities, participants in the scheme created fake companies, websites and bank accounts and arranged to receive the company laptops delivered to the remote workers in the United States, prosecutors said. Then, the authorities said, they granted remote access to the laptops to North Korean operatives working abroad.

The second case unsealed this week, in the Northern District of Georgia, charges four North Koreans with theft and money laundering involving about US$900,000 in cryptocurrency. The remote workers used false identities from Malaysia to perpetrate the scheme and worked out of the United Arab Emirates, prosecutors say. The defendants sought jobs in the crypto industry, according to the indictment. One was hired as a developer at an Atlanta-based company, and another worked for a Serbian firm. Together they diverted nearly US$1 million in crypto from their employers, and their accused co-conspirators laundered the funds, according to the indictment.

The American authorities have been raising alarms about the problem since at least 2022, when the FBI, along with the State and Treasury departments, issued an advisory warning to the international community about infiltration. Operatives working mostly in North Korea, China and Russia were relying on an expansive network abroad to get jobs, targeting Europe and East Asia, the advisory said.

After the American warning, North Korean workers increasingly began seeking contracts elsewhere, according to an April report from a lead adviser to the Google Threat Intelligence Group in Europe, Mr James Collier. One North Korean worker ran at least 12 personas across Europe and the United States in late 2024, seeking jobs at defense companies and in governments, using fabricated references, the report says. There is also evidence of operatives and assistants working in Portugal, Germany and Britain.
'In response to heightened awareness of the threat within the United States, they've established a global ecosystem of fraudulent personas to enhance operational agility,' Mr Collier said. That evolution, he said, suggests they will continue being able to run the financing schemes. NYTIMES

US critical networks are prime targets for cyberattacks. They're preparing for Iran to strike.

Politico

18-06-2025

  • Business
  • Politico


The organizations representing critical networks that keep the lights on, the water running and transportation systems humming across the U.S. are bracing for a possible surge of Iranian cyberattacks. Virtually every critical infrastructure sector is on high alert amid a deepening conflict between Iran and Israel, though no major new cyber threat activity has been publicly reported so far.

As these groups proactively step up their defenses, it's unclear whether Washington is coordinating with them on security efforts — a change from prior moments of geopolitical unrest, when federal agencies have played a key role in sounding the alarm.

'Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions,' said John Hultquist, chief analyst for Google Threat Intelligence Group. As the conflict evolves — and particularly if the U.S. decides to strike Iran directly — 'targets in the United States could be reprioritized for action by Iran's cyber threat capability,' he said.

During previous periods of heightened geopolitical tension, U.S. agencies, including the Cybersecurity and Infrastructure Security Agency, stepped up to warn the operators of vital U.S. networks about emerging threats. Ahead of Russia's full-scale invasion of Ukraine in 2022, CISA launched its 'Shields Up' program to raise awareness about potential risks to U.S. companies emanating from the impending war.

Anne Neuberger, who served as deputy national security adviser for cyber and emerging tech at the White House under President Joe Biden, coordinated with CISA and other agencies, including the Office of the Director of National Intelligence, to support critical infrastructure sectors before Russia attacked Ukraine. She stressed that the government is crucial in helping these companies step up their defenses during a crisis.

'The government can play a very important role in helping companies defend themselves, from sharing declassified intelligence regarding threats to bringing companies together to coordinate defenses,' Neuberger said. 'Threat intel firms should lean forward in publicly sharing any intelligence they have. ODNI and CISA should do the same.'

Spokespersons for CISA, the White House and the National Security Council did not respond to requests for comment on increasing concerns that cyber adversaries could target U.S. critical networks.

Beyond federal resources, thousands of the nation's critical infrastructure operators turn to information sharing and analysis centers and organizations, or ISACs, for threat intelligence. The Food and Ag-ISAC — whose members include the Hershey Company, Tyson and Conagra — and the Information Technology ISAC — whose members include Intel, IBM and AT&T — put out a joint alert late last week strongly urging U.S. companies to step up their security efforts to prepare for likely Iranian cyberattacks. In a joint statement from the groups provided to POLITICO on Monday, the organizations cautioned that even if no U.S.-based companies were directly targeted, global interconnectivity meant that 'cyberattacks aimed at Israel could inadvertently affect U.S. entities.'

ISACs for the electricity, aviation, financial services, and state and local government sectors are also on alert. Jeffrey Troy, president and CEO of the Aviation ISAC, said that in the past, companies in the aviation sector had been impacted by cyberattacks disrupting GPS systems, and that as a result, 'our members remain in a constant state of vigilance, sharing intelligence in real time and collaborating on prevention, detection, and mitigation strategies.'

Andy Jabbour, founder and senior adviser for the Faith-Based Information Sharing and Analysis Organization, said his organization is monitoring potential efforts by Iranian-linked hackers to infiltrate the websites of U.S. religious groups or spread disinformation. Jabbour said his organization is working with the National Council of ISACs on scanning for these threats, and noted that the council had stood up a program following the first strikes by Israel on Iran late last week to monitor for specific threats to U.S. infrastructure. The National Council of ISACs did not respond to a request for comment on whether they are preparing for evolving Iranian threats.

Concerns about attacks on U.S. critical infrastructure linked to conflicts abroad have grown in recent years. Following the Oct. 7, 2023, attack on Israel by militant group Hamas, Iranian government-linked hacking group Cyber Av3ngers hacked into multiple U.S. water facilities that were using Israeli-made control panels. The intrusions did not disrupt water supplies, but they served as a warning to utility operators about devices that could be easily hacked and potentially targeted first in a cyber conflict with Iran.

'If anti-Israeli threat actors make good on any claim of impacting critical infrastructure at this time … they're going to look for the low-hanging fruit, easily compromised devices,' said Jennifer Lyn Walker, director of infrastructure cyber defense at the Water ISAC. Walker said that while her team has not yet detected any enhanced threats to member groups since last week, the Water ISAC would be sending out an alert this week, encouraging organizations to stay vigilant.

'We don't want to cause any undue panic, but for those members that aren't already watching and aren't already vigilant, we definitely want to amplify the message that the potential exists,' Lyn Walker said.

Some of these groups noted that the lack of federal support so far in preparing for Iranian cyberattacks may be due to widespread changes across agencies since President Donald Trump took office. CISA, the nation's main cyber defense agency, is expected to lose around 1,000 employees, and many of its programs have been cut or put on pause, including funding for the organization that supports the ISACs for state and local governments. CISA has also been without Senate-confirmed leadership since former Director Jen Easterly departed in January.

'CISA is in a state of transition,' Jabbour said, noting that while 'CISA is still accessible,' there had been no outreach to strengthen defenses against Iranian hackers since tensions erupted last week.

It isn't a complete blackout. Lyn Walker said that the Water ISAC has 'received reporting from DHS partners who are striving to maintain continuity of operations and valuable information sharing during this challenging time.'

There could also be another reason for the less visible federal response: 'Shields Up' advisories are still available from 2022, when CISA worked with organizations to prepare for an onslaught of Russian cyberattacks tied to the war in Ukraine. Kiersten Todt, who served as chief of staff at CISA when the program was stood up, said that its legacy has heightened awareness of potential cyber pitfalls across the nation's critical operations.

'Because the [cyber] threat is so serious, all of those things ended up sustaining,' Todt, current president of creative company Wondros, said. 'That 'Shields Up' mentality has now become part of the culture of critical infrastructure.'

The enhanced level of vigilance reflects concerns that the threats from Iran could change quickly. Jabbour noted that a lot is in the hands of Trump as he weighs how heavily to assist Israel. 'The next 24-48 hours will be interesting in that sense, and his decisions and his actions could certainly influence what we see here in the United States,' Jabbour said.

Hackers abuse modified Salesforce app to steal data, extort companies, Google says

Time of India

05-06-2025

  • Business
  • Time of India


By AJ Vicens

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

The hackers - tracked by the Google Threat Intelligence Group as UNC6040 - have "proven particularly effective at tricking employees" into installing a modified version of Salesforce's Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said. The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader.

If the employee installs the app, the hackers gain "significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments," the researchers said. The access also frequently gives the hackers the ability to move throughout a customer's network, enabling attacks on other cloud services and internal corporate networks.

Technical infrastructure tied to the campaign shares characteristics with suspected ties to the broader and loosely organized ecosystem known as "The Com," known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said.

A Google spokesperson did not share additional details about how many companies have been targeted as part of the campaign, which has been observed over the past several months.

A Salesforce spokesperson told Reuters in an email that "there's no indication the issue described stems from any vulnerability inherent in our platform." The spokesperson said the voice calls used to trick employees "are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."

The spokesperson declined to share the specific number of affected customers, but said that Salesforce was "aware of only a small subset of affected customers," and said it was "not a widespread issue." Salesforce warned customers of voice phishing, or "vishing," attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.

Navigating The UNC3944 Threat: Strategic Imperatives For Business Resilience

Scoop

08-05-2025

  • Business
  • Scoop


The threat posed by UNC3944 and similar financially motivated actors demands a proactive, strategic, and business-centric approach to cybersecurity.

Mandiant Incident Response Analysis

The cyber threat landscape continues to evolve, demanding a proactive and strategic approach from businesses across all sectors. Among the persistent and adaptable threat actors is UNC3944, a financially motivated group with a history of targeting telecommunications for SIM swap fraud that has since expanded its operations to encompass ransomware and data theft extortion across a broader range of industries. Notably, recent targeting of financial services in late 2023 and food services in May 2024 signals a potential shift in focus, possibly driven by a desire for higher-profile victims.

While observations from Google Threat Intelligence Group (GTIG) suggest a possible temporary lull in UNC3944 activity following recent law enforcement interventions in 2024, businesses must not become complacent. Disruptions to threat actor operations are often temporary, and existing infrastructure and toolsets can be leveraged by other malicious actors within the cybercriminal ecosystem.

Recent public reports linking tactics consistent with the Scattered Spider group to ransomware attacks on UK retail organizations, involving the DragonForce ransomware which reportedly gained control of the RansomHub RaaS affiliate program (a program UNC3944 was previously affiliated with), underscore the interconnectedness of the threat landscape. While direct attribution remains unconfirmed by GTIG, the historical links and tactical overlaps warrant serious consideration for businesses, particularly within the retail sector.

The increasing targeting of retail organizations for data theft and extortion is further evidenced by the rising percentage of retail victims listed on data leak sites (DLS). This figure has climbed steadily, reaching 11 percent in 2025, up from 8.5 percent in 2024 and 6 percent in the preceding two years. This trend highlights the growing financial incentive for cybercriminals to target the retail industry.

For business leaders, understanding the evolving threat posed by UNC3944 and similar actors is paramount. A reactive, compliance-driven approach to cybersecurity is no longer sufficient. Organizations must adopt a strategic, risk-based framework that prioritizes proactive defense and business continuity. The following strategic imperatives are crucial for building resilience against these threats:

1. Implement a Zero-Trust Security Model: Embrace a security philosophy that assumes no user or device is inherently trustworthy. Implement strict access controls, micro-segmentation, and continuous verification across the network to limit the impact of potential breaches.

2. Invest in Advanced Threat Detection and Response Capabilities: Deploy and actively manage sophisticated EDR and Network Detection and Response (NDR) solutions. These technologies provide real-time visibility into endpoint and network activity, enabling early detection of malicious behavior and facilitating rapid incident response.

3. Prioritize Data Protection and Governance: Implement robust data loss prevention (DLP) strategies and enforce strict data governance policies. Understand where sensitive data resides, implement appropriate access controls, and establish procedures to prevent unauthorized access and exfiltration.

4. Cultivate a Security-Aware Culture: Invest in comprehensive and ongoing security awareness training for all employees. Educate them on the risks of phishing, social engineering, and other common attack vectors. Empower employees to be the first line of defense by fostering a culture of vigilance and responsible security practices.

5. Develop and Test a Comprehensive Incident Response Plan: A well-defined and regularly tested incident response plan is critical for minimizing the impact of a successful cyberattack. This plan should outline clear roles and responsibilities, communication protocols, and procedures for containment, eradication, and recovery. Specific attention should be paid to scenarios involving ransomware and data extortion.

6. Conduct Regular Risk Assessments and Penetration Testing: Proactively identify vulnerabilities and weaknesses in the security infrastructure through regular risk assessments and penetration testing. These exercises provide valuable insights into potential attack vectors and inform necessary security enhancements.

7. Foster Collaboration and Information Sharing: Engage with industry peers, threat intelligence providers, and government agencies to stay informed about emerging threats and best practices. Sharing threat intelligence can enhance collective defense and improve overall cybersecurity posture.

8. Ensure Business Continuity and Disaster Recovery Planning: Develop and regularly update comprehensive business continuity and disaster recovery plans. These plans should outline procedures for maintaining critical business functions in the event of a cyber incident, including data recovery and system restoration.

9. Evaluate and Manage Third-Party Risks: Understand the security posture of third-party vendors and service providers. Implement contractual requirements and conduct due diligence to ensure that external partners adhere to appropriate security standards.

10. Align Cybersecurity Strategy with Business Objectives: Cybersecurity should not be viewed as a purely technical function but rather as a strategic imperative that is aligned with overall business goals. Security investments should be prioritized based on potential business impact and risk mitigation.

In conclusion, the threat posed by UNC3944 and similar financially motivated actors demands a proactive, strategic, and business-centric approach to cybersecurity. By prioritizing these strategic imperatives, organizations can build greater resilience, protect critical assets, and minimize the potential financial and reputational damage associated with sophisticated cyberattacks. Leadership must champion a culture of security and ensure that cybersecurity investments are viewed as essential for long-term business sustainability.

Google identifies new malware linked to Russia-based hacking group

Indian Express

08-05-2025

  • Indian Express


The malware 'marks a new development in the toolset' of Cold River, Wesley Shields, a researcher with Google Threat Intelligence Group, said in a blog. Cold River, a name used to track hacking campaigns previously linked to Russia's Federal Security Service, is primarily known for stealing login credentials for high-profile targets, including those within NATO governments, non-governmental organizations and former intelligence and diplomatic officers, Shields said in the blog. The central goal was intelligence collection in support of Russian strategic interests.
