A Hacker's Retirement Party

Plus: Celebrities getting duped into Russian propaganda

Good morning. I had a fun LinkedIn post on Friday sharing my go-to music. It was interesting to see what others listen to for focus music or just working out. There was one clear winner though…Hans Zimmer. The man is a legend with movie scores.

Now, onto cyber…today we’re covering:

  • Russia enlisting unwitting celebrities into disinformation campaigns

  • Celebrating a hacker’s early retirement

  • How much crypto has North Korea stolen?

-Jason

Spotlight
The Russian Propaganda Machine

Microsoft’s Threat Analysis Center released a bi-annual report on Russian digital threats. The report sheds light on how Russia continues to mix kinetic, cyber, and propaganda in its war effort against Ukraine.

One area that stood out to me was the use of spoofed news clips that push pro-Kremlin narratives, oftentimes trying to paint Ukrainian President Volodymyr Zelensky as a corrupt drug addict.

One interesting tactic included tricking American actors into participating in this disinformation. Cameo is a popular website where celebrities can send personalized video messages to users who pay a fee. Russian actors tricked celebrities into sending video messages pleading for “Vladimir” (which can sound like Volodymyr) to seek help for substance abuse.

The threat actor modified the videos to include emojis, links, and even logos of news outlets. These were then circulated through social media to bolster Russian claims that Zelensky is a drug addict…which he is not.

Russia continues disinformation campaigns against Ukraine as part of its standard playbook. It’s something the US is familiar with from the last election cycle. And something we need to be on the lookout for as we head into 2024…

Deep Dive
A Hacker’s Retirement Party?

Killmilk, the leader of the Killnet hacktivist group, announced his “retirement” this week. With the flair that only a self-proclaimed hero could muster, he claimed his retirement was due to Russia’s war on Ukraine, saying it had “taken a toll on my nerves and strength. I did everything I could.”

As you undoubtedly have figured out, there’s more to the story than this.

Killnet is a Russian-aligned hacktivist group that gained notoriety shortly after Russia invaded Ukraine in early 2022. They have been unsophisticated in their attack techniques, relying largely on DDoS attacks, data leaks, and misinformation.

While there are no explicit ties to Russia’s government, Killnet has come out in direct support of Russia and their targets have closely aligned with Russia’s geopolitical priorities.

Killmilk’s retirement is unsurprising in one respect. Just weeks ago, Russian media outed Killmilk’s alleged true identity as a 30-year-old married man who owns two cars (a BMW 520i and a Porsche Panamera, if you’re curious).

The media report goes into great detail on how the self-anointed cyber star began rubbing other cyber criminals the wrong way. Those cyber criminals turned on him and began unearthing all of the problems he had caused and delivered that straight to the media.

Most interesting to me was the potential DDoS attack against the Russian security company Zecurion. This turn against a Russia-based organization may have been the final straw for protection against Killmilk.

While Killmilk attempted to identify the source of the leak, he gave up and opted instead to just call for an early retirement, which he posted on Telegram. Here’s the translated post:

From now on I am not a Killnet! I’m retiring, it’s time to babysit my grandchildren and gain health. The SVO consumed my nerves and strength. I did everything I could.

I recreated hacktivism all over the world, I showed everyone that it is simple and what it is by my example, I pleased hundreds of hack groups in the Russian Federation 😁 (my method and truth - work guys)!

Killnet is moving to a new stage of development, under the auspices of a new team!

I'm tired in short. I am turning over a new clean sheet in my life. Take care of yourself guys 🙏

I leave you with a smile and a calm soul!

See you kittens ❤️
WE ARE KILLNET

Fear not, though, for a succession plan is in place. The new leader is known as Deanon Club. The new leader didn’t waste any time in setting a new direction. A few interesting notes from the announcement:

  • A shift away from political targets

  • Doubling down on foreign companies or projects that “harm our world” (which I’m sure will be up for debate).

  • The new leader does not like gambling

Here’s the full translated Telegram post:

🆘 New KILLNET:

Hello everyone! The new owner of KILLNET - Deanon Club - is in touch! You are subscribed to this channel, and you have the right to know what will happen in it in the future (near) future...


- First of all, we are moving away from the political format. Now we are not working for a good idea, we will show the world what we are capable of!

- Secondly, the main emphasis will be on foreign companies, as well as projects that in one way or another harm our world! Also, the gambling world will come under our gaze, which I rightfully consider more dangerous than drugs!

- Thirdly, many people know that I am associated with Darknet, but I will try to broadcast my prohibited movements in this channel as little as possible!

- Fourthly, a new gathering of the KILLNET team will take place soon. The new team will allow us to reveal all the existing abilities of our guys!

This will be something to keep an eye out for…

News
What Else is Happening?

🧬 23andMe reported that the previously reported credential stuffing attack that impacted 14K users also impacted the data of 6.9M additional victims. This is due to users opting into the DNA Relatives feature, which shares your information with other users. The company also slyly updated its terms of service to curb future lawsuits.

🌵 Threat actors are leaning into malvertising for initial access into organizations. Microsoft saw a surge in malicious ads serving up the Danabot trojan, which ransomware actors use to deploy CACTUS ransomware.

💰 Recorded Future reported that North Korea has stolen over an estimated $3 billion (yes billion) worth of cryptocurrency since 2017. They estimate that in 2022 alone, North Korean hackers stole $1.7 billion. That’s 5% of the country’s economy or 45% of their military budget.

🐈‍⬛ Rumors are flying that law enforcement has taken down BlackCat/ALPHV’s leak site. If accurate, it could disrupt one of the more prominent ransomware-as-a-service (RaaS) groups, sending affiliates to find another provider. We’ll see how this progresses over the coming weeks.

Before You Leave
Tabletop Exercises

Have you used your professional training budget this year? If not, check out Lester Chng’s book on cybersecurity exercise playbooks (also known as tabletop exercises).

Tabletop exercises are a great way to identify problems across your entire security program before an incident happens. Lester has great insights into improving the effectiveness of these exercises so you can maximize the time and impact.

Check it out with the link below.
