
Hacktivist Group Claims Hack against a US Nuclear Laboratory

Plus a new supply chain attack and bypassing fingerprint authentication

Greetings fellow cyber nerds,

I hope everyone celebrating Thanksgiving enjoyed the delicious food and time with your family. Of course, cyber does not rest, so we continue our pursuit of knowledge.

In this week’s newsletter, we’re covering:

  • North Korea behind yet another supply chain attack

  • Hacktivist group goes after a US Nuclear Laboratory

  • Security researchers bypass Microsoft Hello fingerprint authentication

I’m trying out a few new formats this week. Reply to this email to let me know what you like or don’t like!

-Jason

North Korea Behind Another Supply Chain Attack


A supply chain attack occurs when attackers compromise one company and use that foothold to reach its customers’ systems. While harder to pull off, compromising a single company can potentially give access to tens, hundreds, or thousands of other victims.

Background: Microsoft’s Threat Intelligence team detected a supply chain attack that impacted CyberLink Corp., an organization that develops multi-media software. The earliest evidence of activity dates back to October 20, 2023.

The Attackers: Microsoft refers to the North Korean hacking group as Diamond Sleet. According to Microsoft, the group targets media, defense, and IT industries. Their primary objectives include espionage, data theft, financial gain, and corporate network destruction…so basically everything.

The Attack: North Korean attackers modified the source code for the Promeo video and graphics editor. Microsoft identified the presence of the modified installer on at least 100 devices in Japan, Taiwan, Canada, and the United States.

The Malware: It first checks that it is running within a specified time window and that security software from FireEye, CrowdStrike, and Tanium is not running on the system. The malware then connects to one of three hard-coded URLs to download a second-stage payload masquerading as a PNG image file. That malicious code then reaches out to additional domains for instructions, which allows the attackers to do almost anything with the compromised host.
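Because the second stage arrives under a .png name, a defender-side check can flag a file whose bytes are not actually a PNG. This is an added example, not code from the newsletter or from Microsoft’s report; the sample blobs are constructed, and the only real values are the PNG, PE, and ELF magic bytes.

```python
import struct

# Real file signatures used to decide what a download actually is,
# regardless of the extension it was saved with.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def _has_valid_ihdr(data: bytes) -> bool:
    """A genuine PNG's first chunk is IHDR with a 13-byte body."""
    if len(data) < 8 + 8 + 13:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return ctype == b"IHDR" and length == 13


def classify_payload(data: bytes) -> str:
    """Return what the bytes look like, ignoring the claimed extension."""
    if data.startswith(PNG_MAGIC):
        return "png" if _has_valid_ihdr(data) else "png-malformed"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file named *.png does not carry PNG content."""
    return filename.lower().endswith(".png") and classify_payload(data) != "png"


# Constructed samples: a minimal valid PNG header, and a "PNG" that is
# really the start of a DOS/PE header (header bytes only, no code).
REAL_PNG = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
FAKE_PNG = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("logo.png", REAL_PNG), ("update.png", FAKE_PNG)):
        verdict = "MASQUERADE" if is_masquerading(name, blob) else "ok"
        print(f"{name}: {classify_payload(blob)} -> {verdict}")
```

Running the same check on proxy or EDR download logs (extension versus observed magic bytes) is a cheap way to surface this class of second-stage delivery.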

Why This Matters: While the total number of impacted systems is low, the North Korean attackers now have a foothold on 100 systems, some of which may sit inside organizations they want to target. From those systems, the attackers can expand their reach until they find targets worth pursuing.

Additional reading
Microsoft blog post

The Resurgence of Hacktivist Groups


Background

Twelve years ago, a hacking group known as LulzSec came into existence. They claimed to be a hacktivist group who hacked for the “lulz.” They operated for over a year until law enforcement tracked them down and convinced one of their leaders to track down the other members.

While their time was brief, their impact was wide. This is true not only of the number of organizations they hacked and leaked data from but also of the ridiculous and often childish antics they would use as part of their attacks. The memes were strong with them.

Fast-forward to 2023, and similar groups are emerging. Some claim to align with geopolitical or religious philosophies, while others appear opportunistic, driven by whichever victims they can access.

No matter the motivation, these groups have one thing in common…

They like to brag about their hacking activity.

Enter SiegedSec

SiegedSec, a relatively new hacktivist group, entered the spotlight this week after hacking the Idaho National Laboratory (INL). The INL is a nuclear research center run by the US Department of Energy, so any attack against it is bound to attract attention.

From the group’s X account

Before we discuss this, let’s see what this group has been up to before this…

Their Victim List

The group’s original Telegram channel no longer exists. According to the group, NATO asked Telegram to take it down after the group’s attack against NATO.

But fear not; this hacking group does not go down quietly. They created a new channel and ported over some of their favorite posts. This included the following victims:

  • Data Theft

    • US state government

    • NATO

    • Faroe Islands (North of the UK and between Iceland and Norway)

    • Atlassian

    • Unisoc (Chinese computer chip company)

    • Bezeq (Israeli telecom)

    • Cellcom (Israeli telecom)

  • Industrial Control Systems

    • Across the US

    • Israel infrastructure

    • Shufersal (Israeli supermarket chain)

So, how bad was the attack against INL?

INL Hack Details

The hacking group claims to have stolen data on thousands of INL employees. The stolen data included:

  • Full names

  • Dates of birth

  • Email addresses

  • Phone numbers

  • Social Security Numbers (SSN)

  • Physical addresses

  • Employment information

INL reported publicly that the hackers gained access to systems for their Oracle Human Capital Management (HCM) tool, a human resources system used to manage employee records.

At this time, it does not appear that other systems were compromised. This would mean that the hackers did not, thankfully, access systems containing information on nuclear research. Assuming it stays that way, that’s a good thing.

Now, at this point, you would expect these hackers to demand money in exchange for not releasing the stolen data…

But no…this group took a hard right turn on their demands…


Instead, they demanded that INL research “irl catgirls” in exchange for taking down the post…an obvious troll.

So yes, this is who we are defending against today…

Enter the Ridiculousness

You might wonder why a hacking group would demand the research of real “catgirls.” Well, SiegedSec claims to be “a collection of cats with access to the Internet.”

From SiegedSec X Post

As they post about victims, they include random things like how they ate Mac ‘n Cheese while hacking telecoms…

From SiegedSec’s Telegram Channel

So there we have it…this is who we’re defending our networks against today.

What Else Happened This Week?

  • An executive at a cyber security company pleaded guilty to hacking two hospitals in June 2021. Why did he do it? To drum up business 🤦 

  • According to PCrisk, a new Phobos ransomware variant frames the famous security researcher vx-underground.

  • Citrix provided updated guidance for responding to the Citrix Bleed zero-day impacting their NetScaler appliances. tl;dr - kill all active and persistent sessions after upgrading to the latest patch. Otherwise, attackers may still have access to the device.

  • Security researchers found flaws in Windows Hello fingerprint authentication, allowing them to bypass user logins. While it works, it’s a reasonably involved man-in-the-middle attack that needs physical access to the device.

See you next week…

Send me feedback, questions, or topics for future newsletters! Just reply to this email directly.
