On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed it had hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits over the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom, and it has already published batches of the leaked documents after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”
PyLocky is a new ransomware strain that was detected in the wild in late July 2018, and whose volume of infections increased throughout the month of August. The malware is usually distributed through malspam emails linking to a fake payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry data shows that PyLocky mainly targeted French and German cyberspace, but ransom notes also exist in Italian and Korean.
On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention. However, the paste was viewed by over 2,500 users. Therefore, our assessment is that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future. Continue reading “PyLocky Ransomware Source Code Leaked Online”
On October 12, 2016, Anonymous Italia launched a cyber offensive against the Polizia Penitenziaria (the Italian penitentiary police) to protest against the “unjust” acquittal of all those involved in the trial concerning Stefano Cucchi, a young Italian citizen who died in 2009 under still unclear circumstances a week after being remanded in custody by the Italian police for alleged drug dealing. Continue reading “Anonymous Italia Robs the Police (Again)”
The #OpSafePharma is a hacktivist campaign targeting the Italian healthcare and pharma industries, protesting their treatment of ADHD. Hacktivists affiliated with Anonymous Italia perform DDoS attacks and leak information stolen from databases of websites related to the abovementioned sectors. The campaign, which started in March 2016, was relaunched at the beginning of June following a decrease in the number of attacks against Italian targets in the past month.
On August 21, 2016, Anonymous Italia and its affiliated hacktivist collective AntiSec-Italia relaunched the campaign, this time dubbed #OperationSafePharma, targeting four different healthcare-related Italian institutions with website defacement attacks and substantial data leakages. The outcomes of the operation, namely the screenshots of the defaced websites and the addresses of the downloadable data leakages uploaded to dedicated file-sharing platforms, were announced on the social media outlets of AntiSec-Italia, specifically on their Facebook page and Twitter account.
The Data Leakage
The hacktivists leaked approximately 2.5 GB of data, stolen from the databases of two prominent Italian healthcare institutions, and provided links to file-sharing platforms where they uploaded the dumps.
We acquired the leaked databases and, upon verification, we assess that they mostly contain internal communications, as well as a great volume of personal data relating to the in-house personnel of the two healthcare institutions, mainly CVs of the physicians and administrative executives working in the facilities. We did not find any indications that medical records of patients treated in these healthcare facilities were disclosed or compromised during the data leakage. Notably, the most recent documents we detected within the stolen files are dated August 5, 2016.
The group defaced four distinct websites, explaining in a public statement – recycled from previous operations – the rationale underpinning the protest.
Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time window of opportunity that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals than from a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole. We base this assumption on the analysis conducted using our automated SMA (Social Media Analytics) toolset, which indicated a spike in the activity of the attackers.
Nonetheless, the achievements of the operation, in particular the exfiltration of sensitive databases belonging to prominent Italian healthcare institutions, display noteworthy technical capabilities by the initiators of the offensive.
As yet, we have not identified any preparations for future hacktivist campaigns against the Italian healthcare or financial sector; nonetheless, we continue to monitor Italian hacktivist threat actors on a daily basis.