Snowflake Hacker Still Active, Finding New Victims, Expert Says

Internet investigators are tracking down alleged scammers in connection with a series of hacks.

Article Content

(Bloomberg) — A hacker behind a cybercrime campaign that affected as many as 165 companies this summer is still at large and has recently breached a “swarm” of new organizations, a cybersecurity expert at Alphabet Inc.’s Google said.

The attacker, who previously stole data from customers of cloud analytics company Snowflake Inc., has since targeted U.S. companies and breached critical infrastructure organizations in Russia and Bangladesh, said Austin Larsen, a senior threat analyst at Google who has been investigating the campaign for months.


Victims in the United States work in the health care, technology and telecommunications sectors, Larsen said.

That these hackers have stayed ahead of law enforcement for months, despite bragging about the attacks to journalists and security researchers, illustrates the challenge cross-border cybercrime poses to investigators, helped along by anonymous communications services and a thriving criminal market for stolen data.

Larsen said an analysis of the hacker's online interactions suggested the attacker was likely a Canada-based man in his 20s with Nazi sympathies. Larsen declined to identify the hacker by name or say whether the identity had been passed to law enforcement.

Larsen said the hacker recently posted screenshots of stolen records from critical infrastructure companies in Russia and Bangladesh on Telegram, including sensitive customer data. Some of the hacks are ongoing, he added.

The attacker got into victim organizations by logging into web-based portals and services with stolen passwords bought on dark web markets. Larsen said the hacker, who may be working with others, holds a "massive amount of stolen credentials," at least hundreds of thousands, from many organizations around the world. Once inside, they could steal data and extort victims, Larsen warned.
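The access pattern described above, a large purchased credential list replayed against ordinary web login portals, leaves two signals in authentication logs that a defender can look for: one source address succeeding against many distinct accounts in a short span, and successful logins that presented only a password. The following is an added example, not code from the article or from Google, and it runs over a constructed sample log rather than real data; the article does not say whether the victims' accounts had a second factor, so the password-only check reflects a general assumption about what a stolen-credential login looks like, not a finding reported here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Login:
    ts: int         # Unix time of the attempt
    user: str
    src_ip: str
    success: bool
    mfa: bool       # True if a second factor was presented


# Constructed sample log, not real data. 203.0.113.7 walks through six
# accounts with password-only logins; the other entries are normal users
# logging in with MFA from their usual addresses.
SAMPLE_LOGINS: List[Login] = [
    Login(1000, "alice", "198.51.100.10", True, True),
    Login(1010, "bob",   "198.51.100.11", True, True),
    Login(1020, "carol", "198.51.100.12", True, True),
    Login(1100, "alice", "203.0.113.7", True, False),
    Login(1105, "bob",   "203.0.113.7", False, False),
    Login(1106, "bob",   "203.0.113.7", True, False),
    Login(1110, "carol", "203.0.113.7", True, False),
    Login(1115, "dave",  "203.0.113.7", True, False),
    Login(1120, "erin",  "203.0.113.7", True, False),
    Login(1125, "frank", "203.0.113.7", True, False),
    Login(1200, "dave",  "198.51.100.13", True, True),
]


def accounts_per_source(logins: Iterable[Login]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of accounts it successfully logged into."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for entry in logins:
        if entry.success:
            seen[entry.src_ip].add(entry.user)
    return dict(seen)


def stuffing_sources(logins: Iterable[Login], min_accounts: int = 5) -> List[str]:
    """Source IPs that succeeded against at least min_accounts distinct users.

    One address cycling through many accounts is the signature of a stolen
    credential list being replayed, not a person logging into their own account.
    """
    return sorted(ip for ip, users in accounts_per_source(logins).items()
                  if len(users) >= min_accounts)


def password_only_logins(logins: Iterable[Login]) -> List[Tuple[str, str]]:
    """(user, ip) pairs for successful logins that presented no second factor.

    A leaked password alone is enough for these accounts, so they are the
    ones a purchased credential list can actually open.
    """
    return [(entry.user, entry.src_ip)
            for entry in logins if entry.success and not entry.mfa]


def triage(logins: List[Login], min_accounts: int = 5) -> Dict[str, List[str]]:
    """Combine both signals into ip -> list of reasons, for an analyst queue."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    per_source = accounts_per_source(logins)
    for ip in stuffing_sources(logins, min_accounts):
        reasons[ip].append(f"logged into {len(per_source[ip])} accounts")
    pw_only: Dict[str, Set[str]] = defaultdict(set)
    for user, ip in password_only_logins(logins):
        pw_only[ip].add(user)
    for ip, users in pw_only.items():
        reasons[ip].append(f"password-only success for {', '.join(sorted(users))}")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in triage(SAMPLE_LOGINS).items():
        print(ip, "->", "; ".join(why))
```

The threshold of five accounts per source is an assumed starting point; on a real portal it should be tuned against shared egress addresses such as corporate proxies, which legitimately carry many users, and the time window should be bounded so that a year of logs from one NAT address does not trip it.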


“The actor continues to cause harm, put additional businesses at risk, and, in some cases, extort,” Larsen said.

In June and July, companies including AT&T Inc., Live Nation Entertainment Inc. and Advance Auto Parts Inc. revealed they were affected as part of a campaign in which a hacker stole the personal data of millions of people. The cybercrime campaign unfolded after a hacker used stolen credentials to get into Snowflake customer environments that were not properly secured.

The hacker is no longer targeting Snowflake-related data but is exploiting tools from another software provider, which Larsen declined to name.

Larsen presented his findings Friday at the LABScon cyber conference in Arizona.

In June, someone claiming to be the same hacker — and using a pseudonym verified by Larsen — told Bloomberg News in an online chat that he expected to receive $20 million for the entire trove of Snowflake customer data. There’s no evidence that anyone bought the trove. At one point, the hacker made the mistake of posting a video exposing some of the technical infrastructure that Mandiant, a Google Cloud unit, used to help identify them, Larsen said.
