We're counting down now. It won't be long before Father Christmas is on his way, so it's time for the second part of our Advent blog. Do you still remember part one? That's where I talked about Christmas presents - not for you, but for the cybercriminals who will be getting lots of them in December. Specifically, I talked about the hidden risks of blockchain technology, crypto money laundering, its connection with ransomware and, of course, why the comparison with Christmas presents works as a metaphor. Part two continues with insights from the world of cybercriminals, starting with "Father Frost"...
You probably no longer believe in Father Christmas either, but as a child you probably believed in the chubby man dressed in red with a snow-white beard, or, in Switzerland, in the Christ Child, right? In other countries, such as Russia, the equivalent figure is "Father Frost." He is accompanied by his daughter Snegurotschka (translated as the Snow Maiden or Snowflake) and gives presents to children on New Year's Eve.
The belief in Father Christmas or Father Frost has a parallel in the attribution of attacker groupings, i.e. ascribing particular attack methods to particular groups. Specifically, this means going beyond assigning activity to a grouping and trying to trace that grouping back to its origins. It is not uncommon to hear rumours that the Chinese or the Russians have a hand in it, occasionally also the North Koreans, and even good old Uncle Sam (USA).
When we carry out our investigations, we are always tempted to attribute the attack geographically too. It is easier to explain to the victims of an attack that they have been hacked by a country than to point to a particular grouping. Time and again, we find interesting indicators that allow us to assign an attack this way. In incident response cases, for example, we have dealt with groups that closed their offices on Russian national holidays; or, when attackers try to log into a system using Cyrillic user names such as "Матиас", the assumption is that the attacker is familiar with the Cyrillic script, so if you think it's Russian Father Frost in a case like this, you're probably not far off the mark. Even the tone of the negotiations over the ransom allows us to draw conclusions about the attackers' cultural background, as does the time of day at which the attackers were active in the victim's systems and answered most quickly in the "negotiation chats" – they exist, no kidding!
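Two of the indicators mentioned above, non-Latin user names in login attempts and the hours at which attackers are active, can be pulled out of authentication logs mechanically. The following Python script is an added example and is not code from the original post or from the author's team: it parses a handful of constructed sshd-style log lines, flags user names written in a script other than Latin, and lists the whole-hour UTC offsets under which the failed attempts would all fall inside a nominal 09:00-18:00 working day. The log format, the IP addresses and the user names are all constructed for the example.

```python
"""Attribution hints from authentication logs: non-Latin user names and
working-hour patterns. Added example working on constructed data."""
import re
import unicodedata
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the article or from any real case).
# Format: ISO-8601 UTC timestamp, daemon, outcome, user name, source address.
SAMPLE_LOG = """\
2021-06-14T06:02:11Z sshd failed password for invalid user Матиас from 203.0.113.7
2021-06-14T06:02:19Z sshd failed password for invalid user admin from 203.0.113.7
2021-06-14T07:15:40Z sshd failed password for invalid user Сергей from 203.0.113.7
2021-06-14T12:30:05Z sshd accepted password for user backup from 198.51.100.2
2021-06-14T13:01:42Z sshd failed password for invalid user root from 203.0.113.7
2021-06-14T14:45:00Z sshd failed password for invalid user Иван from 203.0.113.7
2021-06-15T06:10:33Z sshd failed password for invalid user test from 203.0.113.7
"""

# Pattern for the constructed line format above (real sshd lines differ).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<outcome>accepted|failed) password for (?:invalid )?user "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "outcome": m.group("outcome"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def scripts_in(name):
    """Return the Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a name.

    The script is the first word of the character's Unicode name, e.g.
    'CYRILLIC CAPITAL LETTER EM' -> 'CYRILLIC'.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def non_latin_users(events):
    """Attempted user names containing letters from a script other than Latin."""
    return sorted({e["user"] for e in events if scripts_in(e["user"]) - {"LATIN"}})


def hourly_activity(events, outcome="failed"):
    """Count events with the given outcome per UTC hour of day."""
    return Counter(e["ts"].hour for e in events if e["outcome"] == outcome)


def likely_utc_offsets(hours, work_start=9, work_end=18):
    """Whole-hour UTC offsets under which the most activity falls inside a
    nominal working day. Several offsets can tie, and the result is a weak
    hint rather than proof: attackers can shift their hours deliberately."""
    if not hours:
        return []
    scores = {}
    for offset in range(-12, 15):
        scores[offset] = sum(n for h, n in hours.items()
                             if work_start <= (h + offset) % 24 < work_end)
    best = max(scores.values())
    return [o for o, s in scores.items() if s == best]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    failed = hourly_activity(evts)
    print("non-Latin user names:", non_latin_users(evts))
    print("failed logins by UTC hour:", dict(sorted(failed.items())))
    print("UTC offsets fitting a 09-18 working day:", likely_utc_offsets(failed))
```

Run it directly to print the summary for the constructed sample. In line with the article, treat the output as one input into attribution rather than a verdict: a few Cyrillic user names and a time-zone fit narrow the field, but neither identifies a group on its own.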
All these clues ultimately help to unmask the attackers, like when you were a child and you heard noises in the hallway late at night. It wasn't Father Christmas you suspected, but your parents putting the presents under the tree.
That is how it became clear relatively quickly during the Colonial Pipeline hack that the Darkside ransomware very likely originated from someone using the Cyrillic alphabet. After Joe Biden put pressure on the Russian government, Darkside disappeared from the scene a short time later. The group later re-emerged under the name "Blackmatter", but has since ceased operations again. In the end, the whole thing was a big headache for those behind it and hopefully also marked the end of Darkside/Blackmatter. But the blame for the whole story lay with the so-called affiliates. You will find out why, and what is meant by this, in a few days in the final part of the Advent story. Either way, we can assume that there will always be attackers like Darkside/Blackmatter. Unfortunately, there are still countries where attacker groups can operate without any major fear of sanctions and from where they can send ransomware, so long as it does not affect their own country. So you can see that it's not just Father Christmas who comes around every year...
Don't want to miss out on the final part? Then subscribe to our blog updates and/or follow us on LinkedIn – that way you always stay up to date, and not just during Advent.