Search This Blog

Showing posts with label Government. Show all posts

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities


Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors


The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity advisory on the recent cyber operations held by the Iranian state cyber actors against the Government of Albania in July and September. 

The advisory provides a detailed timeline pertaining to activities that were detected, from the initial software access to the execution of encryption and wiper attacks. The information also included the files that the actors used for the attacks. 
The hackers, referred to as HomeLand Justice, who are state-sponsored Iranian advanced persistent threat (ATP) actors, attempted to paralyse public services, delete and steal governmental data, and disrupted the government’s websites and services, wreaking havoc and panic on the state.  
As per the agencies, the threat actors had the access to the Albanian government servers for 14 months before executing the cyber attacks that included the execution of encryption and wiper attacks. 
A series of cyberattacks was then launched by the threat actors, on July 17th, 2022, after conducting lateral movements, network reconnaissance, and credential harvesting from the Albanian government network, leaving an anti-Mujahideen E- Khalq (MEK) messages on the desktops.  
After the network defenders detected and begin responding to the ransomware activities, HomeLand Justice employed a new family ransomware ROADSWEEP, along with a variant of wiper malware, ZEROCLEAR. 
While claiming to have carried out these cyber attacks, on July 23rd, HomeLand Justice took to social media, demonstrating a repeated pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the information they want to be leaked. It was followed by the release of information in a .zip file or video of a screen recording with the documents. 
The cyber actors launched another thread of cyberattacks in September against the Albanian government, using similar TTPs and malware as the attacks made in July. The attacks were possibly done in retaliation for public attribution of the previous attack and severed diplomatic ties between the Albanian and Iranian governments. 
Although Albania lacks an efficient cyber defense, it is a member of NATO which can be confirmed by Appathurai's statement, “You can be sure of NATO’s continued political and practical support.” Thus, apparently, NATO will be supporting Albania with the incident to deal with immediate challenges and long-term requirements.

QUAD Nations to Assist Each Other in Taking Action Against Malicious Cyber Activities


On Saturday, the leaders of India, the United States, Japan, and Australia, known as the Quad, vowed to work together to ensure the security and resilience of regional cyberinfrastructure.

Following a meeting on the sidelines of the UN General Assembly session in New York, the leaders of the four countries issued a joint statement on the subject. External Affairs Minister S Jaishankar, along with his counterparts Penny Wong of Australia, Hayashi Yoshimasa of Japan, and US Secretary of State Tony Blinken, issued a statement urging states to take reasonable steps to address ransomware operations originating from within their borders.

The Quadrilateral Security Dialogue, comprised of India, the United States, Japan, and Australia, was established in 2017 to counter China's aggressive behaviour in the Indo-Pacific region. According to the statement, the leaders believe that focused initiatives to strengthen Indo-Pacific countries' cyber capabilities will ensure the security and resilience of regional cyberinfrastructure.

"The transnational nature of ransomware can adversely affect our national security, finance sector and business enterprise, critical infrastructure, and the protection of personal data. We appreciate the progress made by the 36 countries supporting the US-led Counter Ransomware Initiative and the regular, practical-oriented consultations against cybercrime in the Indo-Pacific region," they said.

The ministers emphasised that practical cooperation in countering ransomware among Indo-Pacific partners would result in ransomware actors in the region being denied a safe haven.

Recalling the last Quad Foreign Ministers' Meeting on February 11 of this year, the ministers stated their commitment to addressing the global threat of ransomware, which has hampered Indo-Pacific economic development and security.

Cyberspies Drop New Infostealer Malware on Govt Networks in Asia


Security researchers have discovered new cyber-espionage activity targeting Asian governments, as well as state-owned aerospace and defence companies, telecom companies, and IT organisations.
The threat group behind this action is a different cluster earlier associated with the "ShadowPad" RAT (remote access trojan) (remote access trojan). In recent campaigns, the threat actor used a much broader set of tools.

As per a report by Symantec's Threat Hunter team that dives into the activity, the intelligence-gathering attacks have been underway since at least early 2021 and are still ongoing. The current campaign appears to be almost entirely focused on Asian governments or public entities, such as:
  • Head of government/Prime Minister's office
  • Government institutions linked to finance
  • Government-owned aerospace and defense companies
  • State-owned telecoms companies
  • State-owned IT organizations
  • State-owned media companies
Symantec uses an example of an April 2022 attack to demonstrate how the espionage group breaches its government targets. The attack starts with the installation of a malicious DLL that is side-loaded by launching the executable of a legitimate application in order to load a.dat file.

The legitimate application abused by the hackers, in this case, was an 11-year-old Bitdefender Crash Handler executable. The initial.dat payload contains encrypted shellcode that can be used to directly execute commands or additional payloads from memory.

The threat actors installed ProcDump three days after gaining backdoor access to steal user credentials from the Local Security Authority Server Service (LSASS). The LadonGo penetration testing framework was side-loaded via DLL hijacking on the same day and used for network reconnaissance.

The attackers returned to the compromised machine two weeks later to install Mimikatz, a popular credential stealing tool.
Furthermore, the hackers attempted to elevate their privileges by exploiting CVE-2020-1472 (Netlogon) against two computers on the same network.

To load payloads on additional computers in the network, the attackers used PsExec to execute Crash Handler and the DLL order hijacking trick. A month after the intrusion, the threat actors gained access to the active directory server and mounted a snapshot to access user credentials and log files.

Finally, Symantec observed the use of Fscan to attempt CVE-2021-26855 (Proxylogon) exploitation against Exchange Servers in the compromised network.

Ukrainian Government Websites Shut Down due to Cyberattack


Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president, as well as resources on the domain are inaccessible. 
According to the source, a large-scale cyberattack by the Russian hacker group RaHDit was the reason. A total of 755 websites of the Ukrainian authorities at the domain were taken offline as a result of the attack. 

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It was warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war." 

This information could not be confirmed. Currently, when entering government websites, it is reported that access to them cannot be obtained.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.

The United States and the West are Afraid of Possible Cyber Attacks by Russian Hackers


According to CNN, the FBI has warned American businessmen about the growth of possible cyberattacks using ransomware by Russian hackers against the background of sanctions that US President Joe Biden imposed against Russia in connection with the situation around Ukraine. 

Earlier, Jen Easterly, head of the U.S. Agency for Cybersecurity and Infrastructure Protection, said that Russia might consider taking measures that could affect critical U.S. infrastructure in response to U.S. sanctions. She urged all organizations to familiarize themselves with the steps the agency has developed to mitigate cybersecurity risks. In addition, David Ring, head of cybersecurity at the FBI, said that Russia is allegedly a favorable environment for cybercriminals, which will not become less against the background of the confrontation between Russia and the West over the situation around Ukraine. According to CNN, briefings on such topics have been held by the FBI and the Department of Homeland Security for the past two months. 

It is important to note that Polish Prime Minister Mateusz Morawiecki decided to introduce a special high-level security regime for telecommunications and information technology in the country. 

On February 21, he signed a decree introducing the third level of the Charlie– CRP warning throughout the country. This level is introduced if there is an event confirming the probable purpose of a terrorist attack in cyberspace or if there is reliable information about a planned event. 

The Polish Law on Anti-terrorist actions provides that in the event of a terrorist attack or its threat, the head of government may introduce one of four threat levels: Alfa, Bravo, Charlie, and Delta. The highest level, Delta, can be announced if a terrorist attack occurs or incoming information indicates its high probability in Poland. 

Similar levels marked with CRP relate to threats in cyberspace. They are introduced to strengthen the control of the security level of information systems in order to monitor the possible occurrence of violations in their work. 

The Russian Federation has repeatedly rejected the accusations of Western countries in cyberattacks, calling them unfounded, and also stated that it is ready to cooperate on cybersecurity. 

Earlier, CySecurity News reported that CNN reported citing US administration sources that representatives of the White House, US intelligence, the US Department of Homeland Security (DHS), and other agencies have discussed preparations to repel cyber attacks that could be carried out in the United States and Ukraine.

UK Foreign Office Suffered ‘Serious Cyber Security Incident’


A "serious incident" compelled the Foreign Office of the United Kingdom to seek immediate cybersecurity assistance. A recently released public tender document confirmed the incident. According to a document released on February 4, the Foreign, Commonwealth and Development Office (FCDO) sought "urgent business support" from its cybersecurity contractor, BAE Applied Intelligence, 

The FCDO paid the company £467,325.60 — about $630,000 — for its services after issuing a contract for "business analyst and technical architect support to assess an authority cyber security incident" on January 12, 2022, according to the notice. However, the incident's facts, which had not previously been made public, remain unknown. 

The document stated, “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.” 

The Stack was the first to report on the BAE contract. According to an FCDO's spokesperson who did not give their name stated that the office does not comment on security but has measures in place to detect and protect against potential cyber events. Further queries about the incident, such as whether classified information was accessed, were declined by the spokesperson. 

TechCrunch also contacted the United Kingdom's data protection authority to see if the event had been reported, but is yet to hear back. The announcement of the apparent incident came only days after the British Council, an institution that specialises in international cultural and educational opportunities, was found to have suffered a severe security breach. Clario researchers discovered 144,000 unencrypted files on an unsecured Microsoft Azure storage server, including the personal and login information of British Council students. 

Following an investigation by the UK's National Cyber Security Center, Wilton Park, a Sussex-based executive agency of the FCDO, was hit by a cyberattack in December 2020, which revealed that hackers had access to the agency's systems for six years, though there was no proof that data had been stolen.

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats


An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group indicated in an email to The Register that it had barred an unnamed customer's access to its system, but it has yet to determine whether its software was engaged. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the impacted State Department officials were situated in Uganda or were focused on Ugandan issues, therefore their phone numbers had a foreign nation prefix rather than a US prefix. When Apple launched its complaint against the NSO Group on November 23rd, the iPhone maker also stated that it will tell iPhone customers who have been the target of state-sponsored hacking. On the same day, Norbert Mao, a communist, was assassinated. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he'd gotten an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or accomplished hacking of 37 phones linked to journalists and rights activists, including two women connected to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that their software was only licenced for battling terrorists and law enforcement, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department refused The Register's request for confirmation of the Reuters claim but said the agency takes its obligation to protect its data seriously. They were also told that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Israel Limits Cyberweapons Export List from 102 to 37 Nations


The Israeli government has limited the number of nations to which local security businesses can sell surveillance and offensive hacking equipment by nearly two-thirds, reducing the official cyber export list from 102 to 37. 

Only nations with established democracies are included in the new list, which was obtained by Israeli business publication Calcalist earlier today, such as those from Europe and the Five Eyes coalition: 

Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US. 

Autocratic regimes, to which Israeli corporations have frequently sold surveillance tools, are strikingly absent from the list. Spyware produced by Israeli businesses such as Candiru and the NSO Group has been attributed to human rights violations in tens of nations in recent years, with local governments using the tools to spy on journalists, activists, dissidents, and political opponents. 

The government has not issued a comment on the list's update, according to Calcalist journalists, and it is unclear why it was cut down earlier this month. The timing, on the other hand, shows that the Israeli government might have been driven it to make this choice. 

The list was updated a week after a covert meeting between Israeli and French officials to address suspicions that NSO Group malware was deployed against French President Emmanuel Macron. The announcement coincided with the US sanctioning of four monitoring firms, including Israel's Candiru and NSO Group. 

The penalties are reported to have sent NSO into a death spiral, with the business sliding from a prospective sale to French investors to losing its newly-appointed CEO and perhaps filing for bankruptcy as it has become company-non-grata in the realm of cyberweapons. 

Azimuth Security co-founder Mark Dowd discussed Israeli-based surveillance distributors and their knack for selling to offensive regimes in an episode of the Risky Business podcast last month, blaming it on the fact that these companies don't usually have connections in western governments to compete with western competitors. 

With the Israeli Defense Ministry tightening restrictions on cyber exports to autocratic regimes, the restricted cyber export list is likely to make a significant hole in Israel's estimated $10 billion surveillance sector.

As per a study released earlier this month by the Atlantic Council, there are roughly 224 firms providing surveillance and hacking tools, with 27 of them located in Israel.

Cyberattack Disrupts Gas Stations Across Iran, Government Says


A software failure suspected to be the result of a cyberattack has affected gas stations across Iran and defaced gas pump displays and billboards with gas prices. 

The problem, which occurred on Tuesday had an impact on the IT network of  National Iranian Oil Products Distribution Company (NIOPDC), a state-owned gas distribution firm that control gas stations throughout Iran. The network, which has been supplying oil products for over 80 years, consists of more than 3,500 stations across the country.

According to local media sources and as well as photographs and videos posted on social media, the cyberattack led NIOPDC gas stations to display the words "cyberattack 64411" on their screens. The gas pumps could have been used to refill automobiles, but NIOPDC staff shut them off once the firm learned it couldn't trace and charge consumers for the fuel they poured in their vehicles. 

Additionally, NIOPDC-installed gas pricing signs in key cities displayed the same "cyberattack 64411" message, along with "Khamenei, where is the gas?" and "Free gas at [local gas station's name]." 

The phone number 64411 is for the office of Supreme Leader Ayatollah Ali Khamenei. The same number was also displayed on billboards at Iranian train stations during a cyberattack on July 9, when passengers were instructed to phone Iran's leader and inquire as to why their trains had been delayed. The July attack on Iranian train stations was eventually connected to Meteor, a type of data-wiping malware. 

Despite a flood of evidence shared on social media, the Ministry of Oil spokesperson dismissed reports of a "cyberattack" in an official statement made later and attributed the occurrence to a software glitch, according to Jahan News. The same publication later claimed that refuelling operations at impacted gas stations had resumed. 

Government officials also held an emergency conference in response to the event, and after getting a reprimand from the Iranian leadership, several Iranian news agencies deleted reports of a cyberattack.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes

The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 

The Russian Railways information system got hacked in 20 minutes

Specialists of Russian Railways will conduct an investigation after the statement of the Habr user that he hacked the Wi-Fi network during a trip on the Sapsan high-speed train and gained access to the data of all its users in 20 minutes. According to the company, the hacked network did not contain personal data, but only entertainment content.

On Friday, November 15, user keklick1337 on the portal was returning from Saint-Peterburg, where he visited the ZeroNights information security conference, to Moscow. The programmer became bored, and he decided to check the reliability of the Wi-Fi and easily gained access to the hidden data of Russian Railways. He noted that " the same passwords and free security certificates are used everywhere, and the data is stored in text documents."

"It is not difficult to access the data of the passengers of the train and it takes at most 20 minutes", noted the author of the post.

"The server of the information and entertainment system of Sapsan trains does not store personal data of passengers. The multimedia portal provides information and entertainment content: news of Russian Railways, movies, books, music and other information, " — said the representative of Russian Railways.

According to the spokesman, for authorization in the system, the user must enter only the last four characters of the document, which he used to buy a ticket, as well as the rail car and the seat number. These data are not personal and in accordance with the current legislation of the Russian Federation are stored on the server for no more than one day.

"The infotainment system server is not connected to the internal network of Russian Railways or other internal control services on the train, it is designed exclusively for entertainment and information topics and does not store any confidential customer data," added the company.

The Russian Railways plans to conduct a technological investigation on the fact of hacking the train system Sapsan.

Earlier, E Hacking News reported that the personal data of 703 thousand employees of Russian Railways, from the CEO to the drivers, were publicly available.

Lake County government shuts down servers after ransomware attack

After the massive cyberattack in Texas, officials from Lake County, Illinois revealed on Friday, August 23 that the county has been hit by a cyberattack that forced the shutdown of email service and several internal applications.

The officials also mentioned that the breach came in the form of ransomware, which is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.

Mark Pearman, director of county's information technology office said that on Thursday, August 22, the IT staff was installing cybersecurity software on 3,000 individual employee laptops and working on the process to remove the ransomware malware from 40 county servers.

The ransomware attack was first noticed by systems administrators on Thursday and to prevent it the IT staff started taking encrypted and unencrypted servers off the network.

However, the official clarified that there was no evidence of data theft from county servers and restoring the systems will take the entire week and more information about the attack will be known by Monday, August 26.

As reported, the IT department is working with the county's cybersecurity contractor, Crowdstrike to conduct a damage assessment. This process includes scanning of all the servers, almost 3,000 computers to determine those infected by the ransomware.

Almost a month ago, LaPorte County, Indiana also suffered a similar breach and the authorities paid a ransom of $132,000 worth of Bitcoins to the hackers to restore the access to affected systems.

Another ransomware hit 22 Texas town governments and recently Louisiana was also forced to declare a state of emergency after some of its school districts' networks were hacked. Now, Texas' 22 town government has become the victim of ransomware.

After all these events, National Guard Chief Gen Joseph Lengyel called the events a "cyber storm." He also mentioned that these multi-state cyber attack reiterates the need for more standardized policies and training for cyber units across the force.

Twitter removes nearly 4,800 accounts linked to Iran government

Twitter has removed nearly 4,800 accounts it claimed were being used by Iranian government to spread misinformation, the company said on Thursday.

Iran has made wide use of Twitter to support its political and diplomatic goals.

The step aims to prevent election interference and misinformation.

The social media giant released a transparency report that detailed recent efforts to tamp down on the spread of misinformation by insidious actors on its platform. In addition to the Iranian accounts, Twitter suspended four accounts it suspected of being linked to Russia's Internet Research Agency (IRA), 130 fake accounts associated with the Catalan independence movement in Spain and 33 accounts operated by a commercial entity in Venezuela.

It revealed the deletions in an update to its transparency report.

The 4,800 accounts were not a unified block, said Yoel Roth, Twitter's head of site integrity in a blog detailing its actions.

The Iranian accounts were divided into three categories depending on their activities. More than 1,600 accounts were tweeting global news content that supported the Iranian policies and actions. A total of 248 accounts were engaged specifically in discussion about Israel. Finally, a total of 2,865 accounts were banned due to taking on a false persona which was used to target political and social issues in Iran.

Since October 2018, Twitter has been publishing transparency reports on its investigations into state-backed information operations, releasing datasets on more than 30 million tweets.

Twitter has been regularly culling accounts it suspects of election interference from Iran, Russia and other nations since the fallout from the 2016 US presidential election. Back in February, the social media platform announced it had banned 2,600 Iran-linked accounts and 418 accounts tied to Russia's IRA it suspected of election meddling.

“We believe that people and organizations with the advantages of institutional power and which consciously abuse our service are not advancing healthy discourse but are actively working to undermine it,” Twitter said.