Tracking & Law Enforcement

Europol Signs Cybersecurity Agreement With EU Agencies, WEF

Europol this week signed two memorandums of understanding related to cybersecurity cooperation - one with the World Economic Forum (WEF) and one with the European Union Agency for Network and Information Security (ENISA), the European Defence Agency (EDA), and the EU's Computer Emergency Response Team (CERT-EU). The memorandum of understanding (MoU) signed on Wednesday between Europol, ENISA, EDA and CERT-EU establishes a cooperation framework on cyber security and cyber defense. The agreement focuses on cyber exercises, education and training, exchange of information, strategic and administrative matters, and technical cooperation.

The MoU also allows cooperation in other areas that may turn out to be important for all four organizations. "EDA supports Member States in the development of their defence capabilities. As such, we also act as the military interface to EU policies," said Jorge Domecq, chief executive of the EDA. "Today's Memorandum of Understanding is an important step towards increased civil-military cooperation and synergies in the area of cyber security and cyber defence."

"The EU institutions, bodies and agencies rely on the specialised skills and tools in threat intelligence and incident response of CERT-EU. But, we don't maintain these capacities by acting alone. That is why acting together with our peers and partners in the other signatories to this Memorandum is so important," stated Ken Ducatel, acting head of CERT-EU.

As for the MoU signed on Friday by Europol and the WEF, it focuses on establishing a cooperation framework whose goal is to make cyberspace safe for individuals, businesses and organizations. The WEF and Europol recently announced the launch of a Global Cyber Security Centre located in Geneva, Switzerland. As part of the new agreement, Europol and WEF will collaborate on the implementation of projects in common areas of interest, best practices, technical information on cybercrime, and statistical data.

Related: World Economic Forum Announces New Fintech Cybersecurity Consortium

Related: Europol Looks to Solve IP-Based Attribution Challenges

Related: World Economic Forum Publishes Cyber Resiliency Playbook

Russian Police Arrest Man Involved in Android Banking Trojan Scheme

Law enforcement authorities in Russia have arrested an unnamed 32-year-old man who is believed to be part of a cybercrime ring that made up to £8,000 per day using Android banking Trojans. According to Russia-based cybersecurity firm Group-IB, the suspect is an unemployed Russian national who had previously been convicted for arms trafficking. He was arrested earlier this month and reportedly already confessed.

The cybercrime group used a malicious Android app named "Banks at your fingertips" to trick the customers of Russian banks into handing over their financial information. The banking Trojan was disguised as a tool that claimed to allow users to access all their bank accounts from one Android app. It offered users the possibility to view balances, transfer money between payment cards, and pay for online services.

The malicious app, distributed via spam emails since 2016, instructed users to enter their card details, which were then sent to a server controlled by the attackers. The cybercrooks transferred between £1,500 and £8,000 per day from victims' bank accounts, £200-£500 at a time. The criminal proceeds were laundered using cryptocurrencies.

The malware also helped the attackers intercept the SMS confirmation codes sent by banks, at the same time blocking all text messages confirming transactions in an effort to avoid raising suspicion.

While Russia has occasionally collaborated with Western law enforcement agencies to bring down global cybercrime operations, it has often turned a blind eye to the activities of hackers who have mainly targeted the United States. Four Russian nationals are currently on the FBI's Cyber Most Wanted list, including the alleged administrator of a massive cybercrime scheme involving the Zeus Trojan, and three people believed to have been involved in attacks on Yahoo that resulted in roughly 500 million accounts getting compromised.

The Russian government has defended some of the alleged hackers arrested by the United States - in one case Moscow accused Washington of abducting the son of a lawmaker.

On the other hand, the government has been known to crack down on cybercrime rings that target Russian citizens.

Police have arrested 50 hackers believed to have used the Lurk Trojan, the creator of the Svpeng Android malware, and nine people who allegedly stole £17 million from bank accounts.

U.S. Disrupts Russian Botnet of 500,000 Hacked Routers

The US Justice Department said Wednesday that it had seized an internet domain that directed a dangerous botnet of a half-million infected home and office network routers, controlled by hackers believed tied to Russian intelligence. The move was aimed at breaking up an operation deeply embedded in small and medium-sized computer networks that could allow the hackers to take control of computers as well as easily steal data. The Justice Department said the "VPNFilter" botnet was set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group.

The group is blamed for cyber attacks on numerous governments, key infrastructure industries like power grids, the Organization for Security and Co-operation in Europe, the World Anti-Doping Agency, and other bodies. US intelligence agencies also say it was involved in the operation to hack and release damaging information on the Democratic Party during the 2016 US presidential election, and has engineered a number of computer network disruptions in Ukraine.

Related: Massive Russia-Linked Botnet Raises Concerns of New Attack on Ukraine

"According to cybersecurity researchers, the Sofacy Group is a cyber-espionage group believed to have originated from Russia," the Department of Justice said in a court filing. "Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means," it said. The Justice filing did not say who was behind Sofacy Group, but US intelligence has in the past linked it to Russia's GRU military intelligence agency, and numerous private computer security groups have made the same connection.

In Wednesday's action, the Justice Department said it had obtained a warrant authorizing the FBI to seize a computer domain that is part of the command and control system of the VPNFilter botnet. The botnet targets home and office routers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network. In a report released in parallel to the Justice announcement, network equipment giant Cisco said VPNFilter had infected at least 500,000 devices in at least 54 countries.

It has targeted popular router brands like Linksys, MikroTik, NETGEAR and TP-Link. "The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials," Cisco said. It also has "a destructive capacity that can render an infected device unusable, which can be triggered on individual victim machines or en masse."

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that seizing one of the domains involved in running VPNFilter gives owners of infected routers a useful step to take: rebooting the device forces the malware to reach out again to the command domain, which now points to infrastructure under the FBI's control rather than the attackers'. The underlying vulnerability in the routers will remain, Justice said, but the seizure buys time to identify infected devices from their check-ins and to intervene in other parts of the botnet's infrastructure.
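The domain seizure described above only helps a network owner who can see which of their devices try to reach the seized domain. The following is an added example, not code from the article, the Justice Department or Cisco, showing how a defender who runs an internal DNS resolver would triage that: parse resolver query logs, match lookups of a sinkholed domain (and any subdomain of it, case-insensitively and ignoring a trailing dot), and report each source address with its first and last lookup. The domain name `c2.example.invalid` is a hypothetical placeholder for the seized domain, which the article does not name, and the log lines are constructed in the style of a BIND query log.

```python
"""Sinkhole hit triage: list devices that resolved a seized C2 domain.

Added example, not from the article or from the DOJ/Cisco reports.
The domain and the log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical placeholder: substitute the seized domain named in the
# court order or in the indicator list of the vendor report you rely on.
SINKHOLED_DOMAINS = {"c2.example.invalid"}

# Constructed resolver log lines in the style of a BIND query log.
# 192.168.1.1 and 10.10.0.254 are the kind of gateway addresses a home or
# small-office router would use; 192.168.1.20 is an ordinary client.
SAMPLE_LOG = """\
22-May-2018 09:01:12.101 queries: info: client 192.168.1.1#51234: query: c2.example.invalid IN A + (10.0.0.53)
22-May-2018 09:01:13.220 queries: info: client 192.168.1.20#41000: query: www.example.com IN A + (10.0.0.53)
22-May-2018 09:03:40.005 queries: info: client 192.168.1.1#51240: query: c2.example.invalid IN A + (10.0.0.53)
22-May-2018 09:05:02.331 queries: info: client 10.10.0.254#33001: query: C2.Example.Invalid. IN A + (10.0.0.53)
22-May-2018 09:06:00.000 queries: info: client 192.168.1.20#41002: query: mail.example.com IN MX + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<src>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query-log line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so that "C2.Example.Invalid." matches the indicator "c2.example.invalid".
    qname = m.group("qname").rstrip(".").lower()
    return {"ts": ts, "src": m.group("src"), "qname": qname, "qtype": m.group("qtype")}


def is_sinkholed(qname, sinkholed):
    """True if qname is a sinkholed domain or lies under one."""
    return any(qname == d or qname.endswith("." + d) for d in sinkholed)


def find_sinkhole_hits(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Return {source_ip: {"count", "first", "last", "names"}} for every client
    whose lookups touched a sinkholed domain."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sinkholed(rec["qname"], sinkholed):
            continue
        h = hits[rec["src"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["names"].add(rec["qname"])
    return dict(hits)


def triage_report(hits):
    """One human-readable line per suspect device, sorted by source address."""
    lines = []
    for src in sorted(hits):
        h = hits[src]
        lines.append(
            f"{src}: {h['count']} lookup(s) of {sorted(h['names'])} "
            f"between {h['first'].isoformat()} and {h['last'].isoformat()}"
        )
    return lines


if __name__ == "__main__":
    for line in triage_report(find_sinkhole_hits(SAMPLE_LOG)):
        print(line)
```

Run against the constructed log, the report names the two gateway addresses and leaves the ordinary client out. The practical use is the reboot check the Justice Department described: reboot a suspect router, then look for a fresh lookup of the seized domain from that router's address; a hit after the reboot means the device is infected and still needs firmware attention, since the seizure neutralises the controllers but not the implant.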

Related: Russia-Linked Spies Deliver Malware via DDE Attack

Related: Russian 'Fancy Bear' Hackers Abuse Blogspot for Phishing

Related: Kaspersky Details APT Trends for Q2 2017