Ronin Hack: North Korea’s Lazarus Behind $540 Million Axie Infinity Breach

Early this week, the Ukrainian Computer Emergency Response Team and the Slovakian cybersecurity firm ESET warned that the infamous Russian GRU Sandworm hackers had targeted high-voltage electrical substations in Ukraine using a variant of their blackout-inducing Industroyer malware, also known as Crash Override. Days later, the U.S. Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly issued an advisory about a new hacking toolset for industrial control systems, of unspecified origin, called Pipedream. The toolset has apparently not yet been deployed against targets, but industrial system operators must proactively block it.

Russia’s war on Ukraine has led to massive data breaches in which spies, hacktivists, criminals and ordinary people seeking to support Ukraine have gathered and publicly released vast amounts of information about the Russian military, government and other Russian institutions. And conflict aside, WIRED has looked at the true impact of source code leaks in the grand scheme of cybercrime breaches.

Additionally, DuckDuckGo has finally released a version of its privacy browser for desktop, and WhatsApp is expanding to offer a Slack-like group chat organization scheme called Communities.

And there’s more! We’ve rounded up all the news that we haven’t covered, or haven’t covered at length, this week. Click on the headlines to read the full stories. And stay safe out there.

Blockchain analytics researchers from Elliptic and Chainalysis said Thursday they had traced the massive amount of cryptocurrency stolen from the Ronin network bridge last month to the North Korean Lazarus hacking group. The US Treasury Department also announced extensive sanctions against North Korea, Lazarus and the group’s subsidiaries. The attackers stole large amounts of the Ethereum currency ether and some USDC stablecoin, totaling $540 million at the time. (The value of the stolen funds has since risen to more than $600 million.) Lazarus hackers have engaged in cybercrime for years, hacking into businesses, organizing scams and generally collecting profits to fund the Hermit Kingdom.

NSO Group, the Israeli developer of the powerful and widely used spyware Pegasus, was declared “worthless” in filings in a British court this week. The assessment, described as “abundantly clear,” came from the third-party consultancy Berkeley Research Group, which manages the fund that owns NSO. As a staggering number of autocrats and authoritarian governments have bought NSO tools to target activists, dissidents, journalists and other at-risk groups, the spyware maker has been denounced and (repeatedly) sued by tech giants in an effort to limit its reach. Targeted surveillance is big business and a nexus where espionage and human rights issues come together. For example, Reuters reported this week that senior EU officials were targeted by unspecified Israeli-made spyware last year.

T-Mobile confirmed it had been breached (for what felt like the millionth time) last year after hackers put the personal data of 30 million customers up for sale for 6 bitcoins, or about $270,000 at the time. However, recently unsealed court documents show that the telecom company hired an outside firm as part of its response, and that firm paid the attackers about $200,000 for exclusive access to the stolen data in the hope of containing the crisis. Paying hackers through third parties is a well-known but controversial tactic for dealing with ransomware attacks and digital extortion. One of the reasons it’s frowned upon is that it often fails, as was the case with T-Mobile’s data, which the attackers kept selling.

In a report this week, researchers at Cisco Talos said a new type of information-stealing malware called “ZingoStealer” is spreading rapidly on the Telegram app. The cybercriminal group known as Haskers Gang distributes the malware for free to other criminals or anyone who wants it, the researchers said. The group, which may be based in Eastern Europe, regularly shares updates and tools on Telegram and Discord with the cybercriminal “community”.

This post, Ronin Hack: North Korea’s Lazarus Behind $540 Million Axie Infinity Breach, was originally published at “https://www.wired.com/story/ronin-hack-lazarus-tmobile-breach-data-malware-telegram”