Google’s cyber security subsidiary has observed an established financial crime group engaging in a widespread email-based campaign.
Cyber security firm Mandiant has warned of an ongoing and broad email campaign with links to the prolific cyber extortion group, Clop.
“Mandiant and Google Threat Intelligence Group are actively tracking recent activity involving an actor claiming affiliation with the Clop extortion group,” Charles Carmakal, CTO at Mandiant – Google Cloud, said in a 2 September statement.
“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running, financially motivated threat group known for deploying ransomware and engaging in extortion.”
FIN11, also tracked as UNC902 and TEMP.Warlock, has been around since 2017, when it was known for deploying point-of-sale malware. Since then, the group has gone through several evolutions, from ransomware to hybrid extortion. It’s been known to use mass email phishing campaigns to find its targets, picking victims based on their security posture, geolocation, and industry.
“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site (DLS),” Carmakal said.
“This move strongly suggests there’s some association with Clop and they are leveraging the brand recognition for their current operation.”
Mandiant notes that while the campaign is consistent with FIN11’s usual extortion motives and the actor claims to be acting as Clop, the Google Threat Intelligence Group has no evidence that the hackers are being upfront about that claim.
“Attribution in the financially motivated cyber crime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims,” Carmakal said.
“We recommend targeted organisations investigate their environments for evidence of threat actor activity.”
Cyber Daily has seen an email that purports to be from Clop, warning targeted executives that the hackers have accessed their Oracle E-Business Suite; it is highly likely part of the campaign Mandiant is warning of.
“We are CL0P team. If you haven’t heard about us, you can google about us on internet,” an alleged Clop spokesperson said in an email published by Dark Web Informer.
“We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.
“But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.”
The emails include contact addresses and claim that payment will lead to complete erasure of the stolen data, while non-payment will lead to its publication.
Dr Chris Pierson, former DHS cyber security official and CEO/founder of executive protection firm BlackCloak, said that the targeting of executives was becoming more common.
“Extortion attempts like this highlight the reality that executives are increasingly being singled out as the soft underbelly of the corporation for cyber criminals. Cyber criminals recognise that targeting the C-suite creates urgency, exposes them to high risk, and instils fear that can lead to other issues,” Pierson said.
“The challenge for organisations is twofold: hardening the systems that store the most sensitive corporate data, and ensuring executives are prepared with the right playbook when extortion attempts land in their inbox.
“The companies that come out ahead are those that treat digital executive protection as part of their overall cyber security posture rather than an afterthought.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.