Hello and welcome to the March NewsScam!
This month was marked by the massive hack at US-based Change Healthcare, which has already cost the company billions of dollars.
The US government charged seven Chinese nationals with cyber espionage. Meanwhile, alleged Russian hackers aren’t giving up on Microsoft so easily following their attack on executive emails late last year.
Governments in France and Germany also had quite a rough go of it this month, and there were lots and lots of data breaches. Let’s have a look at another busy month in cybersecurity.
The US Goes After Chinese Cybercrime Group APT 31 for Cyber Espionage
In a significant development, on March 25th the United States Department of Justice (DOJ) charged seven Chinese nationals for their alleged involvement in a broad cyber espionage campaign carried out on behalf of their government. The seven are believed to be members of Advanced Persistent Threat Group 31 (APT31), a group known to be highly skilled and capable of running sophisticated operations.
The US was aided by UK law enforcement in identifying the cybercriminals, all seven of whom are believed to reside in the People's Republic of China. Whether they can be extradited to the US is the big question that the DOJ needs to answer.
The DOJ’s unsealed indictments charge the accused with conspiracy to commit computer intrusions and wire fraud, allegedly with support from the Chinese government.
According to Reuters, APT31, also known as Zirconium, operated through the Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ) from at least 2010 until January 2024. APT31 and Chinese security authorities allegedly “targeted thousands of U.S. and foreign politicians, foreign policy experts” – even spouses of officials.
The Billion Dollar ALPHV Attack on Change Healthcare
One of the biggest stories of March was the devastating ALPHV/BlackCat ransomware attack on Change Healthcare. A unit of UnitedHealth, one of the largest providers in the US, Change Healthcare ended up paying a ransom to the tune of $22 million.
Disruptions from the cyber-attack are still costing healthcare providers as much as $1 billion a day. Not only that, the attack impacted thousands of medical offices and pharmacies throughout the country. For example, UnitedHealth’s pharmacies were forced to take most of their operations down after the February 21st attack, and it wasn’t until March 8th that some services began coming back online.
ALPHV/BlackCat really hit the bullseye because it turns out that Change Healthcare is vital for making and clearing insurance claims. It also connects to other major US healthcare providers like Aetna and Humana. As a result, patients were unable to get prescriptions filled and some medical offices were not getting paid for their services.
According to the president and CEO of the American Hospital Association, the attack was “the most serious incident of its kind leveled against a U.S. health care organization.”
Naturally, it did not take very long for class-action lawsuits to be filed. To make matters worse, UnitedHealth Group has already paid out more than $2 billion in advances to assist affected health-care providers, and some hospitals have been losing $24 million a day due to the attack.
Hackers Hit French, German Government Agencies
March was a rough month for the governments of Germany and France after both faced new cybersecurity incidents.
Early in the month, a 38-minute-long audio recording of German military officers discussing the transfer of German-Swedish Taurus air missiles to Ukraine was published by Russian state broadcaster RT. The audio reportedly originated from a call placed by a German official in a hotel room in Singapore using the Cisco-owned Webex web conferencing app. Defense Minister Pistorius seemed to downplay the event, claiming the leak was caused by a Webex ‘application error’. But German Chancellor Olaf Scholz described the leak as "a very serious matter," and others raised concerns that the leak may have been just the "tip of the iceberg" and that Russian actors have accessed NATO secrets.
In France, government unemployment agency France Travail experienced a massive data breach, sparking fears it may impact 43 million people. Formerly known as Pôle Emploi, France Travail warned that hackers breached its systems and may leak or exploit the personal details of millions of people. The incident, which took place between February 6th and March 5th, is the second such incident the agency has experienced since last summer.
There was another attack in France in March, this one at the hands of Anonymous Sudan, a Russian-speaking hacktivist group. As a result of the attack, carried out as a distributed denial-of-service (DDoS) attack, several French government services were disrupted. In an official post on Telegram, the group announced it had “conducted a massive cyberattack on the infrastructure of the French Interministerial Directorate of Digital Affairs (DINUM),” and that “The damage will be widespread as core digital government endpoints have been hit and the French know the details very well.” The incident also impacted the Directorate General of Civil Aviation, Ministry of Health and Social Affairs, National Geographic Institute, Ministry of Economy, Finance and Industrial and Digital Sovereignty, and Ministry of Ecological Transition and Territorial Cohesion.
Russian Hackers Stick Like Glue to Microsoft
Also this month, Microsoft admitted in a U.S. Securities and Exchange Commission (SEC) filing that it is still being dogged by elite Russian government hackers who broke into executive email accounts back in November. The incident was discovered in January. Since the attack began, the hackers have been trying to breach customer networks with the illegally obtained data. The hackers are reportedly from Russia’s SVR foreign intelligence service, a group also known as Midnight Blizzard, APT29 and Cozy Bear. The data obtained in the November incursion was then used in attempts to compromise some source code repositories and internal systems. In the AP story, a Microsoft spokesperson was unable to say which source code was accessed. But the spokesperson did say the hackers “stole secrets from email communications between the company and unspecified customers”, including cryptographic secrets such as passwords, certificates and authentication keys.
Data Breaches Here, There and Everywhere
Talk about March Madness.
In the last month, we learned about data breach activity at tech titan Fujitsu, sneaker company Vans and Nations Direct Mortgage. (And that’s not even a full listing of all the breaches this month.)
On March 15th, technology giant Fujitsu announced the discovery of malware on its systems, with a warning that hackers may have gotten away with personal and customer information. As of March 25th, the $25 billion company says it does not appear the bad actors have misused the stolen information, and no ransom demands were made. But the company has yet to explain details such as how it was infected by malware, the attack vector, or the length of time of the cyber intrusion.
Following a December cyberattack, Vans could be looking at a breach impacting 35 million people. The apparel company that owns major brands such as Timberland and The North Face emailed its customers the week of March 20th. According to the email, the company’s investigation revealed that “some personal information of our customers, that we normally store and process in order to manage online purchases,” was affected. It added that, “in certain cases, the affected data may also include order history, total order value, and information about what payment method was used for the purchases.” However, Vans emphasized it never collects or retains in its IT systems “any detailed payment/financial information,” making it extremely unlikely detailed financial information was exposed during the incident.
Also this month, US housing loan lender Nations Direct Mortgage began informing more than 83,000 individuals that their personal information was compromised last year. The data breach took place on December 30th. According to Security Week, the incident resulted in “unauthorized access to certain systems containing clients’ personal information and other Nations Direct data.” The company is offering affected individuals 24 months of free identity monitoring services through Kroll.
Let’s hope April will be much kinder.
But Wait, There’s More
17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns – Help Net Security
TeamCity supply chain bugs receive massive exploitation – CSO Online
LockBit ransomware affiliate gets four years in jail, to pay $860k – BleepingComputer
Visa spends ‘billions’ battling cybersecurity threats – Cybersecurity Dive
Nearly 13 Million Secrets Spilled Via Public GitHub Repositories – Infosecurity
Alabama Under DDoS Cyberattack by Russian-Backed Hacktivists – Dark Reading
Belgian village whose brewery was hit by cyberattack faces another on its coffee roastery – The Record
British Library’s legacy IT blamed for lengthy rebuild – The Register
Typosquatting Wave Shows No Signs of Abating – Dark Reading