“Whole of Government” Anti-Ransomware Campaign on Full Display | Davis Wright Tremaine LLP

November 8, 2021, may have been the most significant single day in the United States’ “whole of government” anti-ransomware campaign. The Department of Justice, Department of the Treasury, and Department of State all announced major actions—most of which were targeted against the REvil criminal hacking group.

Since 2019, REvil (also known as Sodinokibi) has been one of the most notorious and prolific perpetrators of ransomware attacks, including the attack against international meat processor JBS in May 2021 and the attack targeting Kaseya and up to 1,500 users of the company’s VSA software in July 2021.

We summarize Monday’s major activities here.

Department of Justice: Indictments Against REvil Leaders and Seizure of $6.1M

The Department of Justice announced indictments in the Northern District of Texas against two individuals associated with REvil: Yaroslav Vasinskyi of Ukraine and Yevgeniy Polyanin of Russia. The two are charged with several counts of conspiracy to commit fraud, violate the Computer Fraud and Abuse Act, and launder money.

Vasinskyi was arrested in Poland on October 8, 2021, and is being held there as the United States seeks his extradition. The federal government alleges that Vasinskyi was responsible for REvil’s attack against Kaseya, headquartered in Austin, Texas, among other attacks dating back to 2019.

Polyanin, who has not been detained, is alleged to have perpetrated attacks against numerous companies in Texas throughout 2019. In addition to the indictments against Polyanin, the Department of Justice announced the seizure of $6.1 million in funds traceable to alleged ransom payments from his account with FTX, a cryptocurrency exchange based in the Bahamas.

The cases against Vasinskyi and Polyanin are part of the Department of Justice’s Ransomware and Digital Extortion Task Force created last spring. The Department of Justice credited an international effort with the arrest of Vasinskyi and the indictments and the seizure of Polyanin’s funds.

Also on November 8, 2021, the European Union Agency for Law Enforcement Cooperation (commonly known as “Europol”) announced that Romanian authorities arrested two other individuals for suspected…


Ontario government worker charged in COVID-19 vaccination data breach

Suspects from the Ottawa and Montreal areas, one of whom worked at a government vaccination call centre, were arrested Tuesday in connection with an OPP investigation into a security breach of Ontario’s COVID-19 immunization system.

The province’s cybercrime team said it started an investigation into a possible data breach on Nov. 17 when the Ontario government flagged reports from the public about spam text messages received after residents booked COVID-19 vaccine appointments or downloaded their vaccination certificates.

On Monday, OPP executed search warrants in Ottawa as well as in Quebec with help from the Sûreté du Québec.

Police said they seized several computers and electronic devices.


Ayoub Sayid, a 21-year-old from Gloucester, Ont., is facing charges of unauthorized use of a computer. OPP said in a statement that the suspect is a government employee who worked in the province’s vaccine contact centre.


Rahim Abdu, 22, of Vaudreuil-Dorion, Que., faces the same charges.

Both accused have been released with future court dates.

A spokesperson for Ontario Solicitor-General Sylvia Jones said Tuesday that Sayid was working in the call centre through a third-party vendor, “but is no longer employed by the government.”

Spokesperson Stephen Warner also confirmed that “no personal health information was accessed” as part of the breach.

Jones told reporters on Monday that the public can feel secure in using the online vaccination portal.


“When we hear of potential breaches, we investigate thoroughly,” she said at a press conference Monday.

“We have confidence in the booking system, that there are no concerns.”

An OPP spokesperson said the cybersecurity unit is still investigating to determine how…


Ontario government employee among two charged in COVID-19 vaccine portal security breach

A government employee is among two people charged following an investigation into a security breach related to Ontario’s COVID-19 immunization system.

Ontario Provincial Police (OPP) say they were first asked to investigate the breach on Nov. 17 after the government received reports of spam text messages received by individuals who scheduled appointments or accessed vaccine certificates through the COVID-19 immunization system.

The security breach was confirmed publicly on Monday, with the Solicitor General’s office telling CTV News Toronto that the reported texts were “financial in nature.”

CTV News Toronto spoke with two residents who received phishing text messages they believe could have been related to the breach. Both messages were addressed to their children using their full names.

“What really triggered it for me was the spelling of her name. It was her name, her full name with middle name, and her middle name was fully capitalized and the only time I’ve ever seen that was on her vaccine passport,” Toronto resident Carla Embleton said.

Ottawa resident Mike Primeau said he received a similar text to his cell phone saying that his son had been sent “a reimbursement of $163.36” and was asked to reply to receive the payment.


Primeau was the one who registered his entire family—including his son—for the COVID-19 vaccine.

Multiple other people reported receiving text messages with either their full names or the full names of their children; however the requests differed slightly.

In a news release issued Tuesday, investigators said that two search warrants—one in Quebec and another in Ottawa—were executed on Nov. 22 in connection with the security breach. Several devices, computers and laptops were seized.

As a result of the investigation, 21-year-old Gloucester resident Ayoub Sayid and 22-year-old Rahim Abdu from Vaudreuil-Dorion were taken into custody.

They were both charged with Unauthorized Use of a Computer contrary to s. 342.1(1)(c) of the Criminal Code.

Police say that Sayid is an employee of the Ontario Ministry of Government and Consumer Services in the vaccine contact centre.

The charges have not been proven…


Nigerian Government Warns Of New Iran-based Hacking Group Targeting Telecoms Companies


The Nigerian Communications Commission (NCC) has called the attention of the Nigerian public to the existence of another hacking group orchestrating cyber espionage in the African telecoms space.
NCC issued the warning saying that efforts were under way to keep stakeholders in the country’s telecoms sector informed, educated and protected.

The commission identified an Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) as reportedly having targeted telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in recent politically motivated cyber-espionage attacks.
The information about this cyber attack is contained in the latest advisory issued by the Nigerian Computer Emergency Response Team (ngCERT). 
The ngCERT rated the probability and damage level of the new malware as high.
According to the advisory, the hacking group is known to be focused on infiltrating the networks of telecoms companies and ISPs. 
Between July and October 2021, Lyceum was reportedly implicated in attacks against ISPs and telecoms organisations in Israel, Morocco, Tunisia, and Saudi Arabia.
The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past.
The group now appears to have expanded its focus to the technology sector. 
The APT is also responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs.
Lyceum’s initial access vectors include credential stuffing and brute-force attacks. Once a victim’s system is compromised, the attackers conduct surveillance on specific targets and attempt to deploy two different kinds of malware: Shark and Milan (known together as James).
Both are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunnelling or Hypertext Transfer Protocol (HTTP) C2 communications, whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data.
Both are able to communicate with the group’s command-and-control (C2) servers. The…