Red Cross Hack Linked to Iranian Influence Operation? – Krebs on Security
A network intrusion at the International Committee of the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people assisted by the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data was also used to register several domain names that the FBI says are tied to a sprawling media influence operation originating from Iran.
On January 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent Movement. The ICRC said the hacked servers contained data relating to the organization's Restoring Family Links service, which works to reconnect people separated by war, violence, migration and other causes.
The same day the ICRC went public with its breach, someone using the nickname “Sheriff” on the English-language cybercrime forum RaidForums advertised the sale of Red Cross and Red Crescent Movement data. Sheriff's sales thread suggests the ICRC was asked to pay a ransom to guarantee the data would not be leaked or sold online.
“Mr. Mardini, your words have been heard,” Sheriff wrote, posting a link to the Twitter profile of ICRC Director-General Robert Mardini and urging forum members to tell him to check his email. “Check your email and send a figure you can afford.”
In its online statement on the hack (updated February 7), the ICRC said it had not had any contact with the hackers and that no ransom demand was made.
“In line with our ongoing practice of engaging with any actor who may facilitate or hinder our humanitarian work, we are prepared to communicate directly and confidentially with anyone who may be responsible for this operation to impress on them the need to respect our humanitarian action,” the ICRC statement reads.
Asked to comment on Sheriff's claims, the ICRC issued the following statement:
“At this time, we have no conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has reviewed any reported allegation of data being available on the dark web.”
Update, 2:00 p.m. ET: The ICRC has just published an update to its FAQ on the breach. The ICRC now says the hackers broke in on November 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). Both the vendor's fix for that flaw and a joint CISA/FBI advisory warning of its active exploitation had been public for roughly two months by then. “This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, performing lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools that allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, although that data was encrypted.”
The email address Sheriff used to register on RaidForums — [email protected] — appears in an affidavit for a search warrant filed by the FBI about a year ago. That FBI warrant followed an investigation published by the security firm FireEye, which examined an Iran-based network of inauthentic news sites and clusters of associated social media accounts aimed at audiences in the United States, the United Kingdom and other Western countries.
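The article names only the CVE. As an added example, not code from the ICRC or from KrebsOnSecurity, the script below triages web-server access logs for the request shape that public reporting on CVE-2021-40539 describes: the flaw is an authentication bypass in Zoho ManageEngine ADSelfService Plus in which a dot-segment path such as /./RestAPI/... slips past the filter guarding the REST API, after which a JSP web shell is dropped. The product name, the guarded prefix and the web shell path are taken from public advisories and are assumptions for any given environment; the log lines are constructed for this example.

```python
"""Access-log triage for the exploitation pattern behind CVE-2021-40539.

Assumptions (from public advisories, not from the article): the product is
ManageEngine ADSelfService Plus, the auth filter guards /RestAPI/, and the
web shell was written to the JSP path listed in WEBSHELL_PATHS. Detection
idea: normalise each request path the way a lenient servlet container would
and flag requests that only reach the guarded namespace after normalisation.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote

# Common/combined log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

GUARDED_PREFIX = "/RestAPI/"   # namespace the product's auth filter is meant to cover
# Web shell drop location reported in public advisories for this CVE (assumption).
WEBSHELL_PATHS = {"/help/admin-guide/Reports/ReportGenerate.jsp"}


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    raw_path: str
    reason: str


def canonical_path(raw_path: str) -> str:
    """Decode percent-encoding, drop the query string and a trailing slash, so
    that only real dot-segment tricks register as a difference after normpath."""
    decoded = unquote(raw_path.split("?", 1)[0])
    return decoded.rstrip("/") or "/"


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request, None for benign or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = canonical_path(m["path"])
    normalised = posixpath.normpath(decoded)  # collapses /./ and /../ segments
    if normalised != decoded and normalised.startswith(GUARDED_PREFIX):
        return Finding(m["ip"], m["ts"], m["method"], m["path"],
                       "dot-segment path reaches guarded REST API only after normalisation")
    if normalised in WEBSHELL_PATHS:
        return Finding(m["ip"], m["ts"], m["method"], m["path"],
                       "request to known web shell drop location")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a log and keep only the hits."""
    return [f for f in map(triage_line, lines) if f is not None]


# Constructed sample log: a benign page load, a bypass, a web shell hit, a
# direct API call the filter correctly rejected, and a percent-encoded bypass.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2021:03:12:44 +0000] "GET /authorization.do HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Nov/2021:03:12:51 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 312',
    '203.0.113.5 - - [09/Nov/2021:03:13:09 +0000] "POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 88',
    '198.51.100.20 - - [09/Nov/2021:03:20:00 +0000] "GET /RestAPI/Connection HTTP/1.1" 401 0',
    '198.51.100.20 - - [09/Nov/2021:03:21:00 +0000] "GET /%2e/RestAPI/Connection?x=1 HTTP/1.1" 200 140',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.raw_path} -> {f.reason}")
```

The comparison is done after percent-decoding so that an encoded dot segment (/%2e/RestAPI/...) is caught, while a plainly encoded space in an otherwise normal path is not flagged; a 401 on a direct /RestAPI/ request is the filter working and produces no finding.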
“This operation leverages a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives consistent with Iranian interests,” the FireEye researchers wrote. “These narratives include anti-Saudi, anti-Israel and pro-Palestinian themes, as well as support for specific U.S. policies that are pro-Iran.”
According to the FBI affidavit, the [email protected] address was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com and whatsupic[.]com. A reverse WHOIS lookup on that email address at DomainTools.com (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, muslimpress[.]com and realneinovosti[.]report.
A review of Sheriff's posts on RaidForums shows he has used two other nicknames since joining the forum in December 2021: “Uncharged” and “threat_actor.” In several posts, Sheriff taunts a FireEye employee by name.
In a January 3, 2022 post, Sheriff says his “team” is seeking licenses for the Cobalt Strike penetration testing tool and is willing to pay $3,000 to $4,000 per license. Cobalt Strike is a legitimate security product sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses are frequently used in the run-up to ransomware attacks.
“We’ll be buying constantly, making contact,” Sheriff advised. “Do not ask if we still need)) the team is interested in licensing indefinitely.”
On January 4, 2022, Sheriff tells RaidForums that his team is looking to buy access to a specific data broker platform and offers to pay up to $35,000 for that access. Sheriff says they will only accept offers secured through the forum's escrow service.
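The pivot the article performs, from one registrant email to every domain it registered, is easy to reproduce once historical WHOIS records are in hand. The script below is an added example, not the article's or DomainTools' code: the six domains are the ones named above, but the registrant email (which the article redacts), the creation dates and the decoy record are constructed placeholders, and a real run would feed in records from a historical WHOIS provider.

```python
"""Reverse-WHOIS pivot on a registrant email, with defanging for reports.

Records are constructed for this example: domains come from the article,
everything else (email, dates, the decoy) is a placeholder.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, Optional, TypedDict


class WhoisRecord(TypedDict):
    domain: str            # may arrive defanged, e.g. "awdnews[.]com"
    registrant_email: str
    created: str           # ISO date


def refang(indicator: str) -> str:
    """Turn awdnews[.]com back into awdnews.com so records can be matched."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Make a domain safe to paste into a report without becoming a live link."""
    return indicator.replace(".", "[.]")


def norm_email(email: str) -> str:
    """WHOIS data is inconsistent about case and whitespace; compare normalised."""
    return email.strip().lower()


def reverse_whois(records: Iterable[WhoisRecord], email: str,
                  since: Optional[date] = None,
                  until: Optional[date] = None) -> List[str]:
    """Domains whose registrant email matches, optionally restricted by
    creation date. Returns defanged, sorted, de-duplicated domains."""
    target = norm_email(email)
    hits = set()
    for r in records:
        if norm_email(r["registrant_email"]) != target:
            continue
        created = date.fromisoformat(r["created"])
        if since is not None and created < since:
            continue
        if until is not None and created > until:
            continue
        hits.add(refang(r["domain"]).lower())
    return [defang(d) for d in sorted(hits)]


def registrant_clusters(records: Iterable[WhoisRecord]) -> Dict[str, List[str]]:
    """Group every domain in the data set by registrant email; the largest
    clusters are the ones worth a closer look."""
    clusters = defaultdict(set)
    for r in records:
        clusters[norm_email(r["registrant_email"])].add(refang(r["domain"]).lower())
    return {e: sorted(ds) for e, ds in clusters.items()}


# Constructed records: placeholder email and dates, one duplicate in defanged
# form and one decoy domain registered by someone else.
RECORDS: List[WhoisRecord] = [
    {"domain": "awdnews.com", "registrant_email": "registrant@example.net", "created": "2012-06-14"},
    {"domain": "whatsupic.com", "registrant_email": "Registrant@Example.net", "created": "2013-09-30"},
    {"domain": "sachtimes.com", "registrant_email": "registrant@example.net", "created": "2015-02-03"},
    {"domain": "SachTimes[.]com", "registrant_email": " registrant@example.net ", "created": "2015-02-03"},
    {"domain": "muslimpress.com", "registrant_email": "registrant@example.net", "created": "2016-05-09"},
    {"domain": "moslimyouthmedia.com", "registrant_email": "registrant@example.net", "created": "2018-11-21"},
    {"domain": "realneinovosti.report", "registrant_email": "registrant@example.net", "created": "2021-03-17"},
    {"domain": "benign-example.org", "registrant_email": "other@example.com", "created": "2019-01-01"},
]

if __name__ == "__main__":
    for d in reverse_whois(RECORDS, "registrant@example.net"):
        print(d)
```

A shared registrant email is a lead, not proof of a shared operator: privacy-proxied or recycled addresses produce false clusters, so the date filter and a second pivot on other registrant fields are the usual next steps before drawing a conclusion.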
Asking for escrow in a sales thread is almost universally a sign that someone is serious and ready to transact on whatever has been advertised or requested. Indeed, escrow transactions necessarily require the buyer to make a deposit with the administrators of the forum before proceeding with any transaction.
Sheriff appears to have been part of a group on RaidForums that offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data (PDF screenshot from threat intelligence firm KELA). In a “scam report” filed against Sheriff by another RaidForums member on December 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.
Instead, the claimant alleges, Sheriff paid them only about 25 percent. “The company paid a ransom of $1.35 million and only a payment of $350,000 was made to me, so I’m asking for $600,000 to settle this dispute,” the affiliate wrote.
In another post on RaidForums, a user aptly named “FBI Agent” advised other forum members to steer clear of Sheriff's ransomware affiliate program, noting that any dealings with this person could violate U.S. Treasury Department Office of Foreign Assets Control (OFAC) sanctions that restrict trade with persons residing in Iran.
“To be clear, we do not work with anyone on the OFAC Sanctions List, under which @Sheriff is a part,” the ransomware affiliate program administrator wrote in response.
RaidForums says Sheriff was referred to the forum by Pompompurin, the same hacker who used a security flaw in the FBI's website last year to send a fake alert about a cybercrime investigation to state and local authorities. Pompompurin has been very active on RaidForums over the past few years, frequently posting databases from newly hacked organizations and selling access to stolen information.
Reached via Twitter, Pompompurin said they had no idea who might have offered money and information about Sheriff, and that they would never “report” Sheriff.
“I know who he is but I’m not saying anything,” Pompompurin replied.
Sheriff's information was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the would-be donor asked me whether it was all right that the money came from a ransomware transaction, I naturally declined the offer.
This person then shared the information about the connection between Sheriff's email address and the FBI search warrant, as well as the account credentials.
The same identity approached several other security researchers and journalists, one of whom was able to validate that the [email protected] address was tied to Sheriff's account. These researchers were also offered tainted gifts, except that the person offering the gift seemed to use a different story with each person about who they were or why they were offering the money. Other people contacted by the same anonymous user said they also received unsolicited information about Sheriff.
It seems clear that whoever offered this money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there are very few public reports about the source of the ICRC intrusion, the potential link to Iran-based hacker groups seems worth noting.