June 9-15, 2022 | Issue 12 - Counterintelligence/Cyber (CICYBER)
Keanna Grelicha, Marina Tovar, CICYBER Team
Hannah Norton, Editor; Jennifer Loy, Chief of Staff
Date: June 9, 2022
Parties involved: US government; Forbes; travel company, Sabre; travel company, Travelport; Russian hacker Aleksei Burkov
The event: Forbes released the 2015 investigation documents on Aleksei Burkov, a Russian hacker who stole $20 million by conducting several crimes, like identity and device theft, through the Cardplanet website on the dark web. The documents show that the US government acquired surveillance reports from the travel companies Sabre and Travelport granted under the All Writs Act. Using the Act, the US government requested all real-time records of Burkov for two years, citing his cybercriminal activity as justification.
Analysis & Implications:
The travel companies’ ability to release data reports of their clients’ information could very likely lead to privacy concerns for existing clients who feel their data could be mishandled. Customers who view data sharing as violating their privacy could very likely end their services with the travel companies, very likely resulting in a declining reputation. The companies will very likely find advertising services and obtaining more clients challenging as a result, very likely further decreasing their revenues. The financial burden will likely lead to a decrease in provided services, likely forcing them to downsize.
The US government’s ability to subpoena data reports from private companies will very likely result in increased government distrust from data privacy advocacy groups regarding digital data security. Privacy advocates will very likely demand change to data legislation from current or new politicians in the form of protests during the upcoming US midterm elections. Public advocacy will likely result in private companies altering their data privacy agreements to increase their clients' awareness of the government’s use of data in criminal cases to decrease the risk of client lawsuits, revenue loss, and reputational damages. If the companies do not allow for government data sharing, they will very likely face federal lawsuits for obstructing criminal investigations, very likely resulting in financial losses.
The US government will likely replicate the Burkov investigation methods, like using the All Writs Acts, for other cybercriminals who threaten US national security through cyberattacks. Countries with laws similar to the All Writs Act will very likely request companies to report cybercriminals’ data for investigations, very likely leading to more data privacy concerns regarding transparency among other digital assets like cryptocurrencies. The transparency of these data forms will likely result in public distress, likely leading to privacy lawsuits.
Date: June 12, 2022
Parties involved: HelloXD ransomware group
The event: HelloXD, an early-stage ransomware group active since November 2021, improved the encryption systems they use in the ransomware attacks with double encryption and a new malware that allows them to evade detection systems. HelloXD double-extortion attacks that encrypt the victim’s system and extract the corporate data is upgraded with these new features. HelloXD is actively making changes to its features to improve the effectiveness of its attacks.
Analysis & Implications:
HelloXD’s victims who refuse to pay a ransom will very likely experience delayed normalization in their networks’ restoration due to the double encryption system, which will very likely impact their revenues. Delayed network functioning of administrative tasks, like collecting pending invoices or providing services, will very likely decrease the victim’s revenues if the system’s encryption is extended. The risk of profit loss could very likely force the victim to pay the ransom to obtain the decryption key to decrypt the systems rapidly, likely avoiding an additional loss of revenue and trust. The system’s rapid normalization and the victim’s rapid response in paying the ransom could likely provide a positive image to the targeted company’s customers, likely decreasing the chances of using other providers.
The double encryption method with the double-extortion attack will very likely upgrade HelloXD’s attack effectiveness as it will very likely force the victim to pay the ransom due to threats of data leaks or delayed system normalization. Ransomware groups will very likely replicate this methodology due to the attack’s success rate, very likely leading to improvements on the original methodology, such as detection evasion methods. Ransomware groups will very likely target enterprises with outdated or weak firewalls as the improved ransomware will very likely easily bypass the victim’s protection measures. Ransomware groups will very likely target enterprises because of their financial capabilities and the attack’s success rate of obtaining a ransom.
________________________________________________________________________ The Counterterrorism Group (CTG)
 “The All Writs Act is a 233-year-old law allowing the government to issue all indictments necessary to help authorities in administering justice.” Feds Forced Travel Firms to Share Surveillance Data on Hacker, Threat Post, June 2022, https://threatpost.com/feds-forced-travel-firms-to-share-surveillance-data-on-hacker/179929/
 “Double encryption consists of two ransomware strains to encrypt the data.” Double Encryption: When Ransomware Recovery Gets Complicated, Security Intelligence, July 2021, https://securityintelligence.com/articles/double-encryption-extortion-ransomware-recovery/
 Hello XD ransomware now drops a backdoor while encrypting, Bleeping Computer, June 2022, https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/