Bulgarian Government Cyberattack | New Chinese Cyber Espionage Group | Shein Owner Fined Over Breach Response

October 17th

Article by Christopher Lauder, Client Engagement Executive, Rela8 Group

Bulgarian Government Cyberattack

The head of Bulgaria’s National Investigation Service, Borislav Sarafov, said on October 16th that the perpetrator of a cyberattack the previous day on several Bulgarian state, government and private websites had been identified, and the attack had come from a city in Russia.

The October 15th Distributed Denial of Service (DDoS) attack targeted various Bulgarian government ministry websites, that of the Presidency, the National Revenue Agency, telecommunications companies, airports, banks and some media organisations.

Sarafov told Bulgarian media that the name and address of the perpetrator were known, and the attack had come from the city of Magnitogorsk. Bulgaria’s authorities have issued assurances that no information and data had been compromised. In a statement, Sarafov said:

“We will try to identify all those involved in this hacker attack and bring them to court in Bulgaria, if Russian judicial authorities respond and they are extradited. If not, we will try them in absentia”

Bulgaria’s caretaker Defence Minister Dimitar Stoyanov appeared to link the attacks with claims in Russia of a Bulgarian connection to an explosion on a bridge linking Russia with Russian-occupied Crimea. No evidence has been offered for those claims and Bulgaria’s security services have said that they have found them to be baseless.

Stoyanov said that the Defence Ministry’s site had been attacked as part of a general attack on the websites of Bulgarian institutions:

“The cyberattack was well repelled and there was no damage [...] Bulgaria did not participate in the bombing of the Crimean bridge, as was proven by our services. Our country is not the weak link in NATO, as some have commented” 

Source - Bulgarian Government Cyberattack - RFERL

Source - Bulgarian Government Cyberattack - Sofia Globe

New Chinese Cyber Espionage Group

SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications and IT service providers in the Middle East and Asia.

The experts believe the group operated for cyber espionage purposes and is a Chinese-speaking threat group.

The espionage-related attacks are characterised using a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. In a report made earlier this week, SentinelOne researchers Joey Chen and Amitai Ben Shushan Ehrlich said:

"Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines. This meant the attacker gave up on a stable [command-and-control] channel in exchange for stealth"

WIP, short for work-in-progress, is the moniker assigned by SentinelOne to emerging or hitherto unattributed activity clusters, similar to the UNC####, DEV-####, and TAG-## designations given by Mandiant, Microsoft, and Recorded Future.

The cyber security firm also noted that select portions of the malicious components employed by WIP19 were authored by a Chinese-speaking malware author dubbed WinEggDrop, who has been active since 2014.

The fact that the attacks are precision targeted and low in volume, not to mention have singled out the telecom sector, indicates that the primary motive behind the campaign may be to gather intelligence.

The findings are yet another indication of how China-aligned hacking groups are at once sprawling and fluid owing to the reuse of a variety of malware families among several threat actors.

Source - New Chinese Espionage Group - TheHackerNews

Source - New Chinese Espionage Group - InfoSec Magazine

Source - New Chinese Espionage Group - SentinelOne Report

Almost all operations performed by the threat actor were completed in a 'hands-on keyboard' fashion, during an interactive session with compromised machines
SentinelOne report

Shein Owner Fined Over Breach Response

The owner of fast-fashion site Shein has been fined $1.9m (£1.69m) over its handling of a data breach. Login details for 39 million Shein accounts were stolen in 2018 after its parent company, Zoetop, was targeted by hackers.

New York Attorney General Letitia James said Zoetop had lied about the extent of the breach and had notified "only a fraction" of affected customers. Shein says it has taken "significant steps" to improve its cyber security.

Names, email addresses, passwords, and credit card information belonging to tens of millions of Shein account holders were stolen by hackers and sold online. A further seven million account holders of Romwe, another fast-fashion site owned by Zoetop, were caught up in the 2018 breach.

The New York Attorney General's office said Zoetop had failed to safeguard customer data and to inform millions of account holders their personal information had been exposed. Among those affected were more than 800,000 customers living in New York.

The New York Attorney General's office concluded that Zoetop had lied about the size of the breach - initially reporting that only 6.42 million Shein accounts had been exposed in the hack:

"While New Yorkers were shopping for the latest trends on Shein and Romwe, their personal data was stolen and Zoetop tried to cover it up [...] Failing to protect consumers' personal data and lying about it is not trendy"

The bulk of the 39 million affected account holders were not contacted and there was no forced password reset for all those accounts.

At the time, the company also told consumers it had seen "no evidence" of credit-card or payment information being compromised and only email addresses and passwords had been stolen. A spokesperson for Shein has stated:

"We have fully co-operated with the New York attorney general and are pleased to have resolved this matter. Protecting our customers' data and maintaining their trust is a top priority, especially with ongoing cyber threats posed to businesses around the world"

Source - Shein / Zoetop Databreach - BBC News

Source - Shein / Zoetop Databreach - TechCrunch

Source - Shein / Zoetop Databreach - The Verge

If you want to get in touch then give us a shout