
Real Life Cyber Criminal Cases

Table of Contents
1. Introduction
2.0 Discussion of Attack
2.1 What is Phishing and Spear Phishing
2.2 How They Got In
2.3 Malware Deployed
2.4 Covering Their Tracks
3. Conclusion
4. References
1. Introduction
Cybercrime is crime that takes place over the internet or some other computer network. Most
cybercrime happens online because of the massive number of computers connected together
that can communicate with each other in real time, which means that a person anywhere with an
internet connection can connect to and communicate with the computers in your jurisdiction.
Discussions of cybercrime usually focus on the connection between the systems, and very often
that connection is global: Facebook, for example, is hosted in the United States with servers
all over the world, and you connect to those countries in real time. So how do these computers
actually talk to each other? Devices on the internet communicate with each other using the
TCP/IP protocol suite. A protocol can be described as a language, and each computer using
TCP/IP needs a unique IP address to communicate with other devices.
When a device is put online, anyone in the world can connect to its IP address, so once you
connect your computer to the internet, everyone else that is connected to the internet can
connect to your computer [Ada19]. The device's security settings determine how it responds to
different connections, so it is important to check whether your device is configured securely;
moreover, every program that runs on the computer can potentially open up a hole that lets
connections come in and go out. Attackers can use these holes to try to gain access to your
local network, then take advantage of software vulnerabilities or bad configuration to take
over your internal network.
Cybercrime comes in various forms. The majority of it is financially motivated; however,
attackers may also try to steal the data or information stored on your PC, for example by
hacking into a business and stealing its trade secrets, or in order to blackmail someone
[AVA19]. Police are limited by jurisdiction, which makes investigation harder, as
cross-jurisdiction cases require country-to-country cooperation. Email is considered the top
malware carrier: according to Verizon, nearly 46% of firms have received emails that turned out
to contain malware [Ver20], and it does not stop there, since cloud breaches, which typically
involve an email, account for around 73% [Ver20].

2.0 Discussion of Attack
The prolific state-sponsored North Korean hacker group Lazarus is back with a new hack; this
time, instead of stealing money, they are switching tactics and engaging in corporate cyber
espionage. The hack occurred in mid-2020; no precise dates were given. They managed to hack
into a Russian defence firm through Microsoft Word. Lazarus, also known as APT38, is a North
Korean hacker group known for a variety of high-profile hacks, from the Sony Pictures hack of
2014 through to WannaCry itself. In their latest and possibly most ambitious hack they targeted
defence companies, with spear phishing as their initial attack vector.
2.1 What is Phishing and Spear Phishing
Phishing is when criminals send mass emails impersonating someone with the intention of
getting you to send them money, for example an email stating that you have won a certain amount
of money and that to claim it you need to send a specific amount to an account. Spear phishing
is like normal phishing, but instead of copy-pasting the same email, the emails are highly
targeted: hackers identify a small set of victims and personally craft each email to make it as
believable as possible.
2.2 How They Got In
According to the Kaspersky report, the hackers composed the emails to look as if they were
relaying vital COVID updates from another department within the same organization. Embedded
within the email was a malicious Microsoft Word document, which contained malevolent macros. A
macro in Word is essentially extra code contained within a document that automates certain
tasks, for example formatting. For the most part the functions carried out by macros are pretty
simple; however, they can be leveraged to run malicious code, which is why Microsoft Word has
them disabled by default. When the victims tried opening the documents, they were presented
with the problem that the macros would not run. The workers responded to the email explaining
the issue, unaware that they were aiding the North Korean hackers: they said that they could
not run the malicious code and essentially asked them to fix it. The attackers responded with
another email explaining how to enable macros so that the malicious code would work. After some
brief back and forth, the victim finally managed to enable macros and the malicious code ran.
Kaspersky kept the name of the company confidential, but from the firm's communications it can
be presumed that it was likely a Russian company.
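The defender's counterpart to the macro lure above is to check attachments for a VBA project before a user ever sees an "enable macros" prompt. The following is an added example (my own illustration, not Kaspersky's code or an artifact from the case): it triages a constructed Word-format sample by looking for a vbaProject.bin part inside the OOXML zip; the sample documents and function names are constructed for this demonstration.

```python
import io
import zipfile

# Magic bytes of a legacy OLE2 compound file (.doc/.xls). Macros in that format
# live in OLE streams rather than a zip part, so it needs a different parser.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_office_zip(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm attachment (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE container holding the VBA streams.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) Office file carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def triage_attachment(data: bytes) -> str:
    """Classify an attachment so macro-bearing files can be quarantined at the gateway."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"          # old binary format: inspect its OLE streams separately
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    return "ooxml-macro" if has_vba_project(data) else "ooxml-no-macro"


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_office_zip(True)),
                        ("clean", build_sample_office_zip(False))):
        print(label, "->", triage_attachment(blob))
```

A file classified as "ooxml-macro" still needs the macro source inspected; the check only tells you a VBA project is present, which is exactly the condition under which the "please enable macros" exchange described above becomes dangerous.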
2.3 Malware Deployed
After the macro ran successfully, a piece of malware called ThreatNeedle was deployed.
ThreatNeedle was used to carry out initial reconnaissance and deploy yet more malware for
lateral movement within the victim's computer system. Lateral movement in this context just
refers to gaining further access and moving deeper within the victim's network. After the
initial breach, in their search for sensitive data to steal, the hackers used an open-source
tool called Responder to harvest credentials from the victim's PC, then used these stolen
credentials to gain access to other computers and eventually managed to compromise a computer
used by system administrators. From there they found their way into a restricted network, as
shown in fig 1. It is unclear what was stored on this restricted network, but it was valuable
enough to warrant isolating it from the internet and from the main corporate network for
security reasons. The report suggests that the main aim of this hack was to steal intellectual
property; given that the compromised company is defence related, one can only imagine what the
target of this hack was [Vya21].
2.4 Covering Their Tracks
Once they had found something worth stealing, they reconfigured the company's router, creating
a tunnel to exfiltrate files out of the restricted network. The hackers were successful in
their mission: after grabbing what they came for, they started removing all traces of their
activity from the victim computers, setting up scripts to automatically delete log files. The
Kaspersky report details how, through this investigation, they managed to find connections to
other hacks thought to be the work of North Korea's Lazarus group. There is a lot of overlap in
the tools and scripts used in this hack compared to other recent attacks, as shown in fig 2.
This helps tie all of these different campaigns together and point the finger at Lazarus.
Lazarus is also said to be behind other major hacks such as WannaCry and a billion-dollar bank
heist. The key advice is to follow cyber security best practices and strengthen training
related to cybercrime. It is much simpler to prevent crime than to punish it. Even the simplest
practices, such as training to recognise phishing or scam emails and regular backup of data,
can go a long way in protecting the public.
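Log deletion of the kind described above leaves its own signal: Windows records when an event log is cleared, and process-creation auditing records the command that did it. The following is an added example (my own illustration, not from the Kaspersky report) that runs a simple detection over constructed event records; the event IDs are the real Windows ones, the hosts and events are made up for the demonstration, and it assumes command-line logging is enabled for event 4688.

```python
import re

# Constructed sample events modelled on Windows event-log records; they are
# not real logs from the incident described above.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Channel": "Security", "EventID": 4624,
     "Message": "An account was successfully logged on."},
    {"Computer": "WS01", "Channel": "Security", "EventID": 4688,
     "Message": "A new process has been created.",
     "CommandLine": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102,
     "Message": "The audit log was cleared."},
    {"Computer": "SRV02", "Channel": "System", "EventID": 104,
     "Message": "The System log file was cleared."},
    {"Computer": "SRV02", "Channel": "Security", "EventID": 4688,
     "Message": "A new process has been created.",
     "CommandLine": "notepad.exe C:\\Users\\admin\\report.txt"},
]

# Events Windows itself raises when a log is cleared: 1102 (Security) and 104 (System).
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Command lines that clear event logs (wevtutil cl / clear-log, PowerShell Clear-EventLog).
# Only visible if process-creation auditing includes the command line (assumption).
CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I)


def find_log_tampering(events):
    """Return (computer, reason) pairs for events that indicate log wiping."""
    hits = []
    for e in events:
        if (e.get("Channel"), e.get("EventID")) in LOG_CLEARED:
            hits.append((e["Computer"], f"log cleared (event {e['EventID']})"))
        elif e.get("EventID") == 4688 and CLEAR_CMD.search(e.get("CommandLine", "")):
            hits.append((e["Computer"], "log-clearing command: " + e["CommandLine"]))
    return hits


def affected_hosts(events):
    """Hosts whose logs can no longer be trusted and should get forensic review."""
    return sorted({host for host, _ in find_log_tampering(events)})


if __name__ == "__main__":
    for host, reason in find_log_tampering(SAMPLE_EVENTS):
        print(host, "-", reason)
```

Because the attackers deleted logs on the victim machines, this kind of detection only works if events are forwarded to a central collector before they can be wiped locally.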

3. Conclusion
Cyberspace security management has become significant in public safety management. Future
attacks that undermine public safety will not necessarily come across borders, airspace, or
sea, but will happen in cyberspace. Intelligence activities and covert operations will
increasingly be based on the Internet. It is important that organizations are set up to manage
this new danger. Therefore, it is necessary to form a national cyberspace security policy that
defines the tasks and specifies the duties of the different organizations within an integrated
architecture. Terrorists have been using the Internet to carry out their destructive
operations. Nations have highly developed capabilities for launching cyber warfare. Governments
should also take note of this worrying development and devise a plan to stop it.

4. References
AVAST. (2019). What is Cybercrime and. Avast.
Bossler, A. M. (2019, November 18). Introduction: new directions in cybercrime research.
Tandfonline: https://www.tandfonline.com/doi/full/10.1080/0735648X.2019.1692426
Verizon. (2020). Data Breach Investigations Report. Verizon.
Vyacheslav Kopeytsev, S. P. (2021). Lazarus targets defense industry. Kaspersky.
