Report of Cybersecurity

Stuxnet

Introduction:

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to

have been in development since at least 2005. Stuxnet targets supervisory
control and data acquisition (SCADA) systems and is believed to be responsible
for causing substantial damage to the nuclear program of Iran. Although
neither country has openly admitted responsibility, the worm is widely
understood to be a cyberweapon built jointly by the United States and Israel in
a collaborative effort known as Operation Olympic Games.
Stuxnet specifically targets programmable logic controllers (PLCs), which allow
the automation of electromechanical processes such as those used to control
machinery and industrial processes including gas centrifuges for separating
nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting
machines using the Microsoft Windows operating system and networks, then
seeking out Siemens Step7 so ware. Stuxnet reportedly compromised Iranian
PLCs, collecting information on industrial systems and causing the fast-
spinning centrifuges to tear themselves apart.Stuxnet's design and
architecture are not domain-specific and it could be tailored as a platform for
attacking modern SCADA and PLC systems, most of which are in Europe, Japan,
and the United States. Stuxnet reportedly ruined almost one-fifth of Iran's
nuclear centrifuges.Targeting industrial control systems, the worm infected
over 200,000 computers and caused 1,000 machines to physically degrade.

Stuxnet has three modules: a worm that executes all routines related to the
main payload of the attack; a link file that automatically executes the

1
propagated copies of the worm; and a rootkit component responsible for
hiding all malicious files and processes, to prevent detection of Stuxnet. It is
typically introduced to the target environment via an infected USB flash drive,
thus crossing any air gap. The worm then propagates across the network,
scanning for Siemens Step7 so ware on computers controlling a PLC. In the
absence of either criterion, Stuxnet becomes dormant inside the computer. If
both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto
the PLC and Step7 so ware, modifying the code and giving unexpected
commands to the PLC while returning a loop of normal operation system
values back to the users.

Operation

Unlike most malware, Stuxnet does little harm to computers and networks that
do not meet specific configuration requirements; "The attackers took great
care to make sure that only their designated targets were hit ... It was a
marksman's job." While the worm is promiscuous, it makes itself inert if
Siemens software is not found on infected computers, and contains safeguards
to prevent each infected computer from spreading the worm to more than
three others, and to erase itself on 24 June 2012.
For its targets, Stuxnet contains, among other things, code for a man-in-the-
middle attack that fakes industrial process control sensor signals so an infected
system does not shut down due to detected abnormal behavior.
Such complexity is very unusual for malware. The worm consists of a layered
attack against three different systems.
The Windows opera ng system,Siemens PCS 7, WinCC and STEP7 industrial
software applications that run on Windows and One or more Siemens S7 PLCs.

2
Windows infection

Stuxnet attacked Windows systems using an unprecedented four zero-day

attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker
worm). It is initially spread using infected removable drives such as USB flash
drives, which contain Windows shortcut files to initiate executable code. The
worm then uses other exploits and techniques such as peer-to-peer remote
procedure call (RPC) to infect and update other computers inside private
networks that are not directly connected to the Internet.The number of zero-
day exploits used is unusual, as they are highly valued and malware creators
do not typically make use of (and thus simultaneously make visible) four
different zero-day exploits in the same worm. Amongst these exploits were
remote code execution on a computer with Printer Sharing enabled, and the
LNK/PIF vulnerability, in which file execution is accomplished when an icon is
viewed in Windows Explorer, negating the need for user interaction.Stuxnet is
unusually large at half a megabyte in size, and written in several different
programming languages (including C and C++) which is also irregular for
malware. The Windows component of the malware is promiscuous in that it
spreads relatively quickly and indiscriminately.
The malware has both user mode and kernel mode rootkit ability under
Windows,and its device drivers have been digitally signed with the private keys
of two public key certificates that were stolen from separate well-known
companies, JMicron and Realtek, both located at Hsinchu Science Park in
Taiwan.The driver signing helped it install kernel mode rootkit drivers
successfully without users being notified, and thus it remained undetected for
a relatively long period of time.Both compromised certificates have been
revoked by Verisign.
Two websites in Denmark and Malaysia were configured as command and
control servers for the malware, allowing it to be updated, and for industrial
espionage to be conducted by uploading information. Both of these domain
names have subsequently been redirected by their DNS service provider to
Dynadot as part of a global effort to disable the malware.[

3
PLC infection

The entirety of the Stuxnet code has not yet been disclosed, but its payload
targets only those SCADA configurations that meet criteria that it is
programmed to identify.
Stuxnet requires specific slave variable-frequency drives (frequency converter
drives) to be a ached to the targeted Siemens S7-300 system and its
associated modules. It only attacks those PLC systems with variable-frequency
drives from two specific vendors: Vacon based in Finland and Fararo Paya
based in Iran.Furthermore, it monitors the frequency of the attached motors,
and only a acks systems that spin between 807 Hz and 1,210 Hz. This is a
much higher frequency than motors operate in most industrial applications,
with the notable exception of gas centrifuges.Stuxnet installs malware into
memory block DB890 of the PLC that monitors the Profibus messaging bus of
the system.When certain criteria are met, it periodically modifies the frequency
to 1,410 Hz and then to 2 Hz and then to 1,064 Hz, and thus affects the
operation of the connected motors by changing their rotational speed.It also
installs a rootkit – the first such documented case on this platform – that hides
the malware on the system and masks the changes in rotational speed from
monitoring systems.

Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens
recommends contacting customer support if an infection is detected and
advises installing Microsoft updates for security vulnerabilities and prohibiting
the use of third-party USB flash drives. Siemens also advises immediately
upgrading password access codes.
The worm's ability to reprogram external PLCs may complicate the removal
procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may
not fully solve the infection; a thorough audit of PLCs may be necessary.
Despite speculation that incorrect removal of the worm could cause
damage,Siemens reports that in the first four months since discovery, the

4
malware was successfully removed from the systems of 22 customers without
any adverse effects.

Control system security

Prevention of control system security incidents,such as from viral infections like
Stuxnet, is a topic that is being addressed in both the public and the private
sector.
The US Department of Homeland Security National Cyber Security Division
(NCSD) operates the Control System Security Program (CSSP).The program
operates a specialized computer emergency response team called the
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT),
conducts a biannual conference (ICSJWG), provides training, publishes
recommended practices, and provides a self-assessment tool. As part of a
Department of Homeland Security plan to improve American computer
security, in 2008 it and the Idaho Na onal Laboratory (INL) worked with
Siemens to identify security holes in the company's widely used Process Control
System 7 (PCS 7) and its so ware Step 7. In July 2008, INL and Siemens publicly
announced flaws in the control system at a Chicago conference; Stuxnet
exploited these holes in 2009.
Several industry organizationsand professional societies have published
standards and best practice guidelines providing direction and guidance for
control system end-users on how to establish a control system security
management program. The basic premise that all of these documents share is
that prevention requires a multi-layered approach, often termed defense in
depth.The layers include policies and procedures, awareness and training,
network segmentation, access control measures, physical security measures,
system hardening, e.g., patch management, and system monitoring, anti-virus
and intrusion prevention system (IPS). The standards and best practices
also all recommend starting with a risk analysis and a control system security
assessment.

5
 Ransomware

Introduction

Ransomware is a type of malware from cryptovirology that threatens to

publish the victim's personal data or perpetually block access to it unless a
ransom is paid. While some simple ransomware may lock the system so that it
is not difficult for a knowledgeable person to reverse, more advanced malware
uses a technique called cryptoviral extortion. It encrypts the victim's files,
making them inaccessible, and demands a ransom payment to decrypt them.
In a properly implemented cryptoviral extortion attack, recovering the files
without the decryption key is an intractable problem – and difficult to trace
digital currencies such as paysafecard or Bitcoin and other cryptocurrencies
that are used for the ransoms, making tracing and prosecuting the
perpetrators difficult.

Ransomware attacks are typically carried out using a Trojan disguised as a

legitimate file that the user is tricked into downloading or opening when it
arrives as an email attachment. However, one high-profile example, the
WannaCry worm, traveled automatically between computers without user
interaction.
Star ng as early as 1989 with the first documented ransomware known as the
AIDS trojan, the use of ransomware scams has grown internationally.There
were 181.5 million ransomware a acks in the first six months of 2018. This
record marks a 229% increase over this same me frame in 2017.In June 2014,
vendor McAfee released data showing that it had collected more than double
the number of ransomware samples that quarter than it had in the same
quarter of the previous year.CryptoLocker was particularly successful,
procuring an estimated US$3 million before it was taken down by authori es,
and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI)
to have accrued over US$18 million by June 2015. In 2020, the IC3 received

6
2,474 complaints iden fied as ransomware with adjusted losses of over $29.1
million. The losses could be more than that according to FBI.

Operation

The concept of file-encrypting ransomware was invented and implemented by

Young and Yung at Columbia University and was presented at the 1996 IEEE
Security & Privacy conference. It is called cryptoviral extortion and it was
inspired by the fictional facehugger in the movie Alien.Cryptoviral extortion is
the following three-round protocol carried out between the attacker and the
victim.
[attacker→vic m] The a acker generates a key pair and places the
corresponding public key in the malware. The malware is released.
[victim→a acker] To carry out the cryptoviral extor on a ack, the malware
generates a random symmetric key and encrypts the victim's data with it. It
uses the public key in the malware to encrypt the symmetric key. This is known
as hybrid encryption and it results in a small asymmetric ciphertext as well as
the symmetric ciphertext of the victim's data. It zeroizes the symmetric key and
the original plaintext data to prevent recovery. It puts up a message to the
user that includes the asymmetric ciphertext and how to pay the ransom. The
victim sends the asymmetric ciphertext and e-money to the attacker.
[attacker→vic m] The a acker receives the payment, deciphers the
asymmetric ciphertext with the attacker's private key, and sends the
symmetric key to the victim. The victim deciphers the encrypted data with the
needed symmetric key thereby completing the cryptovirology attack.
The symmetric key is randomly generated and will not assist other victims. At
no point is the attacker's private key exposed to victims and the victim need
only send a very small ciphertext (the encrypted symmetric-cipher key) to the
attacker.
Ransomware attacks are typically carried out using a Trojan, entering a system
through, for example, a malicious attachment, embedded link in a Phishing

7
email, or a vulnerability in a network service. The program then runs a
payload, which locks the system in some fashion, or claims to lock the system
but does not a scareware program. Payloads may display a fake warning
purportedly by an entity such as a law enforcement agency, falsely claiming
that the system has been used for illegal activities, contains content such as
pornography and "pirated" media.
Some payloads consist simply of an application designed to lock or restrict the
system until payment is made, typically by setting the Windows Shell to itself,
or even modifying the master boot record and/or partition table to prevent the
operating system from booting until it is repaired.The most sophisticated
payloads encrypt files, with many using strong encryption to encrypt the
victim's files in such a way that only the malware author has the needed
decryption key.
Payment is virtually always the goal, and the victim is coerced into paying for
the ransomware to be removed either by supplying a program that can decrypt
the files, or by sending an unlock code that undoes the payload's changes.
While the attacker may simply take the money without returning the victim's
files, it is in the attacker's best interest to perform the decryption as agreed,
since victims will stop sending payments if it becomes known that they serve
no purpose. A key element in making ransomware work for the attacker is a
convenient payment system that is hard to trace. A range of such payment
methods have been used, including wire transfers, premium-rate text
messages, pre-paid voucher services such as paysafecard,and the Bitcoin
cryptocurrency.
In May 2020, vendor Sophos reported that the global average cost to
remediate a ransomware attack (considering downtime, people time, device
cost, network cost, lost opportunity and ransom paid) was $761,106. Ninety-
five percent of organizations that paid the ransom had their data restored.

Encrypting ransomware
The first known malware extortion attack, the "AIDS Trojan" written by Joseph
Popp in 1989, had a design failure so severe it was not necessary to pay the

8
extortionist at all. Its payload hid the files on the hard drive and encrypted only
their names, and displayed a message claiming that the user's license to use a
certain piece of so ware had expired. The user was asked to pay US$189 to
"PC Cyborg Corporation" in order to obtain a repair tool even though the
decryption key could be extracted from the code of the Trojan. The Trojan was
also known as "PC Cyborg". Popp was declared mentally unfit to stand trial for
his actions, but he promised to donate the profits from the malware to fund
AIDS research.
The idea of abusing anonymous cash systems to safely collect ransom from
human kidnapping was introduced in 1992 by Sebastiaan von Solms and David
Naccache. This electronic money collection method was also proposed for
cryptoviral extortion attacks.In the von Solms-Naccache scenario a newspaper
publication was used (since bitcoin ledgers did not exist at the time the paper
was written).
The notion of using public key cryptography for data kidnapping attacks was
introduced in 1996 by Adam L. Young and Mo Yung. Young and Yung
critiqued the failed AIDS Information Trojan that relied on symmetric
cryptography alone, the fatal flaw being that the decryption key could be
extracted from the Trojan, and implemented an experimental proof-of-concept
cryptovirus on a Macintosh SE/30 that used RSA and the Tiny Encryp on
Algorithm (TEA) to hybrid encrypt the victim's data. Since public key
cryptography is used, the virus only contains the encryption key. The attacker
keeps the corresponding private decryption key private. Young and Yung's
original experimental cryptovirus had the victim send the asymmetric
ciphertext to the attacker who deciphers it and returns the symmetric
decryption key it contains to the victim for a fee. Long before electronic money
existed Young and Yung proposed that electronic money could be extorted
through encryption as well, stating that "the virus writer can effectively hold
all of the money ransom until half of it is given to him. Even if the e-money was
previously encrypted by the user, it is of no use to the user if it gets encrypted
by a cryptovirus".They referred to these attacks as being "cryptoviral
extortion", an overt attack that is part of a larger class of attacks in a field
called cryptovirology, which encompasses both overt and covert attacks.

9
The cryptoviral extortion protocol was inspired by the parasitic relationship
between H. R. Giger's facehugger and its host in the movie Alien.
Examples of extor onate ransomware became prominent in May 2005.By mid-
2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Kro en, Cryzip,
and MayArchive began utilizing more sophisticated RSA encryption schemes,
with ever-increasing key-sizes. Gpcode.AG, which was detected in June 2006,
was encrypted with a 660-bit RSA public key.In June 2008, a variant known as
Gpcode.AK was detected. Using a 1024-bit RSA key, it was believed large
enough to be computationally infeasible to break without a concerted
distributed effort.
Encryp ng ransomware returned to prominence in late 2013 with the
propagation of CryptoLocker—using the Bitcoin digital currency platform to
collect ransom money. In December 2013, ZDNet estimated based on Bitcoin
transac on informa on that between 15 October and 18 December, the
operators of CryptoLocker had procured about US$27 million from infected
users.[37] The CryptoLocker technique was widely copied in the months
following, including CryptoLocker 2.0 (thought not to be related to
CryptoLocker), CryptoDefense (which initially contained a major design flaw
that stored the private key on the infected system in a user-retrievable
location, due to its use of Windows' built-in encryption APIs),[26][38][39][40]
and the August 2014 discovery of a Trojan specifically targe ng network-
a ached storage devices produced by Synology.[41] In January 2015, it was
reported that ransomware-styled attacks have occurred against individual
websites via hacking, and through ransomware designed to target Linux-based
web servers.
In some infections, there is a two-stage payload, common in many malware
systems. The user is tricked into running a script, which downloads the main
virus and executes it. In early versions of the dual-payload system, the script
was contained in a Microsoft Office document with an attached VBScript
macro, or in a windows scripting facility (WSF) file. As detection systems
started blocking these first stage payloads, the Microsoft Malware Protection
Center identified a trend away toward LNK files with self-contained Microsoft

10
Windows PowerShell scripts.In 2016, PowerShell was found to be involved in
nearly 40% of endpoint security incidents,Some ransomware strains have used
proxies tied to Tor hidden services to connect to their command and control
servers, increasing the difficulty of tracing the exact location of the
criminals.Furthermore, dark web vendors have increasingly started to offer the
technology as a service, wherein ransomware is sold, ready for deployment on
victims' machines, on a subscription basis, similarly to Adobe Creative Cloud or
Office 365.
Symantec has classified ransomware to be the most dangerous cyber threat.
On 28 September 2020, the computer systems at US’ biggest healthcare
provider the Universal Health Services, was hit by a ransomware attack. The
UHS chain from different locations reported noticing problems, with some
locations reporting locked computers and phone systems from early Sunday
(27 September).

Non-encrypting ransomware

In August 2010, Russian authori es arrested nine individuals connected to a

ransomware Trojan known as WinLock. Unlike the previous Gpcode Trojan,
WinLock did not use encryption. Instead, WinLock trivially restricted access to
the system by displaying pornographic images and asked users to send a
premium-rate SMS (cos ng around US$10) to receive a code that could be
used to unlock their machines. The scam hit numerous users across Russia and
neighbouring countries—reportedly earning the group over US$16 million.
In 2011, a ransomware Trojan surfaced that imitated the Windows Product
Activation notice, and informed users that a system's Windows installation had
to be re-activated due to "[being a] victim of fraud". An online activation
option was offered (like the actual Windows activation process), but was
unavailable, requiring the user to call one of six international numbers to input
a 6-digit code. While the malware claimed that this call would be free, it was
routed through a rogue operator in a country with high international phone

11
rates, who placed the call on hold, causing the user to incur large international
long distance charges.
In February 2013, a ransomware Trojan based on the Stamp.EK exploit kit
surfaced; the malware was distributed via sites hosted on the project hosting
services SourceForge and GitHub that claimed to offer "fake nude pics" of
celebri es. In July 2013, an OS X-specific ransomware Trojan surfaced, which
displays a web page that accuses the user of downloading pornography. Unlike
its Windows-based counterparts, it does not block the entire computer, but
simply exploits the behaviour of the web browser itself to frustrate attempts to
close the page through normal means.
In July 2013, a 21-year-old man from Virginia, whose computer coincidentally
did contain pornographic photographs of underage girls with whom he had
conducted sexualized communications, turned himself in to police after
receiving and being deceived by FBI MoneyPak Ransomware accusing him of
possessing child pornography. An investigation discovered the incriminating
files, and the man was charged with child sexual abuse and possession of child
pornography.

Exfiltration (Leakware / Doxware)

The converse of ransomware is a cryptovirology attack invented by Adam L.

Young that threatens to publish stolen information from the victim's computer
system rather than deny the victim access to it. In a leakware attack, malware
exfiltrates sensitive host data either to the attacker or alternatively, to remote
instances of the malware, and the attacker threatens to publish the victim's
data unless a ransom is paid. The a ack was presented at West Point in 2003
and was summarized in the book Malicious Cryptography as follows, "The
attack differs from the extortion attack in the following way. In the extortion
attack, the victim is denied access to its own valuable information and has to
pay to get it back, where in the attack that is presented here the victim retains
access to the information but its disclosure is at the discretion of the computer
12
virus".The attack is rooted in game theory and was originally dubbed "non-
zero sum games and survivable malware". The attack can yield monetary gain
in cases where the malware acquires access to information that may damage
the victim user or organization, e.g., the reputational damage that could result
from publishing proof that the attack itself was a success.

Common targets for exfiltration include:

third party information stored by the primary victim (such as customer account
information or health records);information proprietary to the victim (such as
trade secrets and product information)
embarrassing information (such as the victim's health information or
information about the victim's personal past)
Exfiltration attacks are usually targeted, with a curated victim list, and often
preliminary surveillance of the victim's systems to find potential data targets
and weaknesses.

Mobile ransomware

With the increased popularity of ransomware on PC platforms, ransomware

targeting mobile operating systems has also proliferated. Typically, mobile
ransomware payloads are blockers, as there is little incentive to encrypt data
since it can be easily restored via online synchronization.Mobile ransomware
typically targets the Android platform, as it allows applications to be installed
from third-party sources.The payload is typically distributed as an APK file
installed by an unsuspecting user; it may attempt to display a blocking
message over top of all other applications,while another used a form of
clickjacking to cause the user to give it "device administrator" privileges to
achieve deeper access to the system.
Different tactics have been used on iOS devices, such as exploiting iCloud
accounts and using the Find My iPhone system to lock access to the device.

13
 On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up
windows in Safari that had been exploited by ransomware websites.It
recently[when?] has been shown that ransomware may also target ARM
architectures like those that can be found in various Internet-of-Things (IoT)
devices, such as Industrial IoT edge devices.
In August 2019 researchers demonstrated it's possible to infect DSLR cameras
with ransomware. Digital cameras often use Picture Transfer Protocol (PTP -
standard protocol used to transfer files.) Researchers found that it was
possible to exploit vulnerabilities in the protocol to infect target camera(s) with
ransomware (or execute any arbitrary code). This attack was presented at the
Defcon security conference in Las Vegas as a proof of concept attack (not as
actual armed malware).

File system defenses against ransomware

A number of file systems keep snapshots of the data they hold, which can be
used to recover the contents of files from a time prior to the ransomware
attack in the event the ransomware does not disable it.
On Windows, the Volume shadow copy (VSS) is often used to store backups of
data; ransomware often targets these snapshots to prevent recovery and
therefore it is often advisable to disable user access to the user tool
VSSadmin.exe to reduce the risk that ransomware can disable or delete past
copies.
On Windows 10, users can add specific directories or files to Controlled Folder
Access in Windows Defender to protect them from ransomware.It is advised to
add backup and other important directories to Controlled Folder Access.
Unless malware gains root on the ZFS host system in deploying an attack
coded to issue ZFS administrative commands, file servers running ZFS are
broadly immune to ransomware, because ZFS is capable of snapshotting even
a large file system many times an hour, and these snapshots are immutable

14
(read only) and easily rolled back or files recovered in the event of data
corruption.In general, only an administrator can delete (but cannot modify)
snapshots.

File decryption and recovery

There are a number of tools intended specifically to decrypt files locked by

ransomware, although successful recovery may not be possible. If the same
encryption key is used for all files, decryption tools use files for which there are
both uncorrupted backups and encrypted copies (a known-plaintext attack in
the jargon of cryptanalysis. But, it only works when the cipher the attacker
used was weak to begin with, being vulnerable to known-plaintext attack);
recovery of the key, if it is possible, may take several days. Free ransomware
decryption tools can help decrypt files encrypted by the following forms of
ransomware: AES_NI, Alcatraz Locker, Apocalypse, BadBlock, Bart, BTCWare,
Crypt888, CryptoMix, CrySiS, EncrypTile, FindZip, Globe, Hidden Tear, Jigsaw,
LambdaLocker, Legion, NoobCrypt, Stampado, SZFLocker, TeslaCrypt, XData.
The No More Ransom Project is an initiative by the Netherlands' police's
National High Tech Crime Unit, Europol’s European Cybercrime Centre,
Kaspersky Lab and McAfee to help ransomware victims recover their data
without paying a ransom.They offer a free CryptoSheriff tool to analyze
encrypted files and search for decryption tools.
In addition, old copies of files may exist on the disk, which has been previously
deleted. In some cases, these deleted versions may still be recoverable using
software designed for that purpose.

15
 Carbanak

Carbanak is an APT-style campaign targeting (but not limited to) financial

ins tu ons, that was discovered in 2014 by the Russian cyber security
company Kaspersky Lab.It utilizes malware that is introduces into systems
running Microsoft Windows using phishing emails, which is then used to steal
money from banks.The hacker group is said to have stolen over 900 million
dollars, from the banks as well as from over a thousand private customers.
The criminals were able to manipulate their access to the respective banking
networks in order to steal the money in a variety of ways. In some instances,
ATMs were instructed to dispense cash without having to locally interact with
the terminal. Money mules would collect the money and transfer it over the
SWIFT network to the criminals’ accounts, Kaspersky said. The Carbanak group
went so far as to alter databases and pump up balances on existing accounts
and pocketing the difference unbeknownst to the user whose original balance
is still intact.
Their intended targets were primarily in Russia, followed by the United States,
Germany, China and Ukraine, according to Kaspersky Lab. One bank lost $7.3
million when its ATMs were programmed to spew cash at certain times that
henchmen would then collect, while a separate firm had $10 million taken via
its online platform.
Kaspersky Lab is helping to assist in investigations and countermeasures that
disrupt malware operations and cybercriminal activity. During the
investigations they provide technical expertise such as analyzing infection
vectors, malicious programs, supported command and control infrastructure
and exploitation methods.
FireEye published research tracking further activities, referring to the group as
FIN7, including an SEC-themed spear phishing campaign. Proofpoint also
published research linking the group to the Bateleur backdoor, and expanded
the list of targets to U.S.-based chain restaurants, hospitality organizations,
retailers, merchant services, suppliers and others beyond their initial financial
services focus.

16
On 26 October 2020, PRODAFT (Switzerland) started publishing internal details
of the Fin7/Carbanak group and tools they use during their opera on.
Published information is claimed to be originated from a single OPSEC failure
on the threat actor’s side.
On March 26, 2018, Europol claimed to have arrested the "mastermind" of the
Carbanak and associated Cobalt or Cobalt Strike group in Alicante, Spain, in an
investigation led by the Spanish National Police with the cooperation of law
enforcement in multiple countries as well as private cybersecurity companies.
The group's campaigns appear to have continued, however, with the Hudson's
Bay Company breach using point of sale malware in 2018 being a ributed to
the group.

Controversy
Some controversy exists around the Carbanak attacks, as they were seemingly
described several months earlier in a report by the Internet security companies
Group-IB (Russia) and Fox-IT (The Netherlands) that dubbed the attack
Anunak.The Anunak report shows also a greatly reduced amount of financial
losses and according to a statement issued by Fox-IT after the release of The
New York Times article, the compromise of banks outside Russia did not match
their research. Also in an interview conducted by Russian newspaper
Kommersant the controversy between the claims of Kaspersky Lab and Group-
IB come to light where Group-IB claims no banks outside of Russia and Ukraine
were hit, and the activity outside of that region was focused on Point of Sale
systems.
Reuters issued a statement referencing a Private Industry Notification issued
by the FBI and USSS (United States Secret Service) claiming they have not
received any reports that Carbanak has affected the financial sector. Two
representative groups of the US banking industry FS-ISAC and ABA (American
Bankers Association) in an interview with Bank Technology News say no US
banks have been affected.

17