Dropbox

The Russian national arrested earlier this month by Czech police has been charged in the United States for hacking into the systems of LinkedIn, Dropbox and Formspring.

Yevgeniy Aleksandrovich Nikulin, 29, of Moscow, Russia, was arrested by Czech authorities on October 5, but news of the arrest only came to light last week.

While initially some believed that the arrest was related to cyberattacks supposedly launched by the Russian government against political organizations in the United States, LinkedIn revealed that the law enforcement operation, carried out in cooperation with the FBI, was actually linked to the breach suffered by the social media company in 2012.

The U.S. Department of Justice announced on Friday that Nikulin had been charged by a federal grand jury in Oakland, California, with nine counts related to obtaining information from computers, causing damage to computers, trafficking in access devices, aggravated identity theft and conspiracy.

Authorities said Nikulin is believed to be behind not only the LinkedIn breach, but also the 2012 attacks on Dropbox and Formspring.

The Dropbox hack, carried out after an employee's credentials were stolen, affected more than 68 million accounts, but the full extent of the incident only came to light recently. As for the social Q&A site Formspring, hackers leaked 420,000 hashed passwords back in 2012, which triggered a password reset on all user accounts.

According to the DoJ, LinkedIn and Formspring were also breached after hackers obtained employee credentials. Authorities said Nikulin conspired with others to sell the information stolen from Formspring.

Nikulin is currently in custody in the Czech Republic, and the United States hopes to convince Czech authorities to approve his extradition. Moscow, meanwhile, insists that he be handed over to Russia.

Related: Moscow Confirms Ministry Website Attack After U.S. Hacker Claim

Related: 50 Hackers Using Lurk Banking Trojan Arrested in Russia

Related: US Jury Convicts Russian MP's Son for Hacking Scheme

By Eduard Kovacs


SecurityWeek RSS Feed

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world's biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world's largest hacks on "Group E", a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches.

The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported.

Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker.

It was then sold to an unnamed nation-state actor group.

Komarov's employer InfoArmor says it performed "extensive analysis of collected intelligence" from the Yahoo! hack from different sources to "clarify the motivation and attribution of the key threat actors" concluding "many recent press reports and published articles have significant inaccuracies".

Yahoo! last week pinned the breach on an unnamed state actor but did not say whether, as Komarov claims, that actor bought the credentials from Group E, which conducted the intrusion.

The company did not respond to a request for comment by the time of publication.

Hacking gangs Group E, For Hell, and broker Tessa88. Mind map by Andrew Komarov.


Komarov tells The Register Group E, so called after the first letter of its leader's moniker, broke into sites using a variety of attack vectors.

"Web apps vulnerabilities and exploitation, plus network intrusion through infection … [and] direct access to databases and source code," Komarov says.

Sites breached by the five-person Group E hacker outfit (statistics via Andrew Komarov):

Breached company       Number of records
Yahoo!                 500 million (up to 1 billion)
Myspace                360 million
LinkedIn               167 million
Vk.com                 137 million
Qip.ru                 133 million
Badoo                  126 million
Dropbox                103 million
Rambler.ru             101 million
Tumblr                 50 million
LastFM                 43 million
Fling.com              40 million
Mobango.com            6 million
Other combined dumps   600 million

A second group known as "For Hell" used the same broker to sell stolen databases and masterminded other high-profile breaches. Komarov says one member, known as ROR[RG], hacked Ashley Madison, Adult Friend Finder, and the Turkish National Police, while a second teammate known as "arnie" or "darkoverlord" conducted breaches of unnamed health care organisations.

Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites.

He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups.

Hackers, including some speaking to Vulture South, claim that broker is also a part-time scammer who sells bogus credentials, although the claims cannot be verified. Komarov says Tessa88 was at pains to mask the identity of the hacking groups when selling the Yahoo! credentials to the nation-state actors.



The Register - Security

Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses.

Data storage and software provider Dropbox has also self-certified under the Privacy Shield. The companies are the latest major US technology businesses to sign up to the scheme. Google's certification was registered on 22 September and Dropbox's on 23 September.

Microsoft self-certified under the Privacy Shield in August. Amazon also announced last month that it was in the process of self-certifying, but it appears that it has yet to complete that process, as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.



The Register - Security