The Russian national arrested earlier this month by Czech police has been charged in the United States for hacking into the systems of LinkedIn, Dropbox and Formspring.

Yevgeniy Aleksandrovich Nikulin, 29, of Moscow, Russia, was arrested by Czech authorities on October 5, but news of the arrest only came to light last week.

While initially some believed that the arrest was related to cyberattacks supposedly launched by the Russian government against political organizations in the United States, LinkedIn revealed that the law enforcement operation, carried out in cooperation with the FBI, was actually linked to the breach suffered by the social media company in 2012.

The U.S. Department of Justice announced on Friday that Nikulin had been charged by a federal grand jury in Oakland, California, with nine counts related to obtaining information from computers, causing damage to computers, trafficking in access devices, aggravated identity theft and conspiracy.

Authorities said Nikulin is believed to be behind not only the LinkedIn breach, but also the 2012 attacks on Dropbox and Formspring.

The Dropbox hack, carried out after an employee’s credentials were stolen, has affected more than 68 million accounts, but the full extent of the incident only came to light recently. As for the social Q&A site Formspring, hackers leaked 420,000 hashed passwords back in 2012, which triggered a password reset on all user accounts.

According to the DoJ, LinkedIn and Formspring were also breached after hackers obtained employee credentials. Authorities said Nikulin conspired with others to sell the information stolen from Formspring.

Nikulin is currently in custody in the Czech Republic and the United States hopes to convince Czech authorities to approve his extradition. On the other hand, Moscow insists that the man be handed over to Russia.

Related: Moscow Confirms Ministry Website Attack After U.S. Hacker Claim

Related: 50 Hackers Using Lurk Banking Trojan Arrested in Russia

Related: US Jury Convicts Russian MP's Son for Hacking Scheme

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Suspected Russian hackers fingered for hacking the United States Democratic National Committee (DNC) have brewed a trojan targeting Mac OS X machines in the aerospace sector, says Palo Alto researcher Ryan Olson.

The malware relies on social engineering and exploits a well-known vulnerability in the MacKeeper security software to gain access to machines.

Olson says the group known as "Sofacy", "Pawn Storm" and "Fancy Bear", among other names, is thought to be behind attacks leading to the theft and leaking of DNC emails and research documents.

The group is thought to have also hacked NATO and European organisations in the military sector.

"The Sofacy group created the Komplex trojan to use in attack campaigns targeting the OS X operating system – a move that showcases their continued evolution toward multi-platform attacks," Olsen says.

"The tool is capable of downloading additional files to the system, executing and deleting files, as well as directly interacting with the system shell.

"... we believe Komplex has been used in attacks on individuals related to the aerospace industry, as well as attacks leveraging an exploit in MacKeeper to deliver the trojan."

Olsen says the malware is similar to the group's Carberp trojan in a move that could simplify compromise of PC and OS X systems with the same command-and-control server.

It delivers information on a target machine including running processes, user identities, and can execute commands sent from the server.

The trojan is shipped within a PDF document on Russian space projects that executes the malware along with a 17-page document, the latter a ruse to cloak the malware's execution. ®

Sponsored: IBM FlashSystem V9000 product guide

The Register - Security

Two US lawmakers who are members of their respective intelligence committees said Thursday that a spate of recent cyber attacks suggests Russia is trying to disrupt the November election.

"Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the US election," said a statement from Senator Dianne Feinstein and Representative Adam Schiff, both Democrats from California.

"At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election -- we can see no other rationale for the behavior of the Russians."

US officials have stopped short of blaming Moscow for the wave of computer intrusions, but many analysts have said the attacks appear to be from Russian hackers.

Feinstein and Schiff, who as members of their intelligence committees receive classified briefings, said they believe that the hacks "could come only from very senior levels of the Russian government" and called in Russian President Vladimir Putin "to immediately order a halt to this activity."

"Americans will not stand for any foreign government trying to influence our election," they said.

"We hope all Americans will stand together and reject the Russian effort."

The recent breach of Democratic National Committee data, along with other electronic intrusions, has raised concerns about cyber incidents that could affect the outcome of the US presidential race, or other contests.

The campaign of Democratic presidential candidate Hillary Clinton said one of the hacks had accessed an analytics data program.

Cybersecurity experts see a potential for more hacks and incidents in the coming months which could hurt the integrity of the election campaign.

Related: XTunnel Malware Specifically Built for DNC Hack

view counter

© AFP 2016


SecurityWeek RSS Feed

When hackers, believed to be a Russian crime gang, broke into Oracle-owned payment terminal biz MICROS, it was assumed the crooks were snooping around other register makers, too.

Well, assume no more: here's five other companies poked and prodded by the crew, with wildly varying degrees of success.

Days after word broke that MICROS had been infiltrated by miscreants, Hold Security tipped off Forbes that POS vendors ECRS, Navy Zebra, PAR Technology, Cin7, and Uniwell were also targeted by the same group.

Alex Holden, CISO for Hold Security, told El Reg that the network breaches all look to have taken place over a two-week period between July 16 and 29 when members of a Russian hacking group infiltrated company web servers and attempted to access customer databases.

"In our investigation after learning about the MICROS breach, we identified a number of victims to the same group," Holden said. "Besides learning about how MICROS was compromised, we saw the hackers target and successfully attack a number of other POS software providers."

Holden said his team witnessed stolen data and backdoor passwords being exchanged in underground forums, with the hackers selling information obtained from MICROS for $ 10,000.

"Hackers use standard attack tools to install backdoors into web servers of the victims," explained Holden. "Once successful, they would try to gain access to SQL databases and retrieve or download data."

It appears, however, that the attempts at infiltrating the networks of those other companies were by and large far less successful than the ransacking of MICROS.

It was feared that, by compromising the POS vendors, the criminals would be able to remotely access payment terminals in potentially thousands of stores, hotels and restaurants, and snoop on people's bank card details.

However, so far, it appears the main victims were poorly secured web and documentation servers, and no sensitive personal information was directly obtained. It is, of course, possible that any internal documentation or passwords grabbed by the hackers could be leveraged to attack further systems and networks.

Cin7 claims it wasn't hit at all. A spokesperson for the software biz told The Register, "we have not suffered any type of breach in the system," and gave us a copy of the notice founder Danny Ing sent to his customers:

We wanted to let you know that Cin7 has been the target of an unsuccessful cyberattack, which was detected as part of our normal security auditing process. As a further precautionary measure, our protocol in these situations is to recommend you reset your Cin7 password.

We want to reassure you that, as our terms and conditions indicate, Cin7 does not store any credit card information for your business or your customers. We greatly value our business relationship with you, and look forward to many more years of our continued partnership.

Yet Ing apparently told Forbes earlier this week that "malicious code designed to get passwords from the database or operating system" was found on one of its servers. It may have been that the infection was detected and stopped immediately.

Meanwhile, in an email seen by The Register to resellers, Uniwell said: "Recently, a web server which contains public domain information on Uniwell products such as operating and service manuals, installation documents and brochures was breached. There is absolutely no connection between this web server breach and the security of our POS systems."

Uniwell's director of technology Gilmer Pinto told us shops and hotels' Uniwell terminals are not connected to its website's systems, therefore there was no way the hackers could tunnel their way into sales registers and lift card information. "Our ROM-based proprietary POS systems do not fall into a category as other PC-based POS systems that use servers and keep customers' data. Our POS Systems are simply not designed that way," said Pinto.

The biz plans to shut down the compromised server, though, and use other systems to distribute information and manuals.

ECRS was quoted by Forbes as saying the hackers were able to insert malicious code into one of its web portals and may have had access to customer contact information, but "the affected system was segregated from the systems that ECRS uses to facilitate remote access to merchant systems, and the affected system was not used to store sensitive information pertaining to credit card processing."

PAR Technologies, meanwhile, said it was treating the incident "as a non-material event" and that no production data was accessed.

NavyZebra and its parent company BankCard Services said it is investigating the claims, stressing that it does not store any payment card details.

So, as you would expect, the miscreants behind the MICROS hit are indeed probing and infiltrating other sales terminal vendors. Investigative reporter Brian Krebs estimates that the crew, known as the Carbanak Gang, swiped have more than $ 1bn from banks, shops, hotels, and so on, over the years by hacking payment systems.

Let's hope POS makers are all taking notes. And that their card readers are more secure than their websites. ®

Sponsored: Global DDoS threat landscape report

The Register - Security