Investigative authorities in Europe and the USA have struck another blow against organized cybercrime. Investigators in Baden-Württemberg, in cooperation with European police forces, Europol, the US federal police agency FBI and other US authorities, took control of the IT infrastructure of the ransomware group “Hive” on Thursday. This was announced by the police headquarters in Reutlingen on Thursday afternoon.
“Operation Dawnbreaker”
During “Operation Dawnbreaker”, the authorities reportedly “seized a large number of servers and secured data and accounts from the network and its users”. The starting point of the operation was a ransomware attack on a German company in the Esslingen area. In the course of the investigation, the police “succeeded in penetrating the criminal IT infrastructure of the perpetrators”.
During the investigation, the authorities were reportedly able to “retrace the trail to the hitherto unknown, globally active Hive network” and provide the international partners with “crucial information”.
The investigations are ongoing. The authorities do not provide any information on the identity of the perpetrators and “customers” of the group. From the evaluation of the confiscated servers and the seized data, the authorities hope to gain further insights into suspects and “users” of the criminal network.
“Ransomware as a Service”
Like other groups, the Hive network offered its ransomware “as a service”. The authorities blame the group for more than 1,500 serious cyber attacks against companies and organizations in 80 countries over the past year and a half, 70 of them in Germany. In Germany, Hive attacked the electronics retail chains MediaMarkt and Saturn in November 2021.
According to Europol, the “Hive” members used various attack vectors. Some attacks began with plain logins over the Remote Desktop Protocol (RDP) or via VPN. In other cases, the attackers bypassed multifactor authentication and gained access through software vulnerabilities. Other attacks were initiated via phishing emails carrying malware.
According to estimates by the US judiciary, the perpetrators were able to extort around 100 million US dollars. According to information from Europol, the extorted money was then split: the attackers gave one fifth to the developers of the ransomware and kept 80 percent of the loot themselves.
Network infiltrated
Some of the affected German companies did not pay the demanded ransom, but instead filed criminal charges, thus getting the investigations rolling. The German investigators then called in their international colleagues. The US authorities say they have had access to the network since July 2022.
They also used this access to provide affected companies with the data needed to decrypt the systems encrypted by the ransomware. “Since July of last year, we have assisted more than 300 victims around the world, preventing approximately $130 million in ransom payments,” said US Attorney General Merrick Garland. In the USA, for example, a hospital was attacked with Hive ransomware.
In addition to the United States, Germany, and the Netherlands, investigators in Canada, France, Ireland, Lithuania, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom were involved in Operation Dawnbreaker.
The public prosecutor’s office in Stuttgart estimates that the damage caused by Hive is in the billions and expects the problem to grow. “It is all the more important that the investigative authorities continue to network, act flexibly and keep the technology up to date,” explained senior public prosecutor Joachim Dittrich.
Update, 26.01.2023, 18:19: Message added with more details.
Update, 27.01.2023, 11:45: Correction: According to the police, the ransomware attack on an automotive supplier initially mentioned in the article was not the starting point of the investigation. We have deleted the reference to the company.
(vbr)