This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

North Koreans Charged Over $1.3bn Theft

Three North Korean hackers have been charged by the US over a plot to steal over $1.3bn from various banks and businesses around the world.

As well as being accused of criminal conspiracy, conspiracy to commit wire fraud and bank fraud, the three men are additionally accused of deploying malicious cryptocurrency programs.

The three men are not in custody and are thought to remain in North Korea, and as such are unlikely to face the US justice system any time soon.

One of the accused, Park Jin Hyok, had previously been charged in 2019 for his involvement in the 2014 Sony Entertainment hack, and all three are accused of being involved with the extremely destructive 2017 WannaCry virus.

Assistant Attorney General for National Security, John Demers, said on the matter, “North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers”, adding that the country “has become a criminal syndicate with a flag”.

Yandex Insider Breach

Prominent Russian search engine Yandex has revealed that around 5,000 of its users have had their accounts compromised following a malicious insider attack.

Publishing a statement online, the search giant announced that, following a routine screening by Yandex’s security team, it was discovered that an employee had been providing unauthorised access to users’ mailboxes for “personal gain.”

The employee was one of three systems administrators with the necessary access rights to provide technical support for the service. As a result of the employee’s actions, 4,887 mailboxes were illegally accessed.

The technology company has contacted law enforcement authorities about the incident. Insider attacks such as this are often difficult to detect and are, more often than not, down to negligence rather than malice.

In the statement, the company noted, “A thorough internal investigation of the incident is under way, and Yandex will be making changes to administrative access procedures. This will help minimize the potential for individuals to compromise the security of user data in future.” It added, “We apologize to the users who have been affected by this incident.”

ICO Fines Nuisance Callers £270,000

The UK’s data watchdog, the Information Commissioner’s Office (ICO), has issued fines totalling almost £300,000 to two companies for making unlawful marketing calls.

Under regulation 21 of the Privacy and Electronic Communications Regulations, the companies should not have been making marketing calls to individuals registered with the Telephone Preference Service (TPS).

Call Centre Ops and House Guard, the companies behind the communications, were found to have made a total of around 800,000 illegal calls, with some employees claiming ‘not to be a sales call’ despite attempting to sell life insurance.

Andy Curry, ICO Head of Investigations, stated on the fines, “If you sign up to the TPS, you should not expect to get nuisance calls. It’s as simple as that. Companies that have no respect for their customers’ wishes and choose to flout the law, can expect to face consequences – for their reputation and to their bottom line.”
