Father Christmas gets in quietly, bringing lots of presents with him – but they’re not always the ones you want [Part 2]

We’re counting down now. It won’t be long before Father Christmas is on his way, so it’s time for the second part of our Advent blog. Do you still remember part one? That is where I talked about Christmas presents, though not for you but for the cybercriminals who will be getting lots of presents in December. Specifically, I talked about the hidden risks of blockchain technology, crypto-money laundering, the connection with ransomware and, of course, why the comparison with Christmas presents works as a metaphor. Part two continues with insights from the world of cybercriminals, starting with “Father Frost”...

Santa has two faces...

You probably no longer believe in Father Christmas either, but as a child you surely believed in the chubby man dressed in red with a snow-white beard, or, in Switzerland, in the Christ Child, right? In other countries such as Russia, the equivalent figure is “Father Frost.” He is accompanied by his daughter Snegurotschka (translated as the Snow Maiden or Snowflake) and gives presents to children on New Year's Eve.

The belief in Father Christmas or Father Frost has something in common with the attribution of attacker groups, i.e. ascribing particular attack methods to particular groups. This becomes especially apparent when you go beyond assigning activity to a group and want to trace that group back to its origins. It is not uncommon to hear rumours that the Chinese or the Russians have a hand in it, occasionally also the North Koreans, and even good old Uncle Sam (USA).

Hiding your tracks is often successful - but not always

When we carry out our investigations, we are always tempted to attribute the attack geographically as well. It is easier to explain to the victims of an attack that they have been hacked by a country than to point to a particular group. Time and again, we find interesting indicators that allow us to make this kind of assignment. In incident response cases, for example, we have already dealt with groups that closed their offices on Russian national holidays; or when attackers try to log into a system using Cyrillic user names such as "Матиас", the assumption is that the attacker is familiar with the Cyrillic script, so if you think it's Russian Father Frost in a case like this, you're probably not far off the mark. Even the tone of the negotiations over the ransom allows us to draw conclusions about the attackers' cultural background. The same goes for the time of day at which the attackers were active in the victim's systems and responded most quickly in the "negotiation chats" (yes, they exist, no kidding!).
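As an added illustration (not code from the original post), here is a small Python script that applies two of the indicators described above to constructed log lines in a hypothetical "timestamp event user src" format: it flags logon attempts whose usernames contain Cyrillic letters, and it ranks candidate UTC offsets by how much of the observed activity would fall into local working hours. The sample lines, the log format and the 08:00–18:00 working-hour window are assumptions.

```python
import re
import unicodedata
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical "ts event user src" format; not from a real case.
SAMPLE_LOG = """\
2021-12-10T06:15:03Z LOGIN_FAILED user=Матиас src=203.0.113.5
2021-12-10T06:48:41Z LOGIN_FAILED user=admin src=203.0.113.5
2021-12-10T09:02:17Z LOGIN_OK user=backup_svc src=203.0.113.5
2021-12-11T11:30:55Z LOGIN_OK user=backup_svc src=203.0.113.5
2021-12-11T14:10:02Z LOGIN_FAILED user=Администратор src=203.0.113.5
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Return one dict per well-formed line (timestamps as aware UTC); malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            records.append(rec)
    return records

def scripts_in(name):
    """Unicode scripts used by the letters of a username, e.g. {'CYRILLIC'} or {'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}

def cyrillic_usernames(records):
    """Usernames containing Cyrillic letters: one weak attribution indicator among several."""
    return sorted({r["user"] for r in records if "CYRILLIC" in scripts_in(r["user"])})

def activity_by_hour(records, utc_offset_hours=0):
    """Events per local hour under a candidate time zone (a hypothesis to test, not proof)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(r["ts"].astimezone(tz).hour for r in records)

def rank_offsets(records, candidates=range(-12, 15), start=8, end=18):
    """Rank UTC offsets by how many events fall into a working day (start <= hour < end).
    Ties are expected: timing narrows the actor to a band of time zones, never to one."""
    scored = []
    for off in candidates:
        in_day = sum(n for h, n in activity_by_hour(records, off).items() if start <= h < end)
        scored.append((in_day, off))
    return sorted(scored, key=lambda t: (-t[0], t[1]))

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("Cyrillic usernames:", cyrillic_usernames(recs))
    print("Best-fitting UTC offsets (events in working hours, offset):", rank_offsets(recs)[:3])
```

With the five constructed events, UTC+2 and UTC+3 tie at the top, which is exactly the kind of "band, not pinpoint" result timing analysis produces in practice and why it is only combined with the other indicators.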

At some point, every Father Christmas takes off his costume

All these clues ultimately help to unmask the attackers, like when you were a child and you heard noises in the hallway late at night. It wasn't Father Christmas you suspected, but your parents putting the presents under the tree.

That is why it became clear relatively quickly during the Colonial Pipeline hack that the Darkside ransomware very likely originated from someone using the Cyrillic alphabet. A short time after Joe Biden put pressure on the Russian government, Darkside disappeared from the scene. The group later re-emerged under the name "Blackmatter", but has since ceased operations again. In the end, the whole thing was a big headache for those behind it and hopefully also marked the end of Darkside/Blackmatter. But the blame for the whole story lay with the so-called affiliates. You will find out why, and what is meant by this, in a few days in the final part of the Advent story. Either way, we can assume that there will always be attackers like Darkside/Blackmatter. Unfortunately, there are still countries where attacker groups can operate with no major fear of sanctions and from where they can send ransomware, so long as it does not affect their own country. So you can see that it's not just Father Christmas who comes around every year...

Don’t want to miss out on the final part? Then you can either subscribe to our blog updates and/or follow us on LinkedIn – that way, you always stay up-to-date, and not just during Advent.
PS: After my series of blogs, there is a great competition waiting for you, where we will be giving away attractive prizes for you personally and for your company. How do you enter? It's simple: read my three-part Advent story carefully and answer a few questions about it in the fourth window. We have our fingers crossed for you!


About the author: Stefan Rothenbühler, Principal Cyber Security Analyst, InfoGuard AG
