Cyber breach misinformation creates a haze of uncertainty

As the landscape of cybercrime evolves, the challenge of navigating the fog of uncertainty is intensifying. The increasing frequency of false or misleading reports is creating a web of misinformation that sometimes makes discerning the truth about criminal cyber incidents virtually impossible.

Over the past four months alone, the press, social media accounts, and some researchers have reported several high-profile incidents that turned out to be false or at least far different from what they initially seemed.

In late January, a person claimed on a hacking forum to be selling the data for 48,606,700 Europcar.com customers. However, Europcar said the data was fake and was fabricated using artificial intelligence.

In late February, the ransomware group LockBit seemingly reemerged with new dark web sites after it was disrupted in an epic law enforcement takedown. A seemingly reconstituted LockBit gang threatened to release a trove of files it stole from Fulton County, Georgia in an attack earlier that month unless the county paid a ransom. The extortion effort proved a head fake when Fulton County called the gang’s bluff and no stolen files materialized.

False narratives about hacks have been increasing in recent months

Also in late February, a little-known threat actor group called Mogilevich claimed it had hacked gaming giant Epic Games and stolen 189GB of data, which Epic Games denied.

The audacity of this claim, made by a group that Brett Callow, threat analyst at Emsisoft, said is not likely a group but is “probably just one idiot,” was further highlighted when the group also claimed to have hacked Ireland’s Department of Finance (DFA), which the department denied. Faced with these denials, Mogilevich conceded its claims were not valid, saying its members were “professional fraudsters” out to scam some quick cash.

In early April, a threat actor called DoD offered on BreachForums three gigabytes of data allegedly stolen from the US Environmental Protection Agency’s (EPA) systems, claiming it was a contact list of critical infrastructure organizations worldwide. The EPA said that DoD had confirmed it had never breached the agency and that the data posted was already publicly available.

In mid-April, a new ransomware group called RansomHub added insult to injury by posting to its dark web site the sale of four terabytes of data it claimed had been stolen in a devastating ransomware attack on Change Healthcare by the once-disrupted but now-reincarnated AlphV/BlackCat group.

At that point, Change Healthcare was still reeling from the ongoing disruption the ransomware attack had inflicted on healthcare providers and pharmacies across the US, and it was later revealed that Change Healthcare had paid the attackers $22 million to stanch the damage. Although cybersecurity experts believe, but are not sure, that RansomHub’s claims of having the data are real, confusion surrounds whether RansomHub is actually AlphV/BlackCat itself using an alias, an affiliate of that group, or a brand-new group.

Pressure to get money fuels the false narratives

What frequently makes grasping the facts surrounding breaches difficult are the tactics hackers use to pressure organizations into paying ransom quickly, often based on false or exaggerated claims. “Wow, it’s almost like we can’t trust criminals to give us a true answer,” Troy Hunt, founder of the data breach search website HaveIBeenPwned, tells CSO.

“We’ve got to recognize that the folks we’re dealing with here are criminals, and their motives are clearly not pure. They’ll construct whatever narrative they need to service their own requirements.”

“The gangs try to push organizations into paying quickly,” Callow tells CSO. “They do not want to wait until organizations have had time to do the forensics and find that they didn’t lose as much data as the gang claims or that the data wasn’t as sensitive as the gang claimed it was. It’s in their interests to try and force payments quickly, very often on the back of bluffs.”

Callow thinks the misinformation problem, an enduring feature of cybercrime, accompanies greater turmoil in the threat actor world. “What is new is the increased rate of disruptions, creating a more unpredictable ecosystem,” he tells CSO. “Ransomware has always been unpredictable, but now it’s even more unpredictable.”

Complicating the problem are acts of betrayal by ransomware gangs toward their affiliates due to the chaos spawned by law enforcement disruptions. In the case of RansomHub, for example, “Change Healthcare reportedly paid $22 million to AlphV, who was already in a somewhat dazed state from the law enforcement disruption and allegedly took off with the money not paying the affiliate,” Callow says. “The affiliate had the data and was attempting to extort United Health for a second time. Supposedly. It could also have been AlphV trying for a second round of extortion. A scam within a scam.”

The accelerating spread of misinformation online

Fueling the rise of data breach misinformation is the speed at which fake data breach reports are spread online. In a recent blog post, Hunt wrote: “There are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and ‘raising them to the surface,’ so to speak. Incidents that may have previously remained on the fringe are being regularly positioned in the spotlight where they have much greater visibility.”

“It’s getting very difficult at the moment because not only are there more breaches than ever, but there’s just more stuff online than ever,” Hunt says. “It’s just a nonstop stream of all of these data breaches regularly numbering in the hundreds of thousands or millions of records, and that’s up there on the surface of the web for all to see.”

Although Hunt says most reported incidents are what they appear to be, “it does mean that there’s just a huge amount of data floating around, and you’ve still got to do all the due diligence and verification on them.”

Some press outlets contribute to the breach misinformation problem by uncritically reporting incidents posted on leak sites without much verification as they race to land scoops. “Any responsible journalist will be as cautious as they can be so as not to risk becoming, effectively, tools of the criminals,” Callow says. “It’s always a matter of balancing assisting the criminals against the public’s right to know. And some of these alleged incidents are very newsworthy.”

Purported security researchers who continually produce reports of breach incidents can also be blamed for the misinformation. “I’ll put security researchers in quote marks there who try to build a following by tweeting details of each and every breach,” Callow says. “And they are very often assisting the criminals.”

Companies also spread misinformation

It’s not only cybercriminals contributing to the current tide of breach misinformation. Companies, long loath to go public with cyber incidents affecting their customers, often initially deny breaches, only to be dragged by journalists and others over time from denial to admission.

AT&T, for example, recently started out denying a 2021 breach affecting 71 million of its customers, only to finally confirm that the breach affected 73 million customers.

Hunt says, “As much as we say that there are breaches out there that are not breaches or misattributed, we’ve also got the problem where we’ve got organizations saying that there’s no breach, and then you give it time, and they’re like, oh no, okay, hang on. There is a breach.”

“It’s not just threat actors misrepresenting things,” Hunt says. “It’s organizations not acknowledging that there is a breach when it has happened.”

No easy solutions to the problem

Few easy solutions to the misinformation problem exist aside from skeptically examining and conducting due diligence regarding the breaches claimed by threat actors.

Hunt thinks the truth always lies in the data. “Until there is evidence to support a claim, it’s just a claim, and we remain skeptical. The truth is always there in the data. It’s just a question of analyzing it. I think for the press, particularly if you’re communicating with the threat actor involved in this, you can always put the question to them: can you prove this is legitimate? What are the indicators here that show that this is what you say?”

And for companies that have experienced breaches or are the subject of false breach reports, sunlight is the best disinfectant.

“We need to get everything out from in the shadows,” Callow says. “Far too much happens in the shadows. The more light can be shone on it, the better. That would be great in multiple ways. It’s not just a matter of removing some of the leverage threat actors have. It’s also giving the cybersecurity community and the government access to better data. Far too much goes unreported.”

“I don’t think we are ever going to get to the point where things are clear and concise,” Hunt says. “For me, particularly running HaveIBeenPwned, all I want is the truth to come out of the data. If an organization has been breached, whether it’s breached or scraped, or whatever else, then let that truth come out. If they haven’t, then let that truth come out.”
