
One of the two men extradited to the US this week to face federal charges is accused of being responsible for an intrusion that hit as many as 1,500 organizations in a single stroke, making it one of the worst supply chain attacks ever.

Yaroslav Vasinskyi was arrested as he crossed from his native Ukraine into Poland. He was extradited to the US this week, arriving in Dallas, Texas, on March 3, to face charges that carry a maximum penalty of 115 years in prison.

First up: Sodinokibi/REvil

In an indictment, prosecutors said that Vasinskyi was responsible for the July 2, 2021, attack that first compromised Kaseya, a seller of remote-management software, and then used the company's own infrastructure to infect 800 to 1,500 organizations that relied on the software. Sodinokibi/REvil, the group that Vasinskyi allegedly worked for, demanded $70 million for a universal decryptor that would restore all victims' data.

The tactics, techniques, and procedures used in the Kaseya supply chain attack were impressive. The attack started by exploiting a zero-day vulnerability in Kaseya's VSA remote management product, which the company says is used by 35,000 customers. The group stole a legitimate software-signing certificate and used it to digitally sign the malware. This allowed the group to suppress the security warnings that would otherwise have appeared when the malware was being installed. A valid signature proves only that whoever signed the file held the private key; it says nothing about whether the code is benign, which is why a signed binary landing in an unusual location still deserves scrutiny.

The attackers also used a technique called DLL side-loading, which abuses the order in which Windows searches for libraries: a malicious DLL carrying the name of one a legitimate program imports is placed where the loader will find it first, typically in the same directory as the program, so the operating system loads the spoof instead of the legitimate file. Here the legitimate program was Windows Defender itself; the copy the attackers dropped was an outdated version known to be vulnerable to side-loading.
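A practical way to catch this pattern on the defender's side is to look at image-load telemetry for a DLL that carries a system library's name but is mapped from the loading program's own directory rather than from a Windows system directory. The script below is an added example, not code from the article or from Kaseya; it scans constructed records shaped like Sysmon Event ID 7 (ImageLoad) entries and flags side-loading candidates, rating unsigned DLLs high and signed ones as needing review, since the Kaseya payload was signed with a stolen certificate. The DLL names in the watch list, the trusted-directory list and the sample file paths are assumptions for illustration, not details taken from the page.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Added example: the record format, watch list and sample events are constructed
for illustration and are not the article's or Kaseya's own data.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories from which Windows normally loads its own DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Application roots where a signed program bundling its own DLL is expected
# (assumed allowlist; tune to your estate).
TRUSTED_APP_DIRS = (r"c:\program files", r"c:\program files (x86)")

# DLL names a planted file would impersonate (assumed, not exhaustive).
IMPERSONATED_DLLS = {"mpsvc.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process executable that performed the load
    image_loaded: str  # DLL that was mapped into it
    signed: bool       # whether the DLL carries a valid Authenticode signature
    signature: str     # publisher named in that signature, if any


def parse_record(line: str) -> ImageLoad:
    """Parse one pipe-separated key=value line (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _under(path: PureWindowsPath, roots: Tuple[str, ...]) -> bool:
    p = str(path).lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def sideload_reason(ev: ImageLoad) -> Optional[Tuple[str, str]]:
    """Return (severity, explanation) if the load looks like side-loading, else None."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in IMPERSONATED_DLLS:
        return None                      # not a name worth impersonating
    if _under(dll.parent, SYSTEM_DIRS):
        return None                      # loaded from where Windows keeps it
    if str(dll.parent).lower() != str(exe.parent).lower():
        return None                      # not the application-directory search-order trick
    if not ev.signed:
        return ("high", f"unsigned {dll.name} loaded by {exe.name} from {dll.parent}")
    if _under(exe.parent, TRUSTED_APP_DIRS):
        return None                      # signed DLL shipped with an installed application
    # Signed, but the program itself sits in an unusual place: a stolen
    # certificate makes the signature check pass, so do not trust it blindly.
    return ("review", f"{dll.name} signed by {ev.signature!r} loaded by {exe.name} from {dll.parent}")


def find_sideloads(records: str) -> List[Tuple[str, str]]:
    """Scan newline-separated records and return every side-loading finding."""
    findings = []
    for line in records.splitlines():
        if line.strip():
            hit = sideload_reason(parse_record(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one benign installed app, one normal system
# load, one unsigned DLL planted next to a relocated executable, and one DLL
# signed by an unknown publisher next to a downloaded tool.
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Windows Defender\MsMpEng.exe|ImageLoaded=C:\Program Files\Windows Defender\mpsvc.dll|Signed=true|Signature=Microsoft Corporation
Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|Signature=Microsoft Windows
Image=C:\Windows\Temp\MsMpEng.exe|ImageLoaded=C:\Windows\Temp\mpsvc.dll|Signed=false|Signature=
Image=C:\Windows\Temp\MsMpEng.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows
Image=C:\Users\alice\Downloads\tool.exe|ImageLoaded=C:\Users\alice\Downloads\dbghelp.dll|Signed=true|Signature=Example Transport Ltd
"""

if __name__ == "__main__":
    for severity, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Run against the constructed sample, the script reports the unsigned DLL planted in Temp as a high-severity hit and the signed DLL beside the downloaded tool as one to review, while the installed Defender copy loading its own DLL from Program Files is left alone. The allowlist is what keeps the false-positive rate tolerable; the trade-off is that an attacker who can write into Program Files and obtain a signature will pass, so pair the rule with file-integrity monitoring of those directories.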

Federal prosecutors claim that Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout the software build system. Vasinskyi is accused of conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.


Remember NetWalker?

A Canadian man accused of participating in dozens of attacks pushing the NetWalker ransomware was extradited to the US on Thursday.

The man, Vachon-Desjardins, was arrested in January 2021 on charges that he received more than $27 million in revenue from NetWalker. The FBI's field office in Florida is handling the case now that the defendant has been transferred to the US.

NetWalker was an advanced and prolific group that operated under a model in which core members recruited affiliates to deploy the NetWalker software. Any revenue generated was split between the core members and the affiliates. The group extorted $25 million between March and July of 2020. Trinity Metro, a transit agency in Texas that provides 8 million passenger trips annually, and the University of California, San Francisco, were among the victims.

NetWalker was human-operated ransomware, meaning operators spent days, weeks, or even months establishing a foothold inside a targeted organization before deploying it. As part of the same international effort, authorities in Bulgaria seized the darknet website that NetWalker affiliates used to communicate with victims.

Vachon-Desjardins is accused of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. Blockchain analysis firm Chainalysis said that the Canadian man had also helped push other ransomware strains.

Law enforcement authorities have had a number of successes in recent weeks. In June of last year, the FBI said it had seized more than $2 million that had been paid to the attackers who crippled the network of Colonial Pipeline and caused gasoline and jet fuel supply disruptions up and down the East Coast. DarkSide's website went down around the same time.