Threat Watch

Polish Police Shut Down Hacker Super-Group Involved in Bomb Threats, Ransomware and SIM-swapping

Polish authorities shut down a prominent Polish hacking group and arrested four individuals with four more under investigation. The group has been under investigation since May of 2019 when they sent a bomb threat to a school in Łęczyca. The group more notoriously sent similar threats to over a thousand kindergartens in June 2019. Each fake bomb threat demanded 5,00 zlotys (roughly $1,300) in payment.

Along with bomb threats, the group participated in malware distribution, SIM swapping and e-commerce fraud. The group would steal personal data using malware previously deployed on a victim’s device. They would then trick the victim’s mobile carrier into porting the victim’s phone number to a SIM card under their control. Using this SIM card, the hackers would then reset passwords for the victim’s online accounts or bypass two-factor authentication (2FA) to steal money from victims. Using this method, the group was able to steal over 600,000 zlotys (roughly $150,000). Additionally, the group created multiple fake online stores to sell nonexistent products, defrauding more than 10,000 buyers.

ANALYST NOTES

Like many cybercriminals, this group stole personal data using malware such as Remote Access Tools (RATs) and mobile malware, usually distributed through phishing emails impersonating government institutions. A very important aspect of this case is that the criminals got around two-factor authentication by convincing victims’ cellular phone carriers to port the victim’s phone number to the attacker’s SIM card and then receiving the 2FA codes by text message. A much stronger authentication method is to install the Google Authenticator app or Microsoft Authenticator app to generate 2FA codes directly on the mobile device, rather than relying on text messages to deliver codes. SIM swapping has become more prevalent recently and is a difficult problem to address with most cellular providers. In this case, one of the victims narrowly avoided having their bank account drained because a bank employee thought the online transfer request was suspicious, called the victim’s phone number, and realized when the attacker answered that it was not their customer’s voice. There is some value in having a good relationship with bank personnel.

To read more on ZDNet, please see: https://www.zdnet.com/article/polish-police-shut-down-hacker-super-group-involved-in-bomb-threats-ransomware-sim-swapping/

The Europol press release also has more details: https://www.europol.europa.eu/newsroom/news/4-hackers-arrested-in-poland-in-nation-wide-action-against-cybercrime