
International Sting Operation: Kripos Investigates Ukrainian Hacker League in Global Cybercrime Case

HUNT: Investigators from Kripos took part last week when Ukrainian cyber police moved against what they believe to be a hacker league. Photo: The police

In the war-torn country, Ukrainian cyber police have been kicking in doors across Kyiv in search of hackers. Their identities stem from a five-year Norwegian-led police investigation.


– It was special to be in Kyiv now. We are investigating a Norwegian criminal case in Ukraine, at the same time as there is war in the country. I am impressed by the ability they have to normalize life over there, says police attorney Knut Jostein Sætnan to VG.

Last week he was in Kyiv with nine other Kripos employees, looking for the people they believe attacked Hydro almost five years ago. The company was hit by an extensive ransomware attack; ransomware is malicious software that encrypts the victim's files or systems and demands payment for the key to unlock them again. The attack cost Hydro NOK 800 million, but was covered by the company's insurance.

Thirty addresses were searched and several people have been arrested in Ukraine, including a man the police believe is one of the leading figures in the group.

One imprisoned in Norway

– We also have an Armenian in custody in Norway who we believe has played a central role in the network. He was caught in Germany this summer and was extradited to Norway just over four weeks ago, says Sætnan.

The Armenian is said to have lived in Ukraine for a long time and the police believe he has been close to several of the key people caught in the case.

– The investigation against him is still ongoing, and we believe he has been an important part of the network’s attacks on businesses worldwide. We now believe that the international investigation has probably managed to reveal the structure of this network, and the aim is to put it completely out of action, says Sætnan.

The Armenian’s defender does not wish to comment on the case at this time.

SEIZURE: The police have secured 18 terabytes of data after last week’s action in Kyiv. Over 100 digital devices have been secured. Photo: The police

– Did you find everyone you were looking for in Ukraine?

– We are still hunting for additional people whose identities we know but whom we have no control over. In addition there are even more that we want to identify, says Sætnan.

He says there were many who thought it was impossible to solve cases such as the Hydro hacking.

– But this investigation has clearly shown the opposite. That we should have a suspect in custody in Norway today is more than we had imagined, says Sætnan to VG.

The Armenian is charged with complicity in serious computer damage and serious extortion as part of the activities of an organized criminal group.

In total, at least 1,800 businesses in 71 countries have been attacked by the same group that affected Hydro.

COOPERATION: Police prosecutor Knut Jostein Sætnan says Kripos’ people have acted as international investigative leaders in the operation. – It is completely unique and has been important for progress. Photo: Espen Sjølingstad Hoen / VG

Five years of puzzles

It started with an email to a Hydro employee just before Christmas in 2018, carrying an infected attachment (a file sent with an email that contains malware) which would prove to be very costly. The malware opened the door for the attackers to gain access to the aluminum company's network.

Three months later, the hackers moved to halt operations at Hydro's plants. Using the LockerGoga ransomware, they encrypted the company's computers worldwide, rendering them unusable.

The machines were left with a ransom demand, in which the company was told to pay a large sum in Bitcoin (a digital currency used on the internet) in exchange for a key that could "unlock" the machines that had been encrypted.

Old ring binders were retrieved and pensioners who knew how the large aluminum machines could be switched to manual operation were called.


Praises Hydro

Hydro refused to pay and instead reported the matter to the police via MMS, since the computers in the office were not working.

Together with technical and tactical investigators, Kripos traveled to Hydro’s headquarters. There, work was done late into the night. What followed was a five-year hunt for the culprits.

– It provided a good basis for the cooperation we have had with Hydro afterwards, says Sætnan and praises the company for its openness. He cannot emphasize enough how glad he is that the company reported the matter.

– We depend on the companies to both report and cooperate. There are several companies in Europe that were hit as hard as Hydro, but they have chosen not to report the case.

Kripos’ recommendation to the victims is clear: Do not pay the ransom demands.

– Nevertheless, I understand that there are businesses that have no choice and must pay to get their data back in order to survive, he says and continues:

– They still have to report the cases, because these are important clues that can be very important in the investigation of these groupings.


Successful cooperation

Sætnan says that the investigation into the Hydro case shows that it is useful to report this type of case that goes across national borders.

– Kripos has coordinated the international investigation and we have acted as investigative leaders internationally, says Sætnan.

They have cooperated with French, British and Ukrainian law enforcement authorities in a Joint Investigation Team (JIT), initiated by French police. In addition, there has been close cooperation with American, Dutch, Swiss and German police authorities.

– It is the amount of data analyzed over time that has enabled us to achieve this breakthrough. Somewhere along the way, the criminals have made mistakes that enable us to identify them, says Sætnan.

He describes the hacker network as well organized.

– They have clear, defined roles and a strict hierarchy. In addition to those who create the malware, infect businesses, carry out the attacks and later extort money from the businesses, there is also a large apparatus for handling the money.

According to Kripos, the investigation has managed to identify people from the bottom all the way up to the top of this network.

– Collectively, these have caused damage all over the world to the tune of several billion kroner, says Sætnan.

Kripos suspects that, in addition to the LockerGoga malware, the group has used a number of other malware families such as MegaCortex, Dharma and Ryuk. In 2021, Swiss police arrested a person who the police believe was behind the development of LockerGoga and MegaCortex. He will be prosecuted in Switzerland.

– The investigation has shown that there is a smaller number of such criminal groups than we previously assumed. The group we are now investigating has been behind countless attacks with many different types of malware. That is why it is also very important to put them out of action, concludes Sætnan.

STOP: This is what it looked like when Norsk Hydro told all its employees not to turn on their computers while the company was under cyber attack in 2019. Photo: Terje Pedersen / NTB

Published: 28.11.23 at 09:00
