Hack of Belarusian Railway meant to disrupt the movement of Russian troops into Belarus and demanding the release of political prisoners in exchange for ransomware decryption keys, by [[Cyber Partisans]].

* https://www.reuters.com/legal/litigation/belarusian-group-claims-hack-railway-system-after-russian-troop-moves-2022-01-24/
* https://www.bloomberg.com/news/articles/2022-01-24/hackers-say-they-breached-belarusian-rail-to-stop-russian-troops

== Explanation of the Hack ==

According to the hackers, they used similar methods during their previous hack of the [[Academy of Public Administration (Belarus)|Academy of Public Administration]].

https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html

[[Category:Hacks]]

Hacker History

2022-01-26T00:38:27Z

Amongomous: /* 2022 */

Hacker History

2022-01-26T00:37:45Z

Amongomous: /* 2021 */

Academy of Public Administration (Belarus)

2022-01-26T00:37:00Z

Amongomous: Created page with "Two hacks wiping and encrypting the internal network of the Academy of Public Administration in Belarus, by Cyber Partisans. * Video of the second hack: https://www.youtube.com/watch?v=8l4etG0YKKQ == Explanation of the Hack == According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had its RDP port exposed to the internet. T..."

Two hacks wiping and encrypting the internal network of the Academy of Public Administration in Belarus, by [[Cyber Partisans]].

* Video of the second hack: https://www.youtube.com/watch?v=8l4etG0YKKQ

== Explanation of the Hack ==

According to an incident report leaked by the hackers themselves during the second hack, they gained initial access using the CVE-2019-0708 BlueKeep exploit in an unpatched Windows 2008 server that had its RDP port exposed to the internet. They proceeded to dump local user credentials using [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/87be30d3b286677d878f98b7f49b81844fb7f474/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md#mimikatz---mini-dump mimikatz], tunneled out using [https://github.com/jpillora/chisel chisel] and [https://github.com/3proxy/3proxy 3proxy] to use RDP and [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/1a3058f40c145a7c97fc71444cf3f1f38e3b4614/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md#psexecpy--smbexecpy--wmiexecpy psexec.py] for lateral movement on the internal network until landing on and taking over the domain controller. They then deleted data from both live and backup systems.

https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html

[[Category:Hacks]]

Hacker History

2022-01-22T06:52:35Z

Amongomous: /* 2021 */

2022-01-01T18:27:10Z

Amongomous: Created page with "Hack of 7.5 million tax records from the Latvian State Revenue Service's Electronic Declaration System, exposing pay rises for high-ranking banking and public sector employees, by Neo of the Fourth Awakening People's Army. == Media Coverage == * [https://www.theregister.com/2010/02/26/latvian_hacker_whistleblower/ The Register: Latvian hacker tweets hard on banking whistle] * [https://www.theregister.com/2010/05/14/latvian_hacker_whistleb..."

Hack of 7.5 million tax records from the Latvian State Revenue Service's Electronic Declaration System, exposing pay rises for high-ranking banking and public sector employees, by [[wikipedia:Ilmārs Poikāns|Neo]] of the Fourth Awakening People's Army.

== Media Coverage ==

* [https://www.theregister.com/2010/02/26/latvian_hacker_whistleblower/ The Register: Latvian hacker tweets hard on banking whistle]
* [https://www.theregister.com/2010/05/14/latvian_hacker_whistleblower/ The Register: Latvia's 'Robin Hood' hacker unmasked as AI researcher]
* [https://eng.lsm.lv/article/society/society/president-pardons-whistleblower-neo.a261433/ Public broadcasting of Latvia: President pardons whistleblower 'Neo']

[[Category:Hacks]]

2021-12-26T03:33:04Z

Amongomous:

Hack of the video game company Electronics Arts exposing 780GB of data including source code for the company's FrostBite engine, by LAPSUS$.

[https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code Vice: Hackers Steal Wealth of Data from Game Giant EA]

== Explanation of the Hack ==

The hackers bought a cookie that let them log into the an EA slack account on Genesis Market, a marketplace for credentials stolen from computers infected with malware. The hackers then tricked an IT employee into granting them access to the company's internal network.

* [https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack Vice: How Hackers Used Slack to Break into EA Games]
* [https://www.vice.com/en/article/n7b3jm/genesis-market-buy-cookies-slack Vice: Inside the Market for Cookies That Lets Hackers Pretend to Be You]

The hackers first tried to sell the access and source code on Raidforums. The Raidforums members got the hackers in touch with a Vice journalist who interviewed them and broke news of the hack to EA. The hackers then tried to solicit said journalist to pass along a ransom message to EA. Unfortunately, the journalist refused. The hackers proceeded to send a ransom message asking for $100m not to release the data and Vice was then able to confirm that EA had indeed received it. EA does not seem to have paid as the hackers have subsequently released all of the data for free.

[https://www.vice.com/en/article/m7e57n/hackers-extort-ea-fifa Vice: Hackers Move to Extort Gaming Giant EA]

== Ransom message ==

<pre>
Hello EA

we are the Hackers who breached your src and other data
First of all we apologize to harm your company and reputation
well what is the motive behind any hack Money right ?
so we are here to discuss related to this thing
we checked your statement on media where you mentioned ""No player data was accessed, and we have no reason to believe there is any risk to player privacy,
Is this really true? We, in fact, got to some of your production database we have database (around 2TB of pure data)
As you already know
we have src , tools + unrevealed 2tb pure data
with respect you also know if we leak this it can be big trouble for your company
that's why i have a idea best offer to you
we never sell your data to anyone
only my team have this data if we want to kept his all private we can
the deal is Pay us 100 mil$ in xmr (monero)
we will never disclose your any type of data in public even we take full responsibility it will never leak and it will deleted from our system too
You have 7 days for paying us first 33.34 mil$ to the first address
After 8 th day we will contact news to tell them we have user data.
After the 9th day we will start to post some part of your source code every day on the deepweb til the first payment is completed.
we gave you the best offer if you pay in delay, everything will be deleted and your company can run,

We have no interest in leaking if you pay. I know this sound like a ransomware, but just for one time, trust us. We just want money

we know your are afraid of scammers
we sending you here our proof ofdata for your trust

So, how's that we gonna proceed,
You will maintenance your fifa 21 servers the 5th of july at any time,
Before the maintenance, you will post a message on your twitter account (@EA)
After the first payment completed, you will have 2weeks to send the other 66.66mil USD

Data : USER_EVENT_SESSION_ENGA... Rows : 348.0G Size : 30.3TB
USER_EVENT_ECONOMY Rows : 108.5G Size : 11.4TB
USER_EVENT_MESSAGING Rows : 190.9G Size : 11.2TB

I really hope you understand that we are not kidding and we are friendly.
Thoses addresses are one time payment, mean you can't send two time to an address.

so here is out payment address

XMR :

again we are sorry but you know during this pandemic we all need money , just all people ways are different

i hope you will send the first payment in less than 7 days so we can continue

Instruction : Well for our own reasons we don't use any direct contact with you

we will use indirect contact method
So, I will give you some written content which you will post from your Twitter account so that we can understand.
if you are ready and make payment with the address
post on your twitter account : "maintenance from 5 July 10 to 11 UTC

If you posted this we will understand you are ready to make the payment and we will proceed

In Case you want to deny our golden offer
post :
or if you need some more time post "just report this to any reporter and made news again we so we understand you deny our offer and we will start to posting our code and start selling other sensitive data"

in one line : if you agree do a maintenance 5th of july from 10 to 11 UTC AND POST ON TWITTER
We need 33.34 mil in this week after this We will recontact you in some times

When the first payment will be completed we will delete 50% of what we have

On the third payment we will delete the database from our servers

You will have 2 weeks to pay the others payment

33.34 mil in this week after this We will recontact you in some times

When the first payment will be completed we will delete 50% of what we have

On the third payment we will delete the database from our servers

You will have 2 weeks to pay the others payment
hope you will understand and pay us as fast as you can

Last thing
If possible, do not tell this to the reporter and LE shits because we also do not want your reputation and worth to be down.
</pre>

[[Category:Hacks]]