Mar 26, 2024NewsroomMoney Laundering / Digital Currency

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022.

This includes Bitpapa IC FZC LLC, Crypto Explorer DMCC (AWEX), and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey (TOEP).

In all, the designations cover thirteen entities and two individuals operating in the Russian financial services and technology sectors.

“Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions,” the Treasury said, adding the action seeks to “target companies servicing Russia’s core financial infrastructure and curtail Russia’s use of the international financial system to further its war against Ukraine.”

Bitpapa, which offers virtual currency exchange to Russian nationals, has been accused of facilitating transactions worth millions of dollars with sanctioned Russian entities Hydra Market and Garantex.

Crypto Explorer, the Treasury said, offers currency conversion services between virtual currencies, rubles, and UAE dirhams.

“AWEX offers cash services at its offices in Moscow and Dubai and also loads funds onto credit cards associated with OFAC-designated Russian banks such as Sberbank and Alfa-Bank,” it added.

Also sanctioned is another virtual currency exchange run by TOEP that’s alleged to have enabled digital payments in rubles and virtual currencies to sanctioned entities such as Sberbank, Alfa-Bank, and Hydra Market.

The penalty list also features Moscow-based fintech companies such as B-Crypto, Masterchain and Laitkhaus, which have partnered with sanctioned Russian banks to issue, exchange, and transfer cryptocurrency assets.

Pursuant to the sanctions, all properties and interests in the U.S. connected to designated individuals and entities will be frozen. Furthermore, entities at least 50% owned directly or indirectly by one or more blocked persons will also be subject to the blockade.

“Russia is increasingly turning to alternative payment mechanisms to circumvent U.S. sanctions and continue to fund its war against Ukraine,” said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

“As the Kremlin seeks to leverage entities in the financial technology space, Treasury will continue to expose and disrupt the companies that seek to help sanctioned Russian financial institutions reconnect to the global financial system.”

Mar 21, 2024NewsroomThreat Intelligence / Malware

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.

“The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions,” Cisco Talos said in a new report published today.

“Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.”

There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltrating taking place via the tool a month later, around January 12, 2024.

TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.

Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.

The attack chain involves Turla exploiting their initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious “sdm” service that masquerades as a “System Device Manager” service.

TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.

“Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence,” Talos researchers said.

Mar 12, 2024NewsroomCyber Espionage / Threat

Russia has detained a South Korean national for the first time on cyber espionage charges and transferred from Vladivostok to Moscow for further investigation.

The development was first reported by Russian news agency TASS.

“During the investigation of an espionage case, a South Korean citizen Baek Won-soon was identified and detained in Vladivostok, and put into custody under a court order,” an unnamed source was quoted as saying.

Won-soon has been accused of handing over classified “top secret” information to unnamed foreign intelligence agencies.

According to the agency, Won-soon was detained in Vladivostok earlier this year and shifted to Moscow late last month. He is said to be currently at the Lefortovo pretrial detention center. His arrest has been extended for another three months, until June 15, 2024.

The detention center is currently also the place where American journalist Evan Gershkovich is being held, awaiting trial on suspicion of espionage. Gershkovich has denied the charges.

The development comes amid burgeoning geopolitical ties between Russia and North Korea, even as state-sponsored hacking groups associated with the latter have targeted the Kremlin to pursue their strategic intelligence-gathering missions.

It also comes days after the U.S. arrested a former Google engineer for allegedly stealing proprietary information from the tech giant while covertly working for two China-based companies, including one founded by him last year prior to his resignation.