The sensitive nature of stolen material leads experts to think hackers might seek to do more than extort companies
The number of deepfakes used in scams in just the first three months of 2023 outstripped all of 2022
BY:
Alexis Estes
Cybersecurity Analyst
Project Counsel Media
29 JUNE 2023 — A few weeks ago, when Progress Corp, the Massachusetts-based maker of business software, revealed its file transfer system had been compromised, the issue quickly gathered global significance and blew the needle off the cybersecurity Richter scales. A Russian-speaking gang dubbed Cl0p had used the vulnerability to steal sensitive information from hundreds of companies including British Airways, Shell and PwC. It had been expected that the hackers would then attempt to extort affected organisations, threatening to release their data unless a ransom was paid.
NOTE: while it was clear it was state-sponsored, many cybersecurity analysts also thought “China” given China’s similar interest in hacking granular personal data from Western countries at quantum scale. Disinformation, disruption of services and IT infrastructure, blackmail, an insurance policy against SWIFT sanctions – China may not quite know how to use the data effectively but the possibilities from collection must be enticing.
However, cyber security experts said the nature of the data stolen in the attack – including the driving licences, health and pension information of millions of Americans – hints at another way hackers could cash in: ID theft scams, which, combined with the latest in so-called deepfake software, may prove even more lucrative than extorting companies. If a blackhat had this much information, in such a pristine state, the sky is the limit.
Experts have long warned about the growth of deepfake scams, in which criminals pair artificial intelligence software with personal information to create realistic digital likenesses of people and bypass traditional security checks. The number of deepfakes used in scams in just the first three months of 2023 outstripped all of 2022 and then some, according to Miami-based Sumsub, a user verification platform, with particularly high growth in Canada, the US, Germany and the UK. This is because faking a western citizen’s identity unlocks not just bank and traditional online scams, but also the theft of government benefits.
For example, the sort of information stolen in the Progress hack – photographs, names, dates of birth, home addresses and parts of social security numbers – could be used to create the fake video selfies needed to pass the identity checks many U.S. state agencies rely on. That could allow criminals to successfully claim unemployment benefits, and apply for federal college loans, food stamps and other programs. Sumsub estimates that each stolen identity can be successfully leveraged to steal as much as $2 million from government benefit programs alone.
And as AI advances, more tools become available to fraudsters, and the use of synthetic identity fraud is rising at an alarming rate. Sumsub says it must continually come up with new ways to spot these sophisticated fakes.
And the attacks seem to have been easy. After at least one of its customers had their data breached, and then another, Progress revealed that hackers had found “a previously undiscovered weakness” in its software that allowed them to target its clients. The breach eventually led to the theft of terabytes of data from Progress’s customers, including oil company Shell and accounting rivals PwC and EY, as well as dozens of American government agencies, including the Department of Agriculture, Maryland’s health services and the California pensions system, one of the largest in the world.
NOTE: This also harps on an issue screamed loudly by Steve King, Andy Jenkinson and other cybersecurity pros: until we change laws and make data a liability that companies can be sued over for mismanaging, the problem will continue. There should be a price for being so careless with customer data. Yes, I get it. Blame the Russians, and all the clapping seals will immediately forgive the klutzes for not being careful enough with the sensitive data … “because, well, it’s Russia”. But in the real world, most data breaches happen because of inadequate information security policies. One suspects there will be no consequences whatsoever for Progress Corp, the company whose carelessness led to these incidents, nor its management or shareholders.
The sprawling landscape of victims – many of whom have yet to publicly acknowledge the breach – is connected by a shared reliance on a piece of software called MOVEit, made by Progress, which was advertised as a secure method for companies to comply with data processing regulations, keeping their most precious information safe both in transit and in storage.
The second part of the heist was expected to be extortion: demanding payment under the threat of publishing the data on the dark web. For instance, the hackers recently posted a vast amount of data from Shell, an indication that the company did not pay a ransom. Shell said a very small number of its employees used the software, and the rest of its systems were untouched. This was data theft and extortion, not a ransomware event.
The hackers, who declined via email to comment, also leveraged a highly sophisticated webshell, or backdoor, that appears to have bypassed industry-standard security measures from companies such as Microsoft or CrowdStrike, according to two people familiar with the initial investigation into the hack. Progress said it was working with law enforcement and helping its customers further secure their data, “including applying the patches we have released”. Cue the usual, nauseating press release:
“We are committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products”.
Progress is relying on Charles River Associates, a consultancy, the forensics division of DLA Piper, the law firm, and the Google-owned cyber security firm Mandiant as it prepares for lawsuits against it. The U.S. Cybersecurity and Infrastructure Security Agency is also involved, but has not commented on the hack.
Bottom line: organised crime syndicates, state operations, and professional fraud groups are those most likely to use this information with the intent of committing global ID fraud at scale. Since the data stolen was real, it will be verified as genuine when fraud is attempted, allowing it to pass through most case-level checkpoints. So most cybersecurity analysts expect to see a major uptick in serial fraud attacks across the board due to the influx of stolen identity information getting into the hands of professional fraudsters.
At the California Public Employees’ Retirement System, or Calpers, the Cl0p hackers made off with the personal data of about 769,000 retired members and their survivors. The data of recently deceased Americans is particularly valuable on the black market, said a private cyber security official involved in investigations at several victims.
So you see the problem: open a credit card in a dead man’s name, take out loans, redirect social security payments, sign up for food benefits. Who’s going to ring the alarm?
Artificial intelligence poses an existential threat to nations that lack a universal identity credential. I live in Europe and have citizenship/residency in 3 European countries, and I have 3 identity cards. Nations with secure universal digital identity systems are at very low risk of cybersecurity threats because the systems require two-factor authentication (some three-factor) with a physical card. With such a system, everyone from business people to welfare beneficiaries can quickly and easily access government data systems with no need to jump through multiple hoops just to receive a basic benefit (driver’s license, food stamps). The opportunity cost of failing to use a universal and secure ID is probably in the hundreds of billions of dollars worldwide. Imagine a world with no bureaucratic hurdles. Now, we are starting to confront huge direct losses as well.