Hive disrupted, Google’s ad problems and new wiper malware in Ukraine

Wolfgang Hasselmann / Unsplash

Welcome to Changelog for 1/29/23, published by Synack! Nate Mott here and ready to recap the week in cybersecurity. Without further ado:


The payload

The U.S. Department of Justice announced on Jan. 26 that it had conducted a “months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms and critical infrastructure.”

Hive started to sting its victims — mostly small and mid-sized organizations that, according to Palo Alto Networks Unit 42, were “ill-equipped for managing a ransomware attack” — in June 2021. It continued to metamorphose 18 months later, however, with Rapid7 saying Hive “employed a number of previously unseen techniques designed to drop the defenses of the victim, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files” in a recent attack on an unidentified victim.

Now the ransomware gang will have to continue to evolve. It wasn’t entirely smoked out — its members could set up new infrastructure, find new affiliates and continue to target organizations around the world. But those changes take time, and the FBI has already cost Hive a lot of money via this operation.

“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims and ultimately averting more than $130 million dollars in ransomware payments,” Deputy Attorney General Lisa Monaco said in a statement. “We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

A ransomware gang missing out on more than $130 million? That sounds pretty sweet to me.

The week, compiled

Speaking of DOJ: It announced on Jan. 25 that it was filing an antitrust lawsuit against Google “for monopolizing multiple digital advertising technology products.”

The news reminded me of reports that Google has failed to effectively manage the use of search ads to distribute malware, assist with phishing attempts or just outright scam people. BleepingComputer has published numerous reports on Google ads being used by ransomware gangs to gain initial access to victim networks, for example, or steal credentials from password manager users.

It works like this: Malicious actors purchase domains that resemble the legitimate addresses for popular software, publications and other websites. Then all they have to do is pay for ads that appear when people search for the actual site. Google shows the ads for the malicious sites before the legitimate search results, and because many people assume that Google has vetted these advertisements or simply don’t notice that they aren’t organic search results, they’re taken to the doppelganger website.
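As an added defensive example (not code from the newsletter), the following Python heuristic flags hosts in proxy logs that imitate an allowlist of legitimate software sites, which is the detection angle on the lookalike-domain pattern described above. The allowlist, the confusable-character table and the log lines are all constructed for the demo, and the registrable-domain logic is deliberately crude.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist of legitimate software sites (assumption: maintained by the defender).
LEGIT_DOMAINS = ["7-zip.org", "gimp.org", "notepad-plus-plus.org", "obsproject.com"]
# Visually confusable substitutions seen in lookalike domains (heuristic, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
HOST_RE = re.compile(r"\bhost=(\S+)")

def registrable(domain: str) -> str:
    """Lower-case, drop 'www.', keep the last two labels (a real deployment would use the PSL)."""
    d = re.sub(r"^www\.", "", domain.lower())
    return ".".join(d.split(".")[-2:])

def lookalike_of(domain: str, threshold: float = 0.8):
    """Return the allowlisted domain that `domain` imitates, or None if legitimate or unrelated."""
    raw = registrable(domain)
    if raw in LEGIT_DOMAINS:              # the real site (or one of its subdomains)
        return None
    folded = raw
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    if folded in LEGIT_DOMAINS:           # differs only by confusable characters
        return folded
    name = folded.rsplit(".", 1)[0]
    for legit in LEGIT_DOMAINS:
        legit_name = legit.rsplit(".", 1)[0]
        if name == legit_name:            # same name, different TLD
            return legit
        if len(legit_name) >= 4 and legit_name in name:   # brand embedded, e.g. gimp-download
            return legit
        if SequenceMatcher(None, name, legit_name).ratio() >= threshold:
            return legit
    return None

def scan_log(text: str):
    """Return (observed_host, imitated_domain) pairs for an analyst to triage."""
    hits = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m and (legit := lookalike_of(m.group(1))):
            hits.append((m.group(1), legit))
    return hits

# Constructed proxy log lines; 'aclk' marks a click that arrived through a search ad.
CONSTRUCTED_LOG = """\
2023-01-27T10:12:01Z user=alice host=www.notepad-p1us-plus.org referer=google.com/aclk
2023-01-27T10:13:44Z user=bob host=download.gimp.org referer=google.com/search
2023-01-27T10:15:09Z user=carol host=obsproject.net referer=google.com/aclk
"""
```

Pairing the hits with an ad-click referer, as in the sample log, is what turns a fuzzy domain match into something worth an analyst's time.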

Rajeshwar Bachu / Unsplash

Analygence senior vulnerability analyst Will Dormann has been keeping a running list of malicious domains found by searching for popular software on Twitter. It’s one thing for a company to monopolize digital advertisements; it’s another thing for it to make the world’s most popular search engine a reliable vehicle for malware and malicious websites in the process.

Here are some of the other interesting stories of the week:

The Record: Russia has reportedly blocked access to the websites of the FBI, CIA and Rewards for Justice, a federal program intended to “generate useful information that protects Americans and furthers U.S. national security.” The U.S. program has notably dangled $10 million rewards in exchange for information about high-profile ransomware operators.

Google: Google’s Threat Analysis Group said it “disrupted over 50,000 instances of DRAGONBRIDGE activity across YouTube, Blogger and AdSense” throughout 2022. (Mandiant, which is now part of Google Cloud, described DRAGONBRIDGE in October 2022 as a pro-China influence campaign.) “Despite their scale and profuse content production, DRAGONBRIDGE achieved practically no organic engagement from real viewers,” Google said. “In 2022, the majority of DRAGONBRIDGE channels had 0 subscribers when Google disrupted them, and over 80% of DRAGONBRIDGE videos had fewer than 100 views.”

CyberScoop: ESET said on Jan. 27 that Sandworm, an advanced persistent threat group within Russia’s GRU military intelligence agency, deployed new wiper malware against an unidentified organization within Ukraine. (CyberScoop reported that the attack focused on a single target in Ukraine’s public sector.) Wiper malware has proven fairly common throughout Russia’s invasion of Ukraine, with the first examples of its deployment being spotted within weeks of the conflict’s start.

A message from Synack

Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn about a better way to pentest APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.

Flash memory

The most surprising talk at ShmooCon 2023 was “Textiles and Technology” by Amanda Draeger. That’s partly because I didn’t realize how much of an effect textiles — specifically the Jacquard machine that, as Wikipedia puts it, “made possible the automatic production of unlimited varieties of complex pattern weaving” — had on computing and partly because I underestimated the human impact of these changes.

A portrait of Jacquard made with one of his namesake machines. Michel Marie Carquillat (weaver), after Claude Bonnefond / Wikimedia

“Automate the right things,” Draeger said. “In figuring out how all this stuff needed to work for weaving that then trickled down to how computers work today, they focused on the tasks that suck for humans to do. The things that are hard, the things that are extremely error-prone, and figured out how to make them easy so [the craftsman] can get on with producing more.”

This had unforeseen consequences via the industrial revolution, which eventually prompted backlash from the Luddites, and prompted Draeger to note that “there is no such thing as unskilled labor… we can’t completely get rid of those ‘low-skill’ jobs because they’re important.” That’s worth remembering, especially as we continue through this iteration of the artificial intelligence boom and bust cycle.

Local files

WSJ: Spies are gonna spy — at least according to an interview with NSO Group CEO Yaron Shohat, who told the Wall Street Journal that the spyware company’s “products are in high demand” and that he “really believe[s] this kind of technology is necessary for any law-enforcement agency or intelligence agency” despite increasing scrutiny from global regulators, human rights activists and tech companies like Apple and WhatsApp, both of which have filed lawsuits against NSO Group for exploiting flaws in their products.

BleepingComputer: Yandex, which is essentially the Russian analog to Google, said on Jan. 26 that approximately 44.7GB worth of source code leaked online was published by a former employee rather than someone who’d gained access to its network. “We are conducting an internal investigation into the reasons for the release of source code fragments to the public,” the company told BleepingComputer, “but we do not see any threat to user data or platform performance.”

Off-script

Companies aren’t usually criticized for making their products too secure. Apple is now an exception, with Vice reporting that “perfectly good macbooks from 2020 are being sold for scrap because of activation lock,” which is a macOS feature that prevents anyone from accessing a device associated with a particular Apple ID without supplying the appropriate credentials even if it’s been wiped.

“Even if you erase your Mac remotely,” Apple said in a support article, “Activation Lock can continue to deter others from reactivating your Mac without your permission. All you need to do is keep Find My turned on and remember your Apple ID and password.” That’s great news for people whose devices are stolen, misplaced or otherwise compromised — it’s less great news for resellers.

Could this have some implications for the environmental impact of these devices? Sure. It’s frustrating to resellers, too, who resign themselves to breaking down locked Macs for parts. But it’s actually somewhat comforting to know that someone who steals a new MacBook is unlikely to break the bank. Otherwise there wouldn’t be any point in using Activation Lock, so what is there to complain about?

Giorgio Trovato / Unsplash

That’s all for this week — please send any tips or feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!