Do Russian hackers have Spanish tax data?

Cybercrime

The Trinity gang claims, without evidence, that they have stolen data from the AEAT. Their purpose may be to demand a ransom or political destabilization


A hacker types on a computer

Getty Images/iStockphoto

The Trinity Ransomware Group, a cybercriminal gang specializing in ransomware (holding stolen or encrypted data hostage for a ransom), claims to have stolen 560 GB of data from the Spanish Tax Agency (AEAT). The group is well known in the cybercrime world: in October, the Health Sector Cybersecurity Coordination Center (HC3) of the United States government warned that it was targeting strategic facilities, and at least one hospital in that country had already fallen victim to its attacks.

The Agency does not confirm the attack and assures that it “has not detected any signs of possible encrypted devices or data leaks” and that it is “monitoring all its systems”, which are operating normally.

The hackers have published the alleged attack on their website, where they value the stolen data at 38 million dollars and give the Agency until December 31st to pay that price to recover the data.


Post by Trinity on its .onion (Tor) website announcing the attack on the AEAT

LV

However, this time the gang seems to have broken its own rules. Cybersecurity experts explain that Trinity usually encrypts data on its victims' systems and leaves a ransom note, set as the desktop background, explaining the hijacking: that personal data and databases have been extracted, and that a ransom must be paid in cryptocurrency in exchange for a key to decrypt the files. This note, the same sources point out, includes the URL of the gang's .onion website with instructions and a contact email address for negotiating the recovery. Trinity generally gives its victims a 24-hour deadline to make contact, warning that otherwise their data will be leaked or sold on the “dark web,” a black market used by cybercriminals who can exploit that data to extort the individuals listed in it.

In this case, according to Agency spokespersons, there are no encrypted files and no ransom note either. Some professionals in the sector therefore speculate that the compromised system may belong to a different Spanish tax authority, municipal or regional, or even to an institution with which the Agency shares data, such as regional administrations or the Judicial Neutral Point (Punto Neutro Judicial). However, AEAT spokespersons point out that they have found no signs of suspicious activity in those indirect access channels.

The American government confirms 7 successful attacks

According to the American federal agency HC3, as of October, 7 victims of Trinity had been confirmed, two of them healthcare facilities, one in the United States and the other in Britain.

The gang started operating in May, and some cybercrime experts link its origins to the dismantling of LockBit, a ransomware gang that attacked 2,500 companies in 120 countries until it was taken down last February in an operation led by Europol. The United Kingdom's National Crime Agency (NCA) identified its leader as the Russian Dmitry Khoroshev, and in October the Civil Guard reported that it had detained at Barajas airport the administrator of the Internet service provider the gang was using, a Belarusian citizen whose name was not disclosed. Khoroshev remains at large, with a $10 million reward offered by the U.S. Department of Justice for information leading to his arrest.

“After the dismantling of their operations in Operation Cronos, some members of LockBit continued their activities under different identities and ransomware variants,” explain cybercrime experts. However, they warn that “there is no clear evidence directly linking” the two groups.

Both operate in the same way, which experts call “ransomware-as-a-service (RaaS)”: they rent out the malicious code they develop to other hackers, called “affiliates”, who use it to carry out their own attacks. Both also employ double extortion: in addition to demanding a ransom for decrypting the victim's data, they sell the copy they exfiltrated to other cybercriminals.

A mine for phishing campaigns

If the gang had actually accessed data from the Tax Agency (AEAT) and the organization refused to pay a ransom, access to the tax data of hundreds of taxpayers would be very enticing bait for other cybercriminals specializing in “social engineering” campaigns: using the Agency's data to contact citizens while impersonating the Agency and informing them, for example, that they have been fined or that their authorization is needed to pay the second installment. “If a person receives an SMS with requests like these, containing their correct tax information, asking them to authorize the transaction via a link on a website that closely resembles the AEAT's, it's easy for them to convince their victim and succeed in extracting money,” explains a professional in the field.
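The lure described above depends on a link whose domain merely resembles the Agency's. The following is an added example, not code from the article or from the AEAT, of the kind of triage check a help desk or SOC could run over reported SMS text: it extracts URLs, reduces each host to its registered domain, and classifies it as legitimate, a lookalike (within a small edit distance of the real domain, or embedding an almost-identical copy of it as a subdomain), or unrelated. The legitimate domain `agenciatributaria.gob.es`, the sample messages and the distance threshold are all assumptions made for the example; the check goes beyond the single case in the text by covering hyphen substitutions, one-letter typos and prefix-embedded copies of the real name.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the real AEAT domain is not named in the
# article, so this allowlist is a placeholder a deployment would confirm.
LEGITIMATE_DOMAINS = {"agenciatributaria.gob.es"}

# Constructed sample SMS texts (not real traffic). The first is benign, the
# second swaps a dot for a hyphen, the third embeds a one-letter typo of the
# real name as a subdomain of an unrelated registered domain.
SAMPLE_MESSAGES = [
    "AEAT: tiene una sancion pendiente. Autorice el pago en "
    "https://sede.agenciatributaria.gob.es/pago",
    "AEAT: autorice el segundo plazo en https://agenciatributaria-gob.es/plazo",
    "Hacienda: reembolso disponible "
    "https://agenciatrlbutaria.gob.es.pagos-seguros.com/x",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_EDIT_DISTANCE = 2  # assumed threshold for 'almost the same name'


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registered-domain extraction: last two labels, or last three when
    the second-level label is a generic one under a country code (gob.es,
    co.uk, ...). A production tool would use the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    generic_second_level = {"gob", "gov", "com", "co", "org"}
    if len(parts) >= 3 and parts[-2] in generic_second_level and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a link hostname."""
    reg = registered_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    labels = host.lower().rstrip(".").split(".")
    for legit in LEGITIMATE_DOMAINS:
        n = len(legit.split("."))
        # Candidates: the registered domain itself, plus every run of n
        # consecutive labels (catches the real name hidden as a subdomain).
        candidates = [reg] + [".".join(labels[i:i + n]) for i in range(len(labels) - n + 1)]
        if any(levenshtein(c, legit) <= MAX_EDIT_DISTANCE for c in candidates):
            return "lookalike"
    return "unrelated"


def scan_message(text: str) -> list:
    """Extract every URL from a message and pair it with its verdict."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:10s} {url}")
```

Treat "lookalike" as a high-confidence phishing indicator and "unrelated" as suspicious for any message that claims to come from the Agency, since a real notification would not link elsewhere; the edit-distance heuristic deliberately errs toward flagging, and an allowlist check on the registered domain remains the authoritative test.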

Experts in cybercrime also do not rule out that Trinity's attack may have political objectives, not just economic ones. Tom Burt, Microsoft's Vice President of Customer Security and Trust, recently warned that “we are observing a trend towards the combination of state and cybercriminal activities,” with some states hiring hackers as “private cyber mercenaries” to politically destabilize other states or influence elections, as Russia, China, and Iran have done in the United States elections.

ENISA, the EU Agency for Cybersecurity, also warned yesterday in its annual report that “as geopolitical and economic tensions increase, cyber warfare intensifies and campaigns of espionage, sabotage, and disinformation become key tools for some countries to manipulate events and gain a strategic advantage.” A cyberattack that allowed the tax data of political, business, or union leaders to be disseminated could therefore fit the objectives of these networks.

In some cases, these groups announce attacks that ultimately prove to be false. LockBit itself did so in May, when it claimed to have stolen 33 TB of data from the Federal Reserve, the central bank of the United States, a claim that was later shown to be false. “Attackers often leak some of the obtained data to prove that their attack has indeed been successful and to put more pressure on the victim. They did not do it this time. Just as Trinity has not done in this case either,” they point out. Confirmation of whether the attack is real will therefore have to wait until December 31st.
