137 Days (Post ARIA Launch)

In a previous blog, I outlined an International threat actor responsible for multiple “criminal” attacks against our team at Shadowbyte, including defamation of our leadership team, DDoS attacks on our websites, and reaching out to our customers in an attempt to shut down the launch of our product, ARIA (Automated Risk Identification & Alerting Platform). This criminal and his associates are furious at our Founder, Vinny Troia, whose investigation into The Dark Overlord, Gnostic Players and ShinyHunters (all led by this same individual) has already provided enough detail to incarcerate one of their members.

In October 2020, Troia published the following report outing the criminal’s identity and detailing his criminal efforts. https://nightlion.com/blog/2020/the-dark-overlord-cyber-terrorist-investigation/

So, there’s that.

The FBI email server hack

We believe Chris Meunier, 22, of Calgary, Canada is responsible for many high-profile hacks including The Columbia Falls school district, Disney, Netflix, and, as of yesterday, the FBI via their LEEP mail server. He is also responsible for continuous smear campaigns targeting Vinny Troia, and yesterday’s breach is no exception. The email from eims@ic.fbi.gov that went out from the FBI server indicated a fake breach that named Troia as a member of The Dark Overlord group. (Posted below as it was sent, with all errors.)

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.”

Stay safe
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group

Having an International Cyber Criminal hate Vinny so much for successfully investigating a member of his organization, then outing him to the community, really reinforces that we must be doing something right.


In addition to those hacks listed above, the following governments and critical infrastructure organizations can also be linked directly to Meunier:

  • Elections.ca
  • G.S. Polymers
  • GSA.gov
  • GSMA Intelligence
  • H-E Parts Morgan
  • Royal Bank of Canada
  • Turkish National Police
  • Cox Communications

Our research has also found that about 40 percent of all non-credit card data breaches, globally, can be attributed to The Dark Overlord, Gnostic Players and ShinyHunters under Meunier’s guidance.

Why hasn’t he been arrested?

This is where the story gets interesting.

The laws regarding arresting or detaining a cyber criminal in Canada swing heavily in favor of the criminal. Though we have spoken at length with Calgary police about Meunier, their rules for cybercrime are much stricter and they won’t arrest or detain him unless there “is a smoking gun that shows he specifically committed a crime from his house in Calgary.”

While it is expected for Nations and Jurisdictions to have varying law enforcement processes, when we are talking about cyber criminals, they have no jurisdiction. In fact, cyber criminals are becoming very familiar with which countries are most protective of them when it comes to extradition. Canada, a strong ally of the US in every respect, is one of many.

Nations Harboring Cyber Criminals

Over the last few months, Shadowbyte has worked closely with Congressman Luis (Lou) Correa from California’s 46th District (House Committee on Homeland Security, Congressional Cybersecurity Caucus) to push for better Extradition policies and laws to address this issue. In a statement released today from Congressman Correa, he had this to say:

“Friday’s breach of the DHS/FBI LEEP email server is the latest in a long string of data breaches which evidence indicates can be attributed to one individual operating in Calgary, Canada. Unfortunately, Canadian cyber security and privacy law have made it difficult to arrest this individual, and extradite him once apprehended,” said Rep. Correa.

“Since July of this year, I have been receiving research and intelligence from the leadership team at Shadowbyte, a Threat Intelligence Company investigating the hacker,” he added. “In reviewing the details of their investigation and evidence, it is clear that we (US) must do better in our coordination with other countries for extradition of cyber crime suspects. While recent efforts at curbing international Ransomware organizations have focused on extradition, this has been limited to Russia and China. Meanwhile, cyber criminals in other parts of the world, much closer to our own borders, seem to have carte blanche while they hide behind their country’s laws. My office will continue to push the importance of this on The Hill and to the White House.”


30 Nation Ransomware Event

The 30 Nation Ransomware event that took place at The White House recently brought forward many crucial elements for international cooperation and integrated efforts in taking down Ransomware organizations operating globally. We have even seen, as recently as October, countries like South Korea extraditing alleged Russian cyber criminals. Additionally, there are several international agreements which outline ways to coordinate extradition. For example, The Budapest Convention on Cybercrime gave recommendations and “guidelines” for such coordination. Specifically, Treaty 185 from the Convention shows countries who have signed, ratified, and enacted the “guidelines” which suggests that Nations are willing to do the work to bring cyber criminals to justice.

And yet, here we are. Cyber criminals can still hide in countries that are US allies and very close to home knowing they will not be held to task.

We must do better. Allowing cyber criminals to hide behind extradition loopholes only makes our work in defending the US more challenging.

As we continue to work with Congressman Correa and other policy makers to drive home the importance of International Cyber Criminal Extradition, we must also solidify agreements with our allies that provide crystal clear, actionable requirements. I am hopeful that the 30 Nation Ransomware Conference attendees can aid in providing that clarity.

The Tech Report

Later this week, Vinny will be publishing the full technical report on many of Meunier’s exploits. We will continue fighting this fight because it’s the right thing to do.

I still don’t like bullies.