Professor
HACKER GROUPS.
Learn all about the most famous hacker groups that changed the digital world! In this episode we cover APT28 (Fancy Bear), Conti, Lazarus Group, Lizard Squad and Anonymous: their most notable attacks, their methods and their influence on world politics. You will hear about high-profile incidents such as WannaCry and the attacks on PlayStation Network, and about cyber operations involving entire countries. Want to understand how hackers become key players in global conflicts?
Contents:
Introduction: The most dangerous hacker groups in the world
Find out why hackers play a key role in modern digital conflicts.
#5: Anonymous - Cyberattacks and the fight for free speech
The main operations of Anonymous: from WikiLeaks to the attack on Sony.
How Anonymous inspired protest movements.
Confrontation with the Church of Scientology.
The story of how Anonymous exposed a cult and became a legend.
#4: Lizard Squad — Chaos in the Gaming World
Hacking PlayStation Network and Xbox Live.
The airplane bomb threat and how it affected the group's reputation.
#3: Lazarus Group — North Korean Cyberwars
Cyberattack on Sony Pictures: revenge for the film “The Interview”.
WannaCry, the largest ransomware attack in history.
The theft of $81 million from Bangladesh Bank.
How hackers deceived the SWIFT banking system and caused a global crisis of trust.
#2: Conti — A ransomware group with global influence
Attack on the Irish healthcare system: millions of patients at risk.
The group's internal leak: how the exposure changed the world of cybercrime.
#1: APT28 (Fancy Bear) — Cyberspies from Russia
Hacking the US Democratic Party: how hackers interfered with the 2016 elections.
Attacks on NATO and the energy sector of Ukraine: the geopolitical aspect of the attacks.
Introduction: The World's Most Dangerous Hacker Groups
Today I will tell you about five of the most dangerous hacker groups that have shocked the world with their actions. Some of them are behind the largest data leaks, some have paralyzed entire cities.
Anonymous - Cyberattacks and the fight for freedom of speech
Anonymous is a community of hacktivists that does not have a clear leadership structure or a single organization. Their distinctive feature is the use of Guy Fawkes masks from the movie "V for Vendetta", symbolizing resistance to authoritarianism and the fight for freedom.
The group has become famous for its attacks against corporations, governments, and organizations that they believe act unfairly. The main motive of Anonymous is the protection of human rights and freedom of speech. Anonymous appeared in the mid-2000s as a phenomenon associated with the popular forum 4chan. On this site, users anonymously posted content. At first, their actions were more like Internet pranks, memes, jokes, and mass raids on websites.
However, over time, Anonymous began to use their skills for more serious purposes. In 2008, Anonymous focused on the Church of Scientology, a religious organization known for its controversial methods of operation and strict confidentiality. The conflict began after a video of Tom Cruise, a famous Scientologist, was leaked online, in which he described the religion.
The Church attempted to remove the video from the Internet, citing copyright infringement, which caused a storm of indignation. Anonymous saw this as an act of censorship and an attempt to suppress free speech. For a group founded on the principles of openness and freedom of information, this was a challenge. Anonymous began by organizing large-scale distributed denial-of-service (DDoS) attacks on the official websites of the Church of Scientology, overwhelming them with requests.
The sites remained unavailable for several days at a time. Anonymous sent thousands of blank black pages to the fax machines of Scientology centers to exhaust their ink. They called the centers, bombarded the staff with ridiculous questions and trolled them. The group released a video threatening the Church of Scientology, stating that they would destroy the organization for its actions.
This video went viral and attracted media attention. In February 2008, Anonymous organized mass protests outside Church of Scientology buildings in different countries. Participants wore Guy Fawkes masks to hide their faces and show solidarity with the other protesters. The protests were peaceful, and the participants held signs with slogans condemning censorship and the methods of the church. Project Chanology was the first major Anonymous operation to attract international media attention.
The group emerged from the shadows of internet forums and became a visible player in the political and social arena. The Church of Scientology's attempts to suppress the video backfired: the public learned more about the controversial aspects of its activities. Initially, the campaign against Scientology began as a joke "for the lulz", but gradually turned into a serious movement. In 2010, WikiLeaks became the center of controversy after publishing classified US materials. These leaks contained hundreds of thousands of diplomatic cables revealing the actions of the US government and military in various countries.
After this publication, pressure began to be put on WikiLeaks: financial companies and payment services refused to process donations for the platform, cutting off its funding. Anonymous considered the actions of the financial giants an attack on freedom of speech and an attempt to suppress the truth. This was unacceptable for the group, and they decided to respond with their own methods: cyberattacks and an information campaign.
The main targets of Anonymous were the websites of the companies that refused to work with WikiLeaks: PayPal, MasterCard, Visa, and the Swiss bank PostFinance, which had closed Assange's personal account. Anonymous used DDoS attacks to paralyze these companies' websites. PayPal and MasterCard servers stopped responding to requests, so customers could not complete transactions. The DDoS attack on Visa was so powerful that the company's website was down for several hours.
Anonymous coordinated their attacks through chats, providing instructions to participants on how to connect to the botnet and direct traffic to the servers. Anonymous helped spread Wikileaks mirrors so that users could access the leaks despite blocking attempts. They launched hashtags and organized an information campaign on Twitter, YouTube and other social networks.
Operation Payback received wide coverage in the international media. Wikileaks became even more famous, and the publications attracted millions of users. According to information at the time, the attacks caused significant financial damage to PayPal and Mastercard, since the temporary shutdown of their sites meant the loss of thousands of transactions. PayPal admitted that their blocking of donations to Wikileaks was politically motivated. This confirmed Anonymous' suspicions and strengthened their reputation as freedom fighters.
In 2011, Anonymous carried out one of its most famous campaigns: an attack on Sony related to the controversy around the jailbreaking of the PlayStation 3. The events that followed led to the largest shutdown of the PlayStation Network up to that time, caused mass outrage among users and did huge damage to Sony's reputation. Why did Anonymous attack Sony? In early 2011, a well-known hacker named George Hotz (Geohot) published PlayStation 3 signing keys that allowed unofficial software, including pirated games, to be run on the console.
Sony responded harshly, suing Geohot and other hackers for copyright infringement and circumvention of the console's protections. Anonymous believed that PS3 owners had the right to modify devices they had paid for. In April 2011, Anonymous announced an operation against Sony (OpSony).
The group began by attacking Sony websites, including Sony.com and PlayStation.com. The PlayStation Network (PSN), a service with millions of active users, was a primary target. In mid-April 2011, the PlayStation Network suddenly went down. Users were unable to connect to servers, play games, download content, or make purchases. On April 20, Sony officially shut down PSN to prevent further attacks.
The network was down for 23 days. It was the largest outage of its kind in history at the time. Sony later admitted that the personal data of 77 million users, including names, addresses, emails, and possibly credit card information, had been stolen during the intrusion. This caused panic among users and led to investigations in several countries. Following the shutdown of PSN, Anonymous released a statement denying any involvement in the data breach.
They claimed that their goal was solely to protest against Sony, not to steal information. Some experts suggest that the real culprits of the data theft could have been another group of hackers who took advantage of the chaos created by Anonymous. Sony estimated the damage from the attack at $171 million. These costs included compensation for users, restoration of infrastructure and legal costs.
The company's reputation was greatly damaged, millions of users lost access to their content and games. Sony was fined in Europe for inadequate protection of user data. In 2015, after the tragic terrorist attacks in Paris, the hacker group Anonymous declared a cyberwar against the Islamic State - ISIS. This was one of the most ambitious and large-scale actions of Anonymous aimed at combating terrorism in the digital space.
On November 13, 2015, a series of terrorist attacks organized by ISIS took place in Paris, in which 130 people were killed. These events shocked the world, causing a wave of indignation and fear. Anonymous responded in a video message: "Anonymous will hunt you down; we will eliminate you from the Internet." The goals of the operation were to take down accounts, pages and websites used for recruitment and the dissemination of extremist ideology, to identify individuals associated with ISIS and pass their data to intelligence agencies, and to disrupt funding channels and donations to terrorist organizations.
Anonymous actively attacked ISIS accounts on Twitter, Facebook and other social networks. By November 2015, the group said it had disabled more than 20,000 Twitter accounts associated with ISIS. They handed over lists of such accounts to intelligence agencies.
Anonymous attacked websites used by ISIS for recruitment, propaganda, and coordination. The group attempted to hack ISIS-related e-wallets and funding channels. Although there was no direct success in this area, the efforts drew attention to the issue of terrorist financing. This was the first time that a hacker group declared war on a terrorist organization. Twitter accused Anonymous of acting erratically.
Sometimes, they blocked the accounts of innocent people mistaken for ISIS supporters. What was the result of the operation? Thousands of accounts and websites were destroyed or blocked. The terrorists’ online propaganda activity was temporarily slowed down. Anonymous subsequently focused its efforts on Telegram. They found ISIS channels and passed the data to the platform’s administrators. Some intelligence agencies said that Anonymous’ actions hindered their investigations, as the destruction of accounts made it difficult to track the terrorists.
Lizard Squad — Chaos in the Gaming World
Lizard Squad is one of the most famous and controversial hacker groups, known for their brazen attacks, provocative behavior, and creating chaos on the Internet. Unlike other hacker groups, such as Anonymous, they rarely hid behind lofty ideals, acting more out of a desire to gain attention, humiliate those they attacked, or just have fun.
The first mention of Lizard Squad appeared in mid-2014. At first, they attacked online game servers such as Minecraft and streaming platforms. They used Twitter and other social networks to announce their attacks, which attracted the attention of the media and the public. The name Lizard Squad alludes to the hooligan style and chaos they created. The group did not have a single leader, which is typical for many modern hacker organizations.
The members coordinated their actions through closed forums, chat groups, and encrypted channels. Lizard Squad used Twitter as a primary channel for announcements and ridicule, posting lists of their victims and announcing upcoming attacks. For example, after an attack on Xbox Live, they posted the message “Xbox Live is down, enjoy your offline Christmas.”
The group often entered into open conflicts with other hacker groups, such as Anonymous, whom they accused of hypocrisy and unnecessary morality. These conflicts sometimes escalated into full-fledged cyberwars with attacks on each other. One of the group’s goals was to monetize their actions. They created Lizard Stressor, a DDoS attack tool that they sold to other hackers. Lizard Squad did not hide their actions and often bragged about their successes.
They boldly challenged major companies, claiming that these companies were powerless to stop them. Unlike hackers focused on espionage or data theft, Lizard Squad acted for its own sake. Instead of making serious statements, the group posted memes, jokes, and provocations. Despite their anonymity, several members of Lizard Squad were eventually identified. In 2015, authorities in the United States, Great Britain, and Finland carried out a series of arrests.
Following the arrests and pressure from the authorities, Lizard Squad's activity declined sharply. Some former members moved to other groups or stopped hacking. By the end of 2014, Sony's PlayStation Network and Microsoft's Xbox Live were the largest gaming services, with tens of millions of active users. An attack on them guaranteed media and public attention. In mid-December 2014, Lizard Squad began conducting DDoS attacks on PlayStation Network and Xbox Live servers.
Within the first few hours of the attacks, millions of users began complaining about being unable to connect to their accounts and games. The attacks peaked on Christmas Eve. Lizard Squad deliberately chose this time, knowing that thousands of new consoles would be unpacked and activated that day. Families who had expected to spend the holidays playing together were faced with a complete outage.
PlayStation Network remained unavailable for over 24 hours. Although Microsoft was quicker to restore service, some users complained about the outage for several days. Lizard Squad used botnets to generate huge amounts of traffic, overloading the servers. To amplify the attacks, they enlisted vulnerable devices such as home routers and IoT devices. Experts estimate that the volume of traffic directed at Sony and Microsoft servers reached hundreds of gigabits per second, making the attack one of the most powerful up to that date.
Millions of gamers expressed their disappointment on social media, accusing Sony and Microsoft of failing to prevent the attack. Following the attack, demand for DDoS tools like Lizard Stressor increased significantly. One of the most controversial and well-known incidents associated with the Lizard Squad was the fake threat to blow up an airplane in August 2014.
The incident attracted the attention of media and authorities around the world and became an example of how cyberbullies can use the internet to cause chaos in the real world. Lizard Squad targeted John Smedley, then president of Sony Online Entertainment. At the time, Smedley was in charge of developing and supporting popular games including EverQuest and PlanetSide. Lizard Squad decided to attack his reputation by violating not only his digital but also his physical security.
On August 24, the Lizard Squad tweeted, “American Airlines Flight 362 has explosives on board. We are targeting it.” After receiving the threat, American Airlines took immediate action. The plane was urgently diverted to Phoenix, Arizona, for evacuation. Passengers, including Smedley, were forced to wait while security officers inspected the plane and their luggage.
After a thorough inspection, it was determined that the reports were false and there were no explosives on board. However, the threat caused significant delays and disruption to air travel. The group wanted to show how easy it is to cripple an airline with a simple online threat. The Lizard Squad was looking for opportunities for maximum media exposure, and the attack on the plane became their calling card. Smedley condemned the Lizard Squad’s actions, calling them terrorists and cynical hooligans.
In January 2015, Lizard Squad defaced the Malaysia Airlines website. The homepage of the website read "404 - Plane Not Found", a clear reference to the disappearance of flight MH370. The attack caused an uproar, as it was perceived as an insult to the memory of the victims of the disaster.
Lazarus Group - North Korean Cyberwarfare
Lazarus Group, one of the most famous hacker organizations, is more than just a group of cybercriminals.
Its activities, according to analysts, are closely linked to the state interests of North Korea. The group is considered the country's tool for conducting financial, espionage, and destructive operations in cyberspace. Lazarus Group is linked to Bureau 121, a cyber unit within the Reconnaissance General Bureau, North Korea's main intelligence agency.
Bureau 121 was founded in the late 1990s and initially trained specialists in cyber warfare; Lazarus Group is considered its operational wing, responsible for attacks outside North Korea. The first confirmed traces of Lazarus Group activity appeared in 2007. Early attacks targeted South Korean government and financial institutions, which indicates the geopolitical focus of their operations.
Lazarus Group operates under the strict control of the North Korean government, with two main goals: financial support for the regime (making money by hacking banks, cryptocurrency exchanges and corporate networks) and geopolitical espionage (collecting data and undermining trust in the systems of North Korea's adversaries). Analysts divide Lazarus Group into three main sub-groups by specialization:
one focused on attacks inside South Korea, specializing in espionage, data collection, and creating chaos; a financial division that steals money by attacking banks, cryptocurrency exchanges, and financial platforms; and a division that carries out large-scale financial operations with an espionage component, known for attacks on international financial systems, including the SWIFT network.
North Korea has specialized educational institutions, such as Kim Il-sung University and the University of Automation (Mirim College), that train world-class hackers. Students who demonstrate outstanding abilities are sent to study abroad, particularly in China and Russia, and after completing their studies they join Bureau 121. According to defectors, these hackers live in relatively comfortable conditions compared to the rest of the North Korean population, have access to the Internet, and are often stationed abroad to get around resource restrictions.
North Korea is under strict international sanctions that limit its access to foreign exchange reserves and technology. Lazarus Group has become a kind of financial weapon, capable of bypassing sanctions and providing an influx of funds into the state budget. Lazarus Group is known for its complex, multi-stage attacks.
The initial stage involves phishing and installing malware. Next comes the exploration of the victim’s infrastructure and the withdrawal of funds, all traces are erased to make it more difficult to investigate. The group constantly improves its methods, introducing new tools and strategies. The group is known for sometimes blackmailing companies, demanding a ransom in exchange for not distributing stolen data. Lazarus Group often creates fake companies or applications to carry out attacks.
For example, they created a cryptocurrency trading app infected with malware. Thanks to the support of the North Korean government, it is almost impossible to detect and detain members of the Lazarus Group. The attack on Sony Pictures in 2014 was one of the most high-profile in history. This operation demonstrated how cybercrime can be used as a political weapon.
Sony was preparing to release The Interview, a satirical comedy in which the main characters are tasked by the CIA with killing North Korean leader Kim Jong-un. North Korea's Foreign Ministry warned the United States that the film's release would face severe consequences. That statement was later connected to the attack, which hit the studio weeks before the scheduled premiere. In November 2014, the hackers infiltrated Sony Pictures' network, deploying wiper malware known as Destover that destroyed data on the company's internal servers after it had been exfiltrated.
The hackers leaked confidential employee data, including salaries and personal correspondence, unreleased Sony Pictures films, scripts for future projects, company development plans, and other corporate documents. They also threatened attacks on movie theaters that would show The Interview. This led major theater chains to refuse to show the film, and Sony cancelled the wide release.
The damage from the data leak and restoration work is estimated at $15-20 million. The company had to completely rebuild its security system. The leak of internal correspondence caused scandals related to sexism, racism, and bias in Hollywood. Some high-ranking Sony employees, including one of the executives, resigned. Sony released the film in a limited release in theaters and on streaming platforms, including YouTube.
President Barack Obama condemned Sony for its decision to cancel the release of the film. The United States imposed additional sanctions on North Korea, accusing it of involvement in the attack. The FBI officially accused North Korea of organizing the attack. The evidence included IP addresses linked to North Korea, and malware similar to that used in previous attacks linked to the Lazarus Group.
One of the most brazen cyber attacks in history occurred in February 2016, when the Lazarus Group stole $81 million from Bangladesh's central bank by compromising the bank's connection to the international SWIFT messaging network. Bangladesh Bank keeps part of its foreign exchange reserves at the Federal Reserve Bank of New York, and these reserves are used to conduct international transactions through SWIFT. The Lazarus Group chose Bangladesh Bank because of weaknesses in its security.
The hackers broke into the central bank's internal network through phishing emails sent to an employee. They spent several months studying the bank's network and its SWIFT setup. The hackers then forged 35 payment requests totaling about $1 billion from the bank's reserves, and used malware to tamper with the SWIFT transaction records and hinder the investigation.
Of the 35 requests, only 5 transactions totaling $101 million went through. $20 million was sent to Sri Lanka but was recovered because of an error in the paperwork. $81 million ended up in bank accounts in the Philippines, from where it was withdrawn through casinos, making it virtually impossible to trace. Using casinos was a smart move: at the time, Philippine anti-money-laundering law did not cover casinos.
Bangladesh Bank discovered the problem a few days later when it tried to conduct a routine transaction and found it could not access the SWIFT system. An investigation revealed that the SWIFT logs had been deleted and the system compromised. One of the transfer requests was addressed to the "Shalika Foundation", with "Foundation" misspelled as "Fandation", which raised suspicions at Deutsche Bank, the routing bank reviewing the transaction.
The FBI, Interpol, and cybersecurity experts joined the investigation. The FBI quickly linked the attack to the Lazarus Group, noting similarities in the malware. About $81 million was laundered through the Philippine casinos; had all the transfer requests gone through, the theft would have reached $1 billion. The WannaCry ransomware attack in May 2017 was one of the largest cyberattacks in history, affecting more than 200,000 devices in 150 countries in just a few days.
The attack has been attributed to the Lazarus Group. WannaCry is ransomware that exploited a vulnerability in the SMB protocol of the Windows operating system. The malware infiltrated networks, encrypted users' files, and displayed ransom messages. Decryption required payment in Bitcoin, typically between $300 and $600.
The attack began on May 12, 2017, and spread with incredible speed: WannaCry used a worm mechanism to infect other reachable devices without any user action. It hit devices in many sectors: hospitals, transport systems, banks, energy companies. WannaCry disabled computers in hundreds of hospitals, leading to canceled surgeries, department closures, and delays in treating patients.
Doctors were forced to use paper records. French carmaker Renault halted production at several plants to prevent the worm from spreading. In Germany, WannaCry disrupted railway systems, with train information displays showing the ransom message. The total damage from the attack is estimated at $4.8 billion. Microsoft had released a patch for the vulnerability (MS17-010) in March 2017, two months before the attack.
However, many organizations did not install the update, which allowed the virus to spread. Despite the scale of the attack, the hackers collected a relatively small amount. Many victims refused to pay the ransom. In recent years, the Lazarus Group has stepped up attacks on cryptocurrency exchanges and platforms. Using sophisticated phishing techniques, malware, and system hacks, the group stole digital assets worth millions of dollars, making crypto exchanges one of its main targets.
The South Korean exchange Bithumb has been a victim of Lazarus Group several times. In 2017, hackers stole the data of 30,000 users and about $7 million. A year later, Lazarus stole more than $30 million from the same exchange. In 2018, the Japanese exchange Coincheck was attacked, resulting in the theft of $534 million.
Lazarus Group used infected emails to get into the exchange's network. It was one of the largest crypto thefts in history. In 2020, Lazarus Group attacked the Singapore-based exchange KuCoin, and $281 million was stolen. Some of the stolen funds were recovered thanks to transaction tracing with blockchain analytics platforms. Lazarus Group has stolen more than $1.7 billion in cryptocurrency in recent years.
This has become a significant source of income for North Korea.
Conti — A Ransomware Group with Global Influence
Conti is a hacker group specializing in ransomware attacks. It became one of the most successful cybercriminal operations of our time, with a scale that is astounding in its efficiency and destructiveness. Its origins, structure, and tactics explain why this particular group became so influential. Conti emerged in 2020, but its roots go back to earlier operations such as Ryuk and TrickBot.
Ryuk was ransomware known for successful attacks on corporations and government agencies. TrickBot is a botnet that distributed malware and provided initial access to infected systems. Most experts agree that Conti is made up of Russian-speaking hackers. This is supported by the language its members use and by the malware itself, which checks the system language and avoids encrypting systems with Russian installed.
Conti emerged amid the rise in the popularity of ransomware. The huge ransoms paid by victims made this niche particularly lucrative. The group operates as a full-fledged corporation with roles. Developers are responsible for creating and updating malware. Operators are responsible for implanting programs into target systems. Negotiators are involved in communicating with victims, negotiating the ransom. Data analysts process the stolen information, finding the most valuable data for blackmail.
Conti provided its tools to other hackers for a percentage of the ransom. This affiliate model allowed the group to scale operations and spread its influence. In 2022, a leak of internal Conti documents published by an insider revealed their corporate approach. Salaries ranged from $1,500 to $2,000 per month for ordinary members.
Top management received tens and hundreds of thousands of dollars. Conti selects victims based on their financial solvency and level of cybersecurity. The main targets are government agencies, healthcare, and large corporations. Conti claimed that they would not attack hospitals or schools, but as their actions showed, this rule was violated. The group had its own blog on the Dark Web, where they published stolen data and threats, increasing the pressure on victims.
They used a combination of sophisticated tools, carefully planned methods, and unique tactics to seize and monetize access to corporate and government systems. Conti's software has become the group's calling card. Conti can encrypt data faster than most competitors by using multiple data processing threads in parallel. In addition to encryption, Conti steals the victim's data.
If the company refuses to pay, the hackers threaten to publish the stolen data on their Dark Web blog. This double-extortion tactic makes refusing to pay extremely risky for companies, especially if the leak could affect their reputation or lead to litigation. Once in the network, Conti uses privilege escalation tools to gain administrative access to systems. Conti then spreads its malware within the corporate network by attacking additional devices.
This is done to increase the scale of the attack and capture critical data. Once reconnaissance is complete, the hackers encrypt the data and destroy backups to force the victim to pay, Conti deletes and modifies system logs to make the investigation more difficult. The Conti group is known for its aggressive tactics. If negotiations drag on, they begin to publish data to speed up the payment process.
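The pre-encryption steps described above (destroying backups, then deleting or altering logs) leave a recognizable trail in process-creation telemetry. The following is an added example, not Conti's code and not a tool from the original page: it scans constructed Sysmon/4688-style log lines for that behaviour. The command patterns it matches (vssadmin, wbadmin, bcdedit, wevtutil, Clear-EventLog) are assumed typical ways of doing this on Windows, not indicators taken from the page, and the host names and timestamps are made up.

```python
"""Flag backup-destruction and log-clearing commands in process-creation logs.

Added example (not the page's or the group's code). The RULES below are
assumptions about how backups are typically destroyed and logs cleared
on Windows; the log lines are constructed for the example.
"""
import re
from dataclasses import dataclass

RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadow_copy_deletion": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+", re.I),
    "ps_event_log_cleared": re.compile(r"Clear-EventLog", re.I),
}

@dataclass
class Finding:
    host: str
    rule: str
    command: str

# Constructed sample log: one server showing the full pre-encryption sequence,
# one workstation with benign activity ("vssadmin list shadows" must NOT fire).
SAMPLE_LOG = """\
2021-03-02T03:12:44Z host=SRV01 user=svc_backup cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"
2021-03-02T03:12:45Z host=SRV01 user=svc_backup cmd="wbadmin delete catalog -quiet"
2021-03-02T03:12:47Z host=SRV01 user=svc_backup cmd="bcdedit /set {default} recoveryenabled no"
2021-03-02T03:13:01Z host=SRV01 user=svc_backup cmd="wevtutil cl Security"
2021-03-02T03:13:02Z host=SRV01 user=svc_backup cmd="powershell -c Clear-EventLog -LogName System"
2021-03-02T08:00:13Z host=WS042 user=jdoe cmd="vssadmin list shadows"
2021-03-02T08:01:50Z host=WS042 user=jdoe cmd="notepad.exe report.txt"
"""

# Assumed log layout: key=value fields with the command line quoted at the end.
LINE_RE = re.compile(r'host=(?P<host>\S+)\s+user=\S+\s+cmd="(?P<cmd>.*)"$')

def scan(log_text):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        cmd = m.group("cmd")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(m.group("host"), name, cmd))
    return findings

def hosts_with_pre_encryption_signs(findings, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired.

    A single rule can be an admin cleaning up; several different ones in
    a short window is the backup-destruction + log-clearing pattern.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host:6} {f.rule:28} {f.command}")
    print("hosts to isolate:", hosts_with_pre_encryption_signs(hits))
```

The threshold is deliberate: a lone `vssadmin delete shadows` is a common false positive from backup software, while several of these commands within minutes from one host and one account is the point at which to isolate the machine, since encryption usually follows immediately.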
The attack on the Irish health system in 2021, carried out by the Conti group, was one of the largest and most destructive cyber attacks in the history of healthcare. It caused chaos in the national health system, paralyzed hospitals, delayed operations and put the lives of thousands of patients at risk. This attack was an example of how cybercrime can directly affect the health and safety of people.
Conti planted its ransomware in the network of Ireland's Health Service Executive (HSE). Initial access was gained through a phishing attack targeting an employee. The infected workstation gave the hackers a foothold in the internal network. They then used tools such as Cobalt Strike for lateral movement and gained access to servers holding patient data, financial documents, and other critical information.
The ransomware encrypted key systems, making them inaccessible to employees. The hackers left messages demanding a ransom of $20 million. More than 80% of IT systems were disabled, causing widespread disruption. Patients could not access their medical records. Surgeries and consultations were cancelled. Cancer patients requiring urgent treatment were unable to receive medical care in time.
Emergency services were operated manually. The hackers claimed to have accessed sensitive patient information, including medical records, addresses, and financial information. Despite promising not to publish the data, fears of a leak caused public concern. Conti provided a free tool to decrypt the data a few days after the attack. This may be due to global condemnation of their actions and pressure from law enforcement.
However, restoring the system proved slow and expensive due to the scale of the destruction. The Irish government took a firm stand and refused to pay the hackers. Restoring all systems cost Ireland more than €100 million. Conti released a statement trying to justify their actions, stating that they did not want to harm people. This attack caused a stir in society and even among hacker communities, which forced Conti to reconsider their actions.
As a result, the Conti group fell victim to internal leaks that significantly affected its activities. These leaks not only shed light on the group's internal processes, but also gave cybersecurity experts a unique chance to study the methods of one of the most powerful cybercriminal groups of our time. In February 2022, in the early days of the war between Russia and Ukraine, the Conti group publicly declared its support for the Russian side.
This statement caused a sharp response in hacker circles and led to a leak of their internal data. An anonymous insider, allegedly associated with Ukraine, published a significant amount of Conti's internal information: malware source code, internal chats, manuals and correspondence, and financial reports, including ransom data. More than 170 thousand messages from internal chats became available in the public domain.
The leak showed that the group earned millions of dollars from ransoms. A significant portion of the income was spent on developing new tools, paying for infrastructure, and bribing potential insiders in companies. Chats revealed information about conflicts between participants. For example, developers complained about salary delays.
Among the interesting facts from the leak: the group carefully tested its software before attacks, and one of its tools was a custom encryptor designed to evade modern antivirus products.
Some members of the group discussed political topics and expressed support for certain countries, which created internal conflicts. The leak dealt a serious blow to the group’s reputation and security. Law enforcement agencies received a lot of useful data for the investigation. Many victims, having seen the exposure, refused to pay the ransom, realizing that the group was vulnerable.
APT28 (Fancy Bear) - Cyber Spies from Russia
The group is considered one of the longest-standing and most experienced in cyberspace. Experts associate APT28 with the Main Intelligence Directorate of Russia. This attribution is based on the analysis of their activities, attack targets, and the nature of their work: the group's active hours coincide with the working day in the Moscow time zone, their tools and methods are typical of special services, and their attacks focus on geopolitical targets such as NATO, the European Union, and political parties in Western countries. APT28 is focused on state cyber espionage and interference in international affairs.
Their tasks include intelligence gathering, discrediting opponents, interfering in political processes, and military intelligence. APT28 is a highly organized group with a clear division of roles. Software developers are responsible for creating malware, operators carry out attacks, manage command and control servers, and interact with victims through phishing campaigns or vulnerable systems. Intelligence analysts process the collected data to make it useful for further operations.
For example, they systematize documents stolen from political party servers. APT28 operates in conditions of strict secrecy. Group members rarely have full information about the scale of an operation. The decentralized approach minimizes the risk of information leakage if one of the participants is caught. APT28 is known for its patience.
They can remain in the victim's system for years, quietly collecting data. The emergence of APT28 is associated with the strengthening of the role of cyber intelligence in the strategy of Russian special services in the early 2000s. Unlike APT29 (Cozy Bear), which is also associated with Russia, APT28 is more focused on political interference than espionage. APT28 is known for its strategic long-term vision. Some of its operations, such as the NATO hacks, began as early as 2007, long before they became public.
Phishing attacks are a key method of infiltration for APT28. The group thoroughly studies its victims before an attack, including their habits, contacts, and interests. Emails are created to look as authentic as possible, such as messages from colleagues, banks, or government agencies. Attachments with malicious macros, such as Word or Excel documents, are often used.
In 2016, the group used phishing emails to hack into the accounts of employees of the US Democratic National Committee. The emails contained links to fake Google login pages. The victims entered their credentials, which immediately fell into the hands of the hackers. APT28 actively uses zero-day vulnerabilities, that is, previously unknown vulnerabilities in software. In attacks on NATO and the European Union, the group used vulnerabilities in Microsoft Word and Windows that allow remote code execution.
APT28 maintains an extensive arsenal of exploits for various operating systems and applications. They develop their own malware, which is highly complex. APT28 actively tries to hide its affiliation with Russia. They use symbols of other countries to confuse investigators, for example, leaving false traces pointing to China, using tools with English-language interfaces.
In 2016, the United States was preparing for the presidential elections, in which the main candidates were Hillary Clinton and Donald Trump. APT28 used spear phishing to gain access to DNC systems. Victims were sent emails that mimicked security notifications from Google. The emails contained a link to a fake Google login page. When employees entered their credentials, the hackers gained access to their accounts.
One of the hacked accounts belonged to John Podesta, Hillary Clinton's campaign chairman. His emails contained sensitive data about the campaign's strategy. The stolen data was passed on to WikiLeaks, which began publishing it several months before the election. The exposed data caused a scandal, as a result of which the head of the DNC resigned. US intelligence agencies accused Russia of coordinating the attack.
In 2016, sanctions were imposed on Russia, including the expulsion of 35 Russian diplomats. In 2016, APT28 carried out a series of attacks on the World Anti-Doping Agency (WADA). Background to the attack: a major doping scandal erupted in 2015. The WADA investigation revealed systematic doping by Russian athletes. As a result, the Russian team was temporarily suspended from international competitions, including the Olympics.
Hackers used phishing to gain access to WADA's internal documents. Medical records of famous athletes were stolen, including permissions to use banned substances. The stolen materials were posted on the hackers' own Fancy Bears website and actively distributed through social networks. They claimed that Western athletes were legally using banned substances.
The hackers focused on the fact that world-famous sports stars such as Serena Williams and Simone Biles allegedly enjoyed privileges that allowed them to take drugs banned for other athletes. Instead of discussing doping in Russia, the public began to discuss double standards in international sports. The Fancy Bears claimed that WADA was turning a blind eye to doping in Western countries, which undermined trust in the organization. The scandal caused a wave of mistrust in the anti-doping system.
The leak was widely covered by the media, which increased disagreements between countries on the issue of fairness in sports. These events increased tensions between the West and Russia. The cyberattack on the presidential campaign of Emmanuel Macron in 2017 was one of the most high-profile operations allegedly linked to the APT28 group. The 2017 French elections were held amid heightened international tensions. Experts believe that the aim of the attack was to undermine Macron's election campaign and strengthen the position of more pro-Russian candidates.
The hackers used phishing techniques, sending fake emails to campaign staff disguised as internal messages. The attackers gained access to accounts and data. As a result of the attack, the hackers stole more than 20,000 documents, including correspondence, financial statements, strategic plans and personal information. Two days before the second round of the election, the stolen data was published online under the name Macron Leaks.
The documents were distributed through forums, Twitter and other platforms. The hackers tried to find compromising information in the stolen documents that could damage Macron's reputation and reduce his chances of winning. Fake materials were embedded among the real documents, including false claims of financial fraud and tax evasion. Macron's team knew in advance about the hackers' attempts to penetrate their system and had intentionally planted fake documents to confuse the attackers and reduce the impact of the leaks.
French law prohibited media from publishing or discussing the leaks two days before the election, significantly reducing their impact. Despite the leak, Macron won a landslide victory, receiving over 66% of the vote. The metadata of some of the stolen documents contained Russian characters, which became indirect evidence of APT28’s involvement.
APT28 has repeatedly carried out cyberattacks on NATO structures and related government agencies. These attacks, conducted over a period of more than 10 years, were aimed at espionage and disinformation. They were part of a larger cyberwar related to geopolitical tensions between Russia and NATO countries. One of APT28’s most notorious and destructive campaigns was the cyberattacks on the energy sector in Ukraine.
In 2015, 3 Ukrainian energy companies servicing the regions of Ivano-Frankivsk, Kyiv region and Lviv were attacked. 225 thousand people were left without electricity for several hours. Hackers sent fake emails to employees of energy companies with attachments containing malware. The program penetrated the companies' networks, allowing the attackers to seize control of their systems. The hackers gained access to SCADA systems and manually turned off the substations.
KillDisk software was used to destroy critical files and complicate the restoration of systems. Hackers also attacked the phone lines of energy companies to prevent prompt restoration of work. For the first time in history, an attack of this kind was carried out entirely remotely, without physical access to the facilities. APT28 continues to be one of the most influential and discussed hacker groups.
Anonymous - Cyberattacks and the fight for freedom of speech
Anonymous is a community of hacktivists that does not have a clear leadership structure or a single organization. Their distinctive feature is the use of Guy Fawkes masks from the movie "V for Vendetta", symbolizing resistance to authoritarianism and the fight for freedom.
The group has become famous for its attacks against corporations, governments, and organizations that they believe act unfairly. The main motive of Anonymous is the protection of human rights and freedom of speech. Anonymous appeared in the mid-2000s as a phenomenon associated with the popular forum 4chan. On this site, users anonymously posted content. At first, their actions were more like Internet pranks, memes, jokes, and mass raids on websites.
However, over time, Anonymous began to use their skills for more serious purposes. In 2008, Anonymous focused on the Church of Scientology, a religious organization known for its controversial methods of operation and strict confidentiality. The conflict began after a video of Tom Cruise, a famous Scientologist, was leaked online, in which he described the religion.
The Church attempted to remove the video from the Internet, citing copyright infringement, which caused a storm of indignation. Anonymous saw this as an act of censorship and an attempt to suppress free speech. For a group founded on the principles of openness and freedom of information, this was a challenge. Anonymous began by organizing large-scale distributed denial-of-service attacks on the official websites of the Church of Scientology, overwhelming them with requests.
The sites remained unavailable for several days at a time. Anonymous sent thousands of blank black pages to the fax machines of the Scientology centers to exhaust their ink. They called the centers, bombarded the staff with ridiculous questions and trolled them. The group released a video threatening the Church of Scientology, in which they stated that they would destroy this organization for its actions.
This video went viral and attracted media attention. In February 2008, Anonymous organized mass protests outside Church of Scientology buildings in different countries. Participants wore Guy Fawkes masks to hide their faces and show solidarity with the protesters. The protests were peaceful, and the participants held signs with slogans condemning censorship and the methods of the church. Operation Chanology was the first major Anonymous project to attract international media attention.
The group emerged from the shadows of internet forums and became a visible player in the political and social arena. The Church of Scientology's attempts to suppress the video backfired: the public learned more about the controversial aspects of its activities. Initially, the attack on Scientologists began as a joke, done for the lulz, but it gradually turned into a serious movement. In 2010, Wikileaks became the center of controversy after publishing classified US materials. These leaks contained hundreds of thousands of diplomatic cables revealing the actions of the US government and military in various countries.
After this publication, pressure began to be put on Wikileaks: financial companies and services refused to process donations for the platform, blocking its funding. Anonymous considered the actions of the financial giants to be an attack on freedom of speech and an attempt to suppress the truth. This was unacceptable for the group, and they decided to respond with their own methods - cyberattacks and an information campaign.
The main targets of Anonymous were the websites of companies that refused to work with Wikileaks - PayPal, MasterCard, Visa, and the Swiss bank PostFinance, which had closed Assange's personal account. Anonymous used DDoS attacks to paralyze the work of these companies' websites. PayPal and MasterCard servers stopped responding to requests, so customers could not make transactions. The DDoS attack on Visa was so powerful that the company's website was down for several hours.
Anonymous coordinated their attacks through chats, providing instructions to participants on how to connect to the botnet and direct traffic to the servers. Anonymous helped spread Wikileaks mirrors so that users could access the leaks despite blocking attempts. They launched hashtags and organized an information campaign on Twitter, YouTube and other social networks.
Operation Payback received wide coverage in the international media. Wikileaks became even more famous, and the publications attracted millions of users. According to information at the time, the attacks caused significant financial damage to PayPal and Mastercard, since the temporary shutdown of their sites meant the loss of thousands of transactions. PayPal admitted that their blocking of donations to Wikileaks was politically motivated. This confirmed Anonymous' suspicions and strengthened their reputation as freedom fighters.
In 2011, Anonymous carried out one of its most famous campaigns - an attack on Sony related to the controversy around the hacking of the PlayStation 3. This event led to the largest shutdown of the PlayStation Network at that time, caused mass outrage among users and caused huge damage to Sony's reputation. Why did Anonymous attack Sony? In early 2011, a well-known hacker named George Hotz (Geohot) published PlayStation 3 security keys that allowed unofficial software, including pirated games, to be installed on the console.
Sony responded harshly, suing Geohot and other hackers for copyright infringement and system cracking. Anonymous believed that PS3 owners had the right to modify their devices because they had paid for them. In April 2011, Anonymous announced an operation against Sony.
The group began by attacking Sony websites, including Sony.com and PlayStation.com. The PlayStation Network, a service with millions of active users, was a primary target. In mid-April 2011, the PlayStation Network suddenly went down. Users were unable to connect to servers, play games, download content, or make purchases. On April 20, Sony officially shut down the PSN to prevent further attacks.
The network was down for 23 days. It was the largest outage of its kind in history at the time. Sony later admitted that the personal data of 77 million users, including names, addresses, emails, and possibly credit card information, had been stolen during the attack. This caused panic among users and led to investigations in several countries. Following the shutdown of the PSN, Anonymous released a statement denying any involvement in the data breach.
They claimed that their goal was solely to protest against Sony, not to steal information. Some experts suggest that the real culprits of the data leak could have been another group of hackers who took advantage of the chaos created by Anonymous. Sony estimated the damage from the attack at $171 million. These costs included compensation for users, restoration of infrastructure and legal costs.
The company's reputation was greatly damaged, millions of users lost access to their content and games. Sony was fined in Europe for inadequate protection of user data. In 2015, after the tragic terrorist attacks in Paris, the hacker group Anonymous declared a cyberwar against the Islamic State - ISIS. This was one of the most ambitious and large-scale actions of Anonymous aimed at combating terrorism in the digital space.
On November 13, 2015, a series of terrorist attacks organized by ISIS occurred in Paris, in which 130 people were killed. These events shocked the world, causing a wave of indignation and fear. Anonymous announced through a video message: "Anonymous will hunt you, we will eliminate you from the Internet." The goals of the operation were to destroy accounts, pages and websites associated with recruitment and the dissemination of extremist ideology.
Identifying individuals associated with ISIS and transferring their data to intelligence agencies. Destroying funding channels and donations to terrorist organizations. Anonymous actively attacked ISIS accounts on Twitter, Facebook and other social networks. By November 2015, the group said it had disabled more than 20,000 Twitter accounts associated with ISIS. They handed over lists of such accounts to intelligence agencies.
Anonymous attacked websites used by ISIS for recruitment, propaganda, and coordination. The group attempted to hack ISIS-related e-wallets and funding channels. Although there was no direct success in this area, the efforts drew attention to the issue of terrorist financing. This was the first time that a hacker group declared war on a terrorist organization. Twitter accused Anonymous of acting erratically.
Sometimes, they blocked the accounts of innocent people mistaken for ISIS supporters. What was the result of the operation? Thousands of accounts and websites were destroyed or blocked. The terrorists’ online propaganda activity was temporarily slowed down. Anonymous subsequently focused its efforts on Telegram. They found ISIS channels and passed the data to the platform’s administrators. Some intelligence agencies said that Anonymous’ actions hindered their investigations, as the destruction of accounts made it difficult to track the terrorists.
Lizard Squad — Chaos in the Gaming World
Lizard Squad is one of the most famous and controversial hacker groups, known for their brazen attacks, provocative behavior, and creating chaos on the Internet. Unlike other hacker groups, such as Anonymous, they rarely hid behind lofty ideals, acting more out of a desire to gain attention, humiliate those they attacked, or just have fun.
The first mention of Lizard Squad appeared in mid-2014. At first, they attacked online game servers such as Minecraft and streaming platforms. They used Twitter and other social networks to announce their attacks, which attracted the attention of the media and the public. The name Lizard Squad refers to the hooligan style and the chaos they created. The group did not have a single leader, which is typical for many modern hacker organizations.
The members coordinated their actions through closed forums, chat groups, and encrypted channels. Lizard Squad used Twitter as a primary channel for announcements and ridicule, posting lists of their victims and announcing upcoming attacks. For example, after an attack on Xbox Live, they posted the message “Xbox Live is down, enjoy your offline Christmas.”
The group often entered into open conflicts with other hacker groups, such as Anonymous, whom they accused of hypocrisy and unnecessary morality. These conflicts sometimes escalated into full-fledged cyberwars with attacks on each other. One of the group’s goals was to monetize their actions. They created Lizard Stressor, a DDoS attack tool that they sold to other hackers. Lizard Squad did not hide their actions and often bragged about their successes.
They boldly challenged major companies to a duel, claiming that they were powerless to stop them. Unlike hackers focused on espionage or data theft, Lizard Squad acted for the sake of it. Instead of making serious statements, the group posted memes, jokes, and provocations. Despite their anonymity, several members of Lizard Squad were eventually identified. In 2015, authorities in the United States, Great Britain, and Finland carried out a series of arrests.
Following the arrests and pressure from the authorities, Lizard Squad's activity declined sharply. Some former members moved to other groups or stopped hacking. By the end of 2014, Sony's PlayStation Network and Microsoft's Xbox Live were the largest gaming services with tens of millions of active users. An attack on them guaranteed media and public attention. In mid-December 2014, Lizard Squad began conducting DDoS attacks on PlayStation Network and Xbox Live servers.
Within the first few hours of the attacks, millions of users began complaining about being unable to connect to their accounts and games. The attacks peaked on Christmas Eve. Lizard Squad deliberately chose this time, knowing that thousands of new consoles would be unpacked and activated that day. Families who had expected to spend the holidays playing together were faced with a complete outage.
PlayStation Network remained unavailable for over 24 hours. Although Microsoft was quick to restore service, some users complained about the outage for several days. Lizard Squad used botnets to generate huge amounts of traffic, overloading servers. To amplify the attacks, they enlisted vulnerable devices such as home routers and IoT devices. Experts estimate that the volume of traffic directed at Sony and Microsoft servers reached hundreds of gigabits per second, making the attack one of the most powerful to date.
Millions of gamers expressed their disappointment on social media, accusing Sony and Microsoft of failing to prevent the attack. Following the attack, demand for DDoS tools like Lizard Stressor increased significantly. One of the most controversial and well-known incidents associated with the Lizard Squad was the fake threat to blow up an airplane in August 2014.
The incident attracted the attention of media and authorities around the world and became an example of how cyberbullies can use the internet to cause chaos in the real world. The Lizard Squad targeted John Smedley, the president of Sony's cybersecurity division. At the time, Smedley was in charge of developing and supporting popular games including Everquest and Planetside. The Lizard Squad decided to attack his reputation by violating not only his digital but also his physical security.
On August 24, the Lizard Squad tweeted, “American Airlines Flight 362 has explosives on board. We are targeting it.” After receiving the threat, American Airlines took immediate action. The plane was urgently diverted to Phoenix, Arizona, for evacuation. Passengers, including Smedley, were forced to wait while security officers inspected the plane and their luggage.
After a thorough inspection, it was determined that the reports were false and there were no explosives on board. However, the threat caused significant delays and disruption to air travel. The group wanted to show how easy it is to cripple an airline with a simple online threat. The Lizard Squad was looking for opportunities for maximum media exposure, and the attack on the plane became their calling card. Smedley condemned the Lizard Squad’s actions, calling them terrorists and cynical hooligans.
In January 2015, Lizard Squad hacked the Malaysia Airlines website. The homepage of the website read "404 - Plane Not Found". This was a clear reference to the disappearance of flight MH370. The attack caused an uproar, as it was perceived as an insult to the memory of the victims of the disaster.
Lazarus Group - North Korean Cyberwarfare
Lazarus Group, one of the most famous hacker organizations, is more than just a group of cybercriminals.
Its activities, according to analysts, are closely linked to the state interests of North Korea. The group is considered to be the country's tool for conducting financial, espionage, and destructive operations in cyberspace. Lazarus Group is linked to North Korean intelligence through Unit 121 (Bureau 121), a cyber unit that is part of the General Intelligence Bureau of North Korea.
Unit 121 was founded in the late 90s and initially trained specialists in cyber warfare; Lazarus Group is considered its operational wing, responsible for attacks outside of North Korea. The first confirmed traces of Lazarus Group activity appeared in 2007. Early attacks were aimed at South Korean government and financial structures, which indicates the geopolitical focus of their operations.
Lazarus Group operates under the strict control of the North Korean government. Their activities are aimed at achieving two main goals: financial support for the regime, making money through hacking banks, cryptocurrency exchanges and corporate networks; and geopolitical espionage, data collection, and undermining trust in the systems of North Korea's adversaries. Experts divide Lazarus Group into three main categories depending on their specialization.
The first is focused on attacks inside South Korea, specializing in espionage, data collection, and creating chaos. The second, the group's financial division, specializes in stealing money through bank attacks and hacking cryptocurrency exchanges and financial platforms. The third participates in large-scale financial and espionage operations and is known for attacks on international financial systems, including the SWIFT network.
North Korea has a number of specialized educational institutions, such as the Kimmersen University of Automation, which trains world-class hackers. Students who demonstrate outstanding abilities are sent to study abroad, particularly in China and Russia. After completing their studies, they get jobs at Bureau 121. According to defectors, hackers live in relatively comfortable conditions compared to the rest of the North Korean population, have access to the Internet, and work abroad to avoid resource restrictions.
North Korea is under strict international sanctions that limit its access to foreign exchange reserves and technology. Lazarus Group has become a kind of financial weapon, capable of bypassing sanctions and providing an influx of funds into the state budget. Lazarus Group is known for its complex, multi-stage attacks.
The initial stage involves phishing and installing malware. Next comes the exploration of the victim’s infrastructure and the withdrawal of funds, all traces are erased to make it more difficult to investigate. The group constantly improves its methods, introducing new tools and strategies. The group is known for sometimes blackmailing companies, demanding a ransom in exchange for not distributing stolen data. Lazarus Group often creates fake companies or applications to carry out attacks.
For example, they created a cryptocurrency trading app infected with malware. Thanks to the support of the North Korean government, it is almost impossible to detect and detain members of the Lazarus Group. The attack on Sony Pictures in 2014 was one of the most high-profile in history. This operation demonstrated how cybercrime can be used as a political weapon.
Sony was preparing to release the film The Interview, a satirical comedy in which the main characters are tasked by the CIA with killing North Korean leader Kim Jong-un. North Korea's Foreign Ministry warned the United States that the film's release would face severe consequences. The statement was later linked to an attack that occurred months before the premiere. In November 2014, a group of hackers infiltrated Sony Pictures' network. They broke into the company's internal servers using wiper malware called Destover, which destroyed data after it had been exfiltrated.
Hackers leaked confidential employee data, including salaries and personal correspondence, unreleased Sony Pictures films, scripts for future projects, company development plans, and other corporate documents. The hackers threatened to attack movie theaters that would show The Interview. This led to a mass refusal by movie theaters to show the film, and Sony was forced to cancel the wide release.
The damage from the data leak and restoration work is estimated at $15-20 million. The company had to completely rebuild its security system. The leak of internal correspondence caused scandals related to sexism, racism, and bias in Hollywood. Some high-ranking Sony employees, including one of the executives, resigned. Sony released the film in a limited release in theaters and on streaming platforms, including YouTube.
President Barack Obama condemned Sony for its decision to cancel the release of the film. The United States imposed additional sanctions on North Korea, accusing it of involvement in the attack. The FBI officially accused North Korea of organizing the attack. The evidence included IP addresses linked to North Korea, and malware similar to that used in previous attacks linked to the Lazarus Group.
One of the most brazen cyber attacks in history occurred in February 2016, when the Lazarus Group stole $81 million from the Bangladesh Central Bank by exploiting vulnerabilities in the international banking system SWIFT. The Bangladesh Central Bank stores its foreign exchange reserves at the Federal Reserve Bank of New York. These reserves are used to conduct international transactions through the SWIFT system. The Lazarus Group chose the Bangladesh Central Bank because of alleged weaknesses in its security system.
The hackers broke into the central bank's internal network through phishing emails sent to an employee. They spent several months studying the bank's network structure and the SWIFT system. The hackers forged more than 35 requests to transfer a total of about $1 billion from the Bangladesh Central Bank's reserves. They used malware to erase transaction logs and hinder the investigation.
Of the 35 requests totaling $1 billion, only 5 transactions totaling $101 million were completed. $20 million was transferred to Sri Lanka, but these funds were recovered because of a paperwork error. $81 million ended up in bank accounts in the Philippines. The money transferred to the Philippines was withdrawn through a casino, making it virtually impossible to trace. Using a casino was a deliberate choice, as Philippine law did not require casinos to adhere to strict anti-money laundering regulations.
The Bangladesh Central Bank discovered the problem a few days later when it tried to conduct a routine transaction but was unable to access the SWIFT system. An investigation revealed that the SWIFT logs had been deleted and the system had been compromised. One of the transfer requests was addressed to the Shalika Foundation. In it, the word Foundation was misspelled as Fandation, which raised suspicions at Deutsche Bank, which was reviewing the transaction.
The FBI, Interpol, and cybersecurity experts joined the investigation. The FBI quickly linked Lazarus Group to the attack, noting the similarities in malware. About $81 million was laundered through the Philippine casino. If all the transfer requests had been fulfilled, the stolen funds would have amounted to $1 billion. The WannaCry ransomware attack in May 2017 was one of the largest cyberattacks in history, affecting more than 200,000 devices in 150 countries in just a few days.
The Lazarus Group was behind the attack. WannaCry is ransomware that exploits a vulnerability in the Windows operating system. The malware infiltrated the network, encrypted users' files, and displayed ransom messages. Decryption required payment in Bitcoin, typically between $300 and $600.
The attack began on May 12, 2017, and spread with incredible speed. WannaCry used a worm mechanism to infect other devices connected to the same network. The virus affected devices in various sectors: hospitals, transport systems, banks, energy companies. WannaCry disabled computers in hundreds of hospitals, leading to canceled surgeries, department closures, and delays in treating patients.
Doctors were forced to use paper records. French carmaker Renault halted production at several plants to prevent the virus from spreading. In Germany, WannaCry disrupted the railway system, causing train information displays to show messages from the virus. The total damage from the attack is estimated at $4.8 billion. Microsoft had released a patch to fix the vulnerability in March 2017, two months before the attack.
However, many organizations did not install the update, which allowed the virus to spread. Despite the scale of the attack, the hackers collected a relatively small amount. Many victims refused to pay the ransom. In recent years, the Lazarus Group has stepped up attacks on cryptocurrency exchanges and platforms. Using sophisticated phishing techniques, malware, and system hacks, the group stole digital assets worth millions of dollars, making crypto exchanges one of its main targets.
South Korean exchange Bithumb has been a victim of Lazarus Group several times. In 2017, hackers stole the data of 30,000 users and about $7 million. A year later, Lazarus stole more than $30 million from this exchange. In 2018, the Japanese exchange Coincheck was attacked, resulting in the theft of $534 million.
Lazarus Group used malicious emails to access the exchange's network. It was one of the largest crypto attacks in history. In 2020, Lazarus Group attacked the Singaporean exchange KuCoin. $281 million was stolen. Some of the stolen funds were recovered thanks to transaction tracking using analytics platforms. Lazarus Group has stolen more than $1.7 billion in cryptocurrencies in recent years.
This has become a significant source of income for North Korea.
Conti — A Ransomware Group with Global Influence
Conti is a hacker group specializing in ransomware attacks. They have become one of the most successful cybercriminals of our time, with operations whose scale is astounding in its efficiency and destructiveness. Their origins, structure, and tactics provide a deep understanding of why this particular group has become so influential. Conti emerged in 2020, but its roots go back to earlier groups such as Ryuk and Trickbot.
Ryuk was known for its successful attacks on corporations and government agencies. Trickbot is a botnet that distributed malware and provided initial access to infected systems. Most experts agree that Conti is made up of Russian-speaking hackers. This is supported by the language spoken by the members and by the malware's code, which avoids attacking systems with a Russian-language locale installed.
Conti emerged amid the rise in the popularity of ransomware. The huge ransoms paid by victims made this niche particularly lucrative. The group operates as a full-fledged corporation with defined roles. Developers are responsible for creating and updating malware. Operators are responsible for deploying the programs on target systems. Negotiators communicate with victims and negotiate the ransom. Data analysts process the stolen information, finding the most valuable data for blackmail.
Conti provided its tools to other hackers for a percentage of the ransom. This allowed the group to scale operations and spread its influence. In 2022, a leak of internal Conti documents published by an insider revealed their corporate approach. Employee salaries ranged from $1,500 to $2,000 per month for ordinary participants.
Top management received tens and hundreds of thousands of dollars. Conti selects victims based on their financial solvency and level of cybersecurity. The main targets are government agencies, healthcare, and large corporations. Conti claimed that they would not attack hospitals or schools, but as their actions showed, this rule was violated. The group had its own blog on the Dark Web, where they published stolen data and threats, increasing the pressure on victims.
They used a combination of sophisticated tools, carefully planned methods, and unique tactics to seize and monetize access to corporate and government systems. Conti's software has become the group's calling card. Conti can encrypt data faster than most competitors by using multiple data processing threads in parallel. In addition to encryption, Conti steals the victim's data.
If the company refuses to pay, the hackers threaten to publish the stolen data on their Dark Web blog. This method makes refusing to pay the ransom extremely risky for companies, especially if the leak could affect their reputation or lead to litigation. Once in the network, Conti uses privilege escalation tools to gain administrative access to the systems. Conti aims to spread its malware within the corporate network by attacking additional devices.
This is done to increase the scale of the attack and capture critical data. Once reconnaissance is complete, the hackers encrypt the data and destroy backups to force the victim to pay. Conti also deletes and modifies system logs to make the investigation more difficult. The Conti group is known for its aggressive tactics. If negotiations drag on, they begin to publish data to speed up the payment process.
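The Conti playbook just described (lateral movement, backup destruction, log tampering, then encryption) is easier to catch as a sequence than as isolated events. The following stage-correlation detector is an added example for defenders, not Conti's code or any vendor's product; the log format, the phrase-based rules and the sample telemetry are all constructed for the example.

```python
"""Stage correlation for the Conti playbook described above.

Added example, not Conti's or any vendor's code. Each tactic the text lists
is a stage; a host showing several stages inside one window raises an alert.
The "timestamp|host|message" lines are constructed, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Illustrative phrases a log normaliser might emit; real rules would key on
# the concrete event IDs and fields of your own telemetry.
STAGE_RULES = {
    "lateral_movement": re.compile(r"remote service installed|remote process created", re.I),
    "backup_destruction": re.compile(r"shadow copies deleted|backup catalog deleted", re.I),
    "log_tampering": re.compile(r"audit log cleared|event log cleared", re.I),
    "mass_encryption": re.compile(r"files renamed to \*\.encrypted|ransom note written", re.I),
}
WINDOW = timedelta(hours=1)   # all stages must fall inside this span
MIN_STAGES = 3                # distinct stages needed to alert


def parse_line(line):
    """Return (timestamp, host, message), or None for a malformed line."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    try:
        return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]
    except ValueError:
        return None


def classify(message):
    """Map a message to a stage name, or None when no rule matches."""
    for stage, pattern in STAGE_RULES.items():
        if pattern.search(message):
            return stage
    return None


def correlate(lines):
    """One alert per host whose events cover >= MIN_STAGES stages within WINDOW."""
    per_host = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, msg = parsed
            stage = classify(msg)
            if stage:
                per_host[host].append((ts, stage))
    alerts = []
    for host, events in per_host.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        for i, (start, _) in enumerate(events):
            # sliding window anchored at each event in turn
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            stages = sorted({s for _, s in window})
            if len(stages) >= MIN_STAGES:
                alerts.append({"host": host, "stages": stages,
                               "first": start, "last": window[-1][0]})
                break  # one alert per host is enough for triage
    return alerts


# Constructed telemetry: one host shows the chain within 40 minutes; the
# others show single, explainable events that must not alert.
SAMPLE_LOGS = [
    "2021-05-13T23:05:10|fileserver-01|remote service installed by DOMAIN\\svc-admin",
    "2021-05-13T23:12:44|fileserver-01|shadow copies deleted (all)",
    "2021-05-13T23:20:02|fileserver-01|audit log cleared by DOMAIN\\svc-admin",
    "2021-05-13T23:41:30|fileserver-01|4821 files renamed to *.encrypted",
    "2021-05-13T23:41:31|fileserver-01|ransom note written to C:\\readme.txt",
    "2021-05-13T22:00:00|workstation-07|scheduled backup job completed",
    "2021-05-10T09:00:00|dc-02|audit log cleared by DOMAIN\\helpdesk",
    "not a log line",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS))
```

Tuning MIN_STAGES and WINDOW against your own baseline matters: a single cleared log (dc-02 above) is routine admin noise, while backup destruction followed by log clearing on the same host is the moment the victim still has a chance to pull the plug before encryption.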
The attack on the Irish health system in 2021, carried out by the Conti group, was one of the largest and most destructive cyber attacks in the history of healthcare. It caused chaos in the national health system, paralyzed hospitals, delayed operations and put the lives of thousands of patients at risk. This attack was an example of how cybercrime can directly affect the health and safety of people.
Conti planted its ransomware on the systems of Ireland's Health Service Executive (HSE). Initially, access was gained through a phishing attack targeting an employee. The infected system gave hackers access to the internal network. The hackers used tools for lateral movement within the network, such as Cobalt Strike. They gained access to servers with patient data, financial documents, and other critical information.
The ransomware encrypted key systems, making them inaccessible to employees. The hackers left messages demanding a ransom of $20 million. More than 80% of IT systems were disabled, causing widespread disruption. Patients could not access their medical records. Surgeries and consultations were cancelled. Cancer patients requiring urgent treatment were unable to receive medical care in time.
Emergency services had to operate manually. The hackers claimed to have accessed sensitive patient information, including medical records, addresses, and financial information. Despite promising not to publish the data, fears of a leak caused public concern. Conti provided a free tool to decrypt the data a few days after the attack. This may have been due to global condemnation of their actions and pressure from law enforcement.
However, restoring the system proved slow and expensive due to the scale of the destruction. The Irish government took a firm stand and refused to pay the hackers. Restoring all systems cost Ireland more than €100 million. Conti released a statement trying to justify their actions, stating that they did not want to harm people. This attack caused a stir in society and even among hacker communities, which forced Conti to reconsider their actions.
As a result, the Conti group fell victim to internal leaks that significantly affected its activities. These leaks not only illuminated the internal processes of the group, but also gave cybersecurity experts a unique chance to study the methods of one of the most powerful cybercriminal groups of our time. In February 2022, in the early days of the war between Russia and Ukraine, the Conti group publicly declared its support for the Russian side.
This statement caused a sharp response in hacker circles and led to a leak of their internal data. An anonymous insider, allegedly associated with Ukraine, published a significant amount of Conti's internal information: malware source code, internal chats and correspondence, manuals, and financial reports, including ransom data. More than 170 thousand messages from internal chats became available in the public domain.
The leak showed that the group earned millions of dollars from ransoms. A significant portion of the income was spent on developing new tools, paying for infrastructure, and bribing potential insiders in companies. Chats revealed information about conflicts between participants. For example, developers complained about salary delays.
There were some interesting facts in the leak. The group carefully tested its software before attacks; one of the tools was a unique encryptor that can bypass modern antiviruses.
Some members of the group discussed political topics and expressed support for certain countries, which created internal conflicts. The leak dealt a serious blow to the group’s reputation and security. Law enforcement agencies received a lot of useful data for the investigation. Many victims, having seen the exposure, refused to pay the ransom, realizing that the group was vulnerable.
APT28 (Fancy Bear) - Cyber Spies from Russia
The group is considered one of the longest-standing and most experienced in cyberspace. Experts associate APT28 with the Main Intelligence Directorate of Russia. These assumptions are based on the analysis of their activities, attack targets, and the nature of their work. For example, the group's active hours coincide with the working day in the Moscow time zone, it uses tools and methods typical of special services, and its attacks focus on geopolitical targets such as NATO, the European Union, and political parties in Western countries. APT28 is focused on state cyber espionage and interference in international affairs.
Their tasks include intelligence gathering, discrediting opponents, interfering in political processes, and military intelligence. APT28 is a highly organized group with a clear division of roles. Software developers are responsible for creating malware, operators carry out attacks, manage command and control servers, and interact with victims through phishing campaigns or vulnerable systems. Intelligence analysts process the collected data to make it useful for further operations.
For example, they systematize documents stolen from political party servers. APT28 operates in conditions of strict secrecy. Group members rarely have full information about the scale of an operation. The decentralized approach minimizes the risk of information leakage if one of the participants is caught. APT28 is known for its patience.
They can remain in the victim's system for years, quietly collecting data. The emergence of APT28 is associated with the strengthening of the role of cyber intelligence in the strategy of Russian special services in the early 2000s. Unlike APT29 (Cozy Bear), which is also associated with Russia, APT28 is more focused on political interference than espionage. APT28 is known for its strategic long-term vision. Some of its operations, such as the NATO hacks, began as early as 2007, long before they became public.
Phishing attacks are a key method of infiltration for APT28. The group thoroughly studies its victims before an attack, including their habits, contacts, and interests. Emails are created to look as authentic as possible, such as messages from colleagues, banks, or government agencies. Attachments with malicious macros, such as Word or Excel documents, are often used.
In 2016, the group used phishing emails to hack into the accounts of employees of the US Democratic National Committee (DNC). The emails contained links to fake Google login pages. The victims entered their credentials, which immediately fell into the hands of the hackers. APT28 actively uses zero-day vulnerabilities, that is, previously unknown vulnerabilities in software. In attacks on NATO and the European Union, the group used vulnerabilities in Microsoft Word and Windows that allow remote code execution.
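The fake Google login pages described above work because a link that "looks like Google" is rarely checked the way a browser resolves it. The checker below is an added example for defenders, not APT28's tooling or any mail gateway's code; the trusted-host list and the sample email are assumptions constructed for the example.

```python
"""Link-target check for the fake-login phishing described above.

Added example, not APT28's tooling or any mail gateway's code. The host is
parsed with the same rules a browser uses, then compared against an
allow-list of real sign-in hosts, so lookalike domains, userinfo tricks and
homoglyph hosts are flagged. Sample data is constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list of hosts that legitimately present the Google sign-in
# form; maintain your own from verified traffic.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def check_login_link(url):
    """Return (verdict, reason); verdict is 'trusted' or 'suspicious'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", "non-web scheme %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # 'https://accounts.google.com@evil.example/' lands on evil.example:
        # everything before '@' is userinfo, not the host.
        return "suspicious", "userinfo before host; real host is %r" % parts.hostname
    host = parts.hostname or ""
    if not host.isascii():
        # Unicode host that merely resembles the real one (homoglyph attack).
        return "suspicious", "non-ASCII host %r" % host
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode-encoded host %r" % host
    if parts.scheme != "https":
        return "suspicious", "sign-in page served over plain http"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted", "host %r is a trusted login host" % host
    # Catches 'accounts.google.com.evil.example' and 'accounts-google.com':
    # the trusted name is only a prefix, the registrable domain is different.
    return "suspicious", "host %r is not a trusted login host" % host


def scan_message(text):
    """Run check_login_link over every URL found in a message body."""
    return [(url, check_login_link(url)[0]) for url in URL_RE.findall(text)]


# Constructed phishing lure in the style the text describes: a "security
# notification" whose link is a lookalike, not a Google host.
SAMPLE_EMAIL = """Someone has your password.
Someone just used your password to sign in to your Google account.
Change password: https://accounts.google.com.security-check.example/reset
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(verdict, url, check_login_link(url)[1])
```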
APT28 maintains an extensive arsenal of exploits for various operating systems and applications. They develop their own malware, which is highly complex. APT28 actively tries to hide its affiliation with Russia. They use symbols of other countries to confuse investigators, for example, leaving false traces pointing to China, using tools with English-language interfaces.
In 2016, the United States was preparing for the presidential elections, in which the main candidates were Hillary Clinton and Donald Trump. APT28 used spear phishing to gain access to DNC systems. Victims were sent emails that mimicked security notifications from Google. The emails contained a link to a fake Google login page. When employees entered their credentials, the hackers gained access to their accounts.
One of the hacked accounts belonged to John Podesta, Hillary Clinton's campaign chairman. His emails contained sensitive data about the campaign's strategy. The stolen data was passed on to WikiLeaks, which began publishing it several months before the election. The exposed data caused a scandal, as a result of which the head of the DNC resigned. US intelligence agencies accused Russia of coordinating the attack.
In 2016, sanctions were imposed on Russia, including the expulsion of 35 Russian diplomats. In 2016, APT28 also carried out a series of attacks on the World Anti-Doping Agency (WADA). The background to the attack: a major doping scandal erupted in 2015. The WADA investigation revealed systematic doping by Russian athletes. As a result, the Russian team was temporarily suspended from international competitions, including the Olympics.
Hackers used phishing to gain access to WADA's internal documents. Medical records of famous athletes were stolen, including permissions to use otherwise banned substances. The stolen materials were posted on the Fancy Bears' Hack Team website and actively distributed through social networks. The hackers claimed that Western athletes were legally using banned substances.
The hackers focused on the fact that world-famous sports stars such as Serena Williams and Simone Biles allegedly enjoyed privileges that allowed them to take drugs banned for other athletes. Instead of discussing doping in Russia, the public began to discuss double standards in international sports. The Fancy Bears claimed that WADA was turning a blind eye to doping in Western countries, which undermined trust in the organization. The scandal caused a wave of mistrust in the anti-doping system. The leak was widely covered by the media, which increased disagreements between countries on the issue of fairness in sports. These events increased tensions between the West and Russia. The cyberattack on the presidential campaign of Emmanuel Macron in 2017 was one of the most high-profile operations allegedly linked to the APT28 group. The 2017 French elections were held amid heightened international tensions. Experts believe that the aim of the attack was to undermine Macron's election campaign and strengthen the position of more pro-Russian candidates.
The hackers used phishing techniques, sending fake emails to campaign staff disguised as internal messages. The attackers gained access to accounts and data. As a result of the attack, the hackers stole more than 20,000 documents, including correspondence, financial statements, strategic plans and personal information. Two days before the second round of the election, the stolen data was published online under the name Macron Leaks.
The documents were distributed through forums, Twitter and other platforms. The hackers tried to find compromising information in the stolen documents that could damage Macron's reputation and reduce his chances of winning. Fake materials were embedded among the real documents, including false claims of financial fraud and tax evasion. Macron's team knew in advance about the hackers' attempts to penetrate their system and deliberately seeded fake documents of their own to confuse the attackers and reduce the impact of any leak.
French law prohibited media from publishing or discussing the leaks in the two days before the election, significantly reducing their impact. Despite the leak, Macron won a landslide victory, receiving over 66% of the vote. The metadata of some of the stolen documents contained Cyrillic (Russian) characters, which became indirect evidence of APT28's involvement.
APT28 has repeatedly carried out cyberattacks on NATO structures and related government agencies. These attacks, conducted over a period of more than 10 years, were aimed at espionage and disinformation. They were part of a larger cyberwar related to geopolitical tensions between Russia and NATO countries. One of APT28’s most notorious and destructive campaigns was the cyberattacks on the energy sector in Ukraine.
In 2015, three Ukrainian energy companies serving the Ivano-Frankivsk, Kyiv and Lviv regions were attacked, and 225 thousand people were left without electricity for several hours. Hackers sent fake emails to employees of the energy companies with attachments containing malware. The program penetrated the companies' networks, allowing the attackers to seize control of their systems. The hackers gained access to SCADA systems and manually turned off the substations.
KillDisk software was used to destroy critical files and complicate the restoration of systems. The hackers also attacked the phone lines of the energy companies to prevent prompt restoration of work. For the first time in history, such an attack was carried out entirely remotely, without physical access to the facilities. APT28 continues to be one of the most influential and discussed hacker groups.