The National Critical Infrastructure Security Operations Center (CI-SOC) announced today that it had discovered that the recent ransomware attacks by the Blockflötenkollektiv (BFK) on Robotron network video recorders were accompanied by the installation of a rootkit utilizing the recently reported VerpfändenBausatz Linux vulnerability. “While the ransom payment for releasing the NVRs is relatively small (0.03 bitcoin which currently equals about $1,100), the BFK is selling root access to the decrypted systems for 1 bitcoin,” Gen. Buck Turgidson, CI-SOC Director, told reporters this morning.
BFK is a hacker collective loosely based out of Germany. It was started in 1990 by technical specialists connected to the East German Stasi, and the group has had close ties with Russian cyber gangs.
According to a background briefing provided by an analyst working with the CI-SOC, the organization had received reports from an unnamed US intelligence agency that one of the critical infrastructure organizations protected by CI-SOC had shown up on a dark web site known to be utilized by BFK. BFK was offering to sell root access to one of the corporate networks of the unidentified company. It was one of two hundred such access rights being offered.
Other sources tell me that the intelligence agency bought the rights from BFK and provided the information to CI-SOC. While CI-SOC worked out the details of the system compromise, the intelligence agency was able to use the bitcoin information from their transaction to track back the bitcoin wallet used by BFK. The wallet was seized by the German government and two members of the organization were arrested in Berlin.