
Google says hackers used AI to exploit ‘zero-day’ flaw

Google announced Monday that it identified a cyber threat it believes hackers developed using AI, meant to exploit networks on a large scale. File Photo by Sascha Steinbach/EPA

May 11 (UPI) — Google announced Monday that it identified a cyber threat it believes hackers developed using artificial intelligence, meant to exploit networks on a large scale.

Google Threat Intelligence Group said the hackers were using a zero-day exploit, a security vulnerability that is unknown to security companies, and planned to use it for mass exploitation.

Google said this is the first time it has identified a threat with evidence that AI was used to develop it.

“AI-enabled malware, such as PROMPTSPY, signals a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments,” Google Threat Intelligence Group said in a news release.

Google named its own Gemini model and Claude Mythos as AI models it does not believe were used in this threat attempt.

If the threat had been successful, hackers would have been able to bypass two-factor authentication on “a popular open-source, web-based system administration tool,” Google said. The attempt occurred within the last couple of months, but Google did not specify exactly when.

AI is also being used for cybersecurity, as a tool to identify potential security risks. Google says Monday’s report shows criminal hacker groups are also interested in using AI for their goals.

“For every zero-day we can trace back to AI, there are probably more out there,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in a statement. “Threat actors are using AI to boost the speed, scale, and sophistication of their attacks.”


DOJ recovers millions of dollars in Colonial Pipeline ransom

The Justice Department recovered $2.3 million in cryptocurrency ransom that Colonial Pipeline paid to hackers whose cyberattack last month shut down its major East Coast pipeline, leading to gas shortages up and down the East Coast, authorities said.

Deputy Atty. Gen. Lisa Monaco said the FBI on Monday seized the majority of the ransom that Colonial Pipeline paid to hackers who used malware developed by DarkSide, a Russia-linked hacking group, to encrypt and lock up the company’s computer systems. The company, which Monaco credited with quickly alerting the FBI to the attack, said it paid the hackers $4.4 million in bitcoin to regain access to its systems.

“Today we turned the tables on DarkSide,” Monaco said, calling such ransomware attacks an “epidemic” that poses a “national security and economic threat” to the U.S. “This was an attack against some of our most critical infrastructure.”

Though the malware did not affect systems that operate the company’s pipelines, which stretch from New Jersey to Texas, Colonial discovered the hack on May 7 and closed its spigots for five days out of an abundance of caution. The pipeline supplies about 45% of the jet fuel, gasoline and heating oil consumed on the East Coast, and the shutdown sparked panic from drivers, who raced to top off tanks, leading gas stations to run out of fuel.

The Justice Department did not disclose how much Colonial paid in ransom, but the company’s chief executive told the Wall Street Journal last month that it made a $4.4-million payment in bitcoin. Colonial CEO Joseph Blount said the company paid the extortion demand because he was concerned a prolonged disruption of the pipeline would hurt the nation.

“I know that’s a highly controversial decision,” Blount told the newspaper. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

Ransomware hackers typically trick unwitting employees into opening an email and clicking on an attachment or a link, which then infects computer servers with malware that encrypts data and locks the systems. Victims must pay a ransom to the hackers to obtain a decryption key to unlock and recover the information. DarkSide’s malware poses a double whammy — it can also siphon out information, giving hackers more leverage because they can threaten to disclose sensitive data if they are not paid.

FBI Deputy Director Paul Abbate said DarkSide produces ransomware that it sells to hackers who conduct cyberattacks and share a percentage of their proceeds with the malware’s developers. DarkSide’s product is one of about 100 ransomware variants the FBI is investigating, Abbate said.

The bureau has been investigating DarkSide since last year, Abbate said, and has identified more than 90 victims of its ransomware in manufacturing, legal, insurance and healthcare industries. Working with other U.S. government agencies, the FBI identified “a virtual currency wallet” that the DarkSide hackers were using to collect payment from a victim, Abbate said.

The Justice Department then obtained a warrant to seize those bitcoins, officials said.

“The old adage ‘follow the money’ still applies,” said Monaco, the deputy attorney general. “That’s exactly what we do.”

The Colonial Pipeline attack was the latest in a series of ransomware assaults that has crippled government agencies, hospitals and businesses, including a major meat producer that was forced last week to idle plants, sparking concerns about potential increases in meat prices and shortages. A task force of more than 60 experts from industry, government and nonprofits issued a report in April that calls ransomware “a flourishing criminal industry that not only risks the personal and financial security of individuals, but also threatens national security and human life.”

The report, published by the nonprofit Institute for Security and Technology, estimates that nearly 2,400 governments, healthcare facilities and schools were victims of ransomware attacks last year. Ransom payments rose to $350 million last year, a 300% increase over 2019, the report says. The average such payment topped $300,000.

Cybersecurity experts and former federal prosecutors and agents blamed several trends for the increase. The rise of difficult-to-trace cryptocurrency has made it far easier for criminal gangs to collect payments, the experts said. Cybercriminals have also begun to increasingly operate within the borders of U.S. adversaries, particularly Russia. The Kremlin, for example, allows hackers to operate with impunity if they do not target Russian businesses or citizens and focus their energy on sowing chaos and confusion in the West.

The Biden administration is seeking to find ways to combat the rise. President Biden said he will discuss ransomware attacks this week with U.S. allies during a European trip, and bring up the subject during a June 16 meeting with Russian President Vladimir Putin. The Justice Department has launched a task force to better coordinate its approach to the crime wave. Justice Department officials said the Colonial Pipeline ransom seizure was the first such payment recovery by the task force. Justice Department officials could not say how many other ransoms they have recovered.

“This is a big deal,” said Scott Jasper, a lecturer at the Naval Postgraduate School and author of “Russian Cyber Operations: Coding the Boundaries of Conflict.” “The question is: Will this be big enough to change the behavior of DarkSide or of other cyber actors? It’s too early to tell. It’s a slow game, a long-term game. This is a significant, big business. This is a big enterprise.”


FBI: Russia-backed Fancy Bear hackers used Wi-Fi routers to steal data

A Russian hacking group called Fancy Bear used poorly protected Wi-Fi routers to hack into governments, the FBI said. File Photo by Sascha Steinbach/EPA

April 8 (UPI) — A Russian hacking group financed by the spy agency GRU managed a large-scale campaign to steal information about militaries and governments by hacking into Wi-Fi routers, the FBI said.

The group, known as Fancy Bear, is behind the intrusions into governments around the world. Intelligence and police services in the United States, Canada, Ukraine, Germany, Italy, Poland, Slovenia, Romania and other countries uncovered the operation, which targeted poorly protected Wi-Fi routers, they announced in a joint statement Tuesday.

The hackers took “passwords, authentication tokens and other sensitive information, including emails,” Ukraine’s security service, the SBU, said in a statement.

“This way, they acted as ‘intermediaries’ in the online space to collect passwords, authentication tokens and other sensitive information, including emails, which under normal circumstances are protected by SSL [Secure Sockets Layer] and TLS [Transport Layer Security] cryptographic protocols,” SBU said.

The GRU operatives, who have been using this technique since at least 2024, planned to use the information to “carry out cyberattacks, information sabotage and the collection of intelligence,” SBU said.

The FBI said the GRU has “indiscriminately compromised a wide pool of U.S. and global victims and then filtered down impacted users, especially targeting information related to military, government and critical infrastructure.”

Romania participated in the investigation, and Romanian President Nicușor Dan said the GRU operatives “were collecting military, governmental, and critical infrastructure-related information.”

“Russia therefore continues its hybrid war against Western countries — only those acting in bad faith could fail to see this,” Dan said in a post on X.

The FBI also urged “all network defenders and owners of small office/home office (SOHO) routers to update to the latest firmware versions, change default usernames and passwords, disable remote management interfaces from the internet, and stay alert for certificate warnings in web browsers and email clients.”


Iran-linked hackers claim responsibility for cyberattack on Stryker

Medical device maker Stryker is experiencing a “global network disruption” Wednesday from a cyberattack by a group of pro-Iranian hackers. File Photo by Sascha Steinbach/EPA

March 11 (UPI) — Medical device maker Stryker is experiencing a global tech issue Wednesday from a cyberattack by a group of pro-Iranian hackers.

Employees found their work devices locked up with the symbol of the hacker group Handala displayed on their screens. It is being described as a “wiper attack,” not meant to extort money but to cause maximum damage to Stryker’s systems.

Handala has claimed responsibility for the cyberattack in a social media post, writing that it is retaliation for the deadly strike on the Shajareh Tayyiba girls school in Minab, Iran.

“We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance,” the post reads. “In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.”

The cyberattack has not only impacted employees in the United States but also employees in Ireland.

“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyberattack,” Stryker said in a statement. “We have no indication of ransomware or malware and believe the incident is contained. Our teams are working rapidly to understand the impact of the attack on our systems. Stryker has business continuity measures in place to continue to support our customers and partners.”

Stryker is headquartered in Portage, Mich., and employs 50,000 people worldwide, including about 1,000 at its headquarters. It manufactures an array of medical equipment including orthopedic implants, surgical instruments and imaging systems. It is one of the largest medical technology manufacturers in the world.

The headquarters closed for the day on Wednesday with signs posted on its doors warning workers not to access Stryker’s network, use its devices or connect to its Wi-Fi.
