Law enforcement agencies from all over the world recently reported on an enormous ongoing sting operation assembled with evidence gleaned from a messaging application the FBI claims to have been running all along. The app, called ANOM, was marketed as an encrypted chat application “designed by criminals for criminals” according to a recent CBS news report.

The operation, dubbed Trojan Shield, was led by the FBI but also involved Europol and other agencies in countries across around the globe. The ANOM app was distributed throughout criminal organizations for close to two years already installed on specially prepared devices that purposely excluded features like microphones and cameras. The lack of these features and the endorsement of some high profile criminal organizations added an air of security to the devices.

However, all of the messages sent using the ANOM application were subject to monitoring by law enforcement. As the application gained popularity among organized crime networks around the world digital evidence apparently started to pile up with reports of murder and drug shipments/manufacturing being discussed openly on the app. This week the operation came to a head with a surge of arrests in places such as Australia, New Zealand, Germany, Sweden and Belgium. U.S. officials have reported that over 500 individuals have been arrested along with the seizure of millions of dollars and more than 30 tons of drugs and over 50 illegal drug labs.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

According to Harriet Ryan of the Los Angeles Times, the recent breach of the Azusa California Police Department not only exposed a great deal of private data on the internet – it also revealed that the Police Department had experienced another incident as recently as 2018.

The previous breach was confirmed by city officials after the paper sent queries regarding the current attack. The previous attack was a ransomware incident in which a group of foreign hackers took control of a number of servers at the department, locking them out of their own dispatch system and other data storage. This incident reportedly went on for about one week with other organizations helping to cover the city’s 911 dispatch. Eventually the cybersecurity insurance provider paid the attackers $65,000 to unlock the server running the dispatch system.

This ransom almost seems small compared to demands made in similar attacks recently. The demand made in department’s current breach was over ten times as much. Paying the $65,000 ransom allowed digital forensic examiners from the insurance provider to analyze that system and locate the keys to decrypt the rest of the affected servers without paying additional ransom. The attack was eventually traced back to a single email attachment from a spoofed message which was opened by an employee.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Jane Harper of The Virginian-Pilot recently published an article about a Norfolk, VA postal service employee who was arrested last week and charged with taking bribes and diverting packages filled with drugs. Gary Kent Turner Jr. was arrested on Monday May 24 and has been released on a personal recognizance bond.

The investigation into Turner began in May 2019 when the USPS and the Inspector General’s Office discovered that numerous packages of suspected drugs were being sent to an address on Turner’s delivery route. Hidden surveillance cameras were later installed in his postal vehicle. The surveillance footage from the vehicle and from security cameras at a local parking garage assisted in the investigation.

The footage revealed that Turner met with an individual identified as M.C. approximately 15 times from November 2019 to May of 2020. “The meetings took place at the garage and other locations along Turner’s route” writes Harper. The footage also revealed Turner receiving an envelope in exchange for giving packages to M.C., and he was often recorded counting money after the exchanges.

The investigators seized a package meant for Turner’s route in May of 2020 and discovered that it contained 3.5 pounds of marijuana. Investigators arrested M.C. weeks later and found around 3 pounds of marijuana in package, a .380 caliber pistol, and approximately $12,000 in cash.

Investigators also found numerous phone calls between Turner and M.C. The phone calls took place from July 2019 to March 2020 and seemed to have been placed before or after Turner delivered the packages. A confidential source informed investigators that Turner made $100 per package and netted $2,000 to $3,000 a month for those deliveries. The investigation also revealed that one of the addresses that packages were sent to did not exist and the other address was under renovation at the time.

Turner is currently charged with one count of bribery of a public official. That charge carries a maximum penalty of 15 years in prison.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Daniel Seiden form Bloomberg Law reports that a discovery dispute between two whistleblowers and Gilead Sciences, Inc. has emerged in a Pennsylvania federal court. The two False Claims Act whistleblowers, Chris Purcell and Kimberly Groom, are seeking spoliation sanctions against Gilead for the failure to preserve text messages for two employees.

The sanctions by the two whistleblowers stem from previous motions filed by Gilead in an April 22 court order that alleged that Purcell acted in bad faith after his own iPhone lost text messages, causing him to pay attorney’s fees and costs for an expert hired for the cellphone examination. “The court said it couldn’t conclude Purcell acted in bad faith, and therefore a sanction wasn’t appropriate” writes Seiden.

Renewed motions for sanctions were filed by Gilead on May 17, the reason being that they found “Purcell’s explanations for the missing text messages aren’t credible” states Seiden. The whistleblowers discovered that two Gilead employees had also lost text messages from their mobile phones. One employee, a former sales representative, discovered that almost all messages on her phone were gone on the eve of her deposition.

The article asserts that Gilead’s counsel had apparently known about this for several weeks. “The employee testified that neither she nor Gilead did anything to back up or save the texts during the nearly five months they were under subpoena and for more than 13 months after the whistleblowers served document requests seeking them, the whistleblowers said” writes Seiden. The messages that were produced were few and showed that the employee engaged in a fraudulent manner by recruiting a doctor and paying the doctor to participate in an advisory board.

The second claim of spoliation comes from a regional sales director at Gilead that lost all of his texts when his device was water damaged. Similarly to the previous employee, the company had done nothing to preserve the messages and the damaged phone was discarded.

The whistleblowers are seeking sanctions in the form of attorney fees, expenses for the costs incurred for the data recovery attempts, and an instruction to the jury that the deleted messages were likely relevant to the matter at hand. The whistleblowers claim that Gilead engaged in a kickback scheme to physicians for the increase in hepatitis drug prescriptions.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

According to a recent report made by New Hampshire Fish and Game, mobile forensics recently played a key role in locating one lost hiker this month.

The 24 year-old hiker had ventured into the Mount Shannon trail system mid-day on May 21^st but had not returned home or contacted any friends or family members by 6PM that evening when her husband reported her missing. Two local fire and rescue teams as well on the local police department were drafted for the initial search attempt with the Fish and Game authority being called in after several hours with no success.

Eventually, cell tower records were forensically reviewed to determine where the hiker’s phone had been throughout the day. Not only were the examiners able to determine the hiker’s movement during the day, they were able to determine that the phone had most recently been on a specific trail around the same time the missing person’s report was made. By focusing their efforts on that location rescuers were able to locate the hiker about 50 yards off that trail at about 1AM on May 22^nd.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

According to Rob Manning at OPB.org, the Centennial School District in Multnomah County, just outside of Portland Oregon, recently reported a cyberattack that prompted the district to shut down its entire computer network.

While there is never a good time for an incident like this, it comes at a particularly difficult time for the district. This is because much of the student instruction was still taking place remotely or relying on the school’s online platforms for some hybrid learning that had recently began.

Officials have reported that the attack was first uncovered when it became clear an “unknown actor” had begun encrypting files across the school’s network. This prompted the school to shut down all of their network, including their website and email, while the scope of the breach is assessed. An internal investigation has been launched and an emergency school board meeting was planned to enter into contact with a digital forensics firm to assist in dealing with the attack. The incident seems to have put learning on hold for the students for at least one week while the school struggles to deal with the situation.  

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

A Nigerian man was arrested in Washington last week after allegedly trying to leave the country. Abidemi Rufai of Lekki is being charged with stealing more than 100 Washington residents’ identities to make unemployment claims. He allegedly made around $350,000 from the elaborate scheme. Rufai was claiming the benefits from the Washington State Employment Security Department during the ongoing COVID-19 pandemic, according to Q13 Fox.

The complaint alleges that much of the evidence in this matter was located in Rufai’s email account. Special agents requested information regarding the account from Google and were handed over the account recovery SMS phone number, which linked to Rufai. After a judge ordered a search warrant for Rufai’s email account, investigators reported finding evidence of fraud.

Last year, officials announced they were temporarily suspending unemployment  benefit payments due to the discovery that criminals had obtained Social Security numbers to begin filing false claims in an attempt to collect benefits.

Tessa Gorman, acting U.S. Attorney for the Western District of Washington, stated that “ This is the first, but will not be the last, significant arrest in our ongoing investigation of Employment Security Department fraud.”

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

According to a WIRED article, an emerging threat in the cybersecurity field is gaining traction. Antivirus company Emsisost is warning customers that they have noticed multiple incidents where the attacker intentionally “layers two types of ransomware on top of each other” which acts as a double-encryption technique. Meaning, once a victim pays a ransom and receives a decryption key, their data may still be unavailable.

Brett Callow, a threat analyst an Emsisosft, says that it’s possible that victims will get notice of the double encryption before the ransom is paid. In other instances, victims will only learn about the double-encryption after they’ve paid to restore their systems from the first layer. Callow says, “we are seeing this double-encryption tactic often enough that we feel it’s something organizations should be aware of when considering their response.”

How do you decide whether to pay a ransom or not? Well, that’s a popular discussion in the cybersecurity world. There is no guarantee that your data will ever be returned after successful payment. In a Forbes article from this year, it was discovered that only 8% of organizations that paid the ransom after an attack got all their data back.

This new and emerging threat of double-encryption in ransomware attacks places a huge importance on ensuring regular backups are occurring in order to mitigate the severity of any future attacks.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

The US Attorney’s Office of the Northern District of Ohio recently released a press report detailing that Christian Ferguson of Cleveland, OH was found guilty on two counts of attempted kidnapping. Ferguson was arrested on May 8, 2020 after placing a fake distress call to law enforcement officers. The FBI apparently received a call-in complaint in April of 2020 about a violent and extremist posting made in an online chatroom. It was later determined that the poster of the comments was identified as Ferguson.

 The release states “In these postings, Ferguson expressed a desire to call in false in-progress calls to the police in order to lure law enforcement to a remote location where they could be robbed of their weapons and body armor and possibly killed.” The FBI then introduced a confidential source into the chatroom, which Ferguson controlled.

More details about Ferguson’s plot were discussed in March of 2020 on the chatroom site. Through the use of confidential sources, the FBI and other local agencies were able to thwart the plot and make the arrest. A federal jury found Ferguson guilty on May 7, 2020 of the two kidnapping charges. Ferguson’s sentencing is set to take place August 27, 2020. The Acting U.S. Attorney Bridget M. Brennan said “’The community members who reported this plan, and the federal agents who worked to prevent it, should be commended for their actions. Lives were saved.”

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Andy Greenberg from Wired reports that an attack against the Colonial Pipeline Company’s network caused them to shut down a large portion of their pipeline. The company is responsible for providing 45% of the gasoline, natural gas and diesel fuels to much of the Eastern states. The company shut down parts of pipeline in order to contain the threat against their network and systems.  Greenberg writes “The incident represents one of the largest disruptions of American critical infrastructure by hackers in history.”

A statement from Colonial Pipeline explains that the company has begun an investigation into the incident, and that its investigation is currently ongoing. The release from Colonial Pipeline, which was last updated May 9, 2020, states that the company determined that ransomware was involved in the incident. The company’s statement also indicates that they have retained leading third-party cybersecurity experts to assist in the investigation to determine the scope and nature of the incident. They are also working in conjunction with law enforcement and other federal agencies.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics