Investigation into the incident, which may have been caused by a successful phishing attack, is still underway, officials reported, noting that recovery of the impacted law enforcement systems is being prioritized.
Intrusions involved the use of the domain crowdstrike-office365[.]com to lure users into downloading a supposed recovery tool for the update-related boot loop issue; the download actually delivers a malware loader.
The arrest was based on suspected blackmail and Computer Misuse Act violations and also resulted in the seizure of the teen's digital devices.
Intrusions conducted by PatchWork began with the distribution of a malicious LNK file that downloads a decoy PDF to conceal the deployment of Brute Ratel C4 and PGoShell malware.
Attackers sent phishing emails carrying a malicious Word attachment that copies the text of Microsoft's support bulletin on its Recovery Tool for outage-hit devices; the document contains macros which, when enabled, download a DLL file.
Cybersecurity researcher g0njxa and AnyRun reported intrusions that offered a fraudulent fix for the issue in order to deploy the Remcos RAT.
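The lures above share one trait a defender can hunt for: a brand-impersonating domain (such as crowdstrike-office365[.]com) serving a "fix" download. The following is an added example, not code from the original report or from any of the named researchers, that flags such lookalike hostnames in proxy log lines. The log lines, the allowlist of legitimate domains and the simplified registrable-domain logic are constructed assumptions for illustration; a production version should use the Public Suffix List and the organization's own allowlist.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the original report):
# timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2024-07-20T10:01:02Z 10.0.0.12 https://www.crowdstrike.com/blog/statement-on-falcon-content-update/
2024-07-20T10:03:15Z 10.0.0.31 https://crowdstrike-office365.com/recovery-tool.zip
2024-07-20T10:05:44Z 10.0.0.31 https://support.microsoft.com/en-us/topic/recovery-tool
2024-07-20T10:07:09Z 10.0.0.44 http://crowdstrike.fix-update.example/installer.exe
"""

# Brands whose recovery tooling was impersonated in the lures described above.
WATCHED_BRANDS = ("crowdstrike", "microsoft")

# Assumed legitimate registrable domains for those brands (extend for your environment).
LEGITIMATE_DOMAINS = {"crowdstrike.com", "microsoft.com"}


def registrable_domain(host):
    """Simplified registrable domain: the last two DNS labels.

    Adequate for .com-style suffixes used here; real deployments should
    consult the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True if the host mentions a watched brand but is not under a legitimate domain."""
    host = host.lower()
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    return any(brand in host for brand in WATCHED_BRANDS)


def refang(indicator):
    """Turn a defanged indicator (crowdstrike-office365[.]com, hxxp://...) into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_line(line):
    """Split one constructed log line into (timestamp, client, split URL)."""
    ts, client, url = line.split(None, 2)
    return ts, client, urlsplit(url.strip())


def find_lookalike_hits(log_text):
    """Return (client, hostname, path) for every request to a brand-lookalike host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, parts = parse_line(line)
        if parts.hostname and is_lookalike(parts.hostname):
            hits.append((client, parts.hostname, parts.path))
    return hits


if __name__ == "__main__":
    for client, host, path in find_lookalike_hits(SAMPLE_LOG):
        print(f"lookalike download: client={client} host={host} path={path}")
```

Matching on a brand substring is deliberately broad; the allowlist is what keeps legitimate traffic out, so the allowlist must be curated rather than inferred from observed traffic.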