At a glance.
- High-end and low-end extortion.
- Hacking Hondas (and maybe others)?
- Social media and open-source intelligence.
- Russian cyberattacks spread internationally.
- Preparing for cyber combat.
High-end and low-end cyber extortion.
Resecurity has reported that the BlackCat gang, also known as ALPHV, is upping its ransom demands, and that it's also following what Resecurity calls a “quadruple extortion” model. It encrypts victims' files and threatens to release sensitive stolen data (the now familiar double-extortion approach), but then goes on to add two more attacks. One of these is distributed denial-of-service (DDoS); the other is "harassment," a campaign of contacting the victims' “customers, business partners, employees, and media to tell them the organization was hacked.” BleepingComputer reports that a feature of this newer, polyvalent approach is the provision of a searchable database of non-paying victims, the better to expose them to reputational damage.
BlackCat represents the high end of the ransomware-as-a-service C2C market. There are still many other extortion scams in circulation, however, that are much simpler and require far less talent and attention to detail. Researchers at Sygnia, for example, report on the activities of LunaMoth, an operation so low-end that one hesitates even to call it "ransomware." LunaMoth uses commodity RATs against its victims (and it does so opportunistically, with little evidence that it's phishing for particular targets). It doesn't bother encrypting data, and relies simply on the threat of doxing to extort payment.
Hacking Hondas (and others)?
Researchers claim to have demonstrated a proof-of-concept they're calling "Rolling-PWN" that affects the remote keyless entry systems in Honda models between 2012 and 2022. They say the exploit (which has been assigned the designation CVE-2021-46145) takes advantage of the keyless entry systems' rolling code system, which uses a synchronizing counter to prevent replay attacks. The rolling code system accepts, the researchers say, "a sliding window of codes" to account for the keyfob being pressed accidentally, or when it's out of range of the vehicle. "By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once [the] counter [is] resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will." The researchers worked on Hondas, but they think it likely that other makes are also vulnerable.
While there are some reports of others replicating these results, they remain controversial. Honda, for one, doesn't believe it, according to BleepingComputer. A statement Honda gave Vice dismissed the proof-of-concept as "old news." Honda added, in an email to Vice, “Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing. We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
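To make the rolling-code weakness described above concrete, the following is a constructed Python model of a receiver's acceptance logic. It is an added example, not Honda's code, not the researchers' proof-of-concept, and not any real key fob protocol: the code derivation (a truncated HMAC over the counter), the window sizes, and the two-consecutive-codes resync rule are all assumptions chosen for illustration. It contrasts a receiver whose resync search can rewind the counter with one whose counter only ever moves forward. The defensive point is the invariant: once the receiver has accepted counter N, nothing at or below N may ever be accepted again, resync included.

```python
"""Toy model of rolling-code receiver logic (constructed; not a vendor implementation)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret; a real fob and receiver share a per-device key.
SHARED_KEY = b"constructed-demo-key"


def rolling_code(counter: int) -> bytes:
    """Toy code derivation: truncated HMAC over the counter (an assumption, not a real fob format)."""
    return hmac.new(SHARED_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


@dataclass
class Fob:
    counter: int = 0

    def press(self) -> bytes:
        """Each press advances the counter and transmits only the derived code."""
        self.counter += 1
        return rolling_code(self.counter)


def find_counter(code: bytes, lo: int, hi: int) -> Optional[int]:
    """Return the counter in [lo, hi] whose code matches, or None (empty range -> None)."""
    for c in range(lo, hi + 1):
        if hmac.compare_digest(rolling_code(c), code):
            return c
    return None


@dataclass
class WeakReceiver:
    """Sliding window plus a resync rule whose search may land BELOW the current counter."""
    last: int = 0
    window: int = 16
    resync_range: int = 256
    pending: Optional[int] = None  # first half of a consecutive pair seen during resync

    def receive(self, code: bytes) -> bool:
        c = find_counter(code, self.last + 1, self.last + self.window)
        if c is not None:
            self.last, self.pending = c, None
            return True
        # Defect: the resync search starts at 1, so a pair of old consecutive codes
        # can rewind `last`, making an earlier counter cycle valid again.
        c = find_counter(code, 1, self.last + self.resync_range)
        if c is not None and self.pending == c - 1:
            self.last, self.pending = c, None  # counter may move backwards here
            return True
        self.pending = c
        return False


@dataclass
class HardenedReceiver:
    """Same structure, but the counter is monotonic: nothing at or below `last` is accepted."""
    last: int = 0
    window: int = 16
    resync_range: int = 256
    pending: Optional[int] = None

    def receive(self, code: bytes) -> bool:
        c = find_counter(code, self.last + 1, self.last + self.window)
        if c is not None:
            self.last, self.pending = c, None
            return True
        # Resync searches forward only; counters <= last are never candidates.
        c = find_counter(code, self.last + self.window + 1, self.last + self.resync_range)
        if c is not None and self.pending == c - 1:
            self.last, self.pending = c, None
            return True
        self.pending = c
        return False


def scenario(receiver) -> dict:
    """Capture three early codes, let the fob run far ahead, resync, then replay the captures."""
    fob = Fob()
    recorded = [fob.press() for _ in range(3)]            # codes for counters 1..3
    for code in recorded:
        receiver.receive(code)                             # receiver now tracks counter 3
    for _ in range(40):                                    # fob pressed out of range: far ahead
        fob.press()
    live = [receiver.receive(fob.press()) for _ in range(2)]   # counters 44, 45 trigger resync
    replays = [receiver.receive(code) for code in recorded]    # stale codes presented in order
    return {"live": live, "replays": replays, "last": receiver.last}


if __name__ == "__main__":
    print("weak:    ", scenario(WeakReceiver()))      # replays accepted, counter rewound to 3
    print("hardened:", scenario(HardenedReceiver()))  # replays rejected, counter stays at 45
```

Both receivers resynchronize on the two live presses (the second of the pair is accepted), so the forward-only rule costs no usability in this model. The difference appears on the replayed captures: the weak receiver rewinds its counter to 2 and then accepts counter 3 as if it were fresh, while the hardened receiver rejects all three and remains at 45. A review of any windowed-counter design should check that same property: the stored counter must never decrease, whatever the resync path.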
Social media and open-source intelligence.
The Telegraph cites a blogger accompanying Russian forces in Ukraine in support of its conclusion that NATO-supplied HIMARS rocket artillery systems have been "striking fear" into Russian troops: “'Yesterday I happened to witness a Himars strike on Chernobayevka in Kherson, practically in front of my eyes,' Roman Saponkov, a Russian military blogger embedded with frontline Russian forces wrote on Telegram on Monday. 'I’ve been under fire many times, but I was struck by the fact that the whole packet, five or six rockets, landed practically on a penny,' he wrote on Telegram. 'Usually MLRS lands in a wide area, and at maximum range it completely scatters like a fan. It makes an impression, I won’t dispute that. It is clear this is just the beginning,' he added. 'They are going to hammer Kherson and other border cities, Belgorod in particular. They will cover all the command posts and military installations they have gathered data on for the past four months.'” Mr. Saponkov sensibly advises his readers that a single wonder weapon is rarely a war-winner, but his comments on the effects of HIMARS fire are striking, and suggest the difficulty of moderating communication in social media, even where there's a strong motivation to do so, and a tradition of censorship to draw upon.
Open-source intelligence has played a prominent role in the special military operation from the outset. On the eve of the invasion, for example, foreign observers had a tolerably complete and realistic picture of the Russian order of battle, based on posts by Russian soldiers and, for example, by curious Belarusian civilians posting photos of Russian combat vehicles staging through their towns. (The bumper numbers on the vehicles were often clearly visible.) This new opsec challenge is one all armies will henceforth face, to one degree or another. Clearance Jobs quotes security experts on the challenge. Their comments don't neglect the effect too much information can have on servicemembers' careers, but the broader opsec lessons are also clear. Domnick Eger, field chief technical officer (CTO) at Anjuna Security, said, “The advent of social media has created a whole other realm of over-sharing, tracking, and personal opinion narrative that can affect servicemembers’ careers and impact future endeavors and possible backlash around unpopular topics." Cybrary's chief impact officer Chloé Messdaghi cautioned that, “Service members must be aware of everything you post and have good device, platform and network security practice. One example of each of these might be, for example, requiring device logons that expire quickly when the device is inactive, keep your social media accounts private and be sure you know who you’re accepting and sharing content with, and don’t use public Wi-Fi without a VPN.”
Social media have largely replaced the traditional soldiers' letter home, and armies have yet to come to grips with the new media's immediacy, and the difficulty of controlling the way information transits them.
Russian cyberattacks spread internationally.
Killnet, the threat actor that represents itself as a hacktivist tendency operating in the patriotic interest of Russia but not under the control of Moscow's security services, has extended its distributed denial-of-service (DDoS) attacks to Polish government sites, the Express reports. As was the case with earlier operations against Lithuania, the most recent DDoS attacks didn't rise above the level of a nuisance. Poland has strongly supported Ukraine both since the invasion and during the tensions that preceded Russia's war.
Margiris Abukevicius, Lithuania's vice minister of national defense, according to Delphi, while emphasizing that the DDoS attacks had a negligible effect on the country's IT infrastructure, cautioned that they're not to be dismissed, either. Cyberattacks of this kind are aimed at exerting influence quite apart from their effectiveness at disrupting networks. The audience, Mr. Abukevicius says, is at once both foreign (in Lithuania) and domestic (in Russia). The desired effect in Lithuania is erosion of confidence, leading Lithuanians to lose faith in their country's ability to protect itself in cyberspace. He also sees increased friction as a Russian goal: one aim of the cyberattacks is to "increase tension." The desired effect in Russia is the projection of an image of power, and the communication of an assurance that Russia's enemies will be punished.
Even talking about the incidents carries a cost to the victim, Mr. Abukevicius said. "We need to understand that publicity is a very important part of these attacks. If we don't talk about them, the other side will lose motivation. When we talk, when we talk about alleged victories, about alleged punishment of Lithuania, it's motivating the other side." He went on to urge that Russian cyber operations be kept in perspective. "We in Lithuania should not be so hooked on this and we often hear that the sky has been falling here for the last three weeks. It’s definitely not. Yes, we have attacks, some of them disruptive, but we don't see those incidents or those efforts that don't achieve any goal and don't affect the delivery of services at all. There are also many of those, and I think that's what we should say: that despite the effort, despite the coordination, the impact of these attacks is small."
Preparing for cyber combat.
The hybrid war Russia initiated against Ukraine has prompted considerable reflection on how one might train and organize the people who can carry out the defensive and offensive tasks the cyber phases of such a war involve. The CipherBrief describes a high-end, alliance-based approach. An essay by Rear Admiral (Retired) Mark Montgomery, a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, and his co-author Jiwon Ma (also at CCTI) commend three steps the US should consider as it seeks to build cyber operational capacity:
"First, improving the overall capacity of allies and partners to prevent, mitigate, and recover from cyberattacks can enhance U.S. economic stability and national security. For instance, to pressure Taiwan to cease resisting Beijing’s push toward unification, China could attack key supply chains, such as those for global semiconductors. Washington would then face a choice between abandoning a key partner or a global economic meltdown. But capacity building efforts such as CYBERCOM-led hunt forward operations could increase Taiwan’s cyber resilience, enabling Taipei to fend off a Chinese attack that would otherwise harm U.S. national security and the global economy.
"Second, cyber capacity building programs help the critical infrastructure of allies and partners, including electrical power grids, water systems, rail lines, ports, and airfields, to remain operational in the face of adversarial attacks — enabling U.S. armed forces to rely on this infrastructure to conduct military operations if necessary.
"Finally, a collective approach can reduce the burden on one nation by sharing information and intelligence on ongoing cyber threats. Collective action also carries more weight, particularly in enforcing cyber norms. For example, as the European Union and its member states condemned Russia’s malicious cyber activity against Ukraine, it also reaffirmed its political and financial support to Kyiv to strengthen Ukraine’s cyber resilience."
There's also a bottom-up, partisan approach to the challenge. The Record by Recorded Future describes the work of Nikita Knysh, a former employee of Ukraine’s Security Service (SBU) and founder of the cybersecurity consultancy HackControl, who has been providing Ukrainians with both advice on self-protection (how to use anti-virus programs, how to use a VPN, etc.) and tips on conducting offensive cyber operations against the Russian enemy (mostly instructions on mounting distributed denial-of-service attacks). Mr. Knysh sees this as a contribution to guerrilla war against the invader. He dismisses the concerns some have raised about the risks of encouraging hacktivism, even in wartime. “Not attacking your enemy in cyberspace is stupid. In the past, soldiers destroyed logistics and production facilities, but now they also attack technology and information.”
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.