At a glance.
- New DPRK ransomware operation.
- Intelligence services targeting media organizations.
- Gangland goes to war.
- "Cyber world war."
- CISA releases 30 ICS security advisories.
A North Korean ransomware operation.
Microsoft describes an emerging North Korean ransomware operation it tracks as DEV-0530 that's using a relatively new strain of ransomware called "H0lyGh0st." The blasphemous name, Microsoft points out, is the hood's own choice, not Redmond's. DEV-0530, a provisional designation assigned until more is known about the group, is noteworthy in that it appears to be entirely financially motivated, and in that it selects small and midsized businesses as its targets. "MSTIC [the Microsoft Threat Intelligence Center] assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM."
The gang's communications with its victims and others cop an altruistic and humanitarian line, claiming to be helping its victims improve their security posture (as if they were white-hat pentesters) and to be contributing to an egalitarian leveling of rich and poor to the advantage of the poor (as if they were Robin Hood).
The group is asking for between 1.2 and 5 Bitcoin in ransom (roughly $25,000 to $104,000 at current conversion rates), but so far, Microsoft says, their wallet seems to have remained empty, even though DEV-0530 has shown a willingness to negotiate their asking price.
Pyongyang has long used cybercrime as a source of income to redress the financial pressures it labors under due to the decades of international sanctions that have crippled the DPRK's economy. It's even more difficult to separate North Korean intelligence and security services from criminal activity than it is to tell the Russian privateers apart from the Russian organs, but this latest campaign is sufficiently ambiguous to suggest that it might be the work of a gang that's obtained access to some state actors' tools, or even the work of state actors who are moonlighting for personal gain. North Korean state actors have usually cast a broader net; DEV-0530 seems more tightly focused in its target selection. The activity remains under study, but in the meantime Microsoft has offered indicators of compromise and some advice for defenders.
Media organizations targeted by state actors.
Late yesterday Proofpoint released a study of recent activity by state actors directed against media organizations. The researchers find that China, North Korea, Turkey, and Iran have been particularly active in prospecting media organizations. "Proofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives." Journalists' social media accounts have been of particular interest to the threat groups.
Criminal gangs at war.
The most notorious early adherent to the Russian cause among the cyber gangs was the now (possibly) defunct, dispersed, and rebranded Conti, which on February 25th announced its "full support of the Russian government" and promised to use all the resources at its disposal against enemy infrastructure. This prompted a wave of doxing in which disaffected and possibly foreign Conti collaborators released the gang's internal chatter through their @ContiLeaks account. Cyjax, which was following developments, notes, "This leak caused significant unrest within the group, with the @ContiLeaks account itself tweeting: 'We know everything about you Conti, go to panic, you can['t] even trust your gf, we against you!'" Conti itself did a bit of back-pedaling for damage control, backing down from its promises of unconditional cyber war to a more measured claim that it would only target Western warmongers, but the reputational damage had been done, and may have contributed to the gang's subsequent occultation.
On March 4th, shortly after Conti's ill-advised patriotic screed, researchers at Cyjax noticed another leak-and-dump operation targeting a different Russian gang: Trickbot. The leakers tweeted under the name @trickleaks, and the main point of their doxing was to expose the close connection between Trickbot's criminal operators and Russia's FSB security service. @trickleaks announced itself to the world with the tweet, “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk).” The close collaboration between gangland and the Russian security service isn't surprising, but the degree of organization and interconnection among apparently disparate criminal groups is, Cyjax thinks, useful news that will help organizations defend themselves against organized cybercrime in the future. Gangland seems to have more mutual dependencies than had been generally appreciated.
A "cyber world war?"
The name seems a bit overheated, and a cyber war isn't, after all, as damaging as a full kinetic war (even when cyber attacks have kinetic effects), but in terms of scope the name doesn't seem too far off.
For example, Canada's Communications Security Establishment (CSE) yesterday warned that the current Russian cyber threat is not to be underestimated. The National Post quotes a CSE report as saying, “the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources.” The most immediate threat is heightened cyberespionage, but attacks against critical infrastructure are also held to be a real possibility. Canada has been an early, consistent, and strong supporter of Ukraine during the present war. Canada is also home to a large Ukrainian diaspora.
Politico has a long interview with Yurii Shchyhol, who directs Ukraine's State Service of Special Communications and Information Protection, the SSSCIP, which Politico describes as roughly equivalent in terms of its responsibilities to the US Cybersecurity and Infrastructure Security Agency (CISA). The article aims to describe what it characterizes as a generally successful Ukrainian defensive effort in cyberspace, and summarizes the Ukrainian view of how to fight Russia in cyberspace: first of all, isolate it, and deny it access to resources and technology.
Tracing the history of the cyber phases of the hybrid war, Shchyhol said that Russia's cyber campaign preceded the physical invasion by more than a month. "For Ukrainians, the first cyber world war started on Jan. 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged." Attacks against Viasat ground terminals disabled the satellite-borne Internet provider a matter of hours before the invasion itself.
Shchyhol thinks the Russian cyber campaign has been well-resourced, but also that it's used familiar tools: "In terms of their technical capabilities, so far the attackers have been using modified viruses and software that we’ve been exposed to before, like the “Indestroyer2” virus, when they targeted and damaged our energy station here. It’s nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well-sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it." He emphasized the importance of denying Russia access to the "civilized world's" security companies and IT infrastructure, and in restricting Russia's participation in international IT organizations like the International Telecommunications Union.
He had some interesting if guarded disclosures about the help Ukraine is receiving from NSA and US Cyber Command:
"It’s an ongoing, continuous war, including the war in cyberspace. That’s why I won’t share any details with you, but let me tell you that we do enjoy continuous cooperation. There is a constant synergy with them, both in terms of providing us with the assistance that we need to ensure proper protection and safety of our websites and our cyberspace, especially of government institutions and military-related installations, but also they help us with their experts, some of whom are on-site here in Ukraine and are providing on-going consultations.
"Like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance, of those supplies, will only increase because only in this manner can we together ensure our joint victory against our common enemy."
Above all, Shchyhol warns against any relaxation of vigilance. He expects the war to continue, and that operational pauses happen in cyberspace much as they do in physical space:
"That’s why we all have to be ready for the following scenario to unfold: Those western countries and companies that are supporting the Ukrainian fight against Russia will be and are already under the constant threat of cyberattacks. This cyberwar will continue even after the conventional war stops.
"The fact that in the last two months there was a relative lull in the number and quality of cyberattacks of our enemy, both against Ukraine and the rest of the world, only follows the usual Russian tactics, which are that they are accumulating efforts and resources, readying themselves for a new attack which will be coming. It will be widespread, probably global. Right now our task here is not to miss it, to stay awake and aware to that threat."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
CISA releases thirty ICS security advisories.
Yesterday afternoon the US Cybersecurity and Infrastructure Security Agency (CISA) released an unusually large number of ICS advisories, thirty in all. They include one mitigation for a vulnerability in an Open Design Alliance system. The other twenty-nine involved Siemens products.