At a glance.
- Space Pirates interested in Russia's aerospace sector.
- Lazarus Group exploits Log4j vulnerabilities.
- Crypters in the C2C market.
- Nikkei Asia discloses ransomware attack.
- Canada to exclude Huawei from 5G infrastructure.
- CISA issues ICS advisory.
- Clawing back ad fraud proceeds.
- Fronton botnet as a disinformation machine.
- Continuing expectations of escalation in cyberspace.
"Space Pirates" interested in Russia's aerospace sector.
Security Affairs reports that a cyberespionage group, “Space Pirates,” is targeting the Russian aerospace industry. Active since at least 2017, the group is believed to be associated with China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Positive Technologies discovered the attacks in 2019 targeting a Russian aerospace enterprise. They've seen the malware reappear in 2020 against Russian government organizations, and again in 2021 against another Russian enterprise. Positive Technologies stops short of directly attributing the activity to Beijing, but circumstantial evidence points in that direction.
Check Point has also observed the activity, and they're not reticent about either attribution or identifying victims. A report yesterday "details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT. In the below blog, the researchers reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads, including previously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques." They think the activity bears significant similarities to earlier campaigns by Twisted Panda.
Lazarus Group undertakes new Log4j exploitation.
North Korea’s Lazarus Group is exploiting the Log4j vulnerability to target unpatched VMware Horizon Apache Tomcat servers, BleepingComputer reports. Researchers at ASEC observed the attacks last month, saying the attackers are deploying either the NukeSped backdoor or the Jin Miner cryptominer on the compromised servers. In the cases where NukeSped was used, the goal of the attack was assessed to be information gathering.
Crypters in the C2C market.
IBM X-Force researchers have analyzed thirteen crypters created by cybercriminal group ITG23 that have been used with malware by ITG23 and its third-party distributors. Crypters are applications that encrypt and obscure malware so that it isn’t detected by antivirus software and malware analysts. One crypter has seen repeated use with the Qakbot banking Trojan, with one notable appearance with the Gozi banking Trojan. X-Force found evidence that ITG23 had been scaling up their crypter efforts by mid-2021, with some used by Emotet and IcedID malware, which suggests a possible link between ITG23 and Emotet and IcedID operators.
Nikkei Asia discloses ransomware attack.
BleepingComputer reports that media giant Nikkei’s Singapore headquarters fell victim to a ransomware attack on May 13. Nikkei disclosed that it had detected unauthorized server access on May 13. The company said it "immediately shut down the affected server and took other measures to minimize the impact." The company is investigating whether customer data were compromised, but says there’s so far no evidence of data loss.
Canada to exclude Huawei from 5G networks on security grounds.
Reuters reports that Canada will join the other members of the Five Eyes in banning Huawei from its 5G infrastructure. "We intend to exclude Huawei and ZTE from our 5G networks," Industry Minister Francois-Philippe Champagne said. "Providers who already have this equipment installed will be required to cease its use and remove it under the plans we're announcing today."
CISA issues ICS advisory.
Clawing back ad fraud proceeds.
The US Department of Justice reported Wednesday that it has recovered just over $15 million taken in an international fraud scheme. The Record by Recorded Future reports that the scheme, “3ve” or “Eve,” used a botnet of infected computers that the actors accessed remotely, running hidden browsers to generate fake web traffic to the websites involved so as to fraudulently collect advertising payments from December 2015 through October 2018. The scheme was concocted by Sergey Ovsyannikov, Yevgeniy Timchenko, and Aleksandr Isaev. Ovsyannikov and Timchenko, both Kazakh citizens, were arrested in 2018 and pleaded guilty in 2019. Isaev, a Russian citizen, is still at large.
The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Fronton botnet shows versatility.
Fronton, a botnet allegedly built by a subcontractor of Russia’s Federal Security Service (FSB), is much more versatile than initially thought, ZDNet reports. When the botnet was first exposed by a hacktivist group in 2020, its primary goal was presumed to be launching DDoS attacks. Now, researchers at Nisos say the botnet is more properly viewed as “a system developed for coordinated inauthentic behavior on a massive scale.” Nisos explains that Fronton “includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse.”
Continuing expectations of escalation in cyberspace.
Microsoft President Brad Smith, speaking yesterday in London at the Microsoft Envision conference, renewed calls for laws of conflict in cyberspace, Infosecurity Magazine reports. The rules he envisions are essentially transpositions of traditional jus in bello considerations: proportionality, discrimination, and the avoidance of perfidy. They're none the less sound for being familiar. Smith sees the hybrid war in Ukraine as having lent new urgency to the development of international norms.
The cyber phases of Russia's hybrid war have shown some correlation with kinetic operations, but less than many had expected. PCMag describes the ways in which cyber operations appear to have been conducted without close coordination with conventional forces.