At a glance.
- ESET identifies new version of Sandworm loader.
- Sanctions and cyberattacks against Russia.
- Killnet boasts of ops against Italy.
- Conti's dissolution.
- US Cyber Command is twelve years old.
New loader identified in wiper campaigns.
The GRU's Sandworm group, ESET reports, has deployed a new version of its ArguePatch loader. ArguePatch had seen previous use in both Industroyer and CaddyWiper attacks against Ukrainian targets. "The new variant of ArguePatch – named so by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY – now includes a feature to execute the next stage of an attack at a specified time. This bypasses the need for setting up a scheduled task in Windows and is likely intended to help the attackers stay under the radar."
President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity.
Reuters reports that on Friday President Putin complained to his security council that cyberattacks against Russia had increased. Mr. Putin also criticized the way in which sanctions had affected the country's IT capabilities. "Restrictions on foreign IT, software and products have become one of the tools of sanctions pressure on Russia. A number of Western suppliers have unilaterally stopped technical support of their equipment in Russia." Russia needs, President Putin says, to shore up its cyber defenses, but he put a bold face on the situation, as Mashable quotes him: "Already today we can say that cyber aggression against us, as well as in general the sanctions attack on Russia, have failed."
Killnet crows large over Italian operations.
The Wall Street Journal reports that, even as Italian police sought to verify Killnet's claims of responsibility for attacks against various Italian websites, the Russian hacktivist group (at least a nominal, deniable, hacktivist group) claimed in its Telegram channels to have "killed Italy like a mosquito." Anonymous has taken official notice (in its decentralized, anarcho-syndicalist way). Infosecurity Magazine reports that Anonymous claims that it's "declared war" on Killnet. "The #Anonymous collective is officially in cyber war against the pro-Russian hacker group #Killnet," the group tweeted, adding "R.I.P. killnet [dot] ru."
The preceding sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Conti's dissolution doesn't mean its operators' disappearance.
AdvIntel on Friday described what it's observing with the Conti ransomware operation as the retirement of a brand, but not necessarily the dissolution of a gang, and almost certainly not the retirement of the gang's members. The admin panel of its "shame blog" (AdvIntel's phrase), Conti News, has shut down. The blog itself persists as a rump of its former self, but its posts are now merely poorly written anti-American screeds. There are no significant signs of Conti News's former role as a site that pressured victims to pay. AdvIntel sees the gang's dismantling itself into smaller affiliates as a business move. Conti's brand was under pressure from law enforcement, and its public adherence to the Russian cause in the war against Ukraine seems to have made it more difficult to receive ransom payments. Its high-profile attack against the Costa Rican government, then, seems to have been misdirection for spin-out and rebranding, as opposed to a serious attempt to foment insurrection.
Breaking into smaller groups has both business and security advantages, as the Record observes. But AdvIntel sees the root cause of Conti's decision in the toxicity the brand had developed. "This situation presents the first, and foremost reason for Conti's timely end—toxic branding. Indeed, the first two months of 2022 left a major mark on the Conti name. While there is no tangible evidence to suggest that the well-known Conti leaks had any impact on the group's operations, the event which provoked the leak—Conti's claim to support the Russian government, seems to have been the fatal blow for the group, despite being revoked almost immediately." Conti alumni will no doubt, however, continue to enjoy the toleration and enablement that the Russian government has long extended to privateers operating from its territory. As long as they hit enemies of the regime and stay deniable, the gangs will be permitted to profit.
Why did Conti choose Costa Rica for its last hurrah? The country was a target of opportunity, TechCrunch explains. Its online services were wreckable, and there was money to be made from wrecking them, and so Conti...wrecked them.
Happy birthday, US Cyber Command.
Cyber Command dates its founding to May 21st, 2010, when two task forces merged under US Strategic Command. Since then it's grown into a "full-spectrum" Combatant Command. Happy twelfth birthday.