US indicts six alleged Sandworm hackers.
The US Justice Department announced on Monday the unsealing of an indictment against six Russian GRU officers belonging to unit 74455, a group known to the industry as Sandworm. The indictment alleges a wide-ranging conspiracy that wanders from Ukraine’s power grid, through NotPetya, to the Winter Olympics in South Korea, and all the way to elections in France and other countries:
"The defendants, Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), 32; Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), 35; Pavel Valeryevich Frolov (Павел Валерьевич Фролов), 28; Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), 29; Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), 27; and Petr Nikolayevich Pliskin (Петр Николаевич Плискин), 32, are all charged in seven counts: conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Each defendant is charged in every count."
In the present indictment, the Justice Department notes that, while it previously indicted members of the Sandworm unit for election-related attacks, in this case they're being called out for actions related to the disruption of Ukraine’s power grid and the subsequent NotPetya destructive attack that spilled far beyond Ukraine. NotPetya had worldwide effects, "shutting down companies and causing immense harm." The Justice announcement points out that for three US victims, damages exceeded a billion dollars, and that, globally, the transportation and healthcare sectors were especially targeted. The indictment, Justice says, "lays bare Russia’s activities to disrupt the internal politics of other countries."
Justice is particularly hard on the Sandworm team, describing the conspirators' actions on behalf of the Russian government as "irresponsible," more like the activities of "a petulant child" than of a responsible government. Bellingcat's Aric Toler points out that three of the six defendants had registered their cars to their GRU unit's physical address, which BankInfoSecurity calls "an epic OPSEC problem." Interestingly, the indictment also highlights how some of the defendants engaged in cybercriminal activity for personal profit.
Cisco’s Talos Group, Facebook, Twitter, and Google were thanked for their cooperation in the investigation, as were "Ukrainian authorities, the Governments of the Republic of Korea and New Zealand, Georgian authorities, and the United Kingdom’s intelligence services, as well as many of the FBI’s Legal Attachés and other foreign authorities around the world."
Treasury sanctions Russian research institution over TRISIS.
The US Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for its alleged role in developing the TRISIS/Triton malware, which was designed to disable specific industrial safety systems. The malware was deployed against a Saudi petrochemical plant in 2017, but was thwarted by the plant's additional safety measures. Had the malware worked as intended, it could have caused physical destruction and potentially loss of life. The Treasury Department also emphasizes that, "In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities."
Dragos's Rob Lee stated that "This style of sanctioning is significant and honestly entirely appropriate against those involved in the first ever cyber attack to intentionally try to kill people in civilian infrastructure."
UK says Russia planned to target 2020 Olympics.
The Guardian reports that the UK's National Cyber Security Centre (NCSC) has disclosed that, working with its Five Eyes partner, the US NSA, it discovered and tracked Russian plans to interfere with the (postponed) 2020 Tokyo Olympics. Foreign Secretary Dominic Raab said, "The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms. The UK will continue to work with our allies to call out and counter future malicious cyber-attacks."
The Tokyo Games' organizing committee told the Guardian, "Tokyo 2020 sees cyber security as an important aspect of hosting the Games, and the Tokyo 2020 organising committee has been taking a range of measures and making thorough preparations. Although we are not able to disclose details of the countermeasures due to the nature of the topic, we will continue to work closely with the relevant organisations and authorities to ensure that they are thoroughly implemented."
The US Justice Department didn't include any operations against the Tokyo Olympics in the indictment it unsealed on Monday, and declined in its press conference to comment on the matter.
Updates on efforts to disrupt Trickbot.
CrowdStrike said late last week that the Trickbot botnet had recovered quickly from government and industry efforts to disrupt it, and that while the operation had "a definite impact on the TrickBot network....the impact of the disruption operation was manifested as a short-term setback." Intel 471 stated that "disruption operations against Trickbot are currently global in nature and have had success against Trickbot infrastructure. Regardless, there still is a small number of working controllers based in Brazil, Colombia, Indonesia and Kyrgyzstan that still are able to respond to Trickbot bot requests." Ars Technica summarizes how the botnet's structure makes it resilient against takedown efforts.
Microsoft on Tuesday issued an update on its ongoing attempts to fight the botnet, asserting that it was seeing success in its efforts and noting that these are temporary measures designed to impede ransomware attacks ahead of the US election:
"As expected, the criminals operating Trickbot scrambled to replace the infrastructure we initially disabled. We tracked this activity closely and identified 59 new servers they attempted to add to their infrastructure. We’ve now disabled all but one of these new servers. In sum, from the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world. To be clear, these numbers will change regularly as we expect action we’ve already taken will continue to impact the remaining infrastructure and as we and others continue to take new action between now and the election."
Microsoft added that it obtained more court orders to disable Trickbot's new infrastructure, and that it will continue to do so until election day. The company also notes, "What we’re seeing suggests Trickbot’s main focus has become setting up new infrastructure, rather than initiating fresh attacks, and it has had to turn elsewhere for operational help." Microsoft concludes that "it will be important to focus on the collective impact to Trickbot’s capabilities between now and the election, rather than to focus on potentially misleading simplified snapshots from any single moment in time."
Iranian operators linked to attempted election influence.
The US Director of National Intelligence on Wednesday said that threatening emails received by voters in several states were the work of Iranian threat actors, the AP reports. Both KnowBe4 and Proofpoint have published discussions of the emails. The text looked much like that found in sextortion phishing, except that in this case the threat conveyed was that the attackers knew who the voters were, where they lived, and would visit them with violence if they did not vote for President Trump’s reelection.
We asked KnowBe4, when they sent us their analysis, if this didn’t amount to phishing without the phish hooks. "As for CyberWire’s question, they’re correct,” KnowBe4 told us. “At first glance, this does appear to be a phishing email, as it resembles classic 'sextortion' emails that are now very common. That said, there are no malicious links or attachments, and no demands for money. The email mainly demands votes and changes of voter registration.”
The senders claimed to represent the Proud Boys, a white supremacist fringe group, but that claim was quickly disavowed and debunked. The threat the emails conveyed is also no more credible than the threats conveyed by sextortion scams. The intent appears to have been disruptive. Whatever Tehran takes its interests to be, as Defense One notes, the reelection of President Trump is unlikely in the extreme to figure among them. FireEye's John Hultquist commented that the incident represents "a fundamental shift in our understanding of Iran's willingness to interfere in the democratic process. While many of their operations have been focused on promoting propaganda in pursuit of Iran’s interests, this incident is clearly aimed at undermining voter confidence."
Reuters reports that a "dumb mistake" on the part of the threat actors allowed the US to publicly attribute the campaign to Iran. Some of the emails contained a video, apparently created by the hackers themselves, which showed a dramatization of someone hacking a voter registration system. The computer screen visible in this video displayed what was supposed to be taken as boilerplate hacking code, but which actually revealed IP addresses, filenames, and other data that were tied to previous Iranian hacking operations. An unnamed US government official told Reuters, "We are not concerned about this activity being some kind of false flag due to other supporting evidence. This was Iran."
The US Treasury Department on Thursday also announced sanctions on five Iranian entities for attempting to influence the US elections. Treasury said the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF), and Bayan Rasaneh Gostar Institute were designated "pursuant to Executive Order (E.O.) 13848 for having directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign interference in the 2020 U.S. presidential election. The Iranian Islamic Radio and Television Union (IRTVU) and International Union of Virtual Media (IUVM) were designated pursuant to E.O. 13848 for being owned or controlled by the IRGC-QF." The Treasury Department stated that the Bayan Gostar Institute has been pushing propaganda on behalf of the IRGC-QF: "In the months leading up to the 2020 U.S. presidential election, Bayan Gostar personnel have planned to influence the election by exploiting social issues within the United States, including the COVID-19 pandemic, and denigrating U.S. political figures."
For more, see the CyberWire Pro Disinformation Briefing.
MuddyWater tied to wiper disguised as ransomware.
Researchers at ClearSky have observed a new campaign attributed to MuddyWater (also known as Static Kitten or Seedworm), a threat actor believed to be a contractor working on behalf of Iran's Islamic Revolutionary Guard Corps. ClearSky says the actor is targeting "many prominent Israeli organizations" with destructive wiper malware disguised as ransomware. The researchers link the operation to a recent report from Palo Alto Networks, which described a destructive variant of the Thanos ransomware designed to overwrite an infected system's Master Boot Record (the same technique used by NotPetya).
ClearSky notes that, while other Iranian threat actors have been known to launch destructive attacks (most notably using the Shamoon wiper), MuddyWater has traditionally focused on espionage. The researchers say this is "the first known instance of a potentially destructive attack executed by MuddyWater." They add, "It is possible that due to the advancing confrontation with Israel, and simply developments of attack methods over time, that the group had undergone an organizational\strategic evolution (or simply received new instructions) into destructive attacks."
For more, see the CyberWire Pro Research Briefing.
Ransomware gangs continue to engage in data theft.
Digital Shadows has released a report on ransomware trends in Q3 2020, finding that more ransomware groups are incorporating data theft and subsequent extortion into their attacks. Seven new data dump sites sprang up during the third quarter, and the researchers believe this tactic "may pave the way for new or less well-known groups that are looking to get into the ransomware business." NetWalker and Conti ransomware, both relative newcomers to the scene, were responsible for 29% of activity related to data dumping. Conti's leaking site was only established in August 2020, yet it accounted for 17% of leaking activity. Maze, one of the first to adopt this form of extortion in late 2019, still leads the pack with 32% of leaking activity. REvil's Happy Blog came in third, at 13%. More than 80% of leaking activity was attributed to just five groups: Maze, Conti, REvil/Sodinokibi, NetWalker, and DoppelPaymer.
For more, see the CyberWire Pro Privacy Briefing.
NSS Labs ceases operations.
NSS Labs, the well-known specialist in security technology testing, has ceased operations. The company's website simply states, "Due to Covid-related impacts, NSS Labs ceased operations on October 15th." SecurityWeek points out that NSS has since last year been owned by private equity shop Consecutive, Inc. Some good people worked at NSS Labs, and now would be a good time to reach out to them if you're looking for cyber talent.
For more business news, including executive moves, see the CyberWire Pro Business Briefing.
Crime and punishment.
The German government will allow its intelligence services to monitor conversations on encrypted messaging platforms in order to combat terrorism, SecurityWeek reports. Interior Minister Horst Seehofer stated, "I cannot accept our security authorities have to lag behind the enemies of our democracy because of a lack of powers."
Courts and torts.
The US Justice Department, along with eleven US states, has filed an antitrust lawsuit against Google "to stop Google from unlawfully maintaining monopolies through anticompetitive and exclusionary practices in the search and search advertising markets and to remedy the competitive harms." Justice stated, "Google has foreclosed any meaningful search competitor from gaining vital distribution and scale, eliminating competition for a majority of search queries in the United States. By restricting competition in search, Google’s conduct has harmed consumers by reducing the quality of search (including on dimensions such as privacy, data protection, and use of consumer data), lessening choice in search, and impeding innovation. By suppressing competition in advertising, Google has the power to charge advertisers more than it could in a competitive market and to reduce the quality of the services it provides them."
Quartz summarizes the hundreds of acquisitions that helped Google dominate the search and advertising market, and Bloomberg notes that the Justice Department highlighted the company's deal with Apple to make Google the default search engine on Apple's Safari browser.
Google called the lawsuit "deeply flawed," arguing that it will "artificially prop up lower-quality search alternatives, raise phone prices, and make it harder for people to get the search services they want to use."
Anyone who'd been concerned about where Mr. Edward Snowden would live can now rest easy. He still wants to get back to the States, but that will require a pardon. In the meantime, the New York Times reports, he's just been granted permanent resident status in Russia.
Policies, procurements, and agency equities.
Sweden has banned Huawei and ZTE from contributing to the country's 5G network, Reuters reports. The Diplomat observes that Sweden took "an unusually forceful approach in announcing the decision," compared to other European countries. Sweden's telecommunications regulator PTS bluntly stated that, in order to address security assessments by the Swedish military and the Swedish Security Service, "New installations and new implementation of central functions for the radio use in the frequency bands must not be carried out with products from the suppliers Huawei or ZTE. If existing infrastructure for central functions is to be used to provide services in the concerned frequency bands, products from Huawei and ZTE must be phased out 1 January 2025 at the latest."
For more, see the CyberWire Pro Policy Briefing.