Large-scale cyberattacks have yet to be seen from Russia.
Russian cyberattacks have been surprisingly limited since the outbreak of President Putin's war against Ukraine, but they haven't been absent. Ukraine's State Service of Special Communications and Information Protection (SSSCIP) tweeted Saturday, "Russian hackers keep on attacking Ukrainian information resources nonstop.... Despite all the involved enemy’s resources, the sites of the central governmental bodies are available. The only thing the occupants managed to do was to substitute the front pages at the sites of some local authorities."
US and European policymakers continue to watch for a significant increase in the Russian cyber threat, waiting, as the Record puts it, for the other shoe to drop. In the EU, Reuters reports, the telecommunications ministers of the twenty-seven members have called upon Europe to establish an emergency fund that would be used to respond to major cyberattacks. Citing the war in Ukraine, the ministers, who met to discuss the proposal, said, "The current geopolitical landscape and its impacts in cyberspace strengthen the need for the EU to fully prepare to face large-scale cyberattacks. Such a fund will directly contribute to this objective."
The US Intelligence Community's recently released Annual Threat Report, for example, published as Russia was completing its preparations to invade Ukraine, highlights the threat in cyberspace and suggests that Russia would wish to avoid direct, kinetic combat with the US.
Preparing for cyberattacks.
Security Scorecard has an account of the distributed denial-of-service (DDoS) attacks various Ukrainian assets have sustained. They identify three distinct DDoS attacks, but say that the attacks "appeared to have had a minimal, temporary impact on their targets."
KrebsOnSecurity reports a significant increase in attacks against Ukrainian citizens, mostly phishing attempts, but these are still falling short of the widely anticipated destructive or disruptive attacks Russia had shown itself capable of.
Russian cyberattacks have not, so far, affected the world outside Ukraine at more than their customary, criminal-and-privateering level, but observers continue to think that may change. Task & Purpose mulls some of the reasons this may be so. The Russians might have been unprepared for cyberwar, which seems unlikely, or they may have believed that their invasion would be a walk-over, making cyber operations superfluous. Accenture's blog is following the state of play in cyberspace. Pondurance has a review of steps organizations can take to prepare for that widely expected eventuality.
Cyber operations against Russia.
Anonymous claims to have successfully gained access to internal files of Roskomnadzor, and has leaked 820 gigabytes of data taken from Russia's information governance agency. The files pertain for the most part to disinformation and censorship operations. The International Business Times says that the leaks deal primarily with Roskomnadzor's efforts to keep people from calling Russia's invasion of Ukraine an "invasion."
Russian defense firm Rostech has, BleepingComputer reports, shut down its website after sustaining a distributed denial-of-service attack.
Prebunking, provocation, disinformation, and debunking.
Western intelligence services, particularly in the US and UK, have been unusually open in discussing Russian actions against Ukraine. Much of that openness has been devoted to what some journalists have called "prebunking," hitting the credibility of disinformation before it's found its legs and gained traction. Yesterday's warning by the White House that Russia may be planning to use chemical weapons seems to be another case of prebunking a building provocation the Kremlin may be preparing. Russian sources have claimed that Ukraine (probably with American assistance) has been preparing biological weapons, and those claims have been seconded and amplified by Chinese media.
Western sources see this as an incipient provocation. The Atlantic Council describes the early stages of an information operation, as the Russian Foreign Ministry claims Ukraine had intended to use the nuclear plants at Chernobyl and Zaporizhia for "nuclear provocations." That same Ministry "confirmed" that it had proof that Ukraine, with US support, tried to destroy evidence of ongoing biological warfare programs.
White House Press Secretary Psaki tweeted a US response, denying that any such biological or chemical weapons programs existed, and noting both Russia's use of Novichok nerve agent in the attempted assassination of a GRU defector and its support of the Assad regime's use of chemical agents against internal enemies in Syria. The disinformation fits Moscow's style of provocation: "Also, Russia has a track record of accusing the West of the very violations that Russia itself is perpetrating. In December, Russia falsely accused the U.S. of deploying contractors with chemical weapons in Ukraine."
The provocations may extend to a faked radiological attack. In a grisly story that should be received with caution, the Telegraph reports that Russian forces are stockpiling the dead bodies of Ukrainian soldiers killed in action to use in staging some sort of provocation at Chernobyl.
Lapsus$ gang hits tech companies.
The Lapsus$ gang has followed its extortion attempt against NVIDIA with a similar attack against Samsung, claiming to have obtained sensitive information, 190 GB of which it's now released online, Computing reports. Samsung has acknowledged a data breach, but says customers are unaffected. It appears that the Lapsus$ gang is targeting tech firms. BleepingComputer said Friday that Lapsus$ claims to have:
- "source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control)
- "algorithms for all biometric unlock operations
- "bootloader source code for all recent Samsung devices
- "confidential source code from Qualcomm
- "source code for Samsung’s activation servers [and]
- "full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services."
Concerning the NVIDIA hack, Lapsus$ said that the victim retaliated by hacking back. "They were able to connect to a [virtual machine] we use," the gang said with some sense of outrage in its Telegram channel. "Yes, they successfully encrypted the data." But, added Lapsus$, they'd followed anti-ransomware best practice and backed up the stolen data. (Avast argues that hacking back represents "a slippery slope.")
The timing and scope of a cyberattack against Viasat's KA-SAT network that disrupted Viasat-carried Internet service in much of Europe, including control over some 5800 wind turbines operated by Germany's Enercon, suggest a connection with Russia's war against Ukraine. Spiegel reports that sources within the German government have concluded that the attack is related to the war.
Possible cyberwar preparation for an economic war.
Bloomberg reports that Resecurity found that threat actors succeeded in accessing the networks of twenty-one companies, most of them in the oil and gas sector, over a two-week period in February. Resecurity declined to attribute the activity to any nation, but did go so far as to say that the activity seemed to be state-sponsored. Bloomberg notes that some of the incidents appeared to overlap those Microsoft attributed to Strontium (also known as APT28 and Fancy Bear, that is, Russia's GRU military intelligence service). The timing and target selection are suggestive, circumstantially, of a Russian operation.
Mustang Panda targets European diplomatic entities.
Proofpoint says the China-linked threat actor TA416 (also known as "Mustang Panda" and "RedDelta") is conducting email reconnaissance campaigns against European diplomatic entities. The threat actor is using tracking pixels in benign emails to identify potential targets for future spearphishing attacks:
"Since 2020, Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a 'sign of life' to threat actors and indicates that the targeted account is valid with the user being inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads. The operational tempo of these campaigns, specifically those against European governments, have increased sharply since Russian troops began amassing on the border of Ukraine."
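The web-bug technique Proofpoint describes above is easy to spot on the receiving side once the HTML is parsed. The following script is an added defensive example, not Proofpoint's or Google's code: it flags remote images that are tiny, hidden by CSS, or carry a per-recipient token in the query string. The sample message, the hostnames and the heuristics are constructed for illustration.

```python
"""Flag likely tracking pixels ("web bugs") in an HTML email body.

Added example, not from the original article. Sample message and
hostnames are constructed; the heuristics are the classic beacon traits:
a remote <img> that is 1x1, hidden, or tokenised per recipient.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one legitimate logo plus one hidden, tokenised beacon.
SAMPLE_HTML = """
<html><body>
<p>Please find the agenda attached.</p>
<img src="https://cdn.example-sender.test/logo.png" width="200" height="60">
<img src="https://track.example-attacker.test/p.gif?u=5f3a9c" width="1" height="1" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (with or without a 'px' suffix)."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def find_web_bugs(html):
    """Return a list of (src, reasons) for each <img> that looks like a beacon."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a remote server
        reasons = []
        if _is_tiny(img.get("width", "9")) and _is_tiny(img.get("height", "9")):
            reasons.append("1x1 dimensions")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if parse_qs(urlparse(src).query):
            reasons.append("tokenised query string")
        if reasons:
            hits.append((src, reasons))
    return hits
```

A mail gateway that blocks remote image loading by default denies the attacker the "sign of life" regardless; this check is useful for triaging which messages were attempting it.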
Google's Threat Analysis Group (TAG) has observed similar activity, stating, "Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders with Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings. Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets."
Hive ransomware hits Romanian gas stations.
The Hive ransomware gang has hit Romania's Rompetrol oil company, disrupting fuel stations throughout the country. BleepingComputer says that the gang has demanded a $2 million ransom.
China's APT41 breaches US state governments.
Researchers at Mandiant say that the Chinese state-sponsored actor APT41 breached six US state government networks between May 2021 and February 2022. The threat actor gained access via "vulnerable Internet facing web applications, including using a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228)":
"Although APT41 has historically performed mass scanning and exploitation of vulnerabilities, our investigations into APT41 activity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting U.S. state governments. During this timeframe, APT41 successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications, often written in ASP.NET. In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities."
The researchers add, "The goals of this campaign are currently unknown, though Mandiant has observed evidence of APT41 exfiltrating Personal Identifiable Information (PII). Although the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain."
Google blocks espionage directed against US Government Gmail users.
SecurityWeek reports that Google claims to have blocked a Chinese espionage operation directed against Gmail users within the US Government. “In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government. 100% of these emails were automatically classified as spam and blocked by Gmail,” Shane Huntley of Google's Threat Analysis Group tweeted. APT31 is also known as Zirconium and Judgment Panda.
Symantec researchers continue to investigate the Daxin backdoor used by Chinese threat actors. SC Magazine cites Vikram Thakur of Symantec Threat Intelligence as saying that they've tracked the tool to a "persona" they're watching in Chinese fora. Symantec has posted updates to its research in two parts, one describing Daxin's "driver initialization, networking, key exchange, and backdoor functionality," the other covering its "communications and networking features." Daxin has been quietly in use for a decade.
Conti remains active.
The US Cybersecurity and Infrastructure Security Agency (CISA) revised its September alert about Conti ransomware. The updates bring ninety-eight new domain names to CISA's list of Conti's indicators of compromise. The new information does not appear derived from material provided by a Ukrainian researcher who succeeded in infiltrating the gang. BleepingComputer notes that, despite the reputational and possibly operational hits Conti took from that infiltration, the gang hasn't trimmed its sails. "Since the beginning of March, Conti listed on its website more than two dozen victims in the U.S., Canada, Germany, Switzerland, U.K., Italy, Serbia, and Saudi Arabia."
Researchers at Abnormal Security have reported finding Conti's gangland parent Wizard Spider using website contact forms to distribute BazarLoader to their targets. (Contact forms represent an alternative to the more customary emails.)
GPS interference reported around the Finnish-Russian border.
Finland's Transport and Communications Agency (Traficom) reports observing unusual interference with GPS signals near the country's eastern border, BleepingComputer writes. The source of the interference is unknown, but Russia has a record of GPS interference and shares a border with Finland.
The Zero Day Initiative summarizes this past week's Patch Tuesday. Microsoft issued seventy-one patches in addition to the twenty-one issues Microsoft Edge fixed earlier this month, which brings the total number of March fixes to ninety-two. Three of the vulnerabilities are rated "critical." Sixty-eight others are rated "important." Among the products affected are Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. None of the flaws patched are believed to be under active attack. Adobe issued three patches that affected Adobe Photoshop, Illustrator, and After Effects. None of those vulnerabilities is known to be under active attack in the wild either.
Last Friday the US Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory affecting Trailer Power Line Communications (PLC) J2497. CISA also issued three ICS security advisories on Tuesday, for PTC Axeda agent and Axeda Desktop Server, AVEVA System Platform, and Sensormatic PowerManage. On Thursday, the agency released twenty-four more industrial control system advisories, for Siemens RUGGEDCOM Devices, Siemens SIMOTICS CONNECT 400, Siemens SINEC NMS, Siemens SINEMA Mendix Forgot Password Appstore, Siemens Simcenter STAR-CCM+ Viewer, Siemens COMOS, Siemens Climatix POL909, Siemens Polarion ALM, Siemens SINEC INS, Siemens Simcenter Femap, Siemens SINUMERIK MC, Siemens RUGGEDCOM ROS, Siemens Mendix, PTC Axeda agent and Axeda Desktop Server, Siemens SIMATIC Industrial Products, SICAM TOOLBOX II, Siemens Solid Edge, JT2Go, and Teamcenter Visualization, Siemens SIMATIC WinCC (Update A), Siemens Climatix POL909 (Update A), Siemens Industrial Products Intel CPUs (Update A), Siemens SIMOTICS CONNECT 400 (Update A), Siemens Industrial Products (Update F), Wibu-Systems CodeMeter (Update F), and Siemens Industrial Products (Update P).
Crime and punishment.
CBC reports that Sébastien Vachon-Desjardins, formerly a Canadian civil servant, has been extradited to the US to face charges in connection with NetWalker ransomware.
Policies, procurements, and agency equities.
US President Joe Biden issued an Executive Order on “Ensuring Responsible Development of Digital Assets.” The White House calls it, “the first ever, whole-of-government approach to addressing the risks and harnessing the potential benefits of digital assets and their underlying technology.” As an accompanying fact sheet explains, digital assets like crypto have surged in recent years, swelling from $14 billion globally five years ago to over $3 trillion as of last November, and the EO represents the White House’s effort to support digital currency innovation while also protecting individuals, companies, and the global economy from inherent risks of the new asset classes.
Fortunes of commerce.
Many companies have stopped doing business in Russia to protest Moscow's invasion of Ukraine, BleepingComputer reports. Cisco's CEO Chuck Robbins announced last week that the company was pulling out of Russia and Belarus, stating that Cisco "will continue to focus on supporting our Ukrainian employees, customers and partners while providing humanitarian aid and accelerating our efforts to protect organizations in Ukraine from cyber threats." Other companies that have ceased operations in Russia include Microsoft, Google, Apple, Oracle, SAP, Nokia, Intel, and AMD.