A brief update on Russia's war against Ukraine.
Russian forces continue to encounter strong resistance and self-inflicted logistical problems. Talks between the two sides continued, but expectations are modest. Situation reports by the UK's Ministry of Defence tell a familiar story of Russian combat failure and indiscriminate attacks against civilians. The brutal reduction of Ukrainian cities, particularly Kharkiv and Mariupol, continues, as does the high rate of casualties among Russian forces.
Cyber operations against Ukraine.
ESET researchers found a new wiper they're calling "CaddyWiper," the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine. "This new malware erases user data and partition information from attached drives," ESET tweeted. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." First observed Monday morning at 0938 UTC (that's 1138 Kyiv time, or 0538 US Eastern Time), the malware seems to have been compiled the same day it was deployed. CaddyWiper has little in common with its two predecessors. As ESET put it, "CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us." It did share one tactic with HermeticWiper: deployment via Group Policy Object (GPO), which suggests to ESET that "the attackers had prior control of the target's network beforehand." The wiper's operators are apparently interested in maintaining persistence in the targets' networks. "Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations." The Verge reports that the effect of the attack seems so far to have been small. One unnamed organization appears to have been affected, but the consequences of that attack remain publicly unknown.
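The deployment vector ESET describes, an executable pushed to every domain-joined machine by Group Policy, leaves a record in SYSVOL that defenders can audit. The script below is an added example, not ESET's or the CyberWire's code: it parses the ScheduledTasks.xml files that Group Policy Preferences write under each policy's Machine\Preferences\ScheduledTasks folder and flags tasks that look like a wiper push (an "immediate task", running as SYSTEM, launching a binary from a network share, changed recently). The XML is constructed for the demonstration, and the reference time is the page's first sighting (0938 UTC, 14 March).

```python
r"""Audit Group Policy Preferences scheduled tasks for a wiper-style GPO push.

Added example; not ESET's or the CyberWire's code. Group Policy Preferences
store scheduled tasks in
\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
An ImmediateTaskV2 entry runs once on every machine at the next policy
refresh, which is exactly what a domain-wide wiper deployment needs.
The XML below is constructed for the demonstration.
"""
import glob
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

REFERENCE_TIME = datetime(2022, 3, 14, 9, 38)  # first CaddyWiper sighting, UTC
SYSTEM_PRINCIPALS = {"nt authority\\system", "system", "localsystem", "s-1-5-18"}

# Constructed sample: one suspicious immediate task, one ordinary task.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update"
      changed="2022-03-14 09:20:11" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\dc01.corp.example\SYSVOL\corp.example\scripts\svc.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-9A8B-BF9A67D9B1C5}" name="Inventory"
      changed="2021-11-02 08:00:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="U" name="Inventory" runAs="CORP\svc-inventory" logonType="Password">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>--scan</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""


def parse_gpp_tasks(xml_text):
    """Return one dict per task element (TaskV2, ImmediateTaskV2, ...)."""
    tasks = []
    for node in ET.fromstring(xml_text):
        props = node.find("Properties")
        if props is None:
            continue
        cmd = node.find(".//Actions/Exec/Command")
        args = node.find(".//Actions/Exec/Arguments")
        changed = node.get("changed")
        tasks.append({
            "kind": node.tag,
            "name": node.get("name", ""),
            "uid": node.get("uid", ""),
            "changed": datetime.strptime(changed, "%Y-%m-%d %H:%M:%S") if changed else None,
            "run_as": props.get("runAs", ""),
            "command": (cmd.text or "").strip() if cmd is not None else "",
            "arguments": (args.text or "").strip() if args is not None else "",
        })
    return tasks


def flag_suspicious(tasks, now=REFERENCE_TIME, window=timedelta(hours=24), min_reasons=2):
    """Score each task; report those matching at least min_reasons indicators."""
    findings = []
    for t in tasks:
        reasons = []
        if t["kind"] == "ImmediateTaskV2":
            reasons.append("immediate task: runs on every machine at next policy refresh")
        if t["run_as"].lower() in SYSTEM_PRINCIPALS:
            reasons.append("runs as SYSTEM")
        cmd = t["command"].lower()
        if cmd.startswith("\\\\") or "\\sysvol\\" in cmd or "\\netlogon\\" in cmd:
            reasons.append("launches a binary from a network share")
        if t["changed"] is not None and timedelta(0) <= now - t["changed"] <= window:
            reasons.append("changed within the last %d hours" % int(window.total_seconds() // 3600))
        if len(reasons) >= min_reasons:
            findings.append({"name": t["name"], "uid": t["uid"], "run_as": t["run_as"],
                             "command": t["command"], "reasons": reasons})
    return findings


def audit_sysvol(policies_dir, now=None):
    """Walk a mounted SYSVOL Policies directory and audit every ScheduledTasks.xml."""
    pattern = os.path.join(policies_dir, "**", "ScheduledTasks", "ScheduledTasks.xml")
    results = []
    for path in glob.glob(pattern, recursive=True):
        with open(path, encoding="utf-8-sig") as fh:
            results += flag_suspicious(parse_gpp_tasks(fh.read()), now or datetime.utcnow())
    return results


if __name__ == "__main__":
    for f in flag_suspicious(parse_gpp_tasks(SAMPLE_XML)):
        print(f["name"], f["command"], *f["reasons"], sep="\n  ")
```

Run `audit_sysvol(r"\\corp.example\SYSVOL\corp.example\Policies")` from a domain-joined host to check live policy; the "changed" attribute is the policy editor's local time, so compare it against a clock in the same zone. The domain-controller exclusion the text mentions is a property of the wiper, not of the GPO, so a task matching these indicators should be treated as hostile on DCs as well.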
Triolan, a major Ukrainian Internet service provider, has faced periodic disruption since the Russian invasion began. CPO Magazine reports that attackers, presumably Russian, reset Triolan's internal devices to factory defaults, which effectively knocked them offline. Other ISPs, including Ukrtelecom, have experienced similar service disruptions as recently as last week.
Satellite Internet service delivered by Viasat was interrupted on February 24th, around H-hour of Russia's invasion. The US National Security Agency, France's ANSSI, and Ukrainian intelligence services are jointly investigating whether the incident was a Russian cyberattack. The target and the timing, at least, suggest that it was. "The hackers disabled modems that communicate with Viasat Inc's KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later some remain offline," Reuters reports.
Reuters says the Viasat incident is presumed to have been a Russian operation, and, while technical details on the incident have been sparsely shared, senior Ukrainian cybersecurity official Victor Zhora said, “I believe that one of their goals is to destroy providers’ infrastructure and to prevent the Ukrainian armed force to actually communicate with each other."
Zhora also shared his assessment of why Russian cyber operations have been less devastating than was confidently predicted during the run-up to the war. The Washington Post gives Zhora's top three reasons for Russian cyber's failure to show up in overwhelming force:
- "Russian hackers aren’t nimble enough to identify and compromise the most important Ukrainian government and industry targets during fast-moving military operations.
- "Stealthy cyberattacks aren’t that useful in comparison to the damage Russian troops are causing with bombs and missiles.
- "Russian cyber operators are too busy protecting their own digital infrastructure."
Cyber operations against Russia (and those connected with Russia).
Anonymous claims to have compromised the networks of Rosneft Deutschland, the German subsidiary of the Russian energy firm Rosneft. The collective appears most interested in tracking former German Chancellor Gerhard Schröder's activities. Herr Schröder chairs Rosneft’s supervisory board. The company itself is led by oligarch Igor Ivanovich Sechin, a close associate of President Putin.
Anonymous has resumed (or continued) its campaign of defacement against Russian networked closed-circuit cameras, rigging them to display such messages as "Putin is killing children,” and “352 Ukraine civilians dead. Russians lied to 200RF.com. Slava Ukraini! Hacked by Anonymous,” Vice reports.
Russian government websites have also come under attack. In an unusual announcement, Russia's Ministry of Digital Development and Communications said the attacks were "unprecedented." They appear, from the account offered by the Washington Post, to be a mixture of distributed denial-of-service (DDoS) attacks and website defacements. One defacement altered the Russian Emergency Situations Ministry's website: the Ministry's hotline number was replaced by a heading "Come back from Ukraine alive," followed by a number Russian soldiers could call for assistance should they be interested in desertion.
Restraint in cyberspace, both Russian and Western.
The Viasat incident seems the most serious cyberattack of the war. Cyber incidents traceable to Russia have been observed outside the Ukrainian theater of operations (as in, for example, a case under investigation in County Kerry, Ireland), but these seem for the most part to be familiar criminal activity or, at worst, the sort of privateering the Russian underworld has long run with Moscow's toleration and frequent encouragement. While Russia's war against Ukraine has indeed been a hybrid war with cyber phases, those phases have been characterized by low-grade distributed denial-of-service (DDoS) attacks and website defacement. An essay by Jan Kallberg in the CyberWire offers an explanation of why this might be so: destructive attacks, once executed, are difficult to repeat, and deploying the cyber weapons such attacks would use should wait until it makes strategic sense to do so. If there's no combat advantage in, for example, taking down a power grid, it shouldn't be surprising that such attacks haven't yet materialized. The effects of a cyberattack, however devastating, are of finite duration, and it's difficult to repeat them at need. A similar calculus seems to be informing US restraint against Russian assets, POLITICO reports.
CISA issues advisories prompted by Russia's war against Ukraine.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a new Joint Advisory on "Russian state-sponsored" activity. The activity has been in progress for some time, traceable back to May of last year, and seems to bear no immediate connection to Russia's present war against Ukraine. The unnamed threat actors "gained network access through exploitation of default MFA protocols and a known vulnerability." (That vulnerability was PrintNightmare, CVE-2021-34527, in the Windows Print Spooler.) CISA advises organizations to take three steps: enforce multifactor authentication and ensure configuration policies prevent fail-open and reenrollment problems; disable inactive accounts; and patch systems, especially against known exploited vulnerabilities.
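Two of the advisory's three mitigations can be turned into routine checks. The script below is an added example, not CISA's or the FBI's code. It reviews a directory export for enabled accounts that have not logged on in 90 days and for the worse sign of an MFA device enrolled after the account's last real logon, which is what re-enrollment on a dormant account looks like; and it inspects the Windows hosts file for an MFA provider's API hostname pointed at loopback, the fail-open trick the advisory (AA22-074A) describes. The account export, the hosts file and the provider hostname suffixes are constructed assumptions for the demonstration.

```python
"""Checks for the CISA/FBI advisory's mitigations: dormant accounts, MFA
re-enrollment on dormant accounts, and MFA fail-open via the hosts file.

Added example; not CISA's or the FBI's code. The directory export and the
hosts file below are constructed. The hosts-file check reflects how
AA22-074A describes the fail-open: the MFA provider's API hostname was
mapped to the loopback address, so the MFA agent could not reach the
service and let the logon through. The provider suffixes are assumptions.
"""
from datetime import datetime, timedelta

REFERENCE_TIME = datetime(2022, 3, 15)
MAX_IDLE = timedelta(days=90)

# Constructed directory export: one row per account, with the enrollment
# date of the account's most recent MFA device (None if never enrolled).
ACCOUNTS = [
    {"sam": "jdoe",   "enabled": True,  "last_logon": datetime(2022, 1, 10),
     "mfa_enrolled": datetime(2021, 6, 1)},
    {"sam": "oldsvc", "enabled": True,  "last_logon": datetime(2021, 5, 2),
     "mfa_enrolled": datetime(2021, 5, 1)},
    {"sam": "mrowe",  "enabled": True,  "last_logon": datetime(2021, 4, 20),
     "mfa_enrolled": datetime(2021, 5, 14)},   # enrolled after last logon
    {"sam": "gone",   "enabled": False, "last_logon": datetime(2020, 9, 9),
     "mfa_enrolled": None},
]

# Constructed Windows hosts file with one malicious override and one
# commented-out line that must be ignored.
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# 127.0.0.1     api-test.okta.com   (commented out: not active)
127.0.0.1       api-0123abcd.duosecurity.com
"""

MFA_API_SUFFIXES = ("duosecurity.com", "okta.com", "microsoftonline.com")  # assumption
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def review_accounts(accounts, now=REFERENCE_TIME, max_idle=MAX_IDLE):
    """Return [(sam, [reasons])] for enabled accounts that need action."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        reasons = []
        idle = now - a["last_logon"]
        if idle > max_idle:
            reasons.append("no logon for %d days: disable" % idle.days)
        if a["mfa_enrolled"] and a["mfa_enrolled"] > a["last_logon"]:
            reasons.append("MFA device enrolled after last logon: verify enrollment")
        if reasons:
            findings.append((a["sam"], reasons))
    return findings


def hosts_overrides(hosts_text, suffixes=MFA_API_SUFFIXES):
    """Return [(hostname, address, is_loopback)] for MFA hostnames in a hosts file."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            if name.lower().endswith(suffixes):
                hits.append((name, addr, addr in LOOPBACK))
    return hits


def read_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read the live hosts file (Windows default path; pass /etc/hosts elsewhere)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for sam, reasons in review_accounts(ACCOUNTS):
        print(sam, *reasons, sep="\n  ")
    for name, addr, loop in hosts_overrides(HOSTS_SAMPLE):
        print("hosts override:", name, "->", addr, "(loopback)" if loop else "")
```

Any entry at all for an MFA provider's hostname in a hosts file is abnormal and worth a ticket; a loopback mapping is the specific fail-open pattern. The account check is only as good as the export's last-logon attribute, so pull it from every domain controller rather than one replica.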
CISA and the FBI also advised satellite communications operators to take a number of steps to increase the security of their systems. For immediate action they recommend that operators take the following steps "today:"
- "Use secure methods for authentication."
- "Enforce principle of least privilege."
- "Review trust relationships."
- "Implement encryption."
- "Ensure robust patching and system configuration audits."
- "Monitor logs for suspicious activity."
- "Ensure incident response, resilience, and continuity of operations plans are in place."
It’s familiar advice, but no less valuable for having been offered before: basic cyber hygiene is always a good idea.
The alert doesn't explicitly mention a Russian threat to satellite systems, but, as SecurityWeek points out, it's likely that the warning was prompted by the ongoing investigation of probable Russian interference with Viasat service in Ukraine and parts of Eastern Europe. It's significant that the agencies recommend reading the recent Annual Threat Assessment of the U.S. Intelligence Community for what it has to say about "state-sponsored threats" to satellite systems.
Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists).
Researchers at Aqua Security review the techniques, many involving commodity malware and cloud-native services, being used in the cyber phases of Russia's hybrid war against Ukraine.
Help Net Security reports that "financially motivated" (that is, criminal) cyber groups are choosing sides in Russia's war against Ukraine. In a rough-and-ready way, the criminals have tended to side with Russia (for whom many of them have historically served as privateers) and the hacktivists (like Anonymous) have tended to side with Ukraine. But this may be changing, as some Russophone gangs are expressing a willingness to hack Russian targets if there's a good prospect of making it pay. There also appear to be personal and ideological rifts in the underworld that are leading some gangs toward one side rather than the other. Thus privateering is converging with hacktivism. Accenture reports that this is something new: "previously coexisting, financially motivated threat actors divided along ideological factions."
Developer-security firm Snyk has found malicious code in the npm open-source ecosystem that seems motivated by a hacktivist determination to strike Russia and its increasingly shy junior partner Belarus. Snyk explained: "On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package.... This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms."
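Because node-ipc and peacenotwar arrived as nested dependencies, most affected projects never named them in package.json. The script below is an added example, not Snyk's code or any project's: it walks an npm lockfile (the "packages" map of lockfileVersion 2 and 3, with a fallback for the nested "dependencies" tree of version 1), lists every installed copy of a watched package, and reconstructs the chain of requesters back to the project root. The lockfile excerpt is constructed and its version numbers are placeholders; compare what it reports against the affected ranges in Snyk's advisory.

```python
"""Find watched packages in an npm lockfile and show who pulls them in.

Added example; not Snyk's or any project's code. Handles lockfileVersion
2/3 ("packages" keyed by node_modules path) and lockfileVersion 1 (nested
"dependencies" with "requires"). The sample lockfile is constructed and its
version numbers are placeholders.
"""
import json

WATCHLIST = {"node-ipc", "peacenotwar"}
ROOT = "<root>"

SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"@vue/cli": "^5.0.0", "express": "^4.17.0"}},
    "node_modules/@vue/cli": {"version": "5.0.0", "dependencies": {"node-ipc": "^9.1.1"}},
    "node_modules/node-ipc": {"version": "9.9.9", "dependencies": {"peacenotwar": "^1.0.0"}},
    "node_modules/peacenotwar": {"version": "1.1.1"},
    "node_modules/express": {"version": "4.17.3"}
  }
}""")


def package_name(path):
    """'node_modules/@vue/cli/node_modules/node-ipc' -> 'node-ipc'."""
    return path.split("node_modules/")[-1].rstrip("/")


def build_graph(lock):
    """Return (installed: name -> {versions}, required_by: name -> {requesters})."""
    installed, required_by = {}, {}
    if "packages" in lock:                       # lockfileVersion 2 / 3
        for path, entry in lock["packages"].items():
            name = ROOT if path == "" else package_name(path)
            if name != ROOT:
                installed.setdefault(name, set()).add(entry.get("version"))
            for dep in entry.get("dependencies", {}):
                required_by.setdefault(dep, set()).add(name)
    else:                                        # lockfileVersion 1
        def walk(deps, parent):
            for name, entry in deps.items():
                installed.setdefault(name, set()).add(entry.get("version"))
                for dep in entry.get("requires", {}):
                    required_by.setdefault(dep, set()).add(name)
                walk(entry.get("dependencies", {}), name)
        walk(lock.get("dependencies", {}), ROOT)
        for dep in lock.get("dependencies", {}):
            required_by.setdefault(dep, set()).add(ROOT)
    return installed, required_by


def chains_to_root(name, required_by, seen=()):
    """All requester chains from the project root down to `name`."""
    if name == ROOT:
        return [[ROOT]]
    chains = []
    for parent in sorted(required_by.get(name, ())):
        if parent in seen:
            continue                             # cycle guard
        for chain in chains_to_root(parent, required_by, seen + (name,)):
            chains.append(chain + [name])
    return chains or [[name]]


def audit_lockfile(lock, watchlist=WATCHLIST):
    """Return [(name, version, 'root > ... > name')] for watched packages."""
    installed, required_by = build_graph(lock)
    report = []
    for name in sorted(set(installed) & watchlist):
        for version in sorted(v for v in installed[name] if v):
            for chain in chains_to_root(name, required_by):
                report.append((name, version, " > ".join(chain)))
    return report


def audit_file(path, watchlist=WATCHLIST):
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), watchlist)


if __name__ == "__main__":
    for name, version, chain in audit_lockfile(SAMPLE_LOCK):
        print("%s@%s  via  %s" % (name, version, chain))
```

Run `audit_file("package-lock.json")` in each repository; CI can fail the build when the report is non-empty. Once you know the chain, npm's "overrides" field in package.json pins the transitive package to a version you have reviewed, which is the short-term containment when the requester (here the framework CLI) has not yet published a fix.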
Not-so-deepfakes.
A faked video appeared this week that seemed to show President Zelenskyy asking Ukrainian soldiers to lay down their arms. According to NPR, the video was crudely prepared, badly lip synced, voice and accent wrong, head not quite matching body, etc., which would make it seem more shallow- than deepfake. It was swiftly debunked, but was nonetheless widely amplified on Vkontakte and other Russian platforms. President Zelenskyy said in response that the only people he'd invited to lay down their arms were Russian soldiers.
Israel sustains a DDoS campaign.
The Israeli National Cyber Directorate has confirmed that Israel sustained a DDoS attack on Monday, CyberScoop reports. The attack briefly knocked some government sites offline. While most service was quickly restored, some overseas sites remained unavailable into this morning. Netblocks traced the outages to two leading Israeli telcos, Bezeq and Cellcom. Haaretz says that "a defense establishment source" told the paper that it was the largest such attack the country has experienced, and that it was believed to be the work of an unnamed nation-state. That state is widely thought to be Iran, but the Israeli government has offered no specific attribution.
Notes on the underworld.
Another Toyota supplier has been hit with a cyberattack, Reuters reports. The criminal gang Pandora claimed responsibility for the attack on Denso, a company that manufactures a wide range of automotive parts. The incident hasn't affected manufacturing or other operations.
The Lapsus$ gang has racked up another victim, Security Affairs says. This time it's game-maker Ubisoft. The company confirmed that it came under cyberattack last week, but that its games and services were now performing normally.
Tire manufacturer Bridgestone Americas has confirmed that it sustained a ransomware attack on February 27th. BleepingComputer says the LockBit gang has claimed responsibility, and the group is threatening to release stolen data if the ransom isn't paid.
Trends in phishing.
Researchers at Trustwave's SpiderLabs describe "chameleon phishing pages," that is, pages that adapt their colors and logos to match what the intended victim expects to see, the better to induce them to enter the credentials the scammers are trying to steal. The elements that change include "the page’s background, a blurred logo, the title tab, [and] the capitalized text of the domain from the email address provider." Phishing pages are typically short-lived and quickly exposed. Chameleon pages offer criminals the advantage of being easily reusable against victims at many different organizations.
Armorblox describes a campaign that's targeting employees at a large US insurance company. The scammers send an email purporting to be from "Instagram support," telling the intended victim that they've been reported for violating copyright laws. The emails contain a link to a spoofed Instagram login page.
And Avanan has an account of how criminals are using CAPTCHA to bypass security filters. The scammers use CAPTCHA forms, sent from legitimate domains, in their emails. This often bypasses scanners and permits the phishing email to reach the victim's inbox. Once the victim tries to access the content, the attacker asks that they enter their credentials to do so.
Patch news.
CISA on Tuesday issued ICS security advisories for ABB OPC Server for AC 800M and PTC Axeda agent and Axeda Desktop Server. CISA has also added to its Known Exploited Vulnerabilities Catalog. On Friday the agency released another advisory covering Treck TCP/IP Stack (Update H).
Under Binding Operational Directive (BOD) 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities), US Federal civilian agencies are required to address each listed vulnerability by its prescribed deadline. BOD 22-01 is mandatory for the Feds, advisory for everyone else.
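The practical way to work the catalog, whether BOD 22-01 binds you or not, is to cross it against your own scanner findings and sort by deadline. The script below is an added example, not CISA's code: the field names (cveID, vendorProject, product, dateAdded, dueDate) are those of the JSON feed CISA publishes for the catalog, but the three-entry excerpt, its dates, and the scanner inventory are constructed placeholders, and TODAY is the Friday of the week the page describes.

```python
"""Cross CISA's Known Exploited Vulnerabilities catalog against scanner
findings and report what is overdue or due soon under BOD 22-01.

Added example; not CISA's code. Field names match the catalog's JSON feed;
the entries, dates and inventory below are constructed placeholders.
"""
import json
from datetime import date

TODAY = date(2022, 3, 18)

SAMPLE_KEV = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
     "dateAdded": "2021-11-03", "dueDate": "2021-07-20"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2022-04-01"}
  ]
}""")

# Constructed scanner output: CVE -> hosts on which it is still present.
INVENTORY = {
    "CVE-2021-34527": ["print01.corp.example", "dc02.corp.example"],
    "CVE-2021-26855": ["mail01.corp.example"],
}


def triage(kev, inventory, today=TODAY, horizon_days=14):
    """Return (overdue, due_soon, not_present).

    overdue and due_soon are lists of dicts with the signed number of days
    to the BOD 22-01 due date (negative = overdue), worst first.
    """
    overdue, due_soon, not_present = [], [], []
    for v in kev["vulnerabilities"]:
        cve = v["cveID"]
        hosts = inventory.get(cve, [])
        if not hosts:
            not_present.append(cve)
            continue
        days = (date.fromisoformat(v["dueDate"]) - today).days
        rec = {"cve": cve, "product": "%s %s" % (v["vendorProject"], v["product"]),
               "hosts": hosts, "days_to_due": days}
        if days < 0:
            overdue.append(rec)
        elif days <= horizon_days:
            due_soon.append(rec)
    overdue.sort(key=lambda r: r["days_to_due"])
    due_soon.sort(key=lambda r: r["days_to_due"])
    return overdue, due_soon, not_present


def load_kev(path):
    """Load a downloaded copy of the catalog's JSON feed."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    overdue, due_soon, absent = triage(SAMPLE_KEV, INVENTORY)
    for r in overdue:
        print("OVERDUE %4d days  %s  %s  on %s" % (-r["days_to_due"], r["cve"], r["product"], ", ".join(r["hosts"])))
    for r in due_soon:
        print("DUE IN  %4d days  %s  %s  on %s" % (r["days_to_due"], r["cve"], r["product"], ", ".join(r["hosts"])))
    print("not present:", ", ".join(absent))
```

The not_present list is worth keeping: a catalog entry your scanner does not see is either genuinely absent or a coverage gap in the scanner, and the distinction matters more for a known-exploited bug than for an ordinary one.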
Crime and punishment.
Ukraine has arrested an individual (identified only as a "hacker") who was allegedly engaged in helping Russian commanders send instructions to their troops via cellular networks, CNN reports.
In Russia, some of President Putin's anger and frustration over the course his war has taken appear to have been visited upon the FSB. The Times reported last Saturday that Sergey Beseda, head of the FSB’s Fifth Service, the foreign intelligence branch whose particular remit is the Near Abroad, was arrested along with his deputy, Anatoly Bolyukh. The formal basis for the arrests is a charge that the two men were embezzling funds allocated for covert activities in Ukraine, but the real reason is widely believed to be the poor intelligence the FSB provided before the war concerning the political situation in Ukraine. Thus the arrests appear to be the beginning of scapegoating for combat and intelligence failures.
Nigeria’s Economic and Financial Crimes Commission (EFCC) announced the arrest of Osondu Victor Igwilo, who’s been wanted by the FBI and others for several years. He was apprehended when the EFCC's Lagos Command "swooped on him," as they say. Mr. Igwilo is accused of money laundering, aggravated identity theft, and conspiracy to commit wire fraud. He and his colleagues are thought to have scammed people of about $100 million through advance fee cons.
Policies, procurements, and agency equities.
Addressing "Americans and friends," Volodymyr Zelenskyy spoke to a joint session of the US Congress Wednesday morning. His general aim was to argue that Ukraine's cause was, substantially, humanity's cause. His specific, immediate goal was to obtain a no-fly zone, or, failing that, shipments of combat aircraft and air defense systems. He also made a case for more sanctions and a complete withdrawal of Western companies from the Russian market.
Twenty-two US Senators have sent a letter to Homeland Security Secretary Mayorkas asking for a briefing on the Russian cyber threat. They want to know, specifically, what CISA is doing to protect the US against that threat, which specific US "entities or sectors" are likely to be targets, how Shields Up technical guidance is being disseminated, what the Department of Homeland Security is doing against Russian disinformation, and how CISA is coordinating with international partners.