At a glance.
- Sandworm goes to war.
- Threats and trends.
- US midterm elections proceed without cyber disruption.
- Microsoft accuses China of using vulnerability disclosure to develop zero-days.
- Layoffs abound in the tech industry.
- RanHassan decryptor available.
- Details on the OPERA1ER threat activity.
- Communications security lessons learned.
- New APT41 subgroup identified.
- A look at Cozy Bear's use of credential roaming.
Sandworm is back in Russia's hybrid war.
As Russian forces complete their withdrawal from the southern Ukrainian city of Kherson (a major strategic defeat for Moscow), a familiar GRU cyber unit makes its presence felt in the war. Researchers at Microsoft report that Sandworm, the GRU threat actor the company tracks as Iridium, has deployed a new strain of ransomware, "Prestige," against targets in Poland and Ukraine. Prestige announced itself in a series of coordinated attacks against targets in the transportation and related logistics sectors.
Microsoft, which acknowledges the cooperation of CERT-UA, Ukraine's cybersecurity organization, in the research, writes: "The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war."
The attacks show a renewed willingness on the part of a Russian intelligence service to attempt disruption in addition to collection. Ransomware as a tactic is well adapted to do both: the operator keeps its foothold in the network until it chooses to detonate the payload. The Washington Post quotes Mandiant researchers who see this approach as an attempt by the GRU to "have its cake and eat it, too." Mandiant senior analyst John Wolfram told the Post, “What that shows us is that the GRU was able to maintain access to a network of their specific choosing; launch an attack and have an effect on that network; maintain that access despite the wiper operation; and launch another wiper operation at a moment of their choosing." Russia used wipers with some success early in the war, but those attacks soon ebbed. They may be returning.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.