At a glance.
- Developments in Russia's hybrid war against Ukraine.
- Recent Iranian cyber activity.
- NSA warns of Chinese cyber threats.
- Royal ransomware targets the healthcare sector.
- Uber sustains a third-party breach.
- InfraGard user data for sale.
- Predatory loan app discovered embedded in mobile apps.
- Facebook phishing.
- SHA-1 is retired.
- Patch news.
- Crime and punishment.
- Policies, procurements, and agency equities.
Developments in Russia's hybrid war against Ukraine.
Mandiant on Thursday issued a report on a supply-chain attack in which Trojanized Windows 10 installers are being distributed to Ukrainian targets. The researchers track the activity as UNC4166, and while they’re commendably cautious in attribution, they do note that, significantly, there seems to be an overlap between this round of attacks and the target list of Ukrainian organizations against which the GRU deployed wipers early in the war. John Hultquist, Head of Intelligence Analysis at Mandiant, emphasizes that this is a supply chain attack, and in that respect at least reminiscent of the SolarWinds operation. He said in emailed comments, “Though it’s hardly as technically sophisticated as SolarWinds, this operation is similar in that it appears to be designed to compromise a large set of potential targets who can then be winnowed down for targets of interest. In this case those targets are the Ukrainian government. We can’t afford to ignore the supply chain. It can be used like a sledgehammer or it can be used like a scalpel.”
The State Service for Special Communications and Information Protection of Ukraine warned citizens to be alert for a phishing campaign. The phishing email misrepresents itself as being from the State Emergency Service of Ukraine. The phishbait in the subject line is "How to recognize a kamikaze drone," which shows an attempt to trade upon recent widespread fears of Russian drone attacks.
Wired reports that GPS signals are being jammed in some Russian cities. Russian electronic warfare operations have periodically disrupted GPS during the present war. The motive in this case may be interference with GPS-guided Ukrainian drones and missiles that have recently struck military targets inside Russia.
Both Check Point Research and Positive Technologies report renewed activity by Cloud Atlas, an APT of uncertain provenance that's also known as "Inception." There's a general consensus that Cloud Atlas is engaged in cyber espionage, and that it's at present collecting against targets related to Russia's war against Ukraine, notably in Russia and Belarus. Who Cloud Atlas is working for, or what strategic interests the APT serves, remains unclear. Neither Check Point nor Positive Technologies offers any attribution. In 2016 Kaspersky, writing in Virus Bulletin, reported, very tentatively, that there were circumstantial signs of Chinese activity behind Cloud Atlas. But this was far from dispositive: it could equally well be evidence of code borrowing or false-flag operations.
A study, "Cyber Operations in Ukraine: Russia's Unmet Expectations," published by the Carnegie Endowment for International Peace offers the beginning of an answer to one of the most-discussed questions about Russia's war against Ukraine: why have Russian cyber operations fallen so far short of pre-war Western expectations? The essay offers three hypotheses to explain Russian failure in cyberspace: "the infancy and putative focus of the VIO, the preponderance of cyber talent in the Russian national security ecosystem, and the pivotal nature of the initial period of war." The common theme among the three hypotheses is Russian unreadiness.