Updates on the cyber phases of Russia's hybrid war against Ukraine.
Microsoft late last week released more information on the threat actor it calls "Actinium" (which others call "Gamaredon" or "Primitive Bear"). The Microsoft Threat Intelligence Center (MSTIC) "has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage." Actinium, MSTIC concludes, represents a different set of activities than the pseudoransomware wiper deployed against Ukrainian sites in January. Thus they don't believe Actinium is responsible for WhisperGate. (Microsoft tracked that earlier activity as DEV-0586.)
Ukrainian security services have attributed the activity to the FSB, specifically an FSB unit operating out of Crimea, and it's significant that MSTIC also sees Actinium's geographical base as lying in the peninsula Russia seized in 2014. Microsoft sees Actinium's principal objective as collection, and establishing persistence within targeted organizations in furtherance of future cyberespionage. It's typically gained initial access through phishing. Some of its phishing emails misrepresented themselves as coming from the World Health Organization.
Task and Purpose reviews potential cyber threats from Russia and concludes that none of them amount to "shock and awe." It reviews five major cyber campaigns Russia has mounted against Ukraine (widely regarded as a testing ground as well as a theater of operations) since 2014—Election Interference (2014), Power Grid Sabotage (2015), Power Grid Sabotage (2016), NotPetya Economic Disruption (2017), and BadRabbit Economic Disruption (2017)—and rates the strategic effects of all but NotPetya as "negligible." (NotPetya's effect it rates as "unknown.") These are, of course, all actual attacks. There are other potential threats, especially large-scale and destructive attacks against power grids, whose consequences could be far more devastating than these. But the essay's account of the use of cyberattack as tactical adjuncts to military operations is interesting.
Ukraine's SBU security service announced its liquidation of two bot farms in the Ukrainian city of Lviv, which the SBU says were operating under Russian direction. Three arrests were made. Two of the suspects are accused of lending their apartments to bot-farming; the third maintained the equipment and software. The two farms controlled some 18,000 bots, and were largely engaged in disruptive influence operations, spreading rumors of bombings and the placement of "mines" in critical infrastructure. The Record describes the bot farms' goal as "spreading panic." The bomb threats may be connected to a wave of such threats Euromaidan reported near the end of January. The SBU at that time characterized the campaign as a preparatory operation in a Russian hybrid war.
The CyberWire's continuing coverage of the crisis in Ukraine may be found here.
BlackCat's bad luck may look like DarkSide's (and that's not the only connection).
The BlackCat ransomware gang, thought to be responsible for fuel delivery disruptions in Germany, has been traced, tentatively at least, to former members of the BlackMatter/DarkSide group. ("BlackCat" is the name MalwareHunterTeam gave them when the threat actor emerged in November; the gang calls itself "ALPHV.") BleepingComputer describes BlackCat as a "feature-rich operation," unusual in that it writes its code in Rust. It is, like its apparent predecessors, a ransomware-as-a-service player that gives its affiliates a highly customizable attack tool.
In a conversation with the Record, BlackCat does the usual horn-tooting and, amid other inside-baseball gassing, says it's a former DarkSide affiliate that "borrowed their advantages and eliminated their disadvantages." They say they're apolitical and very good at what they do, but they quack like Russian privateers. An Emsisoft analyst, Brett Callow, thinks BlackCat isn't a former DarkSide affiliate at all, but simply DarkSide itself undergoing a rebranding after their loss of face due to an error that Emsisoft took advantage of to enable victims to recover their files without paying up. This cost affiliates millions. That's also essentially what DarkSide's C2C rival LockBit said back in December. DarkSide was brought down by the attention it drew when it attacked the Colonial Pipeline in the US, which suggests that BlackCat's attack on Oiltanking may be a case of history repeating itself.
Speaking of LockBit, the FBI's recent Flash Alert on that gang hints that LockBit may soon receive some unwelcome law-enforcement attention itself.
The British Foreign Office discloses a significant cyberattack (but not much else).
The Times reports that Britain's Foreign Office sustained a cyberattack last month. Details are publicly unknown, because they're a matter of official secrecy, but it is known that the attack was serious enough to warrant giving BAE Systems Applied Intelligence a £470,000 contract to help with remediation. The contract did not go through the normal competitive process “due to the urgency and criticality of the work.” Official sources offer no attribution, but the Times indulges some a priori speculation by pointing to recent warnings about Russian cyber threats.
ModifiedElephant seems to be engaged in digital frameups.
SentinelLabs has described a long-running operation by an APT it calls ModifiedElephant. The group has been active since 2012 at least, and its targets have for the most part been located in India. It's been engaging in apparent frameups: "ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence," the report says. The group uses "commercially available remote access trojans" and so may have connections with the "commercial surveillance" (or lawful intercept) industry. ModifiedElephant's preferred method of attack is the familiar spearphishing campaign, with the payloads usually carried in malicious Microsoft Office files. The researchers are cautious about attribution, but they do say that "ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases."
Chinese espionage services may have been after reporters' sources.
What were the Chinese state actors after in their compromise of News Corp? Sources, apparently, and CPO Magazine reports that those state actors took a particular interest in Wall Street Journal reporters. The attribution of the cyberespionage to China remains tentative, a best guess on the basis of the available evidence. The interest in sources has an obvious motivation: an authoritarian government would regard talking to the media, especially the foreign media, as first cousin to espionage.
North Korea's Lazarus Group phishes (again) with fake job offers as lures.
North Korea's Lazarus Group continues its tiresome practice of phishing for victims with bogus job offers imputed to major defense and aerospace companies. Northrop Grumman and BAE have been impersonated in the past. More recently, ZDNet reports, it's been Lockheed Martin. Researchers at Qualys, who've tracked the activity, are calling this particular campaign Lolzarus for its use of LolBins, that is, living-off-the-land binaries. The phishbait is familiar, but this incident shows some evolution of capability on the part of the Lazarus Group. As Qualys puts it in the conclusion of their report, "Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign. Qualys will continue to monitor for other similar phishing lures related to Lazarus."
Two advisories on ransomware.
A Joint Advisory by Australian, British, and US authorities outlines the current state of the ransomware threat. They see more underworld cooperation (especially ransomware-as-a-service operations and 24/7 help centers that "expedite ransom payment and restoration of encrypted systems or data"), a greater focus on the cloud, and more software supply-chain attacks. They also say that double extortion remains common (the Australian Cyber Security Center in particular is observing this) and that they're beginning to see more threat actors using "triple extortion." In triple extortion, the threat actor does three things: it publicly releases sensitive information, it disrupts the victim's internet access, and it tells the victim's "partners, shareholders, or suppliers about the incident." The ransomware operators are also going after managed service providers and industrial systems. And there's an interesting trend in timing. More ransomware approaches are being made on weekends and holidays, when organizations are presumed to have relaxed, if not actually their vigilance, at least the level of security support they make available to their people.
There’s also a private-sector advisory on ransomware out today. The National Cybersecurity Alliance and the PCI Security Standards Council warn that such extortion is on the rise, and they offer some advice on best practices organizations should follow: train your people, keep your systems up-to-date and secure, monitor your networks, and back everything up.
Patch news.
February's Patch Tuesday fell this week. Microsoft fixed some fifty problems, including issues with Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer, and Microsoft SharePoint. In some respects it was a relatively light Patch Tuesday: one zero-day was addressed (a kernel privilege-escalation vulnerability), but neither it nor the other forty-seven problems fixed were rated "critical." Threatpost calls the absence of any critical vulnerabilities in the list of patches "unheard of." Of course, even merely "important" vulnerabilities should be fixed.
CISA released a number of industrial control system security advisories this week. On Wednesday, the advisories covered two Mitsubishi Electric products, Mitsubishi Electric Factory Automation Engineering Products (Update F) and Mitsubishi Electric FA Engineering Software Products (Update D). Thursday's advisories were much more extensive: Siemens SIMATIC Industrial Products, Siemens SIMATIC WinCC and PCS, Siemens Simcenter Femap, SINEMA Remote Connect Server, SICAM TOOLBOX II, Siemens Spectrum Power 4, Siemens Solid Edge, JT2Go, and Teamcenter Visualization, Siemens COMOS Web (Update A), Siemens Healthineers syngo fastView (Update A), Siemens SIMATIC WinCC (Update A), Siemens LOGO! CMR and SIMATIC RTU 3000 (Update A), Siemens Industrial Products Intel CPUs (Update A), Siemens TCP/IP Stack Vulnerabilities–AMNESIA:33 in SENTRON PAC / 3VA Devices (Update C), Siemens SCALANCE & SIMATIC (Update F), Siemens Industrial Products SNMP (Update E), Siemens SCALANCE X Switches (Update A), Siemens SCALANCE X Switches (Update D), and Siemens PROFINET DCP (Update V).
Crime and punishment.
The US Department of Justice announced Tuesday that "Two individuals were arrested this morning in Manhattan for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange, presently valued at approximately $4.5 billion." They're a married couple, Ilya Lichtenstein and Heather Morgan, and they're not charged with the Bitfinex hack itself, but rather with laundering the proceeds. The complaint against them alleges that they used a variety of tools in their attempt to launder the money, some old-school, like passing funds through business accounts, others more twenty-first-century, including the assumption of fictitious identities, automated transfers, chain-hopping, and passing funds into and out of a variety of dark web accounts. Conviction could result in sentences of up to twenty years. The Justice Department wants to make the point that alt-coin is not only in principle traceable, but recoverable as well. In the Bitfinex case, "Thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack." That's more than what the alt-coin was worth at the time it was stolen in 2016, but it's risen substantially in value over the last five years.
Mr. Lichtenstein ("Dutch" to his friends) was apparently the low-key operator of the two, working the technical side of things. Ms. Morgan seems more interesting, a woman of some parts: writer, economist, journalist (in that attenuated, influencer sense in which a Forbes Contributor can be said to be a journalist), entrepreneur, artist, rapper and motivational speaker. Writing occasional pieces for Forbes between 2017 and 2021, she published insufferably self-referential, fizzy, knowing puff-pieces about minor, trivially transgressive celebrities. She also sometimes wrote about entrepreneurship, negotiation, and security. We can't recommend her skillz as a rapper, but you'll have to take our word for it, since the performances have been made private on YouTube. She has a lot of self-given nicknames, like "the crocodile of Wall Street," and she often used the name "Razzlekahn." Her website is still up, as of this writing, if you're curious about her presentation of self.
The US Attorney’s Office for the Northern District of Georgia has announced the indictment of six call centers in India, and their directors, on charges related to conspiracy to defraud. The scams included not only depressingly familiar Social Security police schtick, but also loan scams and IRS payment fraud.
Policies, procurements, and agency equities.
Governments around the world remain on alert for a resumption of cyber war that could spill over outside the theater of operations. The AP reports that Poland has appointed Brigadier General Karol Molenda to lead the country's new Cyber Defense Force. Defense Minister Mariusz Blaszczak framed the new command as a defensive measure taken in recognition of, especially, cyber threats from Russia. “We are perfectly aware that in the 21st century cyberattacks have become one of the tools of aggressive politics, also used by our neighbour. For that reason these capabilities are of fundamental, key nature to Poland’s Armed Forces.”
Reuters cites unnamed sources who say that the European Central Bank (ECB) has raised its level of alert for cyberattack, and has shifted its focus from the common financially motivated cybercrime to the prospect of state-directed attacks originating from Russia. The ECB is said to have queried banks about their readiness to withstand such attacks, and the individual banks are said to be holding drills to increase their own state of readiness. The measures seem driven more by prudential considerations concerning the continuing Russian threat to Ukraine and by Russia's record of offensive action in cyberspace than they are by specific intelligence of any particular imminent threat.
US Deputy National Security Advisor Anne Neuberger has been consulting with NATO allies to organize a coordinated response to cyber threats Russia poses to Ukraine (and by implication to Ukraine's neighbors and supporters). The Telegraph quotes her on the way in which a hybrid war is likely to develop. “We’ve been warning for weeks and months, both publicly and privately, that cyber attacks could be part of a broad-based Russian effort to destabilise and further invade Ukraine,” she said. “The Russians understand disabling or destroying critical infrastructure can augment pressure on the country’s government, military and population, and accelerate the receding to Russian objectives.”
Ukrainian preparations for defense against a Russian invasion have to some extent been crowdfunded. The blockchain analysis and cryptocurrency compliance firm Elliptic says that alt-coin contributions to Ukrainian groups, official or unofficial, rose by 900% in 2021, reaching a total of $500,000 for the year, and continuing into 2022. Some of the contributions have gone to hacktivist groups like the Ukrainian Cyber Alliance. Elliptic notes that the donations have been going on at a small level since Russia's 2014 seizure of Crimea, increasing dramatically with rising tension over the Donbas.
Mergers and acquisitions.
Microsoft is considering buying Mandiant, Bloomberg reports. Mandiant was separated from FireEye following the sale of FireEye's products business to Symphony Technology Group (STG) last year. Microsoft and Mandiant declined to comment on the reports.