The Russian threat in a hybrid war.
As international sanctions tighten against Moscow, and in particular as its banking sector is incrementally blocked from access to the SWIFT system, VentureBeat reports that organizations around the world are bracing for Russian retaliation in cyberspace. President Putin's calculus may have led him to believe that restraint will gain him little. "Putin/Russia getting completely isolated economically & diplomatically. The West is completely united. Even China is getting scared of secondary sanctions," Silverado Policy Accelerator chairman and CrowdStrike co-founder Dmitri Alperovitch tweeted. "The danger: Putin has very little to lose now. He is cornered. May go all out on economic and cyber retaliation."
SecurityWeek has an update on ESET's research into Russian cyberattacks against Ukrainian targets. The company says it's detected a worm, HermeticWizard, that's spreading HermeticWiper, which, as its name suggests, is data-erasing malware. ESET has also found HermeticRansom in the wild, which adds a capability for extortion to the campaign. CrowdStrike has also detected the Go-based ransomware, which it's calling "Party Ticket," but which it confirms is the same malware as HermeticRansom. Kaspersky assesses the ransomware as misdirection for the wiper campaign, which would be consistent with Russian practice at the outset of the war against Ukraine.
RiskIQ confirms that it's seeing Ghostwriter activity against Ukrainian troops. Ghostwriter has been associated with the Belarusian government, and with the group being tracked, by Recorded Future and others, as UNC1151. Recorded Future thinks it likely that Russian elements, particularly the GRU, have used Belarusian infrastructure and cooperated with Belarusian intelligence services to run operations against Ukraine.
And Proofpoint has published a report on a phishing campaign it's calling "AsylumAmbuscade," and which it links to UNC1151, which Proofpoint associates with the Belarusian threat actor it tracks as TA445. That group is most familiar in its Ghostwriter guise, in which throughout 2021 it mounted influence campaigns against European targets, especially in Latvia, Lithuania, and Poland. AsylumAmbuscade represents an intelligence collection effort. It seems particularly interested in the movement of refugees around and out of Ukraine, and it is, the Record reports, paying particular attention to targeting European officials involved in refugee relief. (There may now be around a million Ukrainian refugees, according to the AP.)
Conti, the familiar ransomware gang, says it will strike those who oppose Russia. According to Reuters, Conti blogged, "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy." Thus any serious suppression of cyber criminal gangs by Russian security authorities has proven to be, as was foreseeable, largely illusory, at best temporary and tactical.
The BBC reports that other hackers have rallied to the Russian colors and volunteered to hit Ukrainian online assets.
The US Federal Communications Commission (FCC) is investigating potential Russian threats to BGP routing, Next TV reports.
Cyber operations against Russia.
Hacker News reports that Russia's National Computer Incident Response and Coordination Center has warned its domestic clientele that cyberattacks against Russian critical infrastructure are to be expected. The hacktivist group Anonymous seems to be siding with Ukraine (although as always it's difficult to know who speaks for an anarcho-syndicalist collective), according to ZDNet. As always, statements by hacktivists should be received with cautious skepticism. Anonymous, however, has claimed responsibility for an attack against Russian media outlet RT, and RT was indeed knocked offline by a cyberattack, the Daily Beast reports.
Ukraine's government hasn't been reluctant to call for hacktivist volunteers as it's called for volunteer fighters. BleepingComputer reports that Kyiv is calling for "an IT army" to take on Russian targets, and that it's also released a target list: "Russian government agencies, government IP addresses, government storage devices and mail servers, three banks, large corporations supporting critical infrastructure, and even the popular Russian search engine and email portal, Yandex."
Of arguably more significance have been signs that Ukraine has been able to obtain, and publish, material from online Russian sources. Ukrainska Pravda reports that "The Centre for Defence Strategies has acquired the names of 120,000 Russian servicemen who are fighting in Ukraine." These have been posted online. That's unlikely to have any tactical effect, but it can't be good for either morale or for Russian confidence in the security of its networks. There are also reports that some FSB files have been taken.