By the CyberWire staff
At a glance
- Hybrid war in Ukraine.
- The spread of hybrid war from Gaza.
- North Korean cyber operations: supply chain attacks and cryptocurrency raids.
- SugarGh0st's cyberespionage.
- Ransomware privateering, and other developments in the cyber underworld.
Hybrid war in Ukraine: state action.
An essay the Polish Institute of International Affairs contributed to Defence Industry Europe warns of the increased operational tempo that Russian cyberattacks against NATO now exhibit. "Russia mainly attempted to steal data, paralyse systems critical to the functioning of the state, or impersonate state institutions, among other things, in order to sow disinformation or gain access to data." The essay argues for greater cooperation in cyberspace among the members of the Atlantic Alliance.
Recent activity by the GRU's Sandworm threat group has been a matter of particular concern. European electrical utility executives and government ministers have also called for increased vigilance and security against the prospect of Russian cyberattacks against the continent's power grid. POLITICO quotes Polish Deputy Energy Minister Ireneusz Zyska: “It is clear that these attacks come from the East: the Russian Federation and non-democratic countries." Those hostile governments, he added, “have created special teams of people working on attacking the democratic states of the European Union cybernetically to cause havoc. We’re extremely concerned about the cyber threats and cyberattacks in the energy sector in the European Union."
CERT-EU has warned the European Union that at least seven of the EU's governments are being actively targeted by Russia's GRU, POLITICO reports. The specific threat actor is APT28 (also familiarly known as Fancy Bear). The long-term goal of the efforts, POLITICO speculates, is intelligence concerning next year's EU elections, and possibly influence over those elections.
Ukrainska Pravda reports that a speech by President Zelenskyy was inserted into Russian television programming serving occupied Crimea. The principal message was a promise of liberation from Russian control. "All IPTV channels in occupied Crimea showed an address by Ukrainian President Volodymyr Zelenskyy, Defence Intelligence Chief Kyrylo Budanov, and Valerii Zaluzhnyi, Commander-in-Chief of the Armed Forces of Ukraine. Residents noticed this at approximately 21:30 (20:30 Kyiv time). The Russians eventually turned off the broadcast and it was replaced by a black screen." The Sun quotes the promise of liberation: "Dear Ukrainians, you all feel that the Russian presence on our land will not last forever. I know this. Ukraine will return its territory, our people. We will not leave anyone to the occupiers.” The Sun also says that a more indelicate message accompanied the brief speech: "Putin is a d*ckhead."
Hybrid war in Ukraine: hacktivist auxiliaries.
An essay published by the Center for European Policy Analysis (CEPA) discusses the operations of the IT Army of Ukraine, pointing out that organizations of that kind can have an ambiguous legal status. There seems little mystery about the IT Army: it's an auxiliary, differing in mission but not in status from such US military auxiliaries as the Civil Air Patrol (CAP) and the Military Auxiliary Radio System (MARS). The IT Army seems to operate under effective authority, and it says it's a non-combatant (read, non-kinetic) service that observes the laws and usages of war. Both claims seem, on the available evidence, justified. CEPA characterizes the IT Army's most typical operation as distributed denial-of-service. CEPA also suggests that the IT Army offers a template for other nations too small or resource-poor to maintain a fully fledged military cyber command.
InformNapalm reports that hacktivists of Ukraine's Cyber Resistance have succeeded in penetrating networks belonging to the Department of Information and Mass Communications (DIMC) at the Russian Defense Ministry. They've made off with internal files that show how the Department monitors international media coverage of Russia's war, summarizes it for internal Ministry consumption, and then selectively repurposes its take to support disinformation campaigns. The general tenor of the Department's information operations is to represent the war as going well, according to plan, and to depict Russian forces as capable and effective.
NoName057(16) is recruiting volunteers. “Join our volunteer DDoSia Project to fight in the cyber war unleashed by the West against our Motherland,” a representative post in the group's Telegram channel reads. Volunteers will be paid (in cryptocurrency, naturally) and will have "ranks and merit awards depending on their time of service and achievements," the Australian Cyber Security Magazine reports, just like a real army. Where the pay will come from isn't clear, but a best guess would be that funds would be obtained from criminal proceeds. DDoSia, as its name implies, is a distributed denial-of-service attack project.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Hybrid war between Hamas and Israel spreads in cyberspace.
Of the activity that's been attributed so far in this war, a great deal of it has been traced to Iran.
Commercial flight crews have reported disruption of GPS signals during flights in the Middle East. WIRED reports that the incidents appear to be centered on Baghdad, Cairo, and Tel Aviv. It was long unclear who might have been responsible, but an attribution has now been offered. According to AvWeb, a researcher at the University of Texas Radionavigation Laboratory has concluded that the spoofed signals originate on the outskirts of Tehran. The goal of the spoofing seems to be denial of GPS, in effect jamming, rather than the diversion of aircraft.
The Municipal Water Authority of Aliquippa, Pennsylvania, confirmed Saturday that the Iranian hacktivist group Cyber Av3ngers had taken control of one of the local water utility's booster stations. The affected station monitors and regulates water pressure for Raccoon and Potter Townships. KDKA (CBS News Pittsburgh) reported that the attack immediately tripped an alarm, and that neither the safety nor the availability of the townships' water was affected. The attackers displayed a message on the station's monitors stating their political purpose: "You have been hacked Down with Israel Every equipment 'made in Israel' is Cyber Aveng3rs legal target" (sic). The utility uses a control system provided by Unitronics, an Israeli company.
The US Cybersecurity and Infrastructure Security Agency (CISA) explains that programmable logic controllers (PLCs) such as the Unitronics unit at Aliquippa are used in the water and wastewater sector to "control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations." CISA urges water utilities using Unitronics PLCs to take measures to reduce their risk: change the PLC's default password, keep the device off the open internet (and behind a VPN with multifactor authentication where remote access is unavoidable), change the default TCP port it listens on, and back up its logic and configuration so that a defaced or wiped controller can be restored.
Cyber Av3ngers have claimed attacks on utilities before, but those utilities have been in Israel. In October they claimed to have attacked closed circuit television systems at the national water company, MEKOROT. That month they also claimed, falsely, to have compromised the Dorad power station, also in Israel. The Pennsylvania attack indicates an expansion of the group's activities, and represents a significant threat to the industrial control system supply chain. Unitronics PLCs are widely used in a range of sectors that extend far beyond water treatment and distribution systems. The company lists these categories of applications for their PLCs: "Pumps, Water/Waste Waters, Packaging, Manufacturing, Medical, Food & Beverage, Material Processing, Oil & Gas, Power & Energy, Automotive, Building Automation, Miscellaneous, Education, Refrigeration, Printing, [and] Textiles."
Another attack has surfaced, also in Pennsylvania, in which a Unitronics PLC at a Pittsburgh brewery was hacked to display the same message that appeared on the Aliquippa water system's controller, SentinelOne reports. CyberScoop says that there are signs of other attacks on US water systems, but that so far those remain in the "single digits."
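The Aliquippa and Pittsburgh intrusions were possible because the PLCs were reachable from the internet on the vendor's default service port. The script below is an added example, not code from the CyberWire, CISA, or Unitronics, of the check a water utility's defenders would run over firewall or flow logs to find that exposure before an attacker does. It assumes the Unitronics PCOM protocol's default port of TCP/20256 (taken from CISA's advisory, not from the article), a hypothetical engineering subnet of 10.50.1.0/24 as the only legitimate source of PCOM traffic, and a constructed set of key=value flow records in place of real logs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Unitronics PLCs accept the vendor's PCOM protocol on TCP/20256 by default;
# CISA's advisory asks operators to change that port and to keep the PLC off
# the open internet. The port number comes from that advisory (assumption).
PCOM_DEFAULT_PORT = 20256

# RFC 1918 space; any other source is treated as internet-facing. Spelled out
# instead of using ipaddress.is_private because the constructed sample below
# uses documentation ranges (203.0.113.0/24, 198.51.100.0/24), which the
# stdlib also classifies as non-global.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical: the only subnet that should ever speak PCOM to the PLCs.
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.50.1.0/24")]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one key=value flow record (firewall / NetFlow export style).

    Returns None for lines that cannot be read instead of raising, so one
    malformed export line does not abort the whole audit."""
    try:
        fields = dict(tok.split("=", 1) for tok in line.split())
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].lower(),
            "dport": int(fields["dport"]),
            "action": fields.get("action", "allow").lower(),
        }
    except (KeyError, ValueError):
        return None


def _in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def audit_pcom_flows(lines: List[str], pcom_port: int = PCOM_DEFAULT_PORT) -> List[Finding]:
    """Flag permitted TCP flows to the PLC service port from sources that
    should never reach it. Denied flows are skipped: the firewall did its job."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if (f is None or f["proto"] != "tcp"
                or f["dport"] != pcom_port or f["action"] != "allow"):
            continue
        if not _in_any(f["src"], INTERNAL_RANGES):
            reason = "PCOM port reachable from the internet: PLC is exposed"
        elif not _in_any(f["src"], ENGINEERING_ALLOWLIST):
            reason = "PCOM from an internal host outside the engineering allowlist"
        else:
            continue  # engineering workstation talking to the PLC: expected
        findings.append(Finding(str(f["src"]), str(f["dst"]), reason))
    return findings


# Constructed sample flows (not real logs); the PLC sits at 192.168.7.20.
SAMPLE_FLOWS = [
    "ts=2023-11-25T13:02:11Z src=203.0.113.45 dst=192.168.7.20 proto=tcp dport=20256 action=allow",
    "ts=2023-11-25T13:02:40Z src=10.50.1.15 dst=192.168.7.20 proto=tcp dport=20256 action=allow",
    "ts=2023-11-25T13:03:05Z src=10.20.3.8 dst=192.168.7.20 proto=tcp dport=20256 action=allow",
    "ts=2023-11-25T13:03:30Z src=198.51.100.9 dst=192.168.7.20 proto=tcp dport=20256 action=deny",
    "ts=2023-11-25T13:04:00Z src=10.50.1.15 dst=192.168.7.21 proto=tcp dport=443 action=allow",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for finding in audit_pcom_flows(SAMPLE_FLOWS):
        print(finding)
```

On the sample the audit returns two findings: the internet-sourced flow, which is the exposure the attackers exploited, and an internal host outside the engineering subnet, which is the kind of lateral access a compromised office workstation would produce. Changing the PLC's listening port, as CISA recommends, only moves the target; pass the new port as pcom_port and keep the allowlist check, since an exposed controller on a non-default port is still exposed.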
Other threat groups are also active in the war. Researchers have found a new strain of SysJoker malware. Check Point describes a variant written in Rust that's being actively deployed against targets, mostly Israeli, in connection with the ongoing war between Hamas and Israel. The researchers don't have an attribution to offer, but they do regard the malware's use as aligned with Hamas interests. They note that SysJoker has been used since 2021, and they connect it with attacks against infrastructure. The malware, formerly written in C++, has been completely rewritten in Rust. It appears to bear some connection with the Electric Powder Operation against Israel Electric Company in 2016 and 2017. That action was attributed to the Gaza Cybergang.
Intezer, who, as BleepingComputer notes, first described SysJoker, regards the current activity as the work of a hitherto unremarked advanced persistent threat (APT) it calls "WildCard." WildCard, whose precise place among various anti-Israeli actors remains obscure, makes its initial approach through social engineering, using phishing emails, bogus social media profiles, and fake news sites, all techniques in which it's invested considerable resources. The APT also abuses legitimate cloud services. Intezer concludes, "Clustering these different sets of activities showcases an APT group consistently targeting Israeli critical sectors like education, IT infrastructure, and possibly electric power generation active to this day."
DPRK cyber operations at the low end of the spectrum of conflict: supply chains and cryptocurrencies.
Microsoft describes a supply chain attack by the North Korean threat actor Diamond Sleet. Redmond reported late last week that “Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.”
Separately, the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) have issued a joint advisory warning of North Korean hackers’ increased focus on software supply chain compromise. The advisory notes, “The actors have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminate organisations via their supply chains. The NCSC and the NIS consider these supply chain attacks to align and considerably help fulfil wider DPRK-state priorities, including revenue generation, espionage, and the theft of advanced technologies.” For more on current DPRK action against supply chains, see CyberWire Pro.
Researchers at SentinelOne described two North Korean cryptocurrency theft campaigns, tracked as “RustBucket” and “KandyKorn”: “The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ and called ‘KandyKorn.’” Recently, the threat actors have begun merging elements of the two campaigns, “with SwiftLoader droppers being used to deliver KandyKorn payloads.”
North Korea has increasingly turned to the theft of cryptocurrency as it seeks to redress its financial problems. Recorded Future's Insikt Group reports that "Since 2017, North Korea has greatly expanded its targeting of the cryptocurrency industry, stealing over an estimated $3 billion worth of cryptocurrency." It's a better bet than the earlier raids on more established financial systems, like the Lazarus Group's compromise of the SWIFT interbank transfer system, which drew too much legal and regulatory attention for comfort. Cryptocurrencies remain comparatively under-regulated, which renders them attractive targets. The methods North Korea uses don't differ in kind from those employed by ordinary criminal gangs. They do differ in scope: state support enables the Lazarus Group to operate on a much larger scale than conventional criminals. Its successes probably haven't gone unnoticed. The Insikt Group's report concludes, "It is even possible other heavily sanctioned entities, such as Russia, will attempt to duplicate this success or try to recruit insiders who are working at cryptocurrency firms and exchanges, following in North Korea’s footsteps."
"SugarGh0st" RAT prospects targets in Uzbekistan and South Korea.
Researchers at Cisco Talos describe cyberespionage against Uzbekistan and the Republic of Korea. They call the remote access Trojan (RAT) being used "SugarGh0st," which they regard as a descendant of the venerable Gh0st RAT. The initial attack is phishing, with bait documents tailored to the targets' presumed interests. Two different infection chains have been observed: "One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st." Attribution is unclear, but based on the artifacts they've observed, the researchers conclude "with low confidence" that it's a Chinese-speaking threat actor (and that's as far as they're prepared to go).
Black Basta's take (so far).
Black Basta, probably an offshoot of the Conti Group, and, like its parent, probably a state-connected, state-tolerated Russian privateer, has taken some $107 million from its victims since it emerged last year. Conti went into occultation in May of 2022, about the time Black Basta became active. A study by Elliptic and Corvus Insurance concludes that Black Basta has infected at least 329 victims. The researchers say, "Much of the laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange." Black Basta has typically used Qakbot infestations spread by phishing emails to gain access to its targets.
The victimology suggests privateering. About 95% of Black Basta's victims belong to what Moscow has taken to calling "the collective West." That 95% is represented by the United States (well atop the leaderboard at almost 70%), Germany, Canada, the United Kingdom, Italy, Austria, and Switzerland. Elliptic notes the difficulty of tracing blockchain transactions, and says that the $107 million estimate of total ransomware payments is conservative. The true total is probably higher.
Rhysida's action against British, Chinese targets.
The Rhysida ransomware gang, first observed, according to SentinelOne, in May of this year, has claimed responsibility for an attack against the British Library that involved the theft of employees’ personal data, the Guardian reports. The ransomware-as-a-service group is selling the dataset for 20 bitcoin (approximately $749,000). Rhysida has also added the Chinese state-owned energy conglomerate China Energy Engineering Corporation (CEEC) to its list of victims, Security Affairs reports. The group is selling a trove of data stolen from the organization for 50 bitcoin (about $1.87 million). The gang appears, circumstantially, to be a Russian privateering organization, which makes the attack against a Chinese target surprising. Either Rhysida's affiliates are outside the gang's effective control (the likeliest explanation) or Rhysida is slipping its own leash (also possible) or the Kremlin has decided to tolerate attacks on a nominally friendly state (unlikely, but still possible).
Twisted Spider observed conducting new ransomware campaigns.
Microsoft has reported a new active malvertising campaign in which the Twisted Spider criminal gang (also tracked as Storm-0216, or UNC2198, and believed to be based in Russia) has been distributing the Danabot Trojan through malicious advertising. "The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering," Microsoft researchers tweeted. "Danabot collects user credentials and other info that it sends to command and control, followed by lateral movement via RDP sign-in attempts, eventually leading to a handoff to Storm-0216." The campaign's goal is extortion. Once installed, Computing reports, Twisted Spider uses Danabot to install Cactus ransomware. The shift to a private version of Danabot is a change for Twisted Spider, which had formerly used Qakbot. Qakbot has been disrupted by law enforcement, and so the shift represents an adaptation by the gang.
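The sequence Microsoft describes, stolen credentials followed by RDP sign-in attempts and then a handoff to the ransomware operator, leaves a characteristic trace in Windows Security logs: one source address attempting RemoteInteractive logons (logon type 10) against several hosts in a short span. The detector below is an added example written for this page, not Microsoft's or anyone else's published logic, and it runs over a constructed set of flattened 4624/4625 events rather than real telemetry; the hostnames, addresses, accounts, window of ten minutes, and fan-out threshold of three hosts are all assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log: 4624 = successful logon, 4625 = failed logon,
# logon type 10 = RemoteInteractive (RDP / Terminal Services).
LOGON_EVENT_IDS = {4624, 4625}
RDP_LOGON_TYPE = 10
FANOUT_THRESHOLD = 3      # distinct target hosts from one source inside the window (assumption)
WINDOW_MINUTES = 10       # sliding window length (assumption)

# Constructed sample events (not real telemetry), in the flattened form a SIEM
# holds after parsing Security events. Hosts, addresses and users are made up.
SAMPLE_EVENTS = [
    {"ts": "2023-11-27T01:00:10", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "WS-050", "user": "jsmith"},
    {"ts": "2023-11-27T02:14:03", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "FS01",   "user": "jsmith"},
    {"ts": "2023-11-27T02:15:30", "event_id": 4624, "logon_type": 2,  "src_ip": "10.0.5.23", "target_host": "WS-050", "user": "jsmith"},
    {"ts": "2023-11-27T02:16:40", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "SQL01",  "user": "svc_backup"},
    {"ts": "2023-11-27T02:19:12", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "target_host": "DC01",   "user": "svc_backup"},
    {"ts": "2023-11-27T02:20:05", "event_id": 4625, "logon_type": 10, "src_ip": "10.0.9.4",  "target_host": "WS-117", "user": "helpdesk"},
    {"ts": "2023-11-27T02:21:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.4",  "target_host": "WS-117", "user": "helpdesk"},
]


def _rdp_attempts(events):
    """Group RDP logon attempts (successes and failures) by source, oldest first.
    Interactive console logons (type 2) and other logon types are ignored."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] in LOGON_EVENT_IDS and e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append(
                (datetime.fromisoformat(e["ts"]), e["target_host"], e["user"], e["event_id"]))
    for attempts in by_src.values():
        attempts.sort(key=lambda a: a[0])
    return by_src


def detect_rdp_fanout(events, threshold=FANOUT_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Return one alert per source address that reached `threshold` distinct
    hosts over RDP within any `window_minutes` span. A successful logon among
    the attempts is recorded separately: that is the host to triage first."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, attempts in _rdp_attempts(events).items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it is within `window` of the newest attempt
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            targets = {host for _, host, _, _ in in_window}
            if len(targets) >= threshold:
                alerts.append({
                    "src_ip": src,
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "targets": sorted(targets),
                    "users": sorted({user for _, _, user, _ in in_window}),
                    "any_success": any(eid == 4624 for _, _, _, eid in in_window),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fanout(SAMPLE_EVENTS):
        print(alert)
```

On the sample only 10.0.5.23 alerts: its 01:00 logon falls outside the window, but FS01, SQL01 and DC01 within five minutes, ending in a successful logon with a second account, is exactly the credential-reuse-then-RDP pattern described above. The help-desk host retrying one workstation does not. One caveat when deploying this: with Network Level Authentication enabled, failed RDP logons are frequently recorded on the target as logon type 3 rather than 10, so a production rule should also consider 4625 events of type 3 whose source is a workstation rather than a server.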
Neanderthals and the Telekopye bot.
ESET has published a report on the criminal users of Telekopye, a Telegram bot that helps craft templates for phishing lures and websites. The researchers call the scammers “Neanderthals,” due to the crooks’ habit of calling their victims “mammoths.” Telekopye groups recruit new members via advertisements on criminal forums: “Aspiring Neanderthals are required to fill out an application, answering basic questions like where they learned about the group and what experience they have in this line of “work”. If approved by existing group members with sufficiently high role, the new Neanderthals can start using Telekopye to its full extent. Furthermore, every Neanderthal is required to join two channels: a group chat where Neanderthals communicate and where rules and manuals are kept, and a separate channel where transaction logs are kept.”
Ransomware attacks against healthcare organizations.
A ransomware attack against Tennessee-based healthcare provider Ardent Health Services on Thanksgiving disrupted services at hospitals across East Texas, New Jersey, Idaho, New Mexico, and Oklahoma, CNN reports. The attack forced hospitals to divert ambulances to different providers. Ardent owns thirty hospitals in the US, and the attack has impacted all of them, East Idaho News reports.
Separately, Vanderbilt University Medical Center in Nashville, Tennessee, is investigating a cybersecurity incident that led to a compromised database, the Record reports. A spokesperson for the center stated, “Preliminary results from the investigation indicate that the compromised database did not contain personal or protected information about patients or employees.”
And patient engagement company Welltok has disclosed that it was attacked by the Cl0p ransomware group earlier this year, leading to a breach of data belonging to at least 426,000 patients of Premier Health in Ohio and an unnamed Georgia-based company, 2 NEWS reports. For more on the risk of cyberattacks against the healthcare sector, see CyberWire Pro.
Patch news.
Adobe this week updated ColdFusion, Google patched a Chrome zero day, and Microsoft has addressed Outlook Desktop crashes with a temporary fix.
CISA has released four industrial control system advisories, for Delta Electronics InfraSuite Device Master, Franklin Electric Fueling Systems Colibri, Mitsubishi Electric GX Works2, and BD FACSChorus.
Crime and punishment.
Yuriy Shchyhol, the chief of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), who was relieved on November 20th and declared a suspect in a case involving the alleged diversion of funds intended for IT purchases for a network of protected data registers, was taken into custody last week. The alleged corruption occurred in 2021, the year before Russia's full-scale invasion of Ukraine. Mr. Shchyhol's former deputy, Viktor Zhora, was also relieved and faces charges in the same case; he was arrested this week. Both men were offered release on bond.
Law enforcement agencies from seven countries, supported by Eurojust and Europol, have taken action against a criminal network believed to have launched ransomware attacks against more than 1,800 victims in 71 countries, BleepingComputer reports. Eurojust says the operation “led to the arrest of the ringleader and the detention of four suspects in Ukraine. A total of 30 places were searched and over a hundred digital equipment tools were seized.”
Courts and torts.
The US Federal Bureau of Investigation (FBI) and partners in the UK (the Financial Intelligence Investigation Service) and Finland (the National Bureau of Investigation) have seized the Sinbad cryptomixer service. North Korea's Lazarus Group used Sinbad to mix stolen cryptocurrency across different wallets, thereby laundering the funds. Concurrently, the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Sinbad. OFAC explained, "Sinbad has processed millions of dollars’ worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists. Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces."
Policies, procurements, and agency equities.
The debate in the US over the renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorizes intelligence agencies’ warrantless collection against foreign targets, is approaching a conclusion. The US Administration sees Section 702 as essential to preventing and mitigating the damage of cyberattacks against critical US infrastructure, but opponents of the surveillance tool claim it violates citizens’ privacy rights. House Speaker Johnson and Senate Majority Leader Schumer are expected to attempt to save the program by including it in the National Defense Authorization Act (NDAA), Wired explains.
Senate Intelligence Chairman Mark R. Warner (Democrat, Virginia) introduced a bipartisan alternative on Tuesday that aims to strike a middle ground between proponents and opponents of Section 702. The Record reports that the bill would restrict the Federal Bureau of Investigation’s (FBI) authority to conduct backdoor queries of the data of Americans by prohibiting searches conducted solely to find evidence of a crime, while simultaneously enhancing the FBI's compliance requirements.
The US Department of Defense (DoD) has issued a statement on responsible use of artificial intelligence for military operations. Forty-seven countries have so far endorsed the US “Political Declaration on Responsible Military Use of Artificial Intelligence and Autonomy” released last February.
CISA has joined the UK's National Cyber Security Centre (NCSC) to release “Guidelines for Secure AI System Development,” which details recommendations for system developers that create products incorporating artificial intelligence tech. The first of its kind, the document combines the knowledge of twenty-one agencies and ministries, including the Australian Signals Directorate’s Australian Cyber Security Centre, Germany’s Federal Office for Information Security, Japan’s National center of Incident readiness and Strategy for Cybersecurity, and Nigeria’s National Information Technology Development Agency.
Labor markets.
Broadcom, having completed its acquisition of VMware, is cutting personnel now deemed redundant. The Silicon Valley Business Journal reports that Broadcom is eliminating 1,267 VMware jobs in Palo Alto, California.
Mergers and acquisitions.
Godspeed Capital Management has launched Crimson Phoenix, "a data and intelligence solutions platform designed to support critical mission requirements of the U.S. Intelligence Community and U.S. Special Operations Command," Intelligence Community News reports.
New York City-based cybersecurity firm BlueVoyant has acquired cyber risk management platform provider Conquest Cyber.
Investments and exits.
BlueVoyant has also announced a $140 million Series E round to accompany the acquisition of Conquest. The round was led by Liberty Strategic Capital, ISTARI, and existing investors.
The Irish cyber risk management shop Cytidel has raised €1.3m in a seed funding round led by Elkstone Ventures, with participation from Enterprise Ireland.
And security innovation.
A report from Snyk looks at security issues introduced by AI-generated code, finding that 92% of developers said that AI coding tools occasionally generate insecure code suggestions.