"Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Aan arrest in the Discord Papers case.

"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there’s been an arrest in the Discord Papers case.

From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday April 14th, 2023.

"Read the Manual" and the ransomware-as-a-service market.

Trellix shared some behind-the-scenes insight into the operations and goals of the Read the Manual ransomware-as-a-service (RaaS) gang yesterday, known prior for their ransomware activity against corporate enterprises. The threat actors also have a notable, specific set of rules that require strict adherence from affiliates. The gang requires its affiliates to remain active or make their leave known, lest ten days pass without notification; in which case the offending affiliate will be locked out of the gang’s panel. Accessing the panel requires a username and password for affiliates, as well as the entry of a CAPTCHA code. Once the user has entered the panel, they can add ransomed victims, and set a timer for the release of the data. A section of a ransom note from the gang reads: “All your documents, photos, reports, customer and employee data, databases and other important files are encrypted and you cannot decrypt them yourself. They are also on our servers!”

Trellix reports that certain targets are off-limits. “CIS countries [former Soviet Republics] are excluded, as well as morgues, hospitals, and COVID-19 vaccine related corporations." For some reason dentistry is fair game (the use of the word “hospitals” rather than doctor’s offices as a point of exclusion is also highlighted by researchers). One rule in particular emphasizes the avoidance of making headlines, which also removes “vital infrastructure, law enforcement, and other major corporations” as targeting points. In the case that a major corporation is impacted and/or makes headlines, all references and traces connected to the RTM gang are to be immediately removed, with negotiations to take place on a differing platform.

The researchers suspect that there are affiliates and gang members on opposite sides of the war between Russia and Ukraine. In any case, the gang seems to be opportunistic in their attacks and driven by financial as opposed to political motives. 

Bitter APT may be targeting Asia-Pacific energy companies.

Intezer concludes that a new string of energy sector targeted phishing attacks are using tactics that resemble those previously used by Bitter APT. "Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia." The group makes its approach through phishing.

Although Bitter APT's involvement in the attacks is not fully confirmed, there are circumstantial grounds that point in its direction. The researchers have found that the threat actors are using the same tactics previously observed by the Bitter APT group such as “the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer (MSI) files.” The exploits have been noted to initiate with an email to personnel in the energy sector being invited to a conference or round table. Intezer writes, “The lures are designed to socially engineer the recipient to download and open an attached RAR file that contains either a Microsoft Compiled HTML Help (CHM) or Excel payload.” Intezer advises that “entities in government, energy, and engineering especially those in the Asia-Pacific region should remain vigilant when receiving emails, especially those claiming to be from other diplomatic entities. Always verify that the sender is trusted and understand that even if it claims to be from a particular person, it might not be.”

Cozy Bear sighting.

CERT Polska, Poland's cybersecurity authority, warns that APT29, the unit of Russia's SVR foreign intelligence service that's also tracked as Cozy Bear and NOBELIUM, is actively pursuing diplomatic targets in many nations, principally NATO members. The campaign's goal is espionage, and its approach is spearphishing. "In all observed cases, the actor utilised spear phishing techniques. Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts. The correspondence contained an invitation to a meeting or to work together on documents. In the body of the message or in an attached PDF document, a link was included purportedly directing to the ambassador's calendar, meeting details or a downloadable file." Polish authorities recommend that organizations implement configuration changes to protect themselves from Cozy Bear's ministrations.

Hacktivist auxiliaries continue to hit Canadian targets.

The Russian hacktivist auxiliary NoName057 (16) claimed responsibility for a distributed denial-of-service (DDoS) attack against Hydro-Québec yesterday. CTV News Montréal quotes the group's communiqué: "Continuing our visits to Canada. The website of Hydro-Québec, the company responsible for generating and transporting electricity in Québec, was put down." The Toronto Star reports that the power company's website and mobile app sustained disruption. Power generation and distribution were unaffected, a Hydro-Québec spokesman said, nor were customer data compromised. “They did not take any information from us,” the spokesman said. “It’s an attack on our website that makes it unavailable for our customers, unfortunately.” Hydro-Québec is the province's major supplier of electricity. It's also a major exporter of power to the US state of New York.

An arrest has been made in the Discord Papers case.

And, finally, whatever influencer fantasies may have been driving OG and the Thug Shaker Central followers who hung on his Discord posts, the reality principle asserted itself yesterday in the form of an FBI raid on the alleged leaker's home in Dighton, Massachusetts. Airman 1st Class Jack Teixeira [tuh-SHARE-uh] was arrested at his home yesterday in connection with his alleged role in the leak of classified information over Discord. The 21-year-old cyber transport systems specialist is (or was) assigned to the Massachusetts Air National Guard's 102nd Intelligence Wing at Otis Air National Guard Base on Cape Cod. An Airman 1st Class is a junior enlisted rank, an E-3, the equivalent of a US Army Private First Class or a US Navy Seaman. 

The New York Times observes that how Airman Texieira obtained access to the range of classified information he's alleged to have shared under his nom-de-hack OG with the even younger members of his Discord Club remains unclear. The investigation continues, and according to Reuters Discord is cooperating with the authorities. "In regards to the apparent breach of classified material, we are cooperating with law enforcement," Discord said. "As this remains an active investigation, we cannot provide further comment at this time."

The US Department of Defense has pointed out that leaking doesn't amount to declassification. "Just because classified information may be posted online or elsewhere does not mean it has been declassified by a classification authority," Pentagon press secretary Brigadier General Jack Ryder said. "We're just not going to discuss or confirm classified information due to the potential impact on national security, as well as the safety and security of our personnel and those of our allies and our partners. And for that reason, we will continue to encourage those of you who are reporting this story to take these latter factors into account, and to consider the potential consequences of posting potentially sensitive documents or information online or elsewhere."

So stand by. And beware of the leaks.

And that's the CyberWire. 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Jason Cole, Joe Carrigan, Carole Theriault,  Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening.    

Selected reading.

Read The Manual Locker: A Private RaaS Provider (Trellix)

Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)

Espionage campaign linked to Russian intelligence services (Baza wiedzy)

Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online)

Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023)

Cyberattack knocks out website and mobile app for Quebec’s hydro utility (Toronto Star)

F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times)

DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense)