The CyberWire Daily Podcast 8.14.23
Ep 1884 | 8.14.23

Attacks on industrial systems in Europe and Africa. LolekHosted arrests. Notes from the hybrid war. The CSRB will investigate the cyberespionage campaign that exploited Microsoft Exchange.

Transcript

An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDoS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange.

I’m Dave Bittner with your CyberWire intel briefing for Monday, August 14th, 2023.

African power generator hit with ransomware.

Kaspersky warns that a new version of the SystemBC malware was used in an attack against a critical infrastructure power generator in an unnamed southern African nation: “[A]n unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack. This attack occurred in the third and fourth week of March 2023, as a part of a small wave of attacks involving both DroxiDat and CobaltStrike beacons across the world. DroxiDat, a lean ~8kb variant of SystemBC serving as a system profiler and simple SOCKS5-capable bot, was detected in the electric utility. The C2 infrastructure for this electric utility incident involved an energy-related domain ‘powersupportplan[.]com’ that resolved to an already suspicious IP host.”

Kaspersky offered tentative attribution of the incident to a Russian-speaking cybercriminal gang, specifically to FIN12 (which has also been called Pistachio Tempest). FIN12 has hitherto been known for attacks against the healthcare sector. In May of 2022 it was one of the gangs prominently featured in the US Department of Health and Human Services report, Ransomware Trends in the HPH Sector. FIN12 has changed its target selection but not its playbook. The group's motivation is financial.

Some news reports have said the incident occurred in South Africa, but that’s incorrect. As we noted above, it took place in an unidentified country in the southern part of the African continent.

APT31 linked to attacks on industrial systems in Eastern Europe.

Earlier last week another report from Kaspersky found that APT31 (also known as “Judgment Panda” or “Zirconium”) is targeting industrial systems in Eastern Europe. The researchers state, “The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.”

Kaspersky notes that the attack’s architecture “allows the threat actor to change the execution flow by replacing a single module in the chain.”

APT31 is generally regarded as an intelligence operation of the Chinese government. Much of its activity has involved industrial espionage, but the group has also been implicated in collection of political intelligence.

Arrests in the LolekHosted takedown.

A joint Polish-US operation brought down the LolekHosted bulletproof hosting provider last week, the Record reports. The US Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS) were joined in the action by the Regional Prosecutor's Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow. Europol announced the arrests of five administrators of the service in Poland. LolekHosted was a player in the criminal-to-criminal marketplace.

Ukraine's SBU claims Russia's GRU is attacking Starlink with custom malware.

The Telegraph reports that Ukraine's State Security Service (SBU) has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements. There’s little else out on this story, but we’ll be following it closely for any developments.

Russian Ministry of Digital Development bans Apple mobile devices.

Workers at Russia's Ministry of Digital Development are no longer permitted to use either iPhones or iPads for work purposes. The responsible Minister, Maksut Shadaev, announced the order Friday, Reuters reports. Personnel at the Ministry will still be permitted to use iPhones for "personal needs," but they're henceforth prohibited from using them for work email or for accessing work applications. The ban is generally believed, as Livemint observes, to have been prompted by an FSB report in June that Apple devices had been compromised by the US NSA, probably with Apple's connivance. Apple has denied both the compromise and its alleged cooperation in undercutting its own security. If iOS devices represented the security risk the FSB says they do, a dilatory partial ban seems a curious response.

Microsoft will not renew Russian licenses for its products.

Microsoft stopped sales to Russia when Russia invaded Ukraine in February 2022. It did continue to license products that had been purchased before the invasion. Radio Free Europe | Radio Liberty reports that Microsoft has now served notice that such licenses will not be renewed after September 30th. Active licenses will run through their expiration dates, and then will terminate. This decision will further isolate the Russian IT sector from the global supply chain, and Russia’s IT sector is far from self-sufficient.

Cyber Safety Review Board will look into cyberespionage against Microsoft Exchange.

The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has announced that its third investigation will focus on “approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud.” The board stated, “The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July. The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves.”

The investigation will represent the third such inquiry in the CSRB’s history. The first report covered Log4j, the second looked into the Lapsus$ Group.

Microsoft characterized the incident as a case of cyber espionage, and it attributed the operation to a Chinese-associated group it tracks as Storm-0558. The group typically gained access to email accounts via stolen credentials.

The CSRB, a relatively young organization chartered in September 2021 as directed by Executive Order 14028: Improving the Nation's Cybersecurity, is neither a regulatory nor an enforcement agency. Like the National Transportation Safety Board (the NTSB) on which it was modeled, the CSRB investigates important incidents with a view “to identify relevant lessons learned to inform future improvements and better protect our communities.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

Don’t forget to check out the “Grumpy Old Geeks” podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed. And check out the “Recorded Future” podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That’s at recordedfuture.com/podcast.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.

Selected reading.

DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine)

New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News)

Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs)

Southern African power generator targeted with DroxiDat malware (Record)

Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT)

APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine)

Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News)

LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer)

Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph)

Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld)

Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty)

Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security)

Microsoft Exchange hack is focus of cyber board’s next review (Record)

Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central)

The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs)

Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost)