The CyberWire Daily Podcast 1.4.24
Ep 1976 | 1.4.24

Russian hackers hide in Ukraine telecoms for months.


Sandworm was in Kyivstar's networks for months. Museums face online outages. Emsisoft suggests a ransomware payment ban. An ambulance service suffers a data breach. Mandiant’s social media gets hacked. GXC Team's latest offerings in the C2C underground market. 23andMe blames their breach on password reuse. Lawyers are using outdated hashing. On today’s Threat Vector segment, David Moulton chats with Garrett Boyd, senior consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity. And in Russia, holiday cheers turn to political jeers. 

It’s Thursday, January 4th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Sandworm was in Kyivstar's networks for months.

We begin today with reports that Russia’s Sandworm was inside Kyivstar’s networks for at least seven months. Illia Vitiuk, who leads Ukraine's SBU cybersecurity department, told Reuters that Sandworm, a unit of Russia's GRU, had access to the telecom provider's networks since at least May 2023, and probably began its attempts against Kyivstar as early as March of that year. For most of that period the goal was collection, mainly of data on individual Kyivstar subscribers; only in the final stage did the operation turn to destroying data and disrupting service. A nominally hacktivist group, Solntsepyok [so-linn-TSEP-yawk], claimed credit for the attack, but Solntsepyok is almost certainly a GRU front.

The effects of the attack on Kyivstar were severe and widespread, but they fell mostly on civilian users rather than military operations; the Ukrainian military makes little tactical use of civilian telecoms. Vitiuk sees the attack as a warning. "This attack is a big message, a big warning," he said, "not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable." Kyivstar is a large, wealthy, private company, a subsidiary of the Netherlands-based multinational VEON, and it was by no means a soft target. 

Museums face online outages.

Several prestigious museums have been unable to display their collections online following a cyberattack on Gallery Systems, a service provider whose software hundreds of cultural institutions use for digital displays and collection records. The Museum of Fine Arts Boston, the Rubin Museum of Art, and Crystal Bridges Museum of American Art all reported disruptions. Gallery Systems first detected the incident on December 28, when it found its software encrypted and inoperative; it isolated the affected systems, brought in outside cybersecurity experts, and notified law enforcement. Some systems have since been restored, but others remain down, cutting off access to internal records such as donor names, loan agreements, and artwork storage details. The attack is the latest in a string of incidents affecting cultural organizations, including the British Library, the Metropolitan Opera, and the Philadelphia Orchestra, many of them the work of ransomware groups. Museums that host their collection databases themselves, such as the Metropolitan Museum of Art and the Whitney Museum, reported no impact. 

Emsisoft promotes ransomware payment ban.

In 2023 the U.S. was heavily targeted by ransomware, with more than twenty-two hundred known attacks on hospitals, schools, governments, and private companies. A report by Emsisoft Malware Lab presents a dire view of the situation: despite various countermeasures, ransomware remains a prevalent threat, causing not only economic damage but also potentially endangering lives, particularly in healthcare settings. Indeed, the number of ransomware attacks on hospital systems and educational institutions has risen significantly over the past three years.

The authors argue that the only effective solution to the ransomware crisis is to completely ban the payment of ransoms. They contend that ransomware is a profit-driven crime and making it unprofitable will lead to a drastic reduction in attacks. Security experts like Kevin Beaumont and Allan Liska support this view, acknowledging that while a ban on ransom payments might lead to a short-term increase in attacks, it's the only viable long-term solution.

The report also notes the evolving nature of ransomware attacks, with threat actors employing more aggressive tactics and demanding increasingly higher ransoms. It underscores the fact that these are not mere disruptions but constitute a crisis with significant and far-reaching consequences.

The report calls for urgent and decisive action to combat ransomware. It suggests that a ban on ransom payments, coupled with improved cybersecurity practices and international cooperation, is crucial to stemming the tide of this damaging and dangerous cybercrime wave.

Ambulance service suffers data breach.

Transformative Healthcare, a Massachusetts-based company, has reported a data breach affecting nearly 912,000 people. The breach involved Fallon Ambulance Services, which Transformative acquired in 2018; it was detected in April 2023, with unauthorized activity dating back to February. Compromised data includes names, addresses, Social Security numbers, medical details, and employment-related information. The company is offering victims two years of free identity protection. Federal law enforcement is investigating, as is a national consumer-rights law firm weighing claims on behalf of those affected. The ambulance company had ceased operations before the breach occurred, but its parent had a legal obligation to retain copies of the records that were subsequently stolen. 

Mandiant’s social media gets hacked.

Cybersecurity firm Mandiant had its X/Twitter account hijacked and used to impersonate the Phantom crypto wallet, spreading a cryptocurrency scam. The attacker promoted a fake site offering free $PHNTM tokens, leading users to install a fraudulent Phantom wallet aimed at draining their cryptocurrency. The real Phantom Wallet has since warned users and disabled interaction with the scam site. The threat actor briefly used the account to troll Mandiant before the company regained control and began restoration efforts. 

GXC Team's latest offerings in the C2C underground market.

Resecurity has identified a cybercriminal group, "GXC Team," known for creating tools aiding online banking theft and social engineering. Recently, they started selling an AI-powered tool for generating fake invoices to execute business email compromise (BEC) attacks, replacing legitimate banking details in business transactions. This tool adds to their repertoire of fraudulent platforms, including phishing kits and payment data checkers. 

Data breach blamed on password reuse.

Genetic testing company 23andMe has drawn criticism for its response to the major data breach whose full scope it acknowledged in December, TechCrunch reports. The attackers gained initial access through credential stuffing, logging in to roughly 14,000 customer accounts with passwords those customers had reused from earlier, unrelated breaches, and then used the service’s DNA Relatives feature to harvest data on 6.9 million users who had opted in to it. 23andMe’s response to the breach has been widely perceived as victim-blaming.

The company stated in an email to customers who are suing the company that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

Hassan Zavareei, one of the lawyers representing victims of the breach, told TechCrunch, “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”
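As an added illustration (not from 23andMe, TechCrunch, or the plaintiffs' filings), here is the kind of safeguard the lawyer is pointing at: a detector for credential stuffing run over constructed authentication log lines. The log format, the thresholds, and the addresses are assumptions for the example. The signal it keys on, many distinct usernames from one source with a high failure ratio, is what separates stuffing from a brute force against a single account or from an ordinary user mistyping their own password; the accounts that nevertheless logged in from a flagged source are the ones whose passwords were valid elsewhere and need a forced reset.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data). One source
# address walks a list of different usernames with leaked passwords and gets
# exactly one hit; a legitimate user fumbles their own password a few times.
SAMPLE_LOG = (
    [f"2024-01-04T10:00:{i:02d}Z ip=203.0.113.5 user=cust{i:02d} "
     f"result={'OK' if i == 7 else 'FAIL'}" for i in range(12)]
    + [
        "2024-01-04T10:01:00Z ip=198.51.100.7 user=bob result=FAIL",
        "2024-01-04T10:01:09Z ip=198.51.100.7 user=bob result=FAIL",
        "2024-01-04T10:01:20Z ip=198.51.100.7 user=bob result=OK",
        "2024-01-04T10:02:00Z ip=192.0.2.9 user=alice result=OK",
        "this line is malformed and must be skipped",
    ]
)

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(lines, min_attempts=10, min_distinct_users=5,
                               min_fail_ratio=0.8):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Returns {ip: summary}. A source is flagged when it has made at least
    min_attempts logins against at least min_distinct_users different
    accounts with a failure ratio of at least min_fail_ratio. The summary
    lists the accounts that did log in successfully from that source.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    successes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        ip = rec["ip"]
        attempts[ip] += 1
        users[ip].add(rec["user"])
        if rec["result"] == "FAIL":
            failures[ip] += 1
        else:
            successes[ip].add(rec["user"])

    flagged = {}
    for ip, n in attempts.items():
        ratio = failures[ip] / n
        if (n >= min_attempts and len(users[ip]) >= min_distinct_users
                and ratio >= min_fail_ratio):
            flagged[ip] = {
                "attempts": n,
                "failures": failures[ip],
                "distinct_users": len(users[ip]),
                "compromised_accounts": sorted(successes[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Bob's three attempts against his own account never reach the thresholds, and the attacker's single success is exactly what a brute-force-style "N failures then lock" rule misses: the stuffing source fails on most accounts, succeeds on a few, and never trips a per-account counter. In production the same aggregation would be keyed on a sliding time window and on coarser identifiers (ASN, user agent, client fingerprint) as well as source address, since stuffing traffic is routinely spread across proxy pools.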

Lawyers are using outdated hashing.

Software engineer Kate Sills has written an interesting blog post on how the International Criminal Court and the broader American legal and forensics community continue to rely on the MD5 hash function, despite longstanding warnings against its use. In law, cryptographic hashing is used to establish the identity and integrity of documents and evidence, but MD5's collision weakness lets an attacker craft two different documents with the same hash, undermining that guarantee. The practical attack is a collision rather than a second preimage: an adversary cannot forge a match for an arbitrary file someone else already hashed, but can prepare two colliding documents in advance and later swap one for the other, which matters precisely when the party producing the evidence is also the party who might benefit from altering it. Sills argues that MD5 persists because of a combination of misunderstanding of its flaws, inertia within the legal community, and unawareness of better alternatives such as SHA3. The post calls for an urgent shift to secure hash functions and for a cultural change within the legal sector toward regular technological updates, to maintain the integrity and trustworthiness of legal processes.
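As an added example (not from Sills's post, the ICC, or any forensics tool), the following Python makes the collision weakness concrete and shows an evidence-manifest check that refuses to rest on MD5. The two 128-byte messages are the widely published 2004 Wang et al. MD5 collision pair; the accepted-algorithm policy and the manifest format are assumptions for the example.

```python
import hashlib
import hmac

# The widely published 2004 Wang et al. MD5 collision pair: two 128-byte
# messages that differ in six bytes yet share the MD5 digest
# 79054025255fb1a26e4bc422aef54eb4.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Assumed policy for this example: algorithms a manifest may rely on.
# MD5 and SHA-1 are deliberately absent.
ACCEPTED = ("sha256", "sha3_256")


def digests(data, algorithms=("md5", "sha256", "sha3_256")):
    """Return {algorithm: hex digest} for the given bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def differing_offsets(a, b):
    """Byte offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def verify_evidence(data, manifest):
    """Check evidence bytes against a manifest of {algorithm: hex digest}.

    Returns (ok, reason). A manifest that carries only MD5 (or SHA-1) is
    rejected outright rather than checked: a matching MD5 proves nothing
    once the submitter could have prepared a colliding twin of the file.
    Every accepted digest present must match.
    """
    usable = [alg for alg in manifest if alg in ACCEPTED]
    if not usable:
        return False, "manifest has no collision-resistant digest"
    for alg in usable:
        expected = manifest[alg].lower()
        actual = hashlib.new(alg, data).hexdigest()
        # constant-time comparison; the digests are ASCII hex strings
        if not hmac.compare_digest(expected, actual):
            return False, f"{alg} mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("bytes that differ:", differing_offsets(MSG_A, MSG_B))
    for name, msg in (("A", MSG_A), ("B", MSG_B)):
        for alg, hexdigest in digests(msg).items():
            print(f"{name} {alg:8} {hexdigest}")
    # An MD5-only manifest recorded for A "verifies" B under MD5, so the
    # checker refuses it; a SHA-256/SHA3-256 manifest tells A and B apart.
    print(verify_evidence(MSG_B, {"md5": digests(MSG_A)["md5"]}))
    print(verify_evidence(MSG_B, digests(MSG_A)))
    print(verify_evidence(MSG_A, digests(MSG_A)))
```

These two messages are random-looking blocks, but the same technique has long since been extended to chosen-prefix collisions that yield pairs of valid PDFs or executables, which is the form that matters for a document produced in evidence. The check above also keeps the MD5 value in the manifest for continuity with older records; it simply never counts it as proof.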

Tip of the hat to Metacurity’s Cynthia Brumfield for sharing this story on Mastodon. 

Next up on our Threat Vector segment, David Moulton from Palo Alto Networks Unit 42 discusses the impact of mentorship and training for cybersecurity growth with Garrett Boyd.

"Happy New Year" changed to "Glory to Ukraine."

And finally, our international hijinks desk reports that a holiday display in Novgorod, Russia, was altered so that instead of spelling out "Happy New Year," it displayed "Glory to Ukraine." Police confiscated the LED display and charged the owners of the apartment with public actions aimed at discrediting the use of the Armed Forces of the Russian Federation.

The Record explains the wayward messaging as a firmware exploit developed in Ukraine during December and subsequently distributed to users of the decoration in Russia. The message was designed to switch at the stroke of midnight on New Year's Eve. It's hard luck for the hapless consumer, who after all now must appear in court after doing nothing more subversive than setting up an apparently innocent holiday sign that switched from holiday cheer to geopolitical jeer. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.