Ukraine at D+62: Moscow's privateering rises.
N2K, Apr 27, 2022

Ukrainian resistance stiffens, with delivery of air defense and artillery systems, and with a new willingness to strike targets inside Russia. Russian cyber activity is marked by increased privateering.

The British Ministry of Defence situation report this morning highlights air operations over Ukraine: "Ukraine retains control over the majority of its airspace. Russia has failed to effectively destroy the Ukrainian Air Force or suppress Ukrainian air defences. Ukraine continues to hold Russian air assets at risk. Russian air activity is primarily focused on southern and eastern Ukraine, providing support to Russian ground forces. Russia has very limited air access to the north and west of Ukraine, limiting offensive actions to deep strikes with stand-off weapons. Russia continues to target Ukrainian military assets and logistics infrastructure across the country. The majority of Russian air strikes in Mariupol are likely being conducted using unguided free-falling bombs. These weapons reduce Russia’s ability to effectively discriminate when conducting strikes, increasing the risk of civilian casualties."

Ukraine has begun to take Russia's war into Russia, hitting targets across the border, the Telegraph reports.

Western support for Ukraine is increasing, with NATO members providing ammunition, armored vehicles, and artillery. The 155mm artillery is particularly noteworthy, since it has been accompanied by weapons-locating radars. So far Russian artillery has been the invaders' one reliably effective arm. The Russian army is using cannon and rocket fire brutally and artlessly, but with successful terroristic effect against civilian targets. Once the newly delivered artillery is fielded, Ukrainian forces will have a counterfire capability the Russian army has never before encountered, and it is possible that Russian artillery may be neutralized quickly through effective Ukrainian counterbattery fire.

Privateering against Western brands.

Some recent ransomware attacks are being interpreted as privateering. Two groups in particular, the gangs behind Conti and Stormous, have been active in the Russian interest. Conti, the better known of the two, has had its internal chatter doxed and compromised by hacktivists and (probably) Ukrainian intelligence services, but these leaks seem not to have slowed it down, whatever fleeting embarrassment and reputational damage it may have suffered in the underworld. SecurityWeek reports that at least thirty new Conti victims have been claimed on the gang's leak site in the month of April alone.

The other operation, Stormous, only came to prominence around the outset of Russia's invasion of Ukraine. This group has claimed, according to Security Affairs, to have obtained access to some of the Coca-Cola Company's servers, from which it says it stole some 161 gigabytes of data. Cybernews says that the filenames mentioned by Stormous suggest that the gang is claiming to have taken "financial data, passwords, commercial accounts, email addresses, and other data." Stormous crowed large on its site:

“Since it was a vote on giant beverage company (Coca-Cola)! we hacked some of their servers and went over (161G)! But the situation is not always as we want to sell it by any other ways we have opened our store on our own website in the dark web! This company was the first victim. Browse a little on our site If you want to buy you can contact us and we will provide you some required data as initial proof! Then you can pay or buy depending on the amount of data you want! Warning: It will only be a way to sell data to some big companies but for other companies we will leak their data like we always did!! Browse our site!”

(We recommend not. Let the hoods talk among themselves.) Stormous asked Coca-Cola for precisely $64,396.67 in ransom, which, chickenfeed as it is, suggests that their motivation is embarrassment and brand damage as opposed to financial gain. The gang says it picked Coca-Cola (an iconic and globally recognized American brand) in response to a vote taken among the followers of its Telegram channel.

Stormous has a dubious reputation. All criminals are dubious, of course, but the word on the street about Stormous is that they're not what they claim to be. Their victims tend not to have confirmed the attacks Stormous claims, and there's speculation reported by SOCRadar and others that Stormous is a "scavenger operation," that is, they simply scrape up material others have dumped and represent it as their own.

Erich Kron, security awareness advocate at KnowBe4, sets the Coca-Cola incident in the context of Russian privateering:

“With the ongoing hostilities between Russia and Ukraine, and with America supporting Ukraine in their defense, it is not surprising that pro-Russian groups have decided to target American organizations for attack. What is unfortunate to see is the amount of data, as much as 161 gigabytes including sensitive information, that was moved out of the network without being noticed, underlining the need for good Data Loss Prevention (DLP) tools in modern networks. Coca-Cola also faces the daunting task of finding out how the breach occurred, and ensuring any back doors or other malware were not left behind, allowing the attackers back in the network if they decide to do more damage.

"Because the most common method of gaining initial network access is email phishing, organizations that are concerned about being targeted should make sure their employees are trained to spot and report potential phishing attacks on a regular basis. In addition, ensuring that DLP is deployed and working, and that servers and devices are up to date with security patches can significantly reduce the risk of damage if the attackers successfully gain access to the network.”

Neil Jones, director of cybersecurity evangelism at Egnyte, notes that an attacker needn't succeed to have a measure of success:

"The alleged data breach of 161 GB of Coca-Cola's data by Stormous demonstrates that even potential breaches can impact an organization's brand reputation and necessitate formal media responses by the company. Although details of the incident are still emerging, an effective incident response plan needs to account for potential attacks that originate from financially-motivated cyber-attackers, disgruntled insiders and even competitors who are trying to gain an edge in a critical market. Best practices to reduce the likelihood of attacks such as Coca-Cola's include the following: 

"1) Restricting data access based on an end-users' 'business need to know.' 

"2) Implementing technology that detects suspicious log-ins, particularly from unexpected geographical regions.

"3) Proactively stating your company's status on potential breaches, via traditional PR efforts and on social media, and updating messaging as conditions change. With the explosion of social media across the world and the ease at which many organizations can be breached, I anticipate that this trend will continue."
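Jones's second recommendation, detecting suspicious log-ins from unexpected regions, is usually implemented as two checks over authentication logs: a country the account has never used before, and "impossible travel," two log-ins whose distance and time gap imply a speed no airliner reaches. The following is an added example written for this page, not code from the article or from Egnyte. The login records, users, addresses and coordinates are constructed; in practice the country and coordinates come from a GeoIP lookup on the source address, and the baseline window would be weeks rather than days.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    """One successful authentication, already enriched with GeoIP data."""
    ts: datetime
    user: str
    src_ip: str
    country: str  # ISO country code resolved from src_ip
    lat: float    # approximate coordinates resolved from src_ip
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_suspicious_logins(logins, baseline_until, max_speed_kmh=900.0, min_jump_km=50.0):
    """Evaluate every login at or after baseline_until against the user's earlier history.

    new_country:       login from a country absent from the user's baseline (one alert per
                       new country, so a second login from the same place does not re-fire).
    impossible_travel: consecutive logins more than min_jump_km apart whose implied speed
                       exceeds max_speed_kmh. min_jump_km absorbs GeoIP jitter between
                       nearby datacentres; a zero time gap with a real jump is always flagged.
    """
    by_user = defaultdict(list)
    for event in sorted(logins, key=lambda e: e.ts):
        by_user[event.user].append(event)

    alerts = []
    for user, events in by_user.items():
        known_countries = {e.country for e in events if e.ts < baseline_until}
        prev = None
        for e in events:
            if e.ts >= baseline_until:
                if e.country not in known_countries:
                    alerts.append({"kind": "new_country", "user": user, "ts": e.ts,
                                   "country": e.country, "src_ip": e.src_ip})
                    known_countries.add(e.country)
                if prev is not None:
                    dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                    hours = (e.ts - prev.ts).total_seconds() / 3600.0
                    if dist > min_jump_km and (hours == 0 or dist / hours > max_speed_kmh):
                        alerts.append({"kind": "impossible_travel", "user": user, "ts": e.ts,
                                       "from_ip": prev.src_ip, "to_ip": e.src_ip,
                                       "km": round(dist), "hours": round(hours, 2)})
            prev = e
    return alerts


# Constructed sample (hypothetical users, addresses and places).
ATL = ("US", 33.749, -84.388)
LON = ("GB", 51.507, -0.128)
NYC = ("US", 40.713, -74.006)
MOW = ("RU", 55.756, 37.617)
SAMPLE_BASELINE_UNTIL = datetime(2022, 4, 25)


def build_sample_logins():
    def mk(ts, user, ip, place):
        return Login(ts, user, ip, *place)
    return [
        mk(datetime(2022, 4, 20, 9, 0), "jdoe", "198.51.100.10", ATL),
        mk(datetime(2022, 4, 21, 9, 5), "jdoe", "198.51.100.10", ATL),
        mk(datetime(2022, 4, 22, 14, 0), "jdoe", "203.0.113.44", LON),   # business trip, in baseline
        mk(datetime(2022, 4, 20, 8, 30), "asmith", "198.51.100.12", ATL),
        mk(datetime(2022, 4, 21, 8, 45), "asmith", "198.51.100.12", ATL),
        # evaluation day
        mk(datetime(2022, 4, 25, 9, 0), "jdoe", "198.51.100.10", ATL),
        mk(datetime(2022, 4, 25, 9, 40), "jdoe", "192.0.2.200", MOW),      # 40 min after Atlanta
        mk(datetime(2022, 4, 25, 8, 0), "asmith", "198.51.100.12", ATL),
        mk(datetime(2022, 4, 25, 15, 0), "asmith", "198.51.100.30", NYC),  # plausible same-day flight
    ]


def run_sample():
    return detect_suspicious_logins(build_sample_logins(), SAMPLE_BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, jdoe's Moscow login fires both checks (a new country and roughly 8,600 km covered in forty minutes), while asmith's Atlanta-to-New-York day stays silent: the US is a known country and 1,200 km in seven hours is an ordinary flight. Keeping the London trip inside the baseline shows why the baseline matters; the same GB login on the evaluation day would have been a new-country alert.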

And Laminar's CEO, Amit Shaked, points out that data are increasingly treated as a currency: "Data is no longer a commodity, it's a currency — as this incident represents. Information within an organization’s network is valuable to both businesses and attackers. With a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker detection of any data leakage.”

An update on sanctions.

Oil exports have enabled Russia to preserve its economy from collapse, Foreign Policy explains, largely because customers have been soft on the sanctions they say they're willing to impose:

"Despite predictions of doom for the heavily sanctioned Russian economy, nearly two months into Russian President Vladimir Putin’s invasion of Ukraine, his country’s oil exports to Europe and nations such as India and Turkey have actually risen, and its financial sector is so far avoiding a serious liquidity crisis.

"Sanctions may work in the long run, experts say, but for now many of the same countries that are sanctioning Russia are still seriously undercutting their efforts by buying energy from it—in some cases in even larger amounts during April than in March."

For its part, Bloomberg reports, Russia has imposed counter-sanctions on both Poland and Bulgaria to punish them for their support of Ukraine, cutting off deliveries of natural gas to those countries. Neither Warsaw nor Sofia seems likely to knuckle under to this pressure.

And the first significant Chinese company to shutter operations in Russia is, the Register reports, drone manufacturer DJI, which has also suspended operations in Ukraine.