Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS.
N2K, Apr 14, 2023

The FBI makes an arrest in the Discord Papers case, and the US Department of Defense reviews its handling of classified material. CERT-Polska warns of an SVR cyberespionage campaign. Russian hacktivist auxiliaries continue DDoS attacks against Canadian targets.


Renewed heavy assaults by Russian forces made slow progress at week's end against Ukrainian positions in Bakhmut, the UK's Ministry of Defence reports this morning. "Russia has re-energised its assault on the Donetsk Oblast town of Bakhmut as forces of the Russian MoD and Wagner Group have improved co-operation. The Ukrainian defence still holds the western districts of the town but has been subjected to particularly intense Russian artillery fire over the previous 48 hours. Wagner assault groups continue to conduct the main advance through the centre of town, while Russian airborne forces (VDV) have relieved some Wagner units securing the northern and southern flanks of the operation. Ukrainian forces face significant resupply issues but have made orderly withdrawals from the positions they have been forced to concede."

An arrest has been made in the Discord Papers case.

Whatever influencer fantasies may have driven OG and the Thug Shaker Central followers who hung on his posts, the reality principle asserted itself yesterday in the form of an FBI raid on the alleged leaker's home in Dighton, Massachusetts. Airman 1st Class Jack Teixeira was arrested at his home yesterday in connection with his alleged role in the leak of classified information over Discord. The 21-year-old cyber transport systems specialist is (or was) assigned to the Massachusetts Air National Guard's 102nd Intelligence Wing at Otis Air National Guard Base on Cape Cod. An Airman 1st Class is a junior enlisted rank, an E-3, the equivalent of a US Army Private First Class or a US Navy Seaman. The New York Times observes that how Airman Teixeira obtained access to the range of classified information he's alleged to have shared under his nom-de-hack OG with the even younger members of his Discord club remains unclear.

The investigation continues, and according to Reuters Discord is cooperating with the authorities. "In regards to the apparent breach of classified material, we are cooperating with law enforcement," Discord said. "As this remains an active investigation, we cannot provide further comment at this time." The US Department of Defense has pointed out that leaking doesn't amount to declassification. "Just because classified information may be posted online or elsewhere does not mean it has been declassified by a classification authority," Pentagon press secretary Brigadier General Jack Ryder said. "We're just not going to discuss or confirm classified information due to the potential impact on national security, as well as the safety and security of our personnel and those of our allies and our partners. And for that reason, we will continue to encourage those of you who are reporting this story to take these latter factors into account, and to consider the potential consequences of posting potentially sensitive documents or information online or elsewhere."

US Secretary of Defense Austin commended the FBI and the Department of Justice on their quick arrest in the case. He also said that he's directing a review of policies and procedures for handling and safeguarding classified material. "As Secretary of Defense," he said, "I will also not hesitate to take any additional measures necessary to safeguard our nation’s secrets. Accordingly, I am directing the Under Secretary of Defense for Intelligence and Security to conduct a review of our intelligence access, accountability and control procedures within the Department to inform our efforts to prevent this kind of incident from happening again." Indeed in this case the need-to-know principle seems to have been observed in a somewhat elastic sense. The Secretary added, "Finally, I want to underscore that every U.S. service member, DoD civilian and contractor with access to classified information has a solemn legal and moral obligation to safeguard it and to report any suspicious activity or behavior."

Cozy Bear sighting.

CERT Polska, Poland's cybersecurity authority, warns that APT29, the unit of Russia's SVR foreign intelligence service that's also tracked as Cozy Bear and NOBELIUM, is actively pursuing diplomatic targets in many nations, principally NATO members. The campaign's goal is espionage, and its approach is spearphishing. "In all observed cases, the actor utilised spear phishing techniques. Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts. The correspondence contained an invitation to a meeting or to work together on documents. In the body of the message or in an attached PDF document, a link was included purportedly directing to the ambassador's calendar, meeting details or a downloadable file."
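The lure CERT Polska describes has a recognisable shape on the receiving end: a display name claiming an embassy or ambassador, a sending domain the organisation does not associate with that embassy, and a link presented as a calendar or document. The following triage script is an added example for mail-gateway or SOC use, not CERT Polska's tooling; the sample message, the `KNOWN_DIPLOMATIC_DOMAINS` allowlist and every domain in it are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the lure described by CERT Polska:
# a sender posing as a European embassy, a meeting invitation, and a link that
# claims to lead to the ambassador's calendar. All domains are placeholders.
SAMPLE_EMAIL = """\
From: "Embassy of Examplestan in Warsaw" <protocol@embassy-examplestan-invite.example>
To: attache@mission.example
Subject: Invitation: ambassador's meeting calendar
Content-Type: text/plain; charset=utf-8

Dear colleague,

Please confirm your attendance using the ambassador's calendar:
https://calendar-invite.example/ambassador/schedule?id=4821

Kind regards,
Protocol Office
"""

# Placeholder allowlist (assumption of this example): domains the organisation
# knows to belong to the embassies it corresponds with. A real deployment would
# load this from a maintained directory rather than hard-coding it.
KNOWN_DIPLOMATIC_DOMAINS = {"mfa-examplestan.example"}

DIPLOMATIC_WORDS = re.compile(r"\b(embassy|ambassador|consulate|mission)\b", re.I)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return the URLs found in a message body, in order of appearance."""
    return URL_PATTERN.findall(text)


def triage_message(raw):
    """Score a raw RFC 5322 message against the embassy-impersonation pattern.

    Returns a dict with the parsed sender, the URLs found in the plain-text
    body, and the list of reasons the message should go to manual review.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    urls = extract_urls(text)
    reasons = []

    # Display name claims a diplomatic identity, but the sending domain is not
    # one the organisation knows for that embassy.
    if DIPLOMATIC_WORDS.search(display_name) and sender_domain not in KNOWN_DIPLOMATIC_DOMAINS:
        reasons.append(f"diplomatic display name from unrecognised domain {sender_domain}")

    # Lure wording: a diplomatic subject line carrying a link to a calendar,
    # meeting or document.
    if DIPLOMATIC_WORDS.search(msg.get("Subject", "")) and urls:
        reasons.append("diplomatic subject line carrying external links")

    # Links whose host does not belong to the sender's own domain.
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host and not host.endswith(sender_domain):
            reasons.append(f"link host {host} does not match sender domain {sender_domain}")

    return {"display_name": display_name, "address": address, "urls": urls, "reasons": reasons}


if __name__ == "__main__":
    result = triage_message(SAMPLE_EMAIL)
    print("sender:", result["display_name"], result["address"])
    for reason in result["reasons"]:
        print("flag:", reason)
```

Each reason is deliberately weak on its own (embassies do legitimately send meeting links); the value is in the combination, which is why the function returns all reasons rather than a single verdict and leaves the routing decision to the gateway policy.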

APT29's activities over the past two years have included attacks using the distinctive tools SUNBURST, ENVYSCOUT, and BOOMBOX. The current campaign shows signs of evolution. "The activities described here differ from the previous ones in the use of software unique to this campaign and not previously described publicly," the Polish government's statement says. "New tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain continuous, high operational tempo." Three tools in particular have been observed in use:

  1. "SNOWYAMBER – a tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.
  2. "HALFRIG – used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.
  3. "QUARTERRIG – a tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed."

Polish authorities recommend that organizations implement configuration changes to protect themselves from Cozy Bear's ministrations:

  1. "Blocking the ability to mount disk images on the file system. Most users doing office work have no need to download and use ISO or IMG files.
  2. "Monitoring of the mounting of disk image files by users with administrator roles.
  3. "Enabling and configuring Attack Surface Reduction Rules.
  4. "Configuring Software Restriction Policy and blocking the possibility of starting-up executable files from unusual locations (in particular: temporary directories, %localappdata% and subdirectories, external media)."
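Recommendations 2 and 4 are detection and policy points that can be checked against an endpoint log feed. The script below is an added example, not CERT Polska's code: it runs two rules over a set of constructed event records (disk-image mounts and process starts), flagging image mounts, with admin mounts called out separately, and executables launched from the locations the guidance names (temporary directories, %localappdata% and subdirectories, external media). The record schema (`kind`, `user`, `is_admin`, `path`, `removable`) is an assumption of this example, not a vendor format.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed event records standing in for a normalised endpoint log feed.
# Field names are assumptions of this example, not a vendor schema.
SAMPLE_EVENTS = [
    {"kind": "image_mount", "user": "svc-backup", "is_admin": True,
     "path": "C:\\Users\\svc-backup\\Downloads\\invite.iso"},
    {"kind": "image_mount", "user": "jdoe", "is_admin": False,
     "path": "C:\\Users\\jdoe\\Downloads\\agenda.img"},
    {"kind": "process_start", "user": "jdoe", "is_admin": False,
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"kind": "process_start", "user": "jdoe", "is_admin": False,
     "path": "E:\\setup.exe", "removable": True},
    {"kind": "process_start", "user": "jdoe", "is_admin": False,
     "path": "C:\\Program Files\\Editor\\editor.exe"},
]

# Disk image formats that Windows mounts as a virtual drive on double-click.
IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}

# Locations the guidance singles out: %LOCALAPPDATA% and its subdirectories,
# the system temp directory, and any other "Temp" directory. External media
# is handled through the event's `removable` flag rather than a path pattern.
UNUSUAL_LOCATION_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"\\temp\\", re.I),
]


@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    path: str


def is_unusual_location(path, removable=False):
    """True if an executable path falls in a location the guidance says to block."""
    if removable:
        return True
    return any(pattern.search(path) for pattern in UNUSUAL_LOCATION_PATTERNS)


def evaluate(events):
    """Apply the mount-monitoring and unusual-location rules to a list of events."""
    findings = []
    for ev in events:
        ext = ntpath.splitext(ev["path"])[1].lower()
        if ev["kind"] == "image_mount" and ext in IMAGE_EXTENSIONS:
            # Recommendation 2: mounts by administrator accounts deserve the
            # most attention; any mount is worth recording if rule 1 (blocking)
            # has not been rolled out to that user yet.
            if ev["is_admin"]:
                findings.append(Finding("admin-mounted-disk-image", "high", ev["user"], ev["path"]))
            else:
                findings.append(Finding("user-mounted-disk-image", "medium", ev["user"], ev["path"]))
        elif ev["kind"] == "process_start" and ext == ".exe":
            # Recommendation 4: executables started from temp, %localappdata%
            # or external media.
            if is_unusual_location(ev["path"], ev.get("removable", False)):
                findings.append(Finding("exe-from-unusual-location", "high", ev["user"], ev["path"]))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.user} {finding.path}")
```

Running it over the constructed events yields four findings: the admin and user image mounts, the executable in `AppData\Local\Temp`, and the one on removable media, while the program in `Program Files` passes. In production the same rules would sit in the SIEM's query language, but expressing them this way makes the thresholds and the path conventions easy to review before deployment.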

Hacktivist auxiliaries continue to hit Canadian targets.

The Russian hacktivist auxiliary NoName057(16) claimed responsibility for a distributed denial-of-service (DDoS) attack against Hydro-Québec yesterday. CTV News Montréal quotes the group's communiqué: "Continuing our visits to Canada. The website of Hydro-Québec, the company responsible for generating and transporting electricity in Québec, was put down." The Toronto Star reports that the power company's website and mobile app sustained disruption. Power generation and distribution were unaffected, a Hydro-Québec spokesman said, nor were customer data compromised. "They did not take any information from us," the spokesman said. "It's an attack on our website that makes it unavailable for our customers, unfortunately." Hydro-Québec is the province's major supplier of electricity. It's also a major exporter of power to the US state of New York.

Canada, which has a large Ukrainian population and has been a strong supporter of Ukraine during Russia's war, has received a fair share of Russian hacktivist attention, Global News reports. Prime Minister Trudeau addressed the Russian cyber campaigns in a press conference yesterday. "Obviously, Canada's unequivocally strong stance in support of Ukraine and against Russia's illegal actions is bothersome to the Russian government and to pro-Russian hackers," the Prime Minister said, adding that the attacks would not affect Canadian policy or resolve. "We are not going to flinch in any way on our steadfast and total support of Ukraine and the cause for which it's fighting…. Ukrainians right now are fighting for the fundamentals of democracy, for the UN Charter, for the principles and values that underpin our country and so many others."