Daily Drop (494): Russia's Information Space Domination, FBI's Misuse of Surveillance, Russia's Ingenious Hacker Group, Sysco's Cyberattack: Data Leak, China's Europe and Africa Expansion
05-20-2023
Saturday, May 20, 2023 // (IG): BB // Intro Exploit Dev // Coffee for Bob
Russia’s Unconventional Warfare: Moscow’s Domination of the Information Space
Analyst Comments: Russia, in particular, has demonstrated its proficiency in unconventional warfare, including information warfare and disinformation campaigns. The Kremlin's ability to tailor messages to specific audiences and exploit vulnerabilities in the information space is concerning. China's involvement, while less direct, also poses risks, particularly in economic and diplomatic arenas. The assessment emphasizes the challenges the U.S. faces in countering these threats, including the difficulty of combating disinformation within the framework of free-speech laws. Ongoing vigilance and efforts to enhance resilience against unconventional warfare tactics are necessary to mitigate the impact of these threats on U.S. national security.
FROM THE MEDIA: The United States recognizes China and Russia as the two greatest threats to its national security. While the U.S. has a military advantage in direct conflict, China and Russia have been conducting unconventional warfare against the U.S. for decades. Russia, in particular, is skilled at unconventional warfare due to its understanding of the American language and culture and its vast experience. Unconventional warfare includes military or quasi-military operations, proxy wars, and various forms of subversion, political, economic, and psychological warfare. Russia engages in both hot conflicts, such as the Ukraine war, and cold conflicts, using information warfare, influence operations, propaganda, cyber-attacks, and espionage. China's involvement in unconventional warfare is generally less direct but often has economic implications. Russia's information warfare strategy, including the weaponization of social media and cyber-enabled disinformation, poses a significant threat to the U.S. and its allies. Russia's use of disinformation campaigns during the Ukraine war demonstrates its ability to tailor messages to specific audiences and sow discord. China also participates in information warfare but with less direct involvement.
READ THE STORY: Modern Diplomacy
FBI misused controversial surveillance tool to investigate Jan. 6 protesters
Analyst Comments: The disclosure of improper searches by the FBI raises concerns about compliance and privacy protection within the agency. The FISA court opinion reveals significant abuse of surveillance powers, particularly in relation to querying the FISA database. Lawmakers from both parties have criticized the FBI's compliance issues, and there are calls for statutory reforms to ensure better checks and balances. The FBI's actions have sparked calls for Congress to take action to address these abuses and protect Americans' privacy rights. The release of the documents comes at a critical time as Congress grapples with the reauthorization of Section 702 and seeks to strike a balance between national security and civil liberties.
FROM THE MEDIA: Declassified documents reveal that the FBI improperly conducted searches on the personal communications of Americans involved in the January 6 Capitol attack and the 2020 protests against police violence. The searches were carried out under the Foreign Intelligence Surveillance Act (FISA) and were initially detailed in a classified April 2021 certification, which identified around 300,000 abuses logged between 2020 and early 2021. The Biden administration also released a redacted document outlining the FBI's ability to conduct physical searches under FISA. These revelations come as Congress debates the reauthorization of Section 702 of FISA, which allows warrantless surveillance of non-U.S. citizens abroad.
READ THE STORY: The Record
The Underground History of Russia’s Most Ingenious Hacker Group
Analyst Comments: Turla is considered an elite and highly skilled cyberspying group, and it has earned the admiration and attention of Western cybersecurity intelligence analysts. Its longevity and technical prowess set it apart from other state-sponsored hacking groups. Turla's ability to continuously adapt and retool its techniques in response to exposure and disruption makes it a formidable adversary. The recent FBI operation to disrupt Turla's Snake malware may have dealt a blow to its spying campaigns, but it is unlikely to mark the end of the group's activities. Turla is expected to persist and evolve, posing an ongoing threat to Western countries.
FROM THE MEDIA: Turla, a Russian cyberspying group also known as Venomous Bear or Waterbug, has been silently infiltrating networks across the West for over two decades. It originated from the Moonlight Maze campaign, the first known cyberspying operation by an intelligence agency targeting the US. Throughout its history, Turla has demonstrated technical innovation and adaptability, using techniques such as USB worms, satellite-based hacking, and hijacking other hackers' infrastructure. Despite the recent disruption of its Snake malware by the US FBI, Turla is expected to continue its activities, evolving to become more stealthy and resilient.
READ THE STORY: Wired
Food distributor Sysco says cyberattack potentially leaked 125,000 Social Security numbers
Analyst Comments: The cyberattack on Sysco underscores the ongoing threat of data breaches and the potential impact on employees' personal information. The extended period of unauthorized access highlights the need for robust cybersecurity measures and continuous monitoring to detect and respond to threats promptly. The company's response, including conducting an investigation, notifying affected individuals, and offering identity protection services, demonstrates a commitment to addressing the incident and mitigating potential harm.
FROM THE MEDIA: Sysco, one of the world's largest food distributors, experienced a cyberattack in January that resulted in the exposure of sensitive personal information belonging to over 125,000 current and former employees. The hackers had unauthorized access to the company's systems for nearly three months before being discovered in March. While Sysco did not disclose whether it was a ransomware attack or identify the responsible group, the threat actor claimed to have acquired certain data. The compromised information may include personal data such as names, Social Security numbers, and account numbers. Sysco has initiated an investigation with a cybersecurity firm, notified law enforcement, and stated that its operating systems and customer services were not impacted by the incident.
READ THE STORY: The Record
China Expands its Reach to Europe and Africa
Analyst Comments: While the passage provides an overview of the shifting geopolitical landscape involving Iran, China, and Russia, it lacks detailed analysis and context to fully grasp the complexities of these dynamics. The assessment of US policy as "random acts of petulance" oversimplifies the situation, and further examination of specific policies and actions would be necessary for a comprehensive understanding. Additionally, the passage touches on winners and losers but does not delve into the potential consequences or impacts on various stakeholders in depth.
FROM THE MEDIA: The article discusses the changing geopolitical dynamics in the wake of Iran's revolution, the influence of the Supreme Leader in Iran's governance, and Iran's efforts to strengthen ties with the Shanghai Cooperation Organization. It also touches on concerns raised by Japan and Taiwan about China's assertiveness in maritime regions and the implications for energy supply routes. The passage highlights the lack of a cohesive US policy and offers examples such as the bombing of Nord Stream pipelines. It concludes by noting the growing influence of China and Russia, particularly in Africa, and through initiatives like the Belt and Road Initiative.
READ THE STORY: Modern Diplomacy
Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
Analyst Comments: The identification of "Jack" as one of the individuals behind the Golden Chickens malware is significant for understanding the operations of this cybercrime group. The uncovering of his true identity provides valuable insights into his background, activities, and progression as a hacker. The discovery of his connection to "Chuck from Montreal" and their use of aliases to evade detection highlights their operational security tactics. eSentire's investigation sheds light on the evolution and sophistication of the Golden Chickens malware, as well as its utilization by prominent cybercrime groups. The fact that Jack has gone to great lengths to obfuscate the malware indicates the level of expertise and effort put into its development.
FROM THE MEDIA: Cybersecurity firm eSentire claims to have identified the true identity of "Jack," one of the threat actors behind the Golden Chickens malware. Jack, based in Bucharest, Romania, is the mastermind behind the malware and has been involved in cybercrime activities since 2008. He has developed various malicious programs and tools, including password stealers and the Golden Chickens malware suite. Jack's activities span multiple aliases and online forums, and he has taken extensive measures to obfuscate the malware to evade detection. The Golden Chickens malware has been used by financially motivated cybercrime groups such as Cobalt Group and FIN6.
READ THE STORY: THN
Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks
Analyst Comments: The resurgence of FIN7 and its deployment of the Cl0p ransomware indicate the group's continued presence and adaptability in the cybercrime landscape. By leveraging various ransomware families, FIN7 demonstrates its ability to evolve its tactics and evade detection. Organizations across multiple sectors should be vigilant and take proactive measures to enhance their cybersecurity posture. This includes implementing strong security controls, conducting regular security assessments, patching vulnerabilities promptly, and providing comprehensive employee training on phishing and ransomware awareness.
FROM THE MEDIA: The cybercrime group known as FIN7, also referred to as Carbanak, ELBRUS, and ITG14, has been observed deploying the Cl0p ransomware in a recent campaign, marking its return to ransomware attacks since late 2021. Microsoft, which detected the activity in April 2023, is tracking the group under the new taxonomy Sangria Tempest. FIN7 has a history of targeting a wide range of organizations across different industries and has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit. The group has also been known to set up fake security companies to recruit employees for conducting ransomware attacks. The recent use of the POWERTRASH script to deliver the Lizar post-exploitation tool and deploy Cl0p ransomware highlights FIN7's evolving tactics and monetization strategy, shifting from payment card data theft to extortion.
READ THE STORY: THN
Items of interest
Cyberattacks on Taiwan Surge Amid Chinese Aggression
Analyst Comments: The surge in malicious emails targeting Taiwan reflects the escalating tensions in the region and the use of cyberattacks as a tool to advance geopolitical agendas. The impersonation of law firms, vendors, and suppliers demonstrates the attackers' sophistication in leveraging social engineering techniques to deceive victims. The targeting of major brands' login pages and company-specific pages underscores the importance of implementing strong authentication mechanisms and raising awareness about phishing threats. The involvement of threat groups associated with the Chinese Ministry of State Security, such as PlugX and APT27, points to potential state-sponsored cyber espionage activities.
FROM THE MEDIA: Taiwan experienced a surge in malicious emails during April, with the volume increasing to four times the usual amount. Threat analysts believe that this increase is linked to the heightened tensions in the Taiwan Strait and the broader context of renewed conflicts between Taiwan and China. The malicious emails, sent by fraudsters impersonating law firms, vendors, and suppliers, aimed to deceive recipients into clicking on malicious links and attachments. The bait included fake payment overdue notifications and purchase orders. The threat actors also targeted major brands' login pages and company-specific pages to harvest credentials. Additionally, there was a significant increase in PlugX infections during the same period. The China-based hacktivist group claiming responsibility for most attacks, APT27_Attack, is believed to be a false-flag operation due to its distinct attack patterns differing from those of the real APT27.
READ THE STORY: BankInfoSec
USA vs China, The War You Can't See (Video)
FROM THE MEDIA: The war being fought is not a conventional one with soldiers on a battlefield, but rather a battle for technological dominance waged through government policies and business strategies. Microchips, also known as semiconductors or integrated circuits, are described as the "magic" pieces of metal that power numerous devices in our everyday lives.
China-Taiwan Cyber Warfare: Taiwan Builds Up Civilian Defense (Video)
FROM THE MEDIA: This episode of Taiwan Talks focuses on the growing threat of cyber warfare between China and Taiwan. The host interviews Puma Shan, co-founder of one of Taiwan's largest civilian defense organizations, who sheds light on China's influence and interference operations in Taiwan. They discuss the role of cognitive or information warfare employed by Beijing and the need for Taiwan to build up its civilian defense capabilities. The episode also touches on Switzerland's unique approach to national defense and the importance of international collaborations in countering cyber threats.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.