Thursday, March 03, 2022 // (IG): BB // Weekly Sponsor: ISG
Why Russia Hasn't Launched Major Cyber Attacks Since the Invasion of Ukraine
FROM THE MEDIA: In the relatively short and rapidly evolving history of cyber conflict, perhaps nothing has been established with greater certainty and more widely accepted than the idea that Russia has significant cyber capabilities and isn’t afraid to use them—especially on Ukraine. In 2015, Russian government hackers breached the Ukrainian power grid, leading to widespread outages. In 2017, Russia deployed the notorious NotPetya malware via Ukrainian accounting software and the virus quickly spread across the globe costing businesses billions of dollars in damage and disruption. In the months that followed the NotPetya attacks, many people speculated that Ukraine served as a sort of “testing ground” for Russia’s cyberwar capabilities and that those capabilities were only growing in their sophistication and reach. As tensions escalated between Russia and Ukraine, many people were expecting the conflict to have significant cyber components—the United States Department of Homeland Security even issued a warning to businesses to be on high alert for Russian cyberattacks, as did the U.K.’s National Cyber Security Centre. What is surprising is that—so far, at least—the devastating Russian cyberattacks everyone has been expecting have yet to materialize. There’s no guarantee, of course, that a large-scale cyberattack on Ukraine’s electrical grid or global banks or anything else isn’t just around the corner. Russia has proven time and again that it has few compunctions about targeting critical infrastructure and causing considerable collateral damage through acts of cyber aggression.
READ THE STORY: Time
Cyber Realism in a Time of War
FROM THE MEDIA: It turns out that the next war was not fought in cyberspace after all. Or at least the start of it has not been. There has been no shortage of predictions over the past two decades about the importance of the digital domain in conflict since John Arquilla and David Ronfeldt warned that “cyberwar is coming” in a Rand Corporation paper back in 1993. As recently as November 2021, British Prime Minister Boris Johnson remarked in a testy exchange with Tobias Ellwood, chairman of the committee of the House of Commons that oversees defense, that “the old concept of fighting big tank battles on the European land mass are over … there are other big things that we should be investing in … [like] cyber—this is how warfare of the future is going to be.” Ellwood, a strong critic of the British government’s decision to cut Army personnel in favor of investment in cyber capabilities, replied, “You can’t hold ground in cyber.” And on military tactics, if nothing else, Russian President Vladimir Putin seems to have agreed with him. Despite Russia being one of the world’s foremost offensive cyber powers, its invasion of Ukraine has, thus far, been utterly conventional in its brutality, as the horrific pictures from Kyiv, Kharkiv and other cities show on an hourly basis. And Ukraine’s heroic resistance is similarly centered on the traditional understanding of war.
READ THE STORY: Lawfare Blog
What happens during a ransomware attack: Understanding stages of targeting and response
FROM THE MEDIA: To prepare for and respond to ransomware attacks, it helps to understand the anatomy of a ransomware attack – that is, the sequence of events that typically occur, and what steps organizations should take for both a responsible and an effective response. Of course, the potential fallout of a ransomware attack was made clear in the last couple of years, particularly as the impact hit not only initial targets but supply chain partners as well. Challenges were laid bare in the findings of a recent survey of 300 IT and cybersecurity decision-makers and influencers, which found that 43% suffered at least one ransomware attack during the past two years. Among them, 58% paid a ransom, 29% found their stolen data on the dark web, and 44% suffered financial losses. Another 37% said they lack an adequate security budget, while 32% believe they're powerless to prevent ransomware attacks because threat actors are too well-funded and sophisticated. So what do organizations need to know about the anatomy of ransomware attacks, both to help with preventative efforts and to ensure they are not caught blindsided? Here is a rundown on the stages of an attack, and of response.
READ THE STORY: SC Magazine
Conti Ransomware Group Diaries, Part II: The Office
FROM THE MEDIA: Earlier this week, a Ukrainian security researcher leaked almost two years’ worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday’s story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we’ll explore what it’s like to work for Conti, as described by the Conti employees themselves. The Conti group’s chats reveal a great deal about its internal structure and hierarchy. Conti maintains many of the same business units as a legitimate, small- to medium-sized enterprise, including a Human Resources department that is in charge of constantly interviewing potential new hires. Conti appears to have contracted out much of its spamming operations, or at least there was no mention of “Spammers” as direct employees. Conti’s leaders seem to have set strict budgets for each of its organizational units, although it occasionally borrowed funds allocated for one department to address the pressing cashflow needs of another.
READ THE STORY: Krebs on Security
Russian ally Iran launches global cyber espionage campaign
FROM THE MEDIA: Russia’s invasion of Ukraine has turned to a bombardment of cyber attacks – and one of its allies has now launched its own cyber espionage campaign. As the Russian attacks on Ukraine spill over into the cyber realm, state-sponsored Iranian hackers have launched a global cyber espionage campaign targeting Europe, North America and Australia. In a rare joint release, US and UK security agencies put out the warning that a group known as MuddyWater is targeting a range of industries including government organizations and small private businesses. Some of the sectors targeted include transportation, health care and critical infrastructure. The US Cybersecurity and Infrastructure Security Agency (CISA) said MuddyWater is under the control of the Iranian Ministry of Intelligence and Security. The group’s remit is to steal data including passwords and online accesses from other countries. It is then given to the Iranian government and its allies. Iran has traditionally been a staunch Russian ally. With increasing hostilities between Iran and the West over its nuclear program, it is relying on Russia more than ever for support in the international arena. And while Iran has said it opposes the war in Ukraine, it has refused to denounce the military operation. It joined China in abstaining in a United Nation’s vote to reprimand Russia for the invasion.
READ THE STORY: News
Ukraine hit by destructive attacks before and during the Russian invasion with HermeticWiper and IsaacWiper
FROM THE MEDIA: As the Russian invasion was starting in Ukraine, ESET researchers discovered two new wiper malware families targeting Ukrainian organisations. The first cyberattack started a few hours prior to the Russian military invasion as ESET Research reported on its Twitter account, and after the distributed denial-of-service (DDoS) attacks against major Ukrainian websites earlier that day. These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware. Malware artifacts suggest that the attacks had been planned for several months. As the Russian invasion started, a second destructive attack against a Ukrainian governmental network started, using a wiper that ESET Research has named IsaacWiper. “With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organisation that was not affected by HermeticWiper”, says ESET Head of Threat Research Jean-Ian Boutin. ESET researchers assess with high confidence that the affected organisations were compromised well in advance of the wiper’s deployment. “This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers”, says Boutin.
READ THE STORY: Tahawultech
Russia Conflict May Test Insurers On Cyber War Exclusions
FROM THE MEDIA: Russia's invasion of Ukraine has increased the risk of cyberattacks across the globe, which is likely to put even more pressure on cyber insurers already inundated with claims and further test their ability to mitigate risk through existing policy exclusions for war or hostile acts, according to a new report. "The proliferation of potential cyberattacks from well-organized, state-sponsored hackers is elevated given the current conflict," according to the report published by Fitch Ratings on Monday. That may place even more pressure on cyber insurers that have scrambled in recent years to change their approach to coverage to keep up with the increasing pace of ransomware claims from policyholders. Insurers have responded to this new environment both by relying on existing policy exclusions and by changing the ways they price and write policies. Both of those strategies may be put to the test as a result of Russia's invasion of Ukraine, the Fitch report predicts.
The potential attacks may "further test the effectiveness of 'war exclusion' and 'hostile act exclusion' language, which has come under greater scrutiny following a recent court ruling that found an insurer liable for losses stemming from the 2017 NotPetya malware attack," the Fitch report warned.
READ THE STORY: Law360
Insurance Broker Aon Discloses Cyberattack
FROM THE MEDIA: Global insurance broker Aon has disclosed in a filing with the U.S. Securities and Exchange Commission that the company suffered a cyber incident that it says affected a limited number of systems. "On February 25, 2022, Aon plc. identified a cyber incident impacting a limited number of systems. Promptly upon its identification of the incident, the company launched an investigation, and engaged the services of third-party advisors, incident response professionals, and counsel," the company says. The multinational firm says there is currently no indication of a breach of any customer information or confidential corporate information. Aon's 8-K filing says that it is in the early stages of assessing the incident. It says it does not expect the incident to have a material impact on its business, operations or financial condition. A spokesperson for Aon did not immediately confirm whether the incident was a ransomware attack, but directed Information Security Media Group to the SEC filing. Aon has not yet provided more details of the attack. The company only says that the attack occurred last week and affected a limited number of systems. Aon is a global professional services company offering a broad spectrum of risk, retirement, cybersecurity consulting, wealth management products and healthcare solutions. The company generated around $12.2 billion in revenue in 2021 and has more than 50,000 employees in 120 countries, according to its website.
READ THE STORY: Govinfosecurity
Conti ransomware gang dismantles infrastructure amid Ukraine row
FROM THE MEDIA: The Conti ransomware gang quickly dismantled back-end and command-and-control infrastructure Wednesday night following a week-long revolt by its affiliates after the gang signaled its support for Russia during Ukrainian hostilities. Conti generated $180 million in revenue in 2021 according to a Chainalysis report, making it the most active ransomware group for the year. Wednesday evening, Radoje Vasovic, founder of the European cybersecurity firm Cybernite, noted internal chatter from Conti's chat servers discussing the tear-down of the group's infrastructure. "All VM farms are cleared and deleted, all servers are disabled," wrote one member in Russian. The abrupt shutdown of infrastructure follows a rough week for the criminal nuisance. On Friday, Conti issued a statement saying that it would retaliate against Western critical infrastructure if Western nations targeted Russian infrastructure during the Ukraine conflict. That proved to be a misstep with many of Conti's business partners. Conti, a ransomware-as-a-service provider (RaaS), licenses the use of the ransomware it codes to separate hacker groups, many of whom are based in Ukraine or otherwise backing the Ukraine side of the conflict. One group retaliated by leaking source code and internal chat logs, implicating Conti as taking orders from Russian intelligence during one operation. After the damage to Conti became clear, rival RaaS group LockBit issued its own statement, declaring neutrality.
READ THE STORY: SC Magazine
US can use electronic warfare to help Ukrainians — without risking nuclear war
FROM THE MEDIA: The United States and its allies are belatedly ramping up their weapons aid to Ukraine as invading Russian forces bog down against surprising resistance and winter mud. Russian air superiority could stop these arms and ammunition shipments any day now, but the US military could do more to help Ukrainian troops without unduly escalating the conflict. Political leaders and analysts have been proposing operations like no-fly zones or strikes against Russian armored columns to help Ukrainian forces stop Russia’s advance. While rhetorically satisfying, these operations could provide President Vladimir Putin exactly the excuse he needs for Russia’s lackluster performance thus far and help him establish a narrative of America as the aggressor that would prop up support at home. Instead, the US military should get involved in the conflict in ways that are reversible, deniable or peripheral. Electronic warfare was one of the US military’s asymmetric advantages in the Cold War and could slow or confuse Russian forces using reversible effects and without causing direct casualties.
READ THE STORY: NYPOST
Chinese Company Outs U.S. Cyber Espionage and Sends a Message
FROM THE MEDIA: In late February 2022, Qi An Pangu Lab, a Chinese cybersecurity company, “declassified” technical details of a cyber espionage campaign allegedly perpetrated by an elite hacking group working under the U.S. National Security Agency (NSA). Per the company’s findings, these state actors, dubbed the “Equation Group” by the cybersecurity community, created an advanced backdoor that was used to monitor approximately 45 countries for over a decade. These countries ranged from those traditionally friendly to the United States (e.g., Japan, Germany) to those that were more adversarial (e.g., China, Russia). Pangu Lab asserted that this cyber espionage campaign exploited Chinese communications, scientific research, and economic sectors. It also made the link to the NSA hackers when it found private keys to unlock a suspected backdoor Pangu researchers had found on a victimized computer host in China in 2013. The keys were published by the Shadow Brokers, a group that obtained some disks full of NSA tools and data and dumped them onto the Internet. More importantly, among them was the only encryption private key that could activate the backdoor and control it remotely. Per Pangu Lab, additional programs revealed by the Shadow Brokers matched “the unique identifiers” used in the NSA’s operating manuals that Edward Snowden divulged when he exposed its PRISM tool. This further strengthened the tie between the backdoor and the suspected NSA/Equation hackers. Based on the Lab’s analysis of the backdoor, the technical complexity and overall sophistication of the tool and its ability to circumvent detection and countermeasures are consistent with a group largely considered to be one of, if not the, most sophisticated advanced persistent threat (APT) actors tracked today.
READ THE STORY: OODALOOP
Items of interest
A cyberattack on Russian satellites is an act of war, the invasion of Ukraine no (Article)
FROM THE MEDIA: Russia considers it legitimate to invade another country but warns it will consider cyberattacks on its satellites an act of war. Yesterday, the hacking group Network Battalion 65 (‘NB65’), which is affiliated with Anonymous, announced that it had shut down the Control Center of the Russian Space Agency ‘Roscosmos’. According to the group, Russia lost control over some of its satellites due to the attack; however, it is likely that the attack was not so serious and the impact on the targeted servers was only temporary.
READ THE STORY: Security Affairs
Crypto AG – The Greatest Espionage Operation Ever, Part 1 | Malicious Life (Video)
FROM THE MEDIA: General MacArthur, Egypt’s Anwar Sadat, and Iran’s Ayatollah Khomeini: These are just a few of the dozens, likely hundreds, of targets of arguably the biggest, most ambitious hacking operation ever. A secret mission that lasted nearly a century, and influenced the course of so many of the most important events of history. The history you thought you knew.
Amy Zegart: Spies, Lies and Algorithms (Video)
FROM THE MEDIA: Amy Zegart is one of America’s leading intelligence experts, but she recognizes that few people understand the world of spying, at a time when it has never been more ubiquitous, particularly using technology. She hopes to change this situation. In Spies, Lies, and Algorithms, Zegart separates fact from fiction on spying and offers an account of the past, present and future of American espionage as it faces a revolution driven by digital technology. Zegart explores the history of U.S. espionage, from George Washington’s Revolutionary War spies to today’s spy satellites; examines how fictional spies are influencing real officials; gives an overview of intelligence basics and life inside America’s intelligence agencies; explains the deadly cognitive biases that can mislead analysts; and explores the complicated issues of traitors, covert action and congressional oversight. Zegart also provides an important description of how technology is empowering new enemies and opportunities, and creating powerful new players, in espionage—including private citizens using their home computers and sophisticated technology available by a click.
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com