Articles

Microsoft’s Defending Ukraine report offers fresh details on digital…

Russia will use what it learned from its destructive cyber actions in Ukraine for other operations. “There is no going back to normal.”

Last week Microsoft published an in-depth examination of the early cyber lessons learned from the war in Ukraine, offering fresh insight into the scope of Russia’s malicious digital activities and new details about the sophisticated and widespread Russian foreign influence operations surrounding the war. Microsoft has been uniquely positioned to observe the digital landscape in Ukraine since Russia invaded on February 24 and even before then.

Company President Brad Smith noted in March that in addition to funding humanitarian technical relief efforts, Microsoft deployed its RiskIQ platform to identify cybersecurity vulnerabilities in the Ukrainian government system. The company “provided a list of exposed and vulnerable systems to the Ukrainian government that had unpatched high-impact common vulnerabilities and exposures (CVEs) that could provide a foothold for attackers.”

Microsoft security specialists were among the first to discover pre-invasion malware attacks in January that took down around 70 Ukrainian government websites. The company also deployed protections for newly discovered and destructive malware into Microsoft 365 Defender Endpoint Detection (EDR) and Anti-virus (AV) protection on-premises and in the cloud.

In his foreword to the new report, Smith discusses the importance of the first shot of any war, drawing parallels between the current conflict in Ukraine and the 1914 assassination of Archduke Franz Ferdinand, which launched World War I. In the present context, Russia’s first shot against Ukraine was a damaging cyber tool deployed against Ukrainian computers called Foxblade as early as February 23, right before the war began.

Smith said that Russia’s invasion strategy in Ukraine includes “three distinct and sometimes coordinated efforts—destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Space-based assets aren’t immune to cyberattacks

Russia’s attack on Viasat satellites exposed how vulnerable space-based assets are and the potential for spillover damage.

One of the most significant cybersecurity incidents related to Russia’s war on Ukraine was a “multi-faceted” attack against satellite provider Viasat’s KA-SAT network on February 24, one hour before Russia’s invasion began. The assault, which both Ukraine and Western intelligence authorities attribute to Russia, was intended to degrade the Ukrainian national command and control.

However, the attack, which was localized to a single consumer KA-SAT network operated on Viasat’s behalf by another satellite company, a Eutelsat subsidiary called Skylogic, disrupted broadband service to several thousand Ukrainian customers and tens of thousands of other fixed broadband customers across Europe. It also highlighted how space-based assets, such as satellites are as vulnerable to malicious exploitation as any other piece of critical infrastructure.

Against this backdrop, the timing was perfect for the Space Cybersecurity Symposium III hosted by the U.S. National Institute of Standards and Technology (NIST) last week. “The multi-faceted and deliberate cyberattacks which took place during the invasion highlight the need for the United States Government to work with our international partners as well as the private sector to strengthen cyber resilience of existing and future space systems,” said Richard DalBello, director, U.S. Office of Space Commerce, National Oceanic, and Atmospheric Administration, said in kicking off the summit.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by TheoLeo from Pixabay

 

 

Articles

Ukraine energy facility hit by two waves of cyberattacks…

Sandworm succeeded in planting a new version of the Industroyer malware to disrupt ICS infrastructure at multiple levels, but was thwarted from doing serious damage.

Ukraine’s Governmental Computer Emergency Response Team (CERT-UA) announced that Russia’s state-backed threat group Sandworm launched two waves of cyberattacks against an unnamed Ukrainian energy facility. The attackers tried to decommission several infrastructural components of the facility that span both IT and operational technology, including high-voltage substations, Windows computers, servers running Linux operating systems, and network equipment.

CERT-UA said that the initial compromise took place no later than February 2022, although it did not specify how the compromise occurred. Disconnection of electrical substations and decommissioning of the company’s infrastructure were scheduled for Friday evening, April 8, 2022, but “the implementation of the malicious plan” was prevented.

The Ukrainian team received help from both Microsoft and ESET in deflecting any significant fallout from the attacks. ESET issued a report presenting its analysis of the attacks, saying its collaboration with CERT-UA resulted in its discovery of a new variant of Industroyer malware, the same malware that the Sandworm group used to take down the power grid in Ukraine in 2016.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

New threat group underscores mounting concerns over Russian cyber…

Crowdstrike says Ember Bear is likely responsible for the wiper attack against Ukrainian networks and that future Russian cyberattacks might target the West.

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organizations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

Ember Bear is responsible for using the WhisperGate wiper malware against Ukrainian networks in January before Russia invaded Ukraine. The malware masquerades as ransomware but lacks a payment or data recovery mechanism, masking WhisperGate’s true intent, which is the destruction of data. The WhisperGate campaigns began with website defacements containing threatening messages in Ukrainian, Russian and Polish languages.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Zdeněk Macháček on Unsplash

Articles

U.S. State Department unveils new Bureau of Cyberspace and…

The new Bureau could enhance the United States’ ability to work effectively with other nations on cybersecurity matters.

The U.S. State Department announced that its Bureau of Cyberspace and Digital Policy (CDP) began operations on Monday as part of Secretary Antony Blinken’s modernization agenda. The Department says the CDP will address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.

The Bureau, ultimately to be led by a Senate-confirmed ambassador-at-Large, will, in the interim, be guided by Jennifer Bachus, a career member of the Senior Foreign Service, as principal deputy assistant secretary for the Bureau. The CDP will include three policy units led by acting deputy assistant secretaries, including international cyberspace security, international information and communications policy, and digital freedom.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Cristina Glebova on Unsplash

 

 

 

 

Articles

Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here’s how events are unfolding along with unanswered questions.

It’s been almost six weeks since Russian troops entered Ukraine and the large-scale “cyberwar” expected to accompany the invasion has not yet materialized. Observers and experts have offered many theories about why Russia hasn’t launched a destructive cyberattack on Ukraine yet despite its full capability to do so.

The reasons range from Russia saving its most dangerous cyberattack until the bitter end to the Kremlin’s fear of a devastating Western response. The most intriguing explanation for why Russia hasn’t seemingly unleashed its cyber arsenal is because we’re already in the middle of what Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies, calls a secret cyberwar.

The digital cyberwar is playing out in the shadows, Rid argues, with the more apparent cyberattacks taking place to divert attention from the incidents that we’re not supposed to see. Cyberwar has been playing tricks on us, he argues, emerging in the form of seemingly random attacks and then slipping away into the future.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by opsa from Pixabay

 

 

 

Articles

Purported massive leak of Russian soldiers’ data could sink…

The publication of personal data on 120,000 Russian soldiers, if accurate, could provide a means to demoralize troops in Ukraine and make them targets for cyber campaigns.

In what security experts say is an unprecedented wartime leak, Ukrainian newspaper Ukrayinska Pravda published what it claims are the personal details of 120,000 Russian service personnel fighting in Ukraine. The nearly 6,000 pages of information, if accurate, contain names, registration numbers, and place of service for well over half of the estimated number of Russian soldiers who have invaded Ukraine.

The data was obtained by a Ukrainian think tank called The Center for Defense Strategies, which was created to monitor defense reforms and develop key government policies affecting Ukraine’s security and defense sector, with a particular focus on building independent analytical capabilities “at the level of the United States and Britain.” The Center is headed by former Ukraine Defense Minister Andriy Zahorodniuk. Its board includes international security expert Alina Frolova, state asset management expert Oleksiy Martsenyuk, former Ukrainian Foreign Minister Volodymyr Ohryzko, and economic and energy security expert Oleksandr Kharchenko.

High-profile Western security experts also sit on the Center’s board. Among them are the former U.S. Ambassador to Ukraine William Taylor, former Commander-In-Chief of U.S. European Command General Wesley Clark, former Special Defense Advisor to the Ukrainian Defense Ministry from Britain Phil Jones, and Professor of the Department of War Studies at King’s College Neville Bolt.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Kevin Schmid on Unsplash

 

 

Articles

Rash of hacktivism incidents accompany Russia’s invasion of Ukraine

Some in the cybersecurity community say actions on behalf of Ukraine help even the odds, while others warn that unauthorized hacking could interfere with government cyber operations.

In keeping with the hybrid nature of Russia’s invasion of Ukraine, several hacktivist groups and hackers have joined the fight in the embattled nation, including some hacktivists encouraged by the government of Ukraine itself. Although the hacktivists have been waging their version of cyber warfare mostly against Russian organizations, hacktivists sympathetic to Russia are also turning their weapons against Ukraine.

The following are notable hacktivist events that have occurred so far related to the Russian invasion of Ukraine.

  • IT Army of Ukraine emerges: Developers in Ukraine are joining an “IT army,” the IT Army of Ukraine, which has assigned them specific challenges. Announced on February 26, the group already has nearly 200,000 users on its main Telegram channel that it uses to hand out assignments and coordinate operations. The group was ostensibly responsible for shutting down the API for Sberbank, one of Russia’s major banks and Kremlin-aligned Belarus’s official information policy site. It’s not clear if the Ukraine government is behind the IT Army of Ukraine, even though Ukrainian officials have endorsed the effort.
  • Anonymous claims credit for website take-downs. Late last week, a Twitter account purporting to represent Anonymous wrote that “The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.” The Russian state-run TV channel RT website said it was a victim of a hacker attack, which it attributed to Anonymous.
  • Cyber Partisans of Belarus claim train hacks. Activist hackers in Belarus called the Cyber Partisans allegedly breached computers that control that country’s trains and brought some to a halt in the cities of Minsk and Orsha and the town of Osipovichi. The hackers purportedly compromised the railway system’s routing and switching devices and rendered them inoperable by encrypting data stored on them.
  • AgainstTheWest targeted Russian interests. Another hacktivist group known as AgainstTheWest claims to have hacked a steady stream of Russian websites and corporations, including Russian Government contractor promen48.ru, Russian Railways, the State University Dubna, and the Joint Institute for Nuclear Research.
  • The Anon Leaks says it messed with Putin’s yacht information. The Anon Leaks, a group purportedly an offshoot of Anonymous, said it changed the callsign of Russian President Vladimir Putin’s superyacht Graceful on MarineTraffic.com to FCKPTN. The hackers also found a way to alter the yacht’s tracking data, making it look as if it had crashed into Ukraine’s Snake Island and changing its destination to “hell.”
  • Presumed hacktivists hacked Russian EV charging stations. Hackers, presumably activists, hacked electric vehicle charging stations along Russia’s M11 motorway to display anti-Russian messages. The hackers likely gained access through a Ukrainian parts supplier called AutoEnterprise.
  • “Patriotic Russian hackers” helped hit Ukraine websites with DDoS attacks: Last week, some independent Russian hackers, so-called “patriotic Russian hackers,” or vigilantes who operate in a hacktivist-like mode, claim they helped bring down Ukrainian websites during the second round of DDoS attacks that hit the country.
  • Russian media outlets hacked to display anti-Russian messages. The websites of several Russian media outlets were hacked to display anti-Russian messages, with some of the sites going offline. The sites affected were TASS rbc.ru, kommersant.ru, fontanka.ru, and iz.ru of the Izvestia outlet. Some Russian media sources say anonymous was the source of these hacks.
  • Researcher leaked Conti gang’s messages: A Ukrainian security researcher leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang publicly sided with Russia over the invasion of Ukraine. (Conti backpedaled from its robust support of Russia after its Ukrainian affiliates objected). The leaked messages were taken by a Ukrainian security researcher who reportedly had access to Conti’s backend XMPP server from a log server for the Jabber communication system used by the ransomware gang.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Max Kukurudziak on Unsplash

 

Articles

Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here’s how events are unfolding along with unanswered questions.

On Saturday night, January 15, Microsoft shook the cybersecurity world with a report that destructive wiper malware had penetrated dozens of government, non-profit, and IT organizations in Ukraine. This news capped a week of mounting apprehension of cyberattacks in Ukraine that could presage or accompany a real-world Russian military invasion of the country.

Since January 11, several possibly interconnected developments related to Russia’s cybersecurity posture paint a complex and unclear portrait of what’s happening in Ukraine. The following is a timeline of these increasingly high-stakes developments:

January 11: U.S. releases cybersecurity advisory

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint cybersecurity advisory (CSA) providing an overview of Russian state-sponsored cyber operations. It covered commonly observed tactics, techniques and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.

CISA also recommended that network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US sanctions Russian government, security firms for SolarWinds breach,…

The Biden administration places economic sanctions on Russian government organizations, individuals, and companies including several security firms.

The Biden Administration announced a robust, coordinated series of punitive measures to confront Russia’s growing malign behavior, including its massive hack of SolarWind’s software, attempts to interfere with the 2020 elections, and other destructive deeds against the US. The administration’s actions levy financial sanctions on the country and the companies usually involved in malicious cyber activity against the US. It also exposes previously withheld details about the Russian ruling regime’s digital and disinformation operations. In addition to the White House, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Homeland Security, and Treasury Department all play a role in the complex set of actions against Russia.

First, President Biden signed a new sanctions executive order that strengthens authorities to “impose costs in a strategic and economically impactful manner on Russia if it continues or escalates its destabilizing international actions.” Under the EO, the Treasury Department is implementing multiple actions to target “aggressive and harmful activities” against the Russian government, including a directive that “generally prohibits US financial institutions from participating in the primary market for ruble or non-ruble denominated bond issued after June 14, 2021.”

This article appeared in CSO Online. To read the rest of the article please visit here.