Russian Sandworm hackers deployed malware in Ukraine and Poland


Welcome to The Cybersecurity 202! Do your best to relax on a Friday. After you finish reading this, of course.

Below: Twitter security executives leave, raising cybersecurity concerns, and the Justice Department announces charges against an alleged member of a ransomware group in Canada. First:

Russia takes center stage at CyberWarCon

One of the most infamous Russian hacking groups, Sandworm, was behind a disruptive ransomware campaign in Ukraine and Poland that began in late September.

The attacks suggest Russia might be going after businesses it believes are aiding Ukraine in the war, Microsoft researchers said at yesterday’s CyberWarCon conference.

Sandworm, which Microsoft calls Iridium, is an arm of the Russian military intelligence unit known as the GRU, according to the U.S. government. It shut off power in parts of Ukraine in 2015. In 2017, it unleashed the NotPetya malware in a global attack that did an estimated $10 billion worth of damage. And this fall, Sandworm’s ransomware known as “Prestige” targeted transportation and related logistics industries.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” according to a Microsoft Threat Intelligence Center (MSTIC) blog post. “More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

Microsoft researchers elaborated on their Sandworm attribution at CyberWarCon, where other researchers also unveiled revelations about Russian hacking and influence operations.

Until Prestige, there was little evidence of ransomware attacks in Ukraine, said Christopher Glyer, principal security researcher at MSTIC. Prestige didn’t appear to be motivated by financial gain, but was instead intent on causing disruption, said Justin Warner, a MSTIC threat intelligence analyst.

The hackers originally gained access to targets as far back as March before launching attacks in late September.

“This is a major notable event for us,” Warner said. “From our perspective, Iridium has been practicing significant restraint in their war in Ukraine.”

  • For example: NotPetya was an attack originally aimed at Ukraine, but because it wasn’t constrained to the country it spread elsewhere. Sandworm, in its wartime cyberattacks on Ukraine, has not done anything like that, Warner explained.
  • The targeting of Poland now looks like “a small shift in the restraint calculus,” he said. “This is the first event since the kickoff of the invasion with the reported Viasat incident that we have seen an intentional targeting of a non-Ukrainian organization.”

“It’s the first disruptive attack … that seems directed at intentionally hitting a NATO target since the war began,” Ben Read, senior manager of cyberespionage analysis at Google-owned cyber firm Mandiant, told my colleague Ellen Nakashima.

Have your cake and eat it too

GRU-linked hackers have figured out how to balance their desire to collect intelligence in Ukraine with their desire to do damage by getting into the “edge” information technology infrastructure of target networks like routers and firewalls, Mandiant researchers said at CyberWarCon.

Using destructive malware that wipes victim hard drives might also wipe out the access of hackers staying inside a network for espionage purposes, said Gabby Roncone, a technical analyst on the cyberespionage team at Mandiant.

“So the problem is, can the GRU have their cake and eat it too?” asked Roncone.

Compromising “edge” infrastructure like mail servers or VPNs allows the hackers to maintain access while also giving them an avenue to deploy wiper malware. It’s something Mandiant witnessed with specific targets in Ukraine.

“What that shows us is that the GRU was able to maintain access to a network of their specific choosing; launch an attack and have an effect on that network; maintain that access despite the wiper operation; and launch another wiper operation at a moment of their choosing,” said John Wolfram, a senior analyst on Mandiant’s advanced practices team.

But Russian hackers aren’t just focusing on Ukraine, Microsoft’s Warner said in another presentation about a hacking group that is often referred to as Berserk Bear.

“Since the start of the war, from our perspective, groups have not just stopped what they were doing to shift entirely to Ukraine,” he said.

In July, Microsoft saw a big spike in a Berserk Bear intrusion campaign targeting organizations and people in diplomatic roles in Eastern Europe.

“This is a really notable change in targeting for Bromine,” Warner said, referring to the name that Microsoft has given the group. “It’s not something we saw very common[ly] from them.”

Russian ransomware attack timing

The timing of Russian ransomware gang attacks on the United States and other Western nations overlaps with the goals of the Russian government, according to Karen Nershi, a postdoctoral fellow at the Stanford Internet Observatory.

Russian gangs upped their attacks as those nations got closer to elections, she said, whereas there was no statistically significant increase from non-Russian hackers.

“There may be a political aspect behind some of these attacks,” Nershi said.

  • “Based on this evidence, we argue Russia maintains loose ties with ransomware groups,” she said. It allows Russia to ask the gangs to carry out attacks and maintain plausible deniability, while the gangs get safe harbor in return, she said.

Top security and privacy executives quit Twitter

Twitter head of moderation and safety Yoel Roth quit after Twitter owner Elon Musk held his first all-hands meeting with staffers, Joseph Menn, Cat Zakrzewski, Faiz Siddiqui, Nitasha Tiku and Drew Harwell report. That came after the resignations of Chief Information Security Officer Lea Kissner, the company’s chief privacy officer and its chief compliance officer.

Privacy staffers said they were most concerned by the quick release of new features without the full security reviews required under the company’s consent decree with the Federal Trade Commission. That decree, imposed because of past data misuse allegations, requires Twitter to meet additional privacy and security requirements. Staffers also cited Twitter owner Musk’s Wednesday night order that employees work in the office for 40 hours a week.

The FTC said it’s “tracking the developments at Twitter with deep concern” and is prepared to take action to ensure that Twitter is complying with the consent order. “No CEO or company is above the law, and companies must follow our consent decrees,” said FTC director of public affairs Douglas Farrar. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

European Commission unveils cyberdefense policy

The commission is proposing a boost of European Union cyberdefenses and increased coordination between the cybersecurity communities in the civilian and military spaces, Reuters’s John Chalmers reports. The commission said Russian cyberattacks on E.U. countries and partners represented a “wake-up” call, and that more action and coordination with NATO is needed.

In a speech in Rome, NATO Secretary General Jens Stoltenberg also warned about cyberthreats. “Cyber is a constantly contested space and the line between peace, crisis and conflict is blurred,” he said.

DOJ accuses man in Canada of participating in LockBit ransomware

An FBI agent said in a court filing that the man, Mikhail Vasiliev, “was a member of the LockBit conspiracy” and that authorities found LockBit-related information such as screenshots, source code and cryptocurrency on his devices. Vasiliev, a dual Canadian and Russian national, is awaiting extradition from Canada to the United States, according to the Justice Department.

“This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” Deputy Attorney General Lisa Monaco said in a statement. “Let this be yet another warning to ransomware actors: working with partners around the world, the Department of Justice will continue to disrupt cyber threats and hold perpetrators to account. With our partners, we will use every available tool to disrupt, deter, and punish cyber criminals.”

Cybersecurity experts weighed in on the alleged LockBit ransomware member who faces extradition to New Jersey:

Taking down a ransomware hacker (CBC)

Popular UK motor racing circuit investigating ransomware attack (The Record)

CISA chief ‘encouraged’ by lack of attacks on midterms (The Record)

  • Doreen Bogdan-Martin, the newly elected secretary general of the International Telecommunication Union, and National Archives and Records Administration innovation chief Pamela Wright speak at an American University event today at 8:30 a.m.

Thanks for reading. See you next week.