Ukraine and Russia seem at the moment to be at war on both the traditional and the cyber front. We could call that hybrid warfare. We are in a cyber war. Countless examples exist of damage to infrastructure from hostile acts via computer attacks. Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyberwar. On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. Russia started its attacks on Ukraine on February 24. Before the physical attacks, Russia carried out several cyber attacks against IT systems in Ukraine.
Here are links to some material on the cyber side of this war:
How the Eastern Europe Conflict Has Polarized Cyberspace
https://blog.checkpoint.com/2022/02/27/how-the-eastern-europe-conflict-polarized-cyberspace/
The war between Russia and Ukraine is advancing. People everywhere are deciding who they will support. The same dynamic happens in the cyberspace. Hacktivists, cybercriminals, white hat researchers or even technology companies are picking a clear side, emboldened to act on behalf of their choices. Historically, Russia has had superiority over Ukraine in the cyberspace. And last week, Ukraine was attacked by destructive wiping malware. However, the situation is starting to change, as most of the non-nation cyber state actors are taking the side of Ukraine. To defend itself, the Ukrainian government has created an international IT army of hacktivists.
As war escalates in Europe, it’s ‘shields up’ for the cybersecurity industry
https://techcrunch.com/2022/03/02/as-war-escalates-in-europe-its-shields-up-for-the-cybersecurity-industry/
In unprecedented times, even government bureaucracy moves quickly. As a result of the heightened likelihood of cyberthreat from Russian malactor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — issued an unprecedented warning recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”
Digital technology and the war in Ukraine
https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/
All of us who work at Microsoft are following closely the tragic, unlawful and unjustified invasion of Ukraine. This has become both a kinetic and digital war, with horrifying images from across Ukraine as well as less visible cyberattacks on computer networks and internet-based disinformation campaigns. We are fielding a growing number of inquiries about these aspects and our work, and therefore we are putting in one place a short summary about them in this blog. This includes four areas: protecting Ukraine from cyberattacks; protection from state-sponsored disinformation campaigns; support for humanitarian assistance; and the protection of our employees. Also:
https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/
Ukraine: Cyberwar creates chaos, ‘it won’t win the war’
https://www.dw.com/en/ukraine-cyberwar-creates-chaos-it-wont-win-the-war/a-60999197
There have been at least 150 cyberattacks in Ukraine since Russia’s invasion. Their effect is mainly psychological, and experts say they won’t decide the war.
Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyberwar.
The global technology company Microsoft has said its Threat Intelligence Center (MSTIC) detected “destructive cyberattacks directed against Ukraine’s digital infrastructure” hours before the first launch of missiles or movement of tanks on February 24.
Those attacks, which Microsoft dubbed FoxBlade, included so-called wipers — malicious software or malware — that make their way inside computer networks and literally wipe the data from all connected devices.
Cybersecurity experts in Germany have said there have been over a hundred cyberattacks, in various forms, since then. But their effect has mainly been psychological.
Why Russia Hasn’t Launched Major Cyber Attacks Since the Invasion of Ukraine
https://time.com/6153902/russia-major-cyber-attacks-invasion-ukraine/
In the relatively short and rapidly evolving history of cyber conflict, perhaps nothing has been established with greater certainty and more widely accepted than the idea that Russia has significant cyber capabilities and isn’t afraid to use them—especially on Ukraine. In 2015, Russian government hackers breached the Ukrainian power grid, leading to widespread outages. In 2017, Russia deployed the notorious NotPetya malware via Ukrainian accounting software and the virus quickly spread across the globe costing businesses billions of dollars in damage and disruption.
As tensions escalated between Russia and Ukraine, many people were expecting the conflict to have significant cyber components.
But as the invasion continues with few signs of any sophisticated cyber conflict, it seems less and less likely that Russia has significant cyber capabilities in reserve, ready to deploy if needed. Instead, it begins to look like Russia’s much vaunted cyber capabilities have been neglected in recent years, in favor of developing less expensive, less effective cyber weapons that cause less widespread damage and are considerably easier to contain and defend against. For instance, many of the cyberattacks directed at Ukraine in the past month have been relatively basic distributed denial-of-service attacks.
Given Russia’s past willingness to deploy cyberattacks with far-reaching, devastating consequences, it would be a mistake to count out their cyber capabilities just because they have so far proven unimpressive. And it’s all but impossible to prove the absence of cyber weapons in a nation’s arsenal. But the longer the conflict goes on without any signs of sophisticated cyber sabotage, the more plausible it becomes that the once formidable Russian hackers are no longer playing a central role in the country’s military operations.
Crowd-sourced attacks present new risk of crisis escalation
https://blog.talosintelligence.com/2022/03/ukraine-update.html
An unpredictable and largely unknown set of actors present a threat to organizations, despite their sometimes unsophisticated techniques.
Customers who are typically focused on top-tier, state-sponsored attacks should remain aware of these highly motivated threat actors, as well. Misattribution of these actors carries the risk of nations escalating an already dangerous conflict in Ukraine. Based on data from our fellow researchers at Cisco Kenna, customers should be most concerned about threat actors exploiting several recently disclosed vulnerabilities, highlighting the importance of consistently updating software and related systems.
Russia, Ukraine and the Danger of a Global Cyberwar
https://www.securityweek.com/russia-ukraine-and-danger-global-cyberwar
On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladimir Putin.
Russia has been waging its own cyberwar against Ukraine for many years.
Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.
The purpose of such cyber activity is to weaken critical infrastructure, damage government’s ability to respond to any aggression, and to demoralize the population.
The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened.
“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do.
This raises the whole question of ‘attribution’. The received belief is that it is impossible to do accurate cyber attribution. “That is absolutely wrong,” said Willett. “It would be a mistake for any one nation to think it could attack another without being known.”
But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both malwares escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could lead to wider implications during a period of global geopolitical tension.
On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.
Ukraine Digital Army Brews Cyberattacks, Intel and Infowar
https://www.securityweek.com/ukraine-digital-army-brews-cyberattacks-intel-and-infowar
Formed in a fury to counter Russia’s blitzkrieg attack, Ukraine’s hundreds-strong volunteer “hacker” corps is much more than a paramilitary cyberattack force in Europe’s first major war of the internet age. It is crucial to information combat and to crowdsourcing intelligence.
Inventions of the volunteer hackers range from software tools that let smartphone and computer owners anywhere participate in distributed denial-of-service attacks on official Russian websites to bots on the Telegram messaging platform that block disinformation, let people report Russian troop locations and offer instructions on assembling Molotov cocktails and basic first aid.
The movement is global, drawing on IT professionals in the Ukrainian diaspora whose handiwork includes web defacements with antiwar messaging and graphic images of death and destruction in the hopes of mobilizing Russians against the invasion.
The cyber volunteers’ effectiveness is difficult to gauge. Russian government websites have been repeatedly knocked offline, if briefly, by the DDoS attacks, but generally weather them with countermeasures.
It’s impossible to say how much of the disruption — including more damaging hacks — is caused by freelancers working independently of but in solidarity with Ukrainian hackers.
A tool called “Liberator” lets anyone in the world with a digital device become part of a DDoS attack network, or botnet. The tool’s programmers code in new targets as priorities change.
Ukraine Cyber Official: We Only Attack Military Targets
https://www.securityweek.com/ukraine-cyber-official-we-only-attack-military-targets
A top Ukrainian cybersecurity official said Friday a volunteer army of hundreds of hackers enlisted to fight Russia in cyberspace is attacking only what it deems military targets, prioritizing government services including the financial sector, Kremlin-controlled media and railways.
Victor Zhora, deputy chair of the state special communications service, also said that there had been about 10 hostile hijackings of local government websites in Ukraine to spread false text propaganda saying his government had capitulated. He said most of Ukraine’s telecommunications and internet were fully operational.
Zhora told reporters in a teleconference that presumed Russian hackers continued to try to spread destructive malware in targeted email attacks on Ukrainian officials and — in what he considers a new tactic — trying to infect the devices of individual citizens.
Army of Cyber Hackers Rise Up to Back Ukraine
https://www.securityweek.com/army-cyber-hackers-rise-back-ukraine
An army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other “hacktivists” to stay out of a potentially very dangerous computer war.
According to Livia Tibirna, an analyst at cyber security firm Sekoia, nearly 260,000 people have joined the “IT Army” of volunteer hackers, which was set up at the initiative of Ukraine’s digital minister Mykhailo Fedorov.
The group, which can be accessed via the encrypted messaging service Telegram, has a list of potential targets in Russia, companies and institutions, for the hackers to target.
It’s difficult to judge the effect the cyber-army is having.
Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks
https://thehackernews.com/2022/03/russia-releases-list-of-ips-domains.html
Russia Blocks Access to Facebook Over War
https://www.securityweek.com/russia-blocks-access-facebook-over-war
Russia’s state communications watchdog has ordered to completely block access to Facebook in Russia amid the tensions over the war in Ukraine.
The agency, Roskomnadzor, said Friday it decided to cut access to Facebook over its alleged “discrimination” of the Russian media and state information resources. It said the restrictions introduced by Facebook owner Meta on the RT and other state-controlled media violate the Russian law.
Cyberattack Knocks Thousands Offline in Europe
https://www.securityweek.com/cyberattack-knocks-thousands-offline-europe
Thousands of internet users across Europe have been thrown offline after what sources said Friday was a likely cyberattack at the beginning of Russia’s offensive in Ukraine.
According to Orange, “nearly 9,000 subscribers” of a satellite internet service provided by its subsidiary Nordnet in France are without internet following a “cyber event” on February 24 at Viasat, a US satellite operator of which it is a client.
Eutelsat, the parent company of the bigblu satellite internet service, also confirmed to AFP on Friday that around one-third of bigblu’s 40,000 subscribers in Europe, in Germany, France, Hungary, Greece, Italy and Poland, were affected by the outage on Viasat.
In the US, Viasat said on Wednesday that a “cyber event” had caused a “partial network outage” for customers “in Ukraine and elsewhere” in Europe who rely on its KA-SAT satellite.
Viasat gave no further details, saying only that “police and state partners” had been notified and were “assisting” with investigations.
General Michel Friedling, head of France’s Space Command said there had been a cyberattack.
Cybercriminals Seek to Profit From Russia-Ukraine Conflict
https://www.securityweek.com/cybercriminals-seek-profit-russia-ukraine-conflict
Dark web threat actors are looking to take advantage of the tensions between Russia and Ukraine, offering network access and databases that could be relevant to those involved in the conflict, according to a new report from Accenture.
Since mid-January, cybercriminals have started to advertise compromised assets relevant to the Russia-Ukraine conflict, and they are expected to increase their offering of databases and network access, with potentially crippling effects for the targeted organizations.
Just over a month ago, soon after the destructive WhisperGate attacks on multiple government, IT, and non-profit organizations in Ukraine, threat actors started to advertise on the dark web access to both breached networks and databases that allegedly contained personally identifiable information (PII).
Amid Russian invasion, Ukraine granted formal role with NATO cyber hub https://therecord.media/amid-russian-invasion-ukraine-granted-formal-role-with-nato-cyber-hub/
Ukraine was granted the formal role of “contributing participant” to the hub, known as the Cooperative Cyber Defence Centre of Excellence (CCDCOE), by its 27-member steering committee, the organization announced. “Ukraine’s presence in the Centre will enhance the exchange of cyber expertise between Ukraine and CCDCOE member nations,” Col. Jaak Tarien, the institution’s director, said in a statement.
This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites https://therecord.media/this-ukrainian-cyber-firm-is-offering-hackers-bounties-for-taking-down-russian-sites/
In the days following Russia’s invasion of Ukraine, dozens of hacking groups have taken sides in the conflict, launching attacks on various organizations and government institutions. Cyber Unit Technologies, a Kyiv-based cybersecurity startup, has been particularly outspoken. On Tuesday, the company started a campaign to reward hackers for taking down Russian websites and pledged an initial $100,000 to the program.
High Above Ukraine, Satellites Get Embroiled in the War
https://www.wired.com/story/ukraine-russia-satellites/
While the Russian invasion rages on the ground, companies that operate data-collecting satellites find themselves in an awkward position.
Some researchers are worried that the reliance on satellite imagery has given too much power to the companies that control this technology. “There’s companies like Maxar and Planet that are privately owned and they have the final say on whether or not they want to share the information,” says Anuradha Damale. The role of private companies in conflicts such as Ukraine means commercial satellites could become targets. In the days before Russia invaded, US space officials warned satellite companies that the conflict could extend into space.
CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine https://www.cisa.gov/uscert/ncas/current-activity/2022/02/26/cisa-releases-advisory-destructive-malware-targeting-organizations
CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.
Alert: https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
US firms should be wary of destructive malware unleashed on Ukraine, FBI and CISA warn – CNNPolitics
https://www.cnn.com/2022/02/26/politics/ukraine-malware-warning-cybersecurity-fbi-cisa/index.html
EU Activates Cyber Rapid Response Team Amid Ukraine Crisis
https://www.bankinfosecurity.com/eu-activates-cyber-rapid-response-team-amid-ukraine-crisis-a-18584
Amid rapid escalation in the Russia-Ukraine conflict derived from historical grievances and qualms with Ukraine’s plan to join the military alliance NATO, the world’s network defenders remain on high alert. And on Tuesday, the European Union confirmed that it will activate its elite cybersecurity team to assist Ukrainians if Russian cyberattacks occur.
UK alludes to retaliatory cyber-attacks on Russia
https://therecord.media/uk-alludes-to-retaliatory-cyber-attacks-on-russia/
The UK government alluded yesterday that it might launch offensive cyber operations against Russia if the Kremlin attacks UK computer systems after an invasion of Ukraine.
Amazon: Charities, aid orgs in Ukraine attacked with malware
https://www.bleepingcomputer.com/news/security/amazon-charities-aid-orgs-in-ukraine-attacked-with-malware/
Charities and non-governmental organizations (NGOs) providing critical support in Ukraine are targeted in malware attacks aiming to disrupt their operations and relief efforts seeking to assist those affected by Russia’s war. Amazon has detected these attacks while working with the employees of NGOs, charities, and aid organizations, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.
Ransomware Used as Decoy in Destructive Cyberattacks on Ukraine
https://www.securityweek.com/ransomware-used-decoy-destructive-cyberattacks-ukraine
Destructive ‘HermeticWiper’ Malware Targets Computers in Ukraine
https://www.securityweek.com/destructive-hermeticwiper-malware-targets-computers-ukraine
Just as Russia was preparing to launch an invasion of Ukraine, Ukrainian government websites were disrupted by DDoS attacks and cybersecurity firms reported seeing what appeared to be a new piece of malware on hundreds of devices in the country.
The new malware, dubbed “HermeticWiper” by the cybersecurity community, is designed to erase infected Windows devices. The name references a digital certificate used to sign a malware sample — the certificate was issued to a Cyprus-based company called Hermetica Digital.
“At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” explained endpoint security firm SentinelOne, whose researchers have been analyzing the new malware.
The malware has also been analyzed by researchers at ESET and Symantec. Each of the companies has shared indicators of compromise (IoCs) associated with HermeticWiper.
ESET first spotted HermeticWiper on Wednesday afternoon (Ukraine time) and the company said hundreds of computers in Ukraine had been compromised.
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure. This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack. This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available. Also:
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/
HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/
The day before the invasion of Ukraine by Russian forces on February 24, a new data wiper was unleashed against a number of Ukrainian entities. This malware was given the name “HermeticWiper” based on a stolen digital certificate from a company called Hermetica Digital Ltd. This wiper is remarkable for its ability to bypass Windows security features and gain write access to many low-level data-structures on the disk. In addition, the attackers wanted to fragment files on disk and overwrite them to make recovery almost impossible.
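The SentinelOne and Malwarebytes write-ups above both describe a wiper that corrupts the Master Boot Record so the machine no longer boots. The following script is an added editor's example, not code from either vendor or from this blog: it parses a 512-byte MBR and reports structural damage (missing 55AA boot signature, zeroed boot code, empty or overlapping partition table) of the kind a forensic analyst would check for when triaging a disk image. The sample sectors and the helper `make_sample_mbr` are constructed for the demonstration; the checks make no claim about the exact bytes HermeticWiper writes.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # stored as bytes 55 AA at offset 510
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the boot code
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY = "<B3xB3xII"


def parse_partition_entries(mbr: bytes) -> list:
    """Return the four partition entries as dicts (type 0 means unused)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list:
    """Structural sanity checks on a 512-byte MBR; an empty list means it looks intact."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if not any(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code region is all zeros")
    used = [e for e in parse_partition_entries(mbr) if e["type"] != 0]
    if not used:
        findings.append("no partition entries")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte {e['status']:#04x}")
        if e["sectors"] == 0:
            findings.append(f"entry {e['index']}: zero-length partition")
    used.sort(key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def make_sample_mbr(boot_code: bytes, partitions: list, signed: bool = True) -> bytes:
    """Build a constructed MBR for testing; partitions are (status, type, lba_start, sectors)."""
    mbr = bytearray(SECTOR_SIZE)
    code = boot_code[:PARTITION_TABLE_OFFSET]
    mbr[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, sectors)
    if signed:
        struct.pack_into("<H", mbr, 510, BOOT_SIGNATURE)
    return bytes(mbr)


# Constructed samples: a healthy layout with two NTFS partitions, the same layout with its
# boot code zeroed, and a sector that has been overwritten entirely.
HEALTHY_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8,
                              [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000)])
BOOTCODE_ZEROED_MBR = make_sample_mbr(b"", [(0x80, 0x07, 2048, 204800)])
OVERWRITTEN_MBR = make_sample_mbr(b"", [], signed=False)

if __name__ == "__main__":
    for label, sample in [("healthy", HEALTHY_MBR), ("bootcode zeroed", BOOTCODE_ZEROED_MBR),
                          ("overwritten", OVERWRITTEN_MBR)]:
        print(label, check_mbr(sample) or "OK")
```

On a real image you would feed `check_mbr` the first 512 bytes of the disk (for example `open(image, "rb").read(512)`) and compare the findings against a known-good baseline of the same host; GPT disks still carry a protective MBR, so the signature and single-entry checks apply there too.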
In Ukraine, Online Gig Workers Keep Coding Through the War
https://www.wired.com/story/gig-work-in-ukraine/
Freelancers or gig workers who piece together work on online platforms are a hidden engine of the Ukrainian economy, and the world’s. They work as software engineers, project managers, IT technicians, graphic designers, editors, and copywriters. And they work for everyone.
Invading Russian forces have plunged freelancers’ home offices into chaos and uncertainty. Vlad, a video editor in southern Ukraine, says he’s grown accustomed to the air alarm signal, and hiding until it has passed. Now there are battles 30 miles from his home. “But as long as there is water, electricity, and internet, I can work,” he says.
“Because we all need to live for something, eat
Leaving Russia? Experts Say Wipe Your Phone Before You Go
https://www.forbes.com/sites/thomasbrewster/2022/03/04/russians-escaping-putins-repression-urged-to-wipe-their-phones/
Russians fleeing President Vladimir Putin’s regime as it cracks down on anti-war sentiment, and as rumors of martial law grow louder, are being advised to wipe their phones, especially of any traces of support for Ukraine. If they don’t, experts say they may face detention. They’re starting by deleting messages on Signal, Telegram or any app that promises security. For those leaving the country, they’re deleting the apps themselves, and urging others to do the same. Russian media has first-hand accounts of lengthy interrogations at the border, along with phone and laptop searches, though Forbes could not corroborate those claims.
Why ICANN Won’t Revoke Russian Internet Domains
The organization says cutting the country off would have “devastating” effects on the global internet system.
https://www.wired.com/story/why-icann-wont-revoke-russian-internet-domains/
Ukraine on Monday asked ICANN to revoke Russian top-level domains such as .ru, .рф, and .su; to “contribute to the revoking for SSL certificates” of those domains; and to shut down DNS root servers in Russia. Fedorov argued that the requested “measures will help users seek for reliable information in alternative domain zones, preventing propaganda and disinformation.”
Ukraine’s request to cut Russia off from core parts of the internet has been rejected by the nonprofit group that oversees the Internet’s Domain Name System (DNS). CEO Göran Marby of the Internet Corporation for Assigned Names and Numbers (ICANN) said the group must “maintain neutrality and act in support of the global internet.”
“Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the internet—regardless of the provocations,” Marby wrote in his response to Ukraine Vice Prime Minister Mykhailo Fedorov.
https://www.icann.org/en/system/files/correspondence/marby-to-fedorov-02mar22-en.pdf
TikTok Was Designed for War
As Russia’s invasion of Ukraine plays out online, the platform’s design and algorithm prove ideal for the messiness of war—but a nightmare for the truth.
https://www.wired.com/story/ukraine-russia-war-tiktok/
2,362 Comments
Tomi Engdahl says:
Some Twitter traffic briefly funneled through Russian ISP, thanks to BGP mishap https://arstechnica.com/information-technology/2022/03/absence-of-malice-russian-isps-hijacking-of-twitter-ips-appears-to-be-a-goof/
Some Internet traffic in and out of Twitter on Monday was briefly funneled through Russia after a major ISP in that country misconfigured the Internet’s routing table, network monitoring services said.
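The Ars Technica story above is about a prefix being announced from an origin it does not belong to. Whether the cause is a typo or something deliberate, the defender's check is the same: compare each announcement's origin ASN against a table of expected origins, the way RPKI route origin validation does. The script below is an added example written for this page, not code from Ars Technica or from any routing vendor; the expected-origin table and the announcement feed are constructed from documentation prefixes (203.0.113.0/24, 2001:db8::/32) and private ASNs, and the `validate_origin`/`audit_announcements` names are the example's own.

```python
import ipaddress

# Constructed table of expected origins in the shape of RPKI ROAs:
# (prefix, authorized origin ASN, maximum accepted prefix length). All values are assumed.
EXPECTED_ORIGINS = [
    ("203.0.113.0/24", 64500, 24),
    ("2001:db8::/32", 64500, 48),
]


def validate_origin(prefix: str, origin_asn: int, expected=EXPECTED_ORIGINS) -> str:
    """RPKI-style origin validation.

    Returns 'valid' when a covering entry authorizes this origin and length,
    'invalid' when the prefix is covered but the origin is wrong or the
    announcement is more specific than allowed, and 'unknown' when no entry
    covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, asn, max_len in expected:
        roa = ipaddress.ip_network(roa_prefix)
        if net.version != roa.version or not net.subnet_of(roa):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def audit_announcements(announcements, expected=EXPECTED_ORIGINS) -> list:
    """Evaluate (prefix, as_path) pairs; the origin is the last ASN on the AS path."""
    results = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        results.append((prefix, origin, validate_origin(prefix, origin, expected)))
    return results


# Constructed feed: a normal announcement, the same prefix announced by a different origin
# (the misorigination case from the story), a more-specific that would win in the routing
# table even though the origin is right, and a prefix nobody has registered.
SAMPLE_FEED = [
    ("203.0.113.0/24", [64496, 64500]),
    ("203.0.113.0/24", [64497, 64511]),
    ("203.0.113.128/25", [64496, 64500]),
    ("198.51.100.0/24", [64496, 64502]),
]

if __name__ == "__main__":
    for prefix, origin, verdict in audit_announcements(SAMPLE_FEED):
        print(f"{prefix:20} origin AS{origin:<6} {verdict}")
```

The more-specific case matters in practice: a /25 with the correct origin but beyond the registered maximum length would still be preferred by routers over the legitimate /24, which is why the check treats it as invalid rather than valid.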
Tomi Engdahl says:
Supo warns: the threat of serious Russian cyber attacks has grown, and Finns have reason to prepare for hostile influence operations
https://yle.fi/uutiset/3-12378792
According to the Finnish Security Intelligence Service (Suojelupoliisi), the greatest threats to national security are Russia’s broad-based influence operations against Finland and illegal intelligence gathering.
The terrorist threat remains at the previously elevated level.
Tomi Engdahl says:
With War Next Door, EU is Warned on Cybersecurity Gaps
https://www.securityweek.com/war-next-door-eu-warned-cybersecurity-gaps
As Russia’s invasion of Ukraine accelerates European Union defense cooperation, a watchdog said Tuesday that EU institutions face vulnerabilities on another front: cybersecurity.
The warning by the European Court of Auditors covers the wide range of EU bodies — from the executive arm based in Brussels to specialist agencies located across Europe — that run the 27-nation bloc’s day-to-day business.
“The EU must step up its efforts to protect its own organizations,” Bettina Jakobsen, a member of the ECA, said in a statement accompanying a special report on cyberthreats. “Such attacks can have significant political implications.”
Cyberattacks against EU bodies are increasing “sharply,” with major incidents jumping more than tenfold between 2018 and 2021, according to the Luxembourg-based ECA.
Cybersecurity has jumped up the political agenda in Europe following attacks in recent years that targeted EU nations such as Germany and other industrialized countries including the United States, Britain and Australia.
In 2020, the EU imposed cyber sanctions for the first time, blacklisting a number of Russian, Chinese and North Korean hackers.
Nonetheless, the European auditors said Tuesday that EU organizations were failing to enact some “essential” cybersecurity controls and underspending in this area. The auditors also alleged a lack of “systematic” cybersecurity training and information sharing.
EU entities as a whole handle political, diplomatic, financial, economic and regulatory matters. The spectrum of activities underpins the bloc’s status as a geopolitical force, a global setter of industrial rules and the world’s most lucrative single market.
The sensitive information processed by EU bodies makes them attractive targets for hackers, according to the report, which said the risks have grown as a result of remote working prompted by the COVID-19 pandemic.
“This has considerably increased the number of potential access points for attackers,” the ECA said.
Tomi Engdahl says:
US Brands Russian Cybersecurity Firm Kaspersky ‘Security Threat’
https://www.securityweek.com/us-brands-russian-cybersecurity-firm-kaspersky-security-threat
US regulators have deemed antivirus software maker Kaspersky a “threat to national security,” a designation that will restrict its dealings in the United States.
The Federal Communications Commission has added Kaspersky to a threat list — which blocks paying the firm with certain US government subsidies — that also includes Chinese companies like Huawei and ZTE.
The FCC’s statement released Friday did not mention Russia’s invasion of Ukraine, but Kaspersky responded to the designation by saying it was imposed “on political grounds.”
“This decision is not based on any technical assessment of Kaspersky products,” the firm added in a statement.
German cyber security agency BSI urged consumers earlier this month against using Kaspersky’s antivirus software, warning that the company could be implicated — willingly or unwillingly — in hacking assaults amid Russia’s war in Ukraine.
Tomi Engdahl says:
Cyber Attacks from Chinese IPs on NATO Countries Surge by 116% https://blog.checkpoint.com/2022/03/21/cyber-attacks-from-chinese-ips-on-nato-countries-surge-by-116/
Last week, Check Point Research (CPR) observed an increase in cyber attacks aimed at NATO countries that were sourced from Chinese IP addresses. CPR examined the trend before and after Russia’s invasion into Ukraine, learning that cyber attacks from Chinese IPs jumped by 116% on NATO countries, and 72% world-wide. CPR cannot attribute the cyber attacks to the Chinese entities or to any known Chinese threat actor. The observation indicates a trend that hackers, likely within China and abroad, are increasingly using Chinese IPs as a resource to launch cyber attacks after the advent of the Russia-Ukraine conflict.
Tomi Engdahl says:
Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/
Ukrainian security officials have warned of ongoing attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon. Last week, the Computer Emergency Response Team for Ukraine (CERT-UA) said that the department has been advised of new phishing campaigns taking place against Ukrainian organizations that spread the LoadEdge backdoor. According to CERT-UA, phishing emails are being sent that have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy LoadEdge.
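The CERT-UA warning above describes a lure that arrives as a zip archive carrying a Windows shortcut (LNK) and leads to an HTML Application (HTA). A mail gateway or triage script can catch that pattern before a user opens it. The script below is an added example written for this page, not code from CERT-UA, ZDNet or any product: it opens an attachment archive and flags members by risky extension, double extension, the LNK file header (which also catches shortcuts renamed to look like documents) and HTA markup. The archive name 501_25_103.zip is the one reported by CERT-UA; the member files inside the sample are constructed, and the extension lists are assumptions to be tuned per environment.

```python
import io
import zipfile

# Assumed list of extensions that should not arrive inside a mail attachment archive.
RISKY_EXTENSIONS = {".lnk", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                    ".exe", ".scr", ".cmd", ".bat", ".ps1"}
# Extensions attackers like to put in front of the real executable extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Windows shortcut header: HeaderSize 0x4C followed by the LNK CLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK ShellLinkHeader).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HEAD_BYTES = 4096  # only the head of each member is read, which also limits zip-bomb exposure


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like executable content (empty = benign)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("LNK header")            # catches shortcuts renamed to something harmless
    if ext == ".hta" or b"<hta:application" in head.lower():
        reasons.append("HTA content")           # HTML Application, runs under mshta.exe
    return reasons


def triage_archive(blob: bytes) -> dict:
    """Map member name -> reasons for every flagged member of a zip attachment."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_BYTES)
            reasons = classify_member(info.filename, head)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_archive() -> bytes:
    """Constructed attachment: the members and their contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Quarterly figures attached.\n")
        zf.writestr("report.lnk", LNK_MAGIC + b"\x00" * 60)        # a shortcut, as in the advisory
        zf.writestr("scan.pdf", LNK_MAGIC + b"\x00" * 60)          # shortcut renamed to look like a PDF
        zf.writestr("invoice.pdf.hta", "<html><hta:application id='x'/></html>")
    return buf.getvalue()


SAMPLE_ARCHIVE_NAME = "501_25_103.zip"   # attachment name reported by CERT-UA
SAMPLE_ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for member, why in triage_archive(SAMPLE_ARCHIVE).items():
        print(f"{SAMPLE_ARCHIVE_NAME}:{member} -> {', '.join(why)}")
```

Reading only the first 4 KiB of each member is deliberate: the header checks need no more, and it keeps a malicious archive from making the scanner inflate gigabytes. A production filter would add password-protected archives and nested zips, which this example does not unpack.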
Tomi Engdahl says:
While Russian tanks attack, Ukrainian supporters hack back https://therecord.media/while-russian-tanks-attack-ukrainian-supporters-hack-back/
The Ukrainian government began recruiting local tech specialists for its so-called "cyber forces" unit even before the latest Russian invasion. Its main purpose was to track and repel attacks in cyberspace, according to Serhii Demediuk, a top Ukrainian cybersecurity official. And now, instead of professionally trained cybersecurity specialists, Ukraine has turned for help to volunteers with different levels of IT skills, organized in official and unofficial groups that can be hard to track and that are often "hacking back."
Tomi Engdahl says:
Anti-War Hacktivism is Leading to Digital Xenophobia and a More Hostile Internet https://www.eff.org/deeplinks/2022/03/anti-war-hacktivism-leading-digital-xenophobia-and-more-hostile-internet
The horrific Russian military invasion of Ukraine has understandably led to a backlash against Russia. The temptation is to label anything Russian, from state media and students to cats, as bad and block it to signal outrage and ostracization. This type of thinking has infected the open source and internet security communities as well. The trend of half-baked hacktivism involving everyday internet users is now growing into sites and games that encourage users to become part of DDoS attacks against some Russian digital assets. Randomly sending attacks without thinking through the consequences and potential collateral damage is a feel-good action that amounts to shooting in the dark. Also unknown are the consequences for users that were part of this campaign.
Tomi Engdahl says:
More Conti ransomware source code leaked on Twitter out of revenge https://www.bleepingcomputer.com/news/security/more-conti-ransomware-source-code-leaked-on-twitter-out-of-revenge/
A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine. Last month, the researcher published almost 170,000 internal chat conversations between the Conti ransomware gang members. The researcher later leaked old Conti ransomware source code dated September 15th, 2020. While the code was rather old, it allowed researchers and law enforcement to analyze the malware to better understand how it works. Today, Conti Leaks uploaded the source code for Conti version 3 to VirusTotal and posted a link on Twitter. This source code is much newer than the previously released version, with the last modified dates being January 25th, 2021, making it over one year newer than the previously released code.
Tomi Engdahl says:
The war in Ukraine has increased cyber attacks in Finland too
https://etn.fi/index.php/13-news/13366-sota-ukrainassa-lisaennyt-kyberhyoekkaeyksiae-myoes-suomessa
European organisations are now being cyber-attacked 18 percent more than before Russia's attack on Ukraine. In Finland, too, the number of attacks has grown by 26 percent, reports security company Check Point Research.
Last week cyber attacks increased clearly in both Russia and Ukraine (10 and 17 percent). CPR has also observed that cyber attacks have increased globally by 16 percent since the war. CPR believes that hackers are trying to exploit the conflict between Russia and Ukraine from every side.
The number of cyber attacks is now growing against both Russia and Ukraine. In Ukraine, the average number of weekly attacks per organisation last week was 1,697, which is 39 percent more than before the conflict began and 17 percent more than a week earlier. In Russia, the average number of weekly attacks per organisation last week was 1,550, which is 22 percent more than before the conflict began and 10 percent more than a week earlier.
In Europe, the average number of weekly attacks per organisation last week was 1,101, which is 18 percent more than before the war.
https://blog.checkpoint.com/2022/03/28/resurgence-of-increased-cyber-attacks-on-both-russia-and-ukraine-a-month-into-the-war/
Tomi Engdahl says:
Russia's online "preparatory fire" failed badly – here are the reasons
https://www.is.fi/digitoday/tietoturva/art-2000008667365.html
Tomi Engdahl says:
The Russia-Ukraine war is fast becoming a proxy war for the CCP.
One wonders how much intel is being harvested (and fed to the Russians) by the DJI drones, the TikTok accounts (it's the TikTok war, with more views than FB or Google, AND it has access to all your mobile usage), Huawei devices – not to mention traditional satellite, AI big data and all the large-scale data vacuuming that they do.
Maybe it's time to get serious about decoupling from these apps/devices.
China’s DJI rejects claims of data leaks to Russia on Ukrainian military positions
https://www.reuters.com/world/china/chinas-dji-rejects-claim-that-russian-military-uses-its-drones-ukraine-2022-03-28/
Chinese drone maker DJI has dismissed as “utterly false” accusations that it is leaking data on Ukrainian military positions to Russia, after a German retailer cited such information as a reason for taking its products off shelves.
The rejection followed Friday’s Twitter revelation of the removal by German electronics and home appliances giant MediaMarkt in response to “information from various sources”, although it gave no details of the information it had.
MediaMarkt said, “In the last few days, we have received more and more information from various sources that the Russian army is using products and data from the Chinese drone supplier DJI for military activities in Ukraine.”
While the company had noticed footage online that suggested the Russian military was using its products, the spokesperson added, it had not been able to confirm this and had no control over the use of its products.
In its Twitter statement on Saturday, DJI had said, “We do not support any use that does harm to people’s lives, rights and interests,” adding, “DJI promotes civilian drone applications that benefit society.”
MediaMarkt was replying to a user who accused DJI of leaking GPS data of Ukrainian military positions to Russia.
The firm has found itself in an uncomfortable position after Russia invaded Ukraine more than a month ago in what Moscow calls a “special military operation”.
While Western firms have pulled out of Russia in protest, DJI has stayed on, like many Chinese companies, taking a cue from Beijing's stance of refraining from criticism of Moscow over the invasion.
Ukrainian officials and citizens have accused DJI of leaking data on the Ukrainian military to Russia.
Tomi Engdahl says:
https://www.iflscience.com/technology/russian-troops-at-chornobyl-reportedly-stole-dirty-bomb-ingredients-should-we-worry/
Tomi Engdahl says:
Good propaganda always contains a grain of truth around which the narrative is built. "Rekawek emphasizes that the Azov battalion was only one of dozens of volunteer battalions founded around the same time. The vast majority of them were not far-right."
Controversial heroes
https://yle.fi/uutiset/3-12366403?origin=rss
Russia has branded the Azov regiment defending Mariupol a "Nazi battalion". According to a researcher, the unit has tried to break away from its far-right roots.
Tomi Engdahl says:
Why Russian radios in Ukraine are getting spammed with heavy metal
Ukrainians are eavesdropping on the invaders and broadcasting on their frequencies
https://www.economist.com/the-economist-explains/2022/03/28/why-russian-radios-ukraine-war-intercepted-heavy-metal
One of the many surprising failures of the Russian invasion force in Ukraine has been in radio communications. There have been stories of troops resorting to commercial walkie-talkies and Ukrainians intercepting their frequencies. This may not sound as serious as a lack of modern tanks or missiles, but it helps explain why Russian forces seem poorly co-ordinated, are falling victim to ambushes and have lost so many troops, reportedly including seven generals. What is going wrong with Russian radios?
Modern military-grade radios encrypt signals and change the frequency on which they operate many times a second, making their transmissions impossible to intercept.
But many Russian forces are communicating on unencrypted high-frequency (HF) channels that allow anyone with a ham radio to eavesdrop. The Russian army does have some modern tech. It started receiving Azart radios, which have built-in encryption and can operate on much higher frequencies, in 2012. Thomas Withington, a military analyst specialising in electronic warfare, says that the Azart system seems adequate, if inferior to the equipment used by NATO forces. But there are not enough radios to go around. Russian news reports have talked enthusiastically about deliveries of a few hundred radios shipped to whole army groups comprising several thousand troops.
Tomi Engdahl says:
Using Russian tech? It’s time to look at the risks again, says cybersecurity chief
If you are relying on Russian software or services it might be time to consider the level of risk that involves, says NCSC.
https://www.zdnet.com/google-amp/article/using-russian-tech-its-time-to-look-at-the-risks-again-says-cybersecurity-chief/
Organisations using Russian-linked software or products have been told to take time to consider the risk involved with using those technologies following Russia’s invasion of Ukraine.
New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas in particular should reconsider the risk of using Russian-controlled products as part of their network or supply chain because of the risk of potential cyberattacks.
NCSC said that Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so might increase in a time of war.
Tomi Engdahl says:
Rosaviatsiya has switched to pen and paper after losing 65TB of data. According to sources, it suffered a major cyberattack on Saturday.
Russian aviation authority switches to paper after losing 65TB of data
https://cybernews.com/cyber-war/russian-aviation-authority-switches-to-paper-after-losing-65tb-of-data/?utm_source=facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post
The Federal Air Transport Agency Rosaviatsiya is responsible for overseeing the civil aviation industry in Russia. Its website favt.ru went offline on Monday and has been unreachable since.
“Due to the temporary lack of access to the Internet and a malfunction in the electronic document management system of the Federal Air Transport Agency, the Federal Air Transport Agency is switching to a paper version,” reads the Rosaviatsiya statement signed by the agency’s head Alexander Neradko.
Russian Telegram channel Aviatorshina said that Rosaviatsiya was hit by a severe cyberattack on Saturday, leading to the collapse of its entire network. Documents, mail and files were allegedly erased; approximately 65 TB of data has been lost.
According to Aviatorshina's source close to the matter, the agency lost 1.5 years' worth of emails and has no backups to restore its system. The source also said that the prosecutor's office and the FSB have been working with Rosaviatsiya since Saturday.
Russian media outlet Kommersant quotes two independent sources close to the agency. They confirm that outages were likely caused by a cyberattack. The agency has presumably regained its access to the email service and expects to fully restore access to its data storage soon.
Meanwhile, Rosaviatsiya keeps posting updates on its social media channels, including Telegram and VK, and linking to its website as if nothing happened.
Tomi Engdahl says:
Russia cooked up a thick soup about the US-backed Ukrainian "bioweapons programme" – Joe Biden's son was also taken up as a propaganda weapon https://www.is.fi/ulkomaat/art-2000008717240.html
Tomi Engdahl says:
Comment: The "ethnically targeted bioweapon" painted by Lavrov exceeds even Mengele's imagination – this is how Kremlin propaganda built a new Nazi story about Ukraine https://www.is.fi/ulkomaat/art-2000008716690.html
Tomi Engdahl says:
Ukraine struck at a Russian information operation: "The aim is to stir up panic" https://www.is.fi/digitoday/art-2000008717784.html
Tomi Engdahl says:
Tracking cyber activity in Eastern Europe https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
In early March, Google's Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links. Also:
https://therecord.media/china-iran-north-korea-russia-and-others-using-ukraine-invasion-in-phishing-attacks-google/
Tomi Engdahl says:
State-backed hacking attacks are a big worry, but most firms don’t know what to watch out for https://www.zdnet.com/article/state-backed-hacking-attacks-are-a-big-worry-but-most-firms-dont-know-what-to-watch-out-for/
The vast majority of information security personnel think their business is a target for foreign cyberattacks – but identifying and defending against them is a challenge.
Tomi Engdahl says:
Google: Russian phishing attacks target NATO, European military https://www.bleepingcomputer.com/news/security/google-russian-phishing-attacks-target-nato-european-military/
The Google Threat Analysis Group (TAG) says more and more threat actors are now using Russia's war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks. Also:
https://www.bleepingcomputer.com/news/security/google-russian-phishing-attacks-target-nato-european-military/
Tomi Engdahl says:
Hackers who crippled Viasat modems in Ukraine are still active- company official
https://www.reuters.com/business/media-telecom/exclusive-hackers-who-crippled-viasat-modems-ukraine-are-still-active-company-2022-03-30/
WASHINGTON, March 30 (Reuters) – Hackers who crippled tens of thousands of satellite modems in Ukraine and across Europe are still trying to hobble U.S. telecommunications company Viasat as it works to bring its users back online, a company official told Reuters. Also:
https://www.bleepingcomputer.com/news/security/viasat-shares-details-on-ka-sat-satellite-service-cyberattack/
Also:
https://www.spiegel.de/netzwelt/web/viasat-satellitennetzwerk-offenbar-gezielt-in-osteuropa-gehackt-a-afd98117-5c32-4946-ab8a-619f1e7af024
Tomi Engdahl says:
Tyler Wilde / PC Gamer:
Valve says it is working to resolve issues as Steam game developers in Ukraine, Russia, and Belarus are unable to receive payments due to new regulations
Game developers in Ukraine hope Steam will be able to pay them soon
In Ukraine and Russia, Steam publishers are currently unable to receive earnings unless they open foreign bank accounts.
https://www.pcgamer.com/uk/steam-ukraine-russia-payments/
Tomi Engdahl says:
https://blog.checkpoint.com/2022/03/28/resurgence-of-increased-cyber-attacks-on-both-russia-and-ukraine-a-month-into-the-war/
Tomi Engdahl says:
Russia bans foreign software and hardware
https://www.hs.fi/ulkomaat/art-2000008719695.html
Operators of Russia's critical infrastructure, such as electricity utilities or telecom operators, may no longer procure foreign software if a Russian equivalent is available. The full ban takes effect in 2025.
Russian President Vladimir Putin signed an order on Wednesday under which operators of Russian state critical infrastructure can no longer, from Thursday onward, procure foreign software without separate approval.
In practice, permission to procure foreign software can thus be granted if the software is essential, as the Russian newspaper Vedomosti, for example, clarifies.
The intention is to ban foreign software entirely from the start of 2025. The justification is that Russia wants to reduce its dependence on Western technology and secure its critical infrastructure.
According to Russia's national security strategy, dependence on Western technology is a threat to Russia. For the same reasons, Russia has for several years sought to develop its data networks so that they can be detached from the structures of the international internet if necessary.
Tomi Engdahl says:
US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers
https://edition.cnn.com/2022/03/30/politics/ukraine-cyberattack-viasat-satellite/index.html
A multi-faceted cyberattack at the onset of Russia’s war on Ukraine knocked out internet service for tens of thousands of satellite modems in Ukraine and elsewhere in Europe, the US-based telecommunications provider that owns the network said Wednesday.
It’s the most detailed public account yet of one of the most consequential hacks of the war. US officials are investigating the incident as a potential Russian state-sponsored cyberattack, CNN previously reported.
The hackers not only flooded the satellite modems owned by Viasat, a California-based firm, with traffic to knock them offline, but also used “destructive commands” to overwrite key data on the modems, Viasat said in its report — a sign of how intent the hackers were on disrupting service in Ukraine.
The hack occurred February 24 as the Russian military began their onslaught against Ukraine. A top Ukrainian cyber official, Victor Zhora, on March 15 called the hack “a really huge loss in communications in the very beginning of the war.”
Reuters first reported on the Viasat findings Wednesday.
Viasat has been working to respond to the hack in the weeks since. It has shipped nearly 30,000 modems to customers to get them back online, the firm said Wednesday.
Viasat hired US cybersecurity firm Mandiant to investigate the incident.
The hack affected residential modems on Viasat’s KA-SAT satellite network, Viasat said Wednesday. “This cyber-attack did not impact Viasat’s directly managed mobility or government users on the KA-SAT satellite,” the firm added.
“It isn’t surprising that the effects of the attack were not limited to Viasat residential customers on Ukrainian territory,” Brian Kime, a vice president at cybersecurity firm ZeroFox, told CNN. “Collateral damage happens in all wars and, if this was directed by Putin’s government and successfully targeted government and military customers of Viasat, there easily could have been a similar impact on non-Ukrainian customers, including NATO members.”
The battle for communications during the war in Ukraine has made satellite owners and other telecommunications providers a prime target for hacking.
Triolan, an internet service provider with customers in key Ukrainian cities, said March 10 that a cyberattack had disrupted service and blamed “the enemy” in an apparent reference to Russia.
Tomi Engdahl says:
Putin is trying to wean Russia off Western technology https://www.is.fi/digitoday/art-2000008721975.html
Tomi Engdahl says:
Viasat confirms satellite modems were wiped with AcidRain malware
https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/
A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe.
The malware, dubbed AcidRain by researchers at SentinelOne, is designed to brute-force device file names and wipe every file it can find, making it easy to redeploy in future attacks.
AcidRain was first spotted on March 15 after its upload onto the VirusTotal malware analysis platform from an IP address in Italy as a 32-bit MIPS ELF binary using the “ukrop” filename.
“The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,”
After AcidRain’s data wiping processes are completed, the malware reboots the device, rendering it unusable.
Used to wipe satellite communication modems in Ukraine
Based on the name of the AcidRain binary uploaded to VirusTotal, which could be an abbreviation of “Ukraine Operation,” SentinelOne said the malware might have been developed explicitly for an operation against Ukraine and likely used to wipe modems in the KA-SAT cyberattack.
This directly contradicts a Viasat incident report on the KA-SAT incident saying it found “no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.”
However, Viasat confirmed SentinelOne’s hypothesis, saying the data destroying malware was deployed on modems using “legitimate management” commands.
“The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described,” a Viasat spokesperson told BleepingComputer.
The fact that Viasat shipped almost 30,000 modems since the February 2022 attack to bring customers back online, and continues to ship even more to expedite service restoration, also hints that SentinelOne's supply-chain attack theory holds water.
As a side note, the IOCTLs used by this malware also match the ones used by the VPNFilter malware ‘dstr’ wiper plugin, a malicious tool attributed to Russian GRU hackers (Fancy Bear or Sandworm).
AcidRain is the seventh data wiper malware deployed in attacks against Ukraine, with six others having been used to target the country since the start of the year.
The Computer Emergency Response Team of Ukraine recently reported that a data wiper it tracks as DoubleZero has been deployed in attacks targeting Ukrainian enterprises.
One day before the Russian invasion of Ukraine started, ESET spotted a data-wiping malware now known as HermeticWiper, that was used against organizations in Ukraine together with ransomware decoys.
The day Russia invaded Ukraine, they also discovered a data wiper dubbed IsaacWiper
ESET also spotted a fourth data-destroying malware strain they dubbed CaddyWiper, a wiper that deletes user data and partition information from attached drives and also wipes data across Windows domains it's deployed on.
A fifth wiper malware, tracked as WhisperKill
As noted in our report: “the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.”
Additionally, we don’t view this as a supply chain attack or vulnerability.
Tomi Engdahl says:
Why attack Viasat?
The Turkish-built Bayraktar TB2 drones used by the Ukrainian Armed Forces have an airborne modem/transceiver, manufactured by Viasat, to transfer airborne videos for surveillance and reconnaissance tasks.
https://www.viasat.com/content/dam/us-site/government/documents/EnerLinks_III_HD_Brochure_021_web_1081048-2.pdf
Tomi Engdahl says:
Viasat confirms satellite modems were wiped with AcidRain malware
https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/
Tomi Engdahl says:
This is what Russian information influencing aimed at Finland would look like – an expert tells what to expect https://www.is.fi/digitoday/art-2000008719816.html
Tomi Engdahl says:
Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts https://www.zdnet.com/article/google-multiple-hacking-groups-are-using-the-war-in-ukraine-as-a-lure-in-phishing-attempts/
Hostile hacking groups are exploiting Russia’s invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world.
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
In the past month, while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones, to target victims with spear-phishing emails using the war as a lure. In this article, CPR will provide an overview of several campaigns by different APT groups using the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. (El Machete, Lyceum and SideWinder.)
Tomi Engdahl says:
New AcidRain data wiper malware targets modems and routers https://www.bleepingcomputer.com/news/security/new-acidrain-data-wiper-malware-targets-modems-and-routers/
A newly discovered data wiper malware that wipes routers and modems has been loosely linked to the cyberattack that targeted the KA-SAT satellite broadband service on February 24, affecting thousands in Ukraine and tens of thousands across Europe. Based on the name of the AcidRain binary uploaded to VirusTotal, which could be an abbreviation of "Ukraine Operation", SentinelOne suspects that the malware might have been developed explicitly for an operation against Ukraine and was likely used to wipe modems in the KA-SAT cyberattack.
Tomi Engdahl says:
New Modem Wiper Malware May be Connected to Viasat Hack
https://www.securityweek.com/sentinellabs-new-modem-wiper-malware-may-be-connected-viasat-hack
A pair of security researchers at SentinelLabs have intercepted a piece of destructive wiper malware hitting routers and modems and found digital breadcrumbs suggesting a link to the devastating Viasat hack that took down wind turbines in Germany.
SentinelLabs malware hunters Juan Andres Guerrero-Saade and Max van Amerongen believe the newest wiper — called AcidRain — is part of a larger supply chain attack aimed at crippling Viasat’s satellite internet service.
In an official statement, Viasat confirmed a dual-pronged attack against its KA-SAT network ended with malicious software commands rendering tens of thousands of modems across Europe inoperable by overwriting key data in their internal memory.
The Viasat attack, coming just as Russia was launching its invasion of Ukraine, also impacted modem service in France and Italy and even paralyzed wind turbines in Germany, according to published reports.
Tomi Engdahl says:
Liudas Dapkus / Associated Press:
Since Ukraine invasion, an estimated 70,000 tech workers have left Russia, despite income taxes eliminated till 2024, relocating to Poland, Latvia, and more
As Russia sees tech brain drain, other nations hope to gain
https://apnews.com/article/russia-ukraine-putin-immigration-kazakhstan-technology-c041eb0b7472668087bb94207de2f71d
FILE – People walk through Red Square after sunset in Moscow, Russia, on March 3, 2019, with the St. Basil’s left, and the Spasskaya Tower, second right, in the background. Russian technology workers are fleeing the country by the tens of thousands as the economy goes into a tailspin under pressure from international sanctions. For some countries, Russia’s loss is being seen as their potential gain and an opportunity to bring fresh expertise to their own high-tech industries. (AP Photo/Alexander Zemlianichenko, File)
VILNIUS, Lithuania (AP) — Russia’s tech workers are looking for safer and more secure professional pastures.
By one estimate, up to 70,000 computer specialists, spooked by a sudden frost in the business and political climate, have bolted the country since Russia invaded Ukraine five weeks ago. Many more are expected to follow.
For some countries, Russia’s loss is being seen as their potential gain and an opportunity to bring fresh expertise to their own high-tech industries.
Russian President Vladimir Putin has noticed the brain drain even in the throes of a war that, according to the U.N. refugee agency, has caused more than 4 million people to flee Ukraine and displaced millions more within the country.
This week, Putin reacted to the exodus of tech professionals by approving legislation to eliminate income taxes between now and 2024 for individuals who work for information technology companies.
Some people in the vast new pool of high-tech exiles say they are in no rush to return home. An elite crowd furnished with European Union visas has relocated to Poland or the Baltic nations of Latvia and Lithuania.
“When we heard about the war on (Feb. 24), we thought it was probably time to leave, but that we might wait and see. On February 25, we bought our tickets and left,” Anastasia said. “There wasn’t much thinking to do.”
Tomi Engdahl says:
Alastair Marsh / Bloomberg:
Q&A with Michael Chobanian, founder of Ukraine’s biggest crypto exchange KUNA, on Kyiv’s crypto scene before the war, crypto donations and their utility, more
https://www.bloomberg.com/news/articles/2022-03-31/ukraine-s-crypto-banker-describes-how-war-is-changing-his-life
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers: an allegedly Russia-tied wiper malware, AcidRain, which shares similarities with the malware VPNFilter, was behind the attack on Viasat in February — AcidRain is the seventh wiper associated with the Russian invasion of Ukraine — Viasat—the high-speed-satellite-broadband …
Mystery solved in destructive attack that knocked out >10k Viasat modems
AcidRain is the seventh wiper associated with the Russian invasion of Ukraine.
https://arstechnica.com/information-technology/2022/03/mystery-solved-in-destructive-attack-that-knocked-out-10k-viasat-modems/
Tomi Engdahl says:
Wall Street Journal:
Sources: The White House is split over Kaspersky sanctions, which could spur Russian cyberattacks and make enforcement hard due to the company’s large clientele — Some officials are said to fear that sanctioning Kaspersky Lab could increase risk of Russian cyberattack
Proposal to Sanction Russian Cybersecurity Firm Over Ukraine Invasion Splits Biden Administration
Some officials are said to fear that sanctioning Kaspersky Lab could increase risk of Russian cyberattack
https://www.wsj.com/articles/proposal-to-sanction-russian-cybersecurity-firm-over-ukraine-invasion-splits-biden-administration-11648671905?mod=djemalertNEWS
Tomi Engdahl says:
Entrepreneurs in Poland rush printers to the stricken neighboring country for use creating protective gear, tourniquets, periscopes – and even drones – for the Ukrainian defense.
https://www.forbes.com/sites/amyfeldman/2022/03/31/putting-3d-printers-to-work-in-ukraines-war-zone/?sh=2b57ea2f5015&utm_campaign=socialflowForbesMainFB&utm_source=ForbesMainFacebook&utm_medium=social
Tomi Engdahl says:
Apple to cut iPhone, AirPods output amid Ukraine war uncertainty
https://asia.nikkei.com/Spotlight/Supply-Chain/Apple-to-cut-iPhone-AirPods-output-amid-Ukraine-war-uncertainty
Tomi Engdahl says:
Taiwan chipmaker Winbond sees ‘long-term’ impact from Ukraine war
Apple supplier eyes EV, smart agriculture, cybersecurity as growth catalysts
https://asia.nikkei.com/Business/Tech/Semiconductors/Taiwan-chipmaker-Winbond-sees-long-term-impact-from-Ukraine-war
TAIPEI — The war in Ukraine is poised to have a “long-term” impact on the chip industry by compounding the mounting risks from inflation, according to Taiwanese memory chipmaker and key Apple and Samsung supplier Winbond Electronics.
Tomi Engdahl says:
Sean Lyngaas / CNN:
Interview with pseudonymous Ukrainian IT specialist Danylo, who released chat logs from the Russia-linked Conti ransomware gang, on his motivations and more
‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
By Sean Lyngaas, CNN
https://edition.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/
Washington (CNN) As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how — by sabotaging one of the most formidable ransomware gangs in Russia.
Four days into Russia’s invasion, the researcher began publishing the biggest leak ever of files and data from Conti, a syndicate of Russian and Eastern European cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses.
The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.
The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.
To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.
“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.
The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers used to allegedly reap millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.
But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim organizations.
Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the biggest land war in Europe since World War II drags on.
But by disrupting a group as notorious as Conti, Danylo has gained more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.
CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their protection, were using to share data contained in the leaks.
Digital retribution
Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have verified to CNN the dataset belongs to the hackers. (Conti is both the name of malicious software and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)
“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”
For years, Danylo said, he quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials.
Conti ransomware has been rampant in the last two years, with the hackers claiming numerous victims a week.
The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.
But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.
A Russian airstrike had landed not far from a family member’s house. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He didn’t want to see it slip back into Russian hands.
Conti members tried to walk their statement back, claiming they weren’t supporting any government, but Danylo had heard enough.
Asked again why he dumped the Conti data, Danylo said with a laugh: “To prove that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for cigarettes and looking to the sky for signs of the next air raid.
Contacted by the FBI
Conti is exactly the type of prolific ransomware group that President Joe Biden last year exhorted Russian President Vladimir Putin to bring to heel amid a spate of attacks on US critical infrastructure.
After he started leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop. Exposing Conti infrastructure could, in theory, make it more difficult for the FBI to track the group because it might set up new computer systems.
Danylo has stopped leaking for now. But he says he still has access to some Conti computer systems.
At least one law enforcement official who spoke to CNN would have preferred that Danylo had maintained that covert access, rather than alert the ransomware syndicate to his presence by leaking the data.
“Publicly releasing information like [the leaker did] is reckless,” a US law enforcement official told CNN. “Working cooperatively with law enforcement can achieve a more substantial and lasting impact in disrupting the operations of groups like Conti.”
But John Fokker, a former cybercrime investigator with the Dutch police, said the leak could actually be useful to cops chasing cyber crooks.
“Yes, infrastructure can be burned. However, the amount of data provided in the leaks make me confident that law enforcement got the information they need to write indictments on key individuals,” said Fokker, who works closely with European law enforcement as head of cyber investigations at security firm Trellix.
A catalog of misdeeds
The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.
CNN evaluated and translated the original cache of documents that Danylo shared with the world via Twitter.
The communications show Conti members, each going by aliases in the chat logs, discussing the wisdom of extorting US small businesses, seemingly refraining from hacking Russian targets, and taking an interest in a journalist writing about Navalny, the Russian opposition figure who has been jailed and poisoned.
Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which happens to be home to local FSB offices, according to Kimberly Goody, director of cyber crime analysis at security firm Mandiant.
“Generally speaking, it would be relatively unsurprising to learn that an operation as extensive as this would not in some way be leveraged as an asset [by the Russian government] at a point in time,” Goody told CNN.
‘It’s my work’
Cyberattacks have played a supporting role in the war in Ukraine. The White House has accused the Russian GRU military intelligence agency of knocking key Ukrainian government websites offline prior to the invasion. (A charge the Kremlin denies.) US officials are also investigating a hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a potential Russian state-sponsored hack, CNN previously reported.
For its part, the Ukrainian government has encouraged an “IT army” of volunteer hackers in Ukraine and abroad to conduct cyberattacks on Russian organizations.
In the free-for-all that is Ukrainian cyberspace, combatants like Danylo engage on their own terms.
After weeks of living the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.
Tomi Engdahl says:
Financial Times:
Sources: Masayoshi Son told SoftBank leadership that the company needs to slow investments, amid the war in Ukraine, falling tech stocks, and China’s crackdown
SoftBank to slow investments following crash in tech holdings
https://www.ft.com/content/9ad348de-f9aa-4673-ac52-272e325e3884
Tomi Engdahl says:
https://krebsonsecurity.com/2022/03/pro-ukraine-protestware-pushes-antiwar-ads-geo-targeted-malware/
Tomi Engdahl says:
Ukraine war: How reliant is the world on Russia for oil and gas?
https://www.bbc.com/news/58888451
President Vladimir Putin has threatened to cut gas supplies to “unfriendly” countries if they don’t start paying for gas imports in Russian roubles.
The US, EU, and UK placed restrictions on oil and gas imports from Russia after it invaded Ukraine in February.
What sanctions are there on Russian oil and gas?
The US has declared a complete ban on Russian oil, gas and coal imports.
The UK is to phase out Russian oil by the end of the year, and the EU is reducing its Russian gas imports by two-thirds.
The UK government says this allows enough time for it to find alternative supplies.
Deputy Russian Prime Minister Alexander Novak has said rejecting Russian oil would lead to “catastrophic consequences for the global market”.
Oil and gas prices have risen since the invasion of Ukraine, and if Russia were to halt exports they could rise further.
Tomi Engdahl says:
Could Ukraine ‘win’ the war? And other questions
https://www.bbc.com/news/world-60945122
Tomi Engdahl says:
US satellite operator says persistent cyberattack at beginning of Ukraine war affected tens of thousands of customers
https://amp.cnn.com/cnn/2022/03/30/politics/ukraine-cyberattack-viasat-satellite/index.html
Tomi Engdahl says:
Mark Hannah / Foreign Policy:
Journalists and media outlets in the US tend to be war hawks as they rely on military sources, not on civil society voices, and think war is morally clear-cut — The United States’ most reputable media outlets have a long history of tilting toward military action.
Why Is the Wartime Press Corps So Hawkish?
The United States’ most reputable media outlets have a long history of tilting toward military action.
https://foreignpolicy.com/2022/03/30/ukraine-war-media-coverage-hawkish-journalism/
Armed conflict has a way of bringing out both the best and the worst in U.S. journalism. Since Russia invaded Ukraine, war correspondents have courageously delivered battlefield news reports that lay bare Russian President Vladimir Putin’s brutality. Yet many journalists and commentators—most of whom live comfortably removed from the front lines—have lately been calling on the United States to escalate its involvement in dangerous ways. Leading national security journalists have openly suggested that the U.S. military simply bomb Russian convoys or enact a no-fly zone over Ukraine, which would require shooting down Russian planes. The White House press corps has barraged the White House press secretary with questions, practically goading the president to intervene. Some frame the war as a matter of existential importance for U.S. security, comparing failure to intervene with appeasing former Nazi dictator Adolf Hitler.
These calls for the United States to join the fight seem especially shocking and glib, considering the serious dangers of conflict between two nuclear-armed powers. As the Atlantic Council’s Damir Marusic explains, even minor skirmishes can escalate to nuclear exchanges terrifyingly fast. Given these risks, U.S. President Joe Biden has been understandably cautious—a trait that doesn’t always play well in a polarized news culture. Fox News invited a Ukrainian official to characterize the president making the no-fly zone decision as “afraid” and a Republican senator to call it “heartless.” The Wall Street Journal editorial board thinks Putin has “succeeded in intimidating Mr. Biden” with the threat of nuclear escalation. Meanwhile, the American people are not fully informed on the details or likely consequences of such an action. Polling finds Americans supportive of a no-fly zone at first glance, with support for the idea dropping like a rock once pollsters explain it would almost certainly result in an honest-to-goodness shooting war with Russia.
In times of war, the United States’ most reputable journalists and media outlets have a long history of tilting toward military action.