Cyber Intelligence Report
This report contains selected cyber-security information from 13th to 26th May 2023.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – 26th May 2023.
Cyberwarfare: Russia vs Ukraine : Russian 'Courses of Action'
Synopsis
1. Russia attempts to attack Ukrainian government bodies through foreign embassies. Russian hackers launched DDoS attacks on Iceland, Poland and Sweden. Four more countries (Ukraine, Ireland, Japan and Iceland) have joined NATO’s Cyber Centre. TikTok really is bad news. Canada issues two cyber alerts.
2. Russia appears to be committed to the following ‘Course of Action’ for its cyber forces:
Ongoing: Russian cyber forces, including allied forces, have launched a series of cyber campaigns against both Ukrainian targets and Ukraine’s allies. Targeting includes strategic and general targets as well as vulnerable governments. Russian cyber attacks against Ukraine’s allies are increasing.
Russia
3. Cyber Attacks on Ukraine: The Computer Emergency Response Team of Ukraine (CERT-UA) warned of spear-phishing emails targeting ‘state bodies’ in the country as part of an espionage campaign. The emails were sent to Ukrainian government organizations from embassies including those of Tajikistan, Mongolia, Kazakhstan, Kyrgyzstan, Israel and India.1 It is not clear from the reporting whether all of the embassies were compromised, or whether some of the compromised systems were outside Ukraine. What is certain is that the targets were all Ukrainian government organizations. CERT-UA attributed the activity to UAC-0063, a Russian government hacking group. Analyst’s Comment: The Foreign Intelligence Service of the Russian Federation (SVR RF) is the organization most often associated with Russian cyber attacks on embassies.
4. Cyber Attacks on Other Countries: On 16th May authorities in Iceland reported ‘cyber attacks on various Icelandic websites’ just after 9 AM. “The website of the Government Office, the Court of Justice, the Communications Office and the Environment Agency were also difficult to access due to the attack and the CERT-IS site was down.” The websites were back in operation within a few hours. According to a notice on the CERT-IS website, the Russian hacker group ‘NoName057’ claimed responsibility for the attacks. The Computer Emergency Response Team for Iceland (CERT-IS) reported: “Distributed attacks (DDoS attacks) were directed against individual websites and hosts, which temporarily suspended many websites” and “that intrusion attempts in the system have been made following a series of scattered attacks.”2 “In addition to attacking government websites, illicit attempts have also been made to access people‘s electronic identification certificates (rafræn skilríki).”3
5. On 19th May Polish media reported Distributed Denial of Service (DDoS) attacks on media sites including the daily newspapers Gazeta Wyborcza, Rzeczpospolita and Super Express, as well as the online news sites Polityka, wPolityce.pl and Niezależna. Asked whether Russian groups were behind the attacks, Polish Minister of Cyber Security Janusz Cieszynski said “we have such information.”4 The outlets targeted represent a range of political views: wPolityce and Niezależna, for example, are supportive of the ruling party, while Gazeta Wyborcza is strongly critical of it.5
6. Bloomberg reports that since February Anonymous Sudan “has targeted dozens of Swedish airports, hospitals and banks with distributed denial-of-service attacks”. These attacks are “ostensibly in response to the burning of a Koran in front of the Turkish embassy in Stockholm earlier this year.” Truesec, one of Sweden’s biggest cybersecurity firms, launched a ‘closer inspection’ of the attacks. The lead investigator said: “Anonymous Sudan shows signs of being a well-organized unit of Russians with a nuanced knowledge of Swedish politics and social issues. Their apparent motivation is to craft attacks designed to amplify tensions with the country’s Muslim minority and pressure Turkey to stand firm in rejecting Sweden’s bid to join the North Atlantic Treaty Organization. If they were to succeed, it could make Sweden more vulnerable to future attacks.”6
7. Among the clues that Anonymous Sudan is not what it appears to be are:
• the hacker collective Anonymous denies any relationship with the group,
• the group aligns with KillNet, the Russian ‘patriotic hacker network’,
• information on, and the use of, the group’s Telegram channel,
• the group’s funding (its ability to hire 61 German servers),
• as well as timings and methodologies (Tactics, Techniques and Procedures).
8. The evidence has led an independent researcher to assess that “the timing and organization of the attacks, the hackers’ knowledge of religious and political friction points in Sweden, and the attacks’ similarities to other Russian influence operations led her to conclude that the group was controlled or guided by Russia’s intelligence services.”7
9. One effect of Russia’s international hacking efforts is that four more nations have joined NATO’s Cyber Centre. On May 17th, Ukraine, Ireland, Japan and Iceland joined NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE).8 The organization is located in Tallinn, Estonia, conducts research, training and exercises in the field of cyber defence, and provides a platform for sharing expertise and best practices.9 The CCDCOE recently conducted the annual Locked Shields cyber defence exercise, in which Red Teams compete against Blue Teams tasked with defending a country’s information systems and critical infrastructure from large-scale attacks.10
10. A Russian IT worker, Yevgeny Kotikov, has been sentenced to three years in a penal colony and ordered to pay 800,000 rubles (about $10,000) for participating in pro-Ukraine denial of service attacks against Russian government websites. Russia’s Federal Security Service (FSB) accused Kotikov of supporting Ukraine at the outset of the invasion. Colony settlements are essentially labour camps, which make up the majority of Russia’s prison system.11 Russia has prosecuted other hackers for the same offence, but they received three-year suspended sentences rather than custodial ones. Independent security researcher Oleg Shakirov said “The conflict with Ukraine was apparently an important factor that contributed to the severity of the sentence. The authorities would like to deter Russians from helping the Ukrainian cause, including in cyberspace.“12
11. Last year Australian health insurer Medibank suffered a landmark data breach which exposed the personal data of its 9.7 million current and former customers to Russia-based attackers. Australian Federal Police (AFP) commissioner Reece Kershaw revealed that the AFP shared key information with the Russian state regarding individuals and groups related to the hack, and that Russia has not returned the favour. Kershaw said interactions between Russian and Australian police are a “one-way street”, and suggested Russia’s refusal to co-operate provides a safe haven for cyber criminals targeting Australia. Kershaw and the AFP have not publicly announced who they think carried out the attack, but common speculation points to the notorious Russia-linked ransomware gang REvil.13 The Russian authorities have previously provided information on hackers and have surrendered some hackers to western authorities.
China
12. An article in Security Weekly reported that a former TikTok executive has alleged that the Chinese government does have access to TikTok data. The former executive made a “raft” of allegations against his former employer, including that “it stole content from competitors like Instagram and Snapchat, and served as a “propaganda tool” for the Chinese government by suppressing or promoting content favorable to the country’s interests. … and scraped data from U.S. users when they were abroad”. The statements were filed by Yintao Yu as part of a wrongful termination lawsuit filed earlier this month in San Francisco Superior Court. Yu claims he was fired for disclosing “wrongful conduct” he saw at the company. “In the complaint, Yu alleges the Chinese government monitored ByteDance’s work from within its Beijing headquarters and provided guidance on advancing “core communist values.” Yu said government officials had the ability to turn off the Chinese version of ByteDance’s apps, and maintained access to all company data, including information stored in the United States.”14
13. Analyst’s Comment: The Chinese government’s network regulations require any organization operating in China to provide the government access to its network. Warrants or other judicial processes are not required. Based on Chinese regulations and the observed activities of the Chinese government over a number of years, I assess Yintao Yu’s complaint as very probably (70-89%) true. Stated another way, it does not matter whether TikTok’s user base understands the issues; there are serious security implications for anyone using or exposed to the platform.
Canada
14. Canada issued two cyber alerts during the last two weeks. The first alert was issued by the Bank of Canada, which said in its annual review of Canada’s financial system: “A successful cyberattack in one part of the financial system could quickly spread to other parts and threaten overall financial stability … A severe incident could disrupt the delivery of services, cause major damage to compromised institutions and weaken public confidence in the financial system … This is particularly the case if the targeted supplier provides a critical service, such as telecommunications, to a large commercial bank or a prominent financial market infrastructure.”15
15. In the second ‘Alert’ the Communications Security Establishment (CSE) joined its Five Eyes cyber security partners in warning that China is attacking critical infrastructure. The campaign has been named “Volt Typhoon”. The extent and the objective of the campaign are not yet clear. What makes Volt Typhoon particularly hard to detect is that it uses tools built into the victim’s operating system to accomplish its objectives, a technique called ‘Living off the land’: because the binaries are legitimate and already present, signature-based tooling has little to match on, and defenders must instead look at how, by whom and from what parent process those tools are invoked.16 The Joint Cybersecurity Advisory does not say who is being targeted. It does say the actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure its activity.17 By inference the range of targets runs from very big (critical infrastructure) to small business.
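The following is an added example of the detection approach that ‘Living off the land’ forces on defenders; it is not code from the Joint Advisory, from CSE or from CIDC. It scores Windows process-creation events (a simplified 4688-style key=value format, constructed here, not real telemetry) by pairing a built-in binary with the argument pattern or parent process that makes its use suspicious. The rule set is a small, generic selection of well-known built-in-tool abuse patterns (port-proxying with netsh, remote execution with wmic, directory database extraction with ntdsutil, registry hive export with reg, a shell spawned by a web-server worker) assumed for illustration; it is not the advisory’s indicator list, and the host names, users and paths in the sample events are invented.

```python
"""Score process-creation events for living-off-the-land (LOtL) activity.

Added example, not code from the Joint Advisory or from CSCIS/CIDC. The
sample events are constructed and the rules are assumed, generic
built-in-tool abuse patterns, not the advisory's indicators.
"""
import re
from dataclasses import dataclass

# Constructed Windows 4688-style events in key=value form (not real telemetry).
# Values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    r'ts=2023-05-20T03:12:04Z host=WS01 user=SYSTEM parent=C:\Windows\System32\services.exe image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"',
    r'ts=2023-05-20T03:15:41Z host=FW-JUMP user=CORP\admin2 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\netsh.exe cmd="netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.5"',
    r'ts=2023-05-20T03:16:02Z host=FW-JUMP user=CORP\admin2 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\wmic.exe cmd="wmic /node:10.0.0.7 process call create cmd.exe /c whoami"',
    r'ts=2023-05-20T03:20:19Z host=DC01 user=CORP\admin2 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\ntdsutil.exe cmd="ntdsutil ac i ntds ifm create full C:\temp q q"',
    r'ts=2023-05-20T03:22:50Z host=WEB01 user="IIS APPPOOL\DefaultAppPool" parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c whoami"',
    r'ts=2023-05-20T03:25:07Z host=DC01 user=CORP\admin2 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmd="reg save hklm\sam C:\temp\sam.hiv"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space chars.
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping the quotes from quoted values."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass(frozen=True)
class Rule:
    name: str    # short label reported in the alert
    image: str   # built-in binary the rule applies to (lower-case basename)
    args: str    # case-insensitive regex over the command line
    weight: int  # contribution to the event score

# Assumed, generic LOtL patterns: a legitimate binary plus the arguments that
# make its use worth a second look. Weights are illustrative.
RULES = [
    Rule("netsh-portproxy", "netsh.exe", r"portproxy\s+add", 5),
    Rule("wmic-remote-exec", "wmic.exe", r"/node:\S+.*process\s+call\s+create", 5),
    Rule("ntdsutil-ifm", "ntdsutil.exe", r"ntds.*(ifm|create\s+full)", 6),
    Rule("reg-save-hive", "reg.exe", r"\bsave\b.*\\(sam|security|system)\b", 4),
]

# A shell whose parent is a web-server worker is suspicious regardless of arguments.
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVER_SHELL_WEIGHT = 4


def score_event(ev: dict) -> tuple:
    """Return (score, [rule names hit]) for one parsed event."""
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmd", "")
    score, hits = 0, []
    for rule in RULES:
        if image == rule.image and re.search(rule.args, cmd, re.IGNORECASE):
            score += rule.weight
            hits.append(rule.name)
    if parent in SERVER_PARENTS and image in SHELLS:
        score += SERVER_SHELL_WEIGHT
        hits.append("shell-spawned-by-server")
    return score, hits


def triage(lines, threshold: int = 4) -> list:
    """Parse and score every line; return events at or above threshold, highest first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.get("host"), "image": basename(ev.get("image", "")),
                           "score": score, "hits": hits})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script flags five of the six constructed events and leaves the routine svchost.exe start untouched. The point of the structure is that none of the rules name a binary alone: svchost, netsh, wmic, ntdsutil, reg and cmd all run constantly on a healthy Windows estate, so the signal lives entirely in the arguments and the parent process, which is where detection engineering for this technique has to spend its effort.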
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org