Cyber Intelligence Report
This report contains selected cyber-security information from 19th April to 3rd May 2024.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 3rd May 2024.
Cyber Intelligence: Russia Collaborates With Cyber Criminals
Synopsis
1. There are reports on how closely some Russian state hackers and criminal hackers are integrated. Russia attempts more cyberattacks against Ukraine and American water plants. Ukraine hacks a Russian ISP, while Belarusian partisans hack the Belarusian KGB. China does leverage companies like TikTok. The Great Firewall of China hides DNS attacks. What happened to ‘London Drugs’?
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets, including perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
How Much Integration Is There Between Cyber Crooks and Governments?
3. A recent report by ‘Trend Micro’ observes that nation-state hackers and cybercriminals can coexist in the same router botnet. Ubiquiti EdgeRouter devices were compromised by a criminal ‘botnet’ called ‘MooBot’. “In April 2022, the APT group Pawn Storm (also known as APT28 and Forest Blizzard) managed to gain access to the bots in this botnet,” … “which it used for its own persistent espionage campaigns.” … “Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest” … “hiding traces of their presence and making detection of malicious activities more difficult.” [1] In this example the principal attackers are ‘Pawn Storm/APT 28’ (a Russian state-sponsored group), a financially motivated group called the ‘Canadian Pharmacy gang’, and the Ramnit group. [2]
4. In addition to hiding their hacking communications, the ‘MooBot’ network of compromised devices was used for:
• Secure Shell (SSH) brute forcing;
• pharmaceutical spam;
• employing Server Message Block (SMB) reflectors in NTLMv2 hash relay attacks;
• proxying stolen credentials on phishing sites;
• multi-purpose proxying;
• cryptocurrency mining; and
• sending spear-phishing e-mails. [3]
5. Apparently the MooBot network has been in operation since ‘at least 2016’. Recently it was detected and shut down by law enforcement. During its operations, it collected a wide range of data about the compromised devices, which included:
• any Linux-based internet-facing router, especially those shipped with default credentials;
• Raspberry Pi devices; and
• VPS servers. [4]
6. Analyst’s Comment: The Trend Micro report inferred that the Russian government group Pawn Storm/APT 28 was the principal user of MooBot, with the criminal groups active at different times. The criminal activity would provide the Russian government with ‘plausible deniability’ for its hacking and espionage activities.
Russia vs Ukraine Cyberattacks
7. Russia: Security experts at Deep Instinct Threat Lab uncovered a cyberattack against Ukraine that used a Microsoft Office vulnerability. “The lure contained military-related content, suggesting it was targeting military personnel. … The Deep Instinct Threat Lab could not attribute the attacks to a known threat actor. Evidence collected by the experts demonstrates the sample originated from Ukraine, a Russian VPS provider hosted the second stage, and the Cobalt beacon C&C was registered in Warsaw, Poland.” [5] The attack was detected on its first day of activity.
8. On 25th April, the ‘People’s Cyber Army of Russia’ claimed responsibility for a cyberattack on the wastewater treatment plant in Tipton, Indiana. Local media reports say the attack was detected and the plant was switched to manual control before any damage could be done. [6] The group has also claimed credit for three cyberattacks on local water facilities in the rural Texas Panhandle. The attackers have been linked to the Russian government, although they are usually assessed as ‘volunteer’ or ‘patriotic’ groups. [7]
9. Ukraine: On 27th April, Ukrainian news organization ‘Online.UA’ reported that “the Ukrainian hacking group BO Team and the Main Directorate of Intelligence carried out a hacking attack on the Russian company JSC MTT, which is a subsidiary of PJSC MTS.” [8] The company is a major Russian service provider. The report states the hack caused Internet service outages in eight locations, including Moscow and Saint Petersburg. BO Team is known for its cyberattacks on Russian resources, in particular payment systems.
10. Belarus: In a geopolitically related cyberattack, the ‘Belarusian Cyber-Partisans’ group claims to have infiltrated the network of Belarus’s main security agency, the KGB. On 26th April, “the website of the Belarusian KGB showed an empty page that displayed the message ‘in the process of development’” [9] … . The group “published a list of the website’s administrators, its database and server logs on its page in the messaging app Telegram.” Further, they claim to have “accessed personnel files of over 8,600 employees of the organization …” [10]. According to Security Affairs: “The official website of the KGB of the Republic of Belarus has not been working for more than 2 months. And all because the Cyber Partisans got there in the fall of 2023 and pumped out all the available information.” [11] Belarusian Cyber-Partisans is a hacktivist group formed in the wake of the disputed 2020 election. They have targeted Belarusian government institutions, Belarusian state media, and Belarusian Railways multiple times, seizing control of its traffic lights and control system.
China
11. The Australian Strategic Policy Institute (ASPI) says “Chinese tech companies that serve as important links in the world’s digital supply chains are helping Beijing to execute and refine its propaganda strategy” … “Chinese tech brands – like rideshare operator Didi Chuxing and e-tailer Temu – enable Beijing to learn about consumer habits, societal characteristics of nations in which they operate, and even how people in different places make decisions.” The objective of the Chinese Communist Party is “to gain insight into societal trends and preferences, and thereby improve its propaganda.” The authors reached their conclusions by “mapping links between the CCP, state-owned or controlled propaganda entities, and their data-collection activities”, including investments in Chinese businesses. [12]
12. Analyst’s Comment: This parallels Russia’s leveraging of cybersecurity contractors to maximize cybersecurity effectiveness. The American concern about TikTok would appear to be well founded.
13. A new Chinese cyber actor has been identified and labelled ‘Muddling Meerkat’. This group appears able to control China’s Great Firewall (GFW). Infoblox says the group’s operations are complex. They “elicit fake DNS MX records from the firewall, a technique not previously reported.” … “They leverage open DNS resolvers and cleverly use super-aged domains to blend with regular DNS traffic, evading detection and demonstrating a deep nuanced understanding of DNS and security measures.” [13] Stated another way, they can manipulate e-mail (MX) records, avoid DNS blocklists, and blend in with old malware traffic. When an investigator examines their data, they may conclude “oh, it’s just the GFW.” “Every detail of Muddling Meerkat operations demonstrates sophistication and deep knowledge of DNS. The activity includes behaviour not previously reported for the GFW, the nature of which ties the actor to Chinese nation state actors,” [14] Infoblox notes.
Canada
14. London Drugs: On Sunday, 28th April, ‘London Drugs’, a British Columbia-based retail and pharmacy chain with eighty outlets from B.C. to Manitoba, closed all of its stores due to an “operational issue”. One of the company’s social media posts read: “Pharmacists are standing by to support with urgent pharmacy needs,” … “We advise customers to phone their local store’s pharmacy to make arrangements.” On Monday, 29th April, the company said to ‘The Register’: “As a necessary part of its internal investigation, London Drugs phone lines have been temporarily taken down and will be restored as soon as the investigation permits it. Unfortunately the store’s phone system was down at that time.” [15] Their telephone system appears to have been restored three days later and was working on 2nd May (at the time of writing).
15. ‘London Drugs’ has not released any details of what happened. Their press release states: “Upon discovering the incident, London Drugs immediately undertook countermeasures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation.” [16] After four days closed, speculation has begun as to whether personal data has been compromised and what that could mean for customers. A CTV News Vancouver report also notes the failure of the federal government to address either this incident or cybercrime in general. [17] Analyst’s Comment: Given the ransomware attacks on other Canadian medical organizations, the Empire group attack, and more recent cyberattacks on healthcare in the United States, this attack should have been foreseen. At a minimum, backups should have been in place to swiftly re-establish access to customers’ medical data. As for the lack of acknowledgement or reaction from the federal government, we are wondering what it will take to get a response from political leadership.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org