Cyber Intelligence Report
This report contains selected cyber-security information from 18th to 30th October 2024.
This report is TLP:CLEAR1 and MAY be shared freely.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 1st November 2024.
Cyber Intelligence: Russia, Iran and the State of Cyber Crime
Synopsis
1. New Russian cyber campaigns targeted Governor Walz and Ukraine. Russia’s ruling party admitted it got DDoSed – as did its Foreign Ministry. Japan and Taiwan were targeted by Russian Hackers. Hezbollah invites attacks on Israeli hospitals. Iran DDoSes Israeli Credit Card System. ‘Sophisticated’ PRC Threat Actor is Scanning Canadian Internet Domains. A summary of the State of Cyber Crime in Canada.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets and against perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
Russia vs Ukraine
3. U.S. Political Disinformation. On 22nd October the U.S. Office of the Director of National Intelligence said the intelligence community had found Russian disinformation groups behind recent “manufactured and amplified inauthentic content claiming illegal activity” targeting Governor Tim Walz. “At least four separate claims have been spread since early October.”2 All of the claims have been traced back to known spreaders of disinformation working for Russia. The content was carried on ‘X’ and ‘Rumble’; neither company responded to queries.
4. New Email Campaign. On 26th October the Computer Emergency Response Team of Ukraine (CERT-UA) announced it had identified a new malicious email campaign targeting Ukrainian government agencies, enterprises and the military. The emails carry Remote Desktop Protocol connection files (‘.rdp’) as attachments. “Once executed, the RDP files establish a connection with a remote server, enabling the threat actors to gain remote access to the compromised hosts, steal data, and plant additional malware for follow-on attacks.”3 The activity has been attributed to APT29, also tracked as UAC-0215, a known Russian government hacking group.
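Because an .rdp file is plain text (one “key:type:value” setting per line), a mail gateway or analyst can triage such an attachment before anyone double-clicks it. The following Python is an added example, not CERT-UA’s or the report’s own tooling: it parses the file, checks whether the target host is on an allow-list, and flags the standard .rdp settings that hand a remote server access to local drives, clipboard, smart cards or printers. The two sample files, the hostname `rdp.attacker.invalid` and the allow-list `corp.example` are constructed for the example; the list of flagged keys is the usual defender checklist, not a statement about which settings this campaign’s files actually set (the report does not say).

```python
"""Triage an emailed .rdp connection file: where it connects and what it shares.

Added example, not CERT-UA's or the report's own tooling. Windows .rdp files are
plain text, one "key:type:value" setting per line (type s=string, i=integer, b=binary).
"""
from __future__ import annotations
import re

# Constructed sample shaped like the attachments described above. The hostname and
# the chosen settings are invented; the report does not publish the real ones.
MALICIOUS_RDP = """\
screen mode id:i:2
full address:s:rdp.attacker.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Update
username:s:user
"""

# Constructed benign sample pointing at an in-house VDI host with no redirection.
BENIGN_RDP = """\
screen mode id:i:2
full address:s:vdi.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

# Standard .rdp keys that give the remote server access to local resources, and the
# value test that makes each one worth flagging. This is the usual defender checklist,
# not a claim about which keys the campaign's files set.
RISKY_KEYS = {
    "drivestoredirect": lambda v: v not in ("", "0"),    # local drives exposed to the server
    "devicestoredirect": lambda v: v not in ("", "0"),   # plug-and-play devices exposed
    "redirectclipboard": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",            # smart-card auth relayed to the server
    "redirectprinters": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",         # RemoteApp: no visible remote desktop
}

LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict[str, str]:
    """Return {key: value} for every well-formed setting line (keys lower-cased)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # malformed lines are ignored, as mstsc itself ignores them
            settings[m["key"].lower()] = m["value"].strip()
    return settings


def assess_rdp(text: str, trusted_domains: set[str]) -> list[str]:
    """Return findings for one .rdp file; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: list[str] = []
    target = s.get("full address", "")
    host = target.split(":")[0].lower()      # strip an explicit port
    if host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.append(f"connects to untrusted host {target}")
    for key, is_risky in RISKY_KEYS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key}={s[key]}")
    return findings


if __name__ == "__main__":
    trusted = {"corp.example"}  # constructed allow-list of in-house RDP targets
    for name, body in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(name, assess_rdp(body, trusted) or "clean")
```

An untrusted `full address` on its own is worth a block at the gateway; combined with drive redirection or RemoteApp mode it is the pattern described above, where the victim sees little while the server can read their drives. Blocking `.rdp` attachments outright is simpler still where business use does not require them.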
5. Japan Targeted By Russian Hackers. On 14th October two pro-Russian threat groups, NoName057(16) and the Russian Cyber Army Team, began DDoS attacks against Japanese logistics, shipbuilding and manufacturing firms. The cyber-security firm ‘Netscout’ said the Russian hackers “leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets, … As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact.”4 There is speculation that Japan was targeted because its newly elected leadership is seen as unfriendly to Russia and supportive of Ukraine.
6. Taiwan Targeted By Russian Hackers. On 9th September, hackers launched over 50 DDoS attacks targeting Taiwan’s tax, aviation and other agencies. The cyber-security firm ‘Radware’ identified the attackers as “NoName057(16), RipperSec and Cyber Army of Russia (aka People’s Cyber Army)”. The Administration for Cyber Security at Taiwan’s Ministry of Digital Affairs (MODA) has confirmed the participation of the pro-Russia hackers NoName057 and RipperSec. According to Radware, RipperSec “is a pro-Muslim hacktivist group operating from Malaysia”5.
7. Russian Foreign Ministry DDoSed. On 23rd October, as Russia prepared to hold its press conference for the BRICS Summit, its Ministry of Foreign Affairs was hit by a “powerful” distributed denial-of-service (DDoS) attack and the press conference was delayed by several hours. “Russian Federation spokesperson Maria Zakharova said the ministry regularly experiences cyber attacks but called the latest one “unprecedented in scale”.”6 The attacker has not been identified.
8. Russia’s ‘United Russia’ Party DDoSed. On 24th October Russia’s ruling ‘United Russia’ party said on its official Telegram channel “it experienced “massive” distributed denial-of-service (DDoS) attacks on all of its services but assured that the party’s critical digital infrastructure remained operational. … The attack targeted United Russia’s servers, websites and domains, rendering the party’s digital platforms partially inaccessible.”7 The attack was attributed to Ukraine’s military intelligence agency, the GUR. The attack was mitigated in a few hours.
Israel vs Iran
9. Hezbollah Launches Disinformation Campaign Against Israeli Hospitals. Following the bombing of a hospital in Beirut, Israel claimed the hospital had links to Hezbollah including underground ‘bank vaults’. Hezbollah’s response was to post “photos of [Israeli] Carmel and Assuta hospitals on social media. … The posts ask, ‘What is underneath?’ ” A separate post said: “Urgent report! Carmel Medical Center in Haifa. The basement and second floor contain weapons, missile ammunition, and millions of dollars in cash. Take this seriously and target it with precise missiles and drones. God, do not soften toward the enemy.”8 The post included a picture.
10. Iran DDoSes Israel’s Credit Card Industry. On Tuesday, 29th October, Iran launched a distributed denial-of-service (DDoS) attack against Israel’s ‘leading provider of transaction infrastructure and financial information solutions’. The attack ran from 07:00 until 09:50, when it was mitigated. The target was Shva, whose ‘primary focus [is] on clearing credit card transactions’.9 Gil Shwed, the outgoing CEO of the cyber-security firm Check Point, was quoted by Bizportal as saying on Tuesday that “the number and sophistication of [cyber] attacks on Israel are among the highest in the world, with over 2,300 attacks per week—a 100% increase compared to 2023.”10
11. Iran Works At ‘Brute-Forcing’ U.S. And Allied Critical Infrastructure. Cyber-security and intelligence agencies from Australia, Canada and the U.S. are warning that, “Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors … The end goal of these attacks is to likely obtain credentials and information describing the victim’s network”.11 Analysts Comment: This campaign has been running for a year. Iranian hackers have gained access to a few water treatment plants. Although the attacks have been largely ineffective, they show progressive improvement in cyber capability and a political determination to fund and build additional capability. This will be a long-term problem.
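The two techniques named in the advisory leave different footprints in authentication logs, and a detection tuned for one misses the other: brute force is many failures against one account from one source, while password spraying is one or two failures each against many accounts, deliberately staying under per-account lockout thresholds. The Python below is an added example (not from the advisory or the report) that runs both detections over a few constructed log lines and then lists any successful login from a source that was spraying, which is the account to reset first. The log format, IP addresses and usernames are invented for the example.

```python
"""Password-spray versus brute-force detection over authentication log lines.

Added example, not the advisory's or the report's own detection logic. Brute force:
one account, many failures from one source. Spraying: one source, a few failures
each against many accounts, which per-account lockout counters never notice.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified "key=value" shape (not real telemetry).
# 203.0.113.7 sprays one guess per account and then logs in as grace;
# 198.51.100.9 hammers a single account; 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = "\n".join(
    [
        "2024-10-20T08:00:01Z src=203.0.113.7 user=alice result=FAIL",
        "2024-10-20T08:00:03Z src=203.0.113.7 user=bob result=FAIL",
        "2024-10-20T08:00:05Z src=203.0.113.7 user=carol result=FAIL",
        "2024-10-20T08:00:07Z src=203.0.113.7 user=dave result=FAIL",
        "2024-10-20T08:00:09Z src=203.0.113.7 user=erin result=FAIL",
        "2024-10-20T08:00:11Z src=203.0.113.7 user=frank result=FAIL",
        "2024-10-20T08:00:13Z src=203.0.113.7 user=grace result=OK",
        "2024-10-20T08:01:00Z src=192.0.2.5 user=alice result=FAIL",
        "2024-10-20T08:01:05Z src=192.0.2.5 user=alice result=OK",
    ]
    + [f"2024-10-20T08:02:{i:02d}Z src=198.51.100.9 user=admin result=FAIL" for i in range(12)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, src, user, result) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5) -> dict[str, list[str]]:
    """Sources whose failures touch >= min_users distinct accounts inside a sliding window.
    Counts accounts rather than attempts, because a sprayer keeps attempts per account low."""
    recent = defaultdict(deque)          # src -> deque of (ts, user) failures in the window
    flagged: dict[str, set[str]] = {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:     # drop failures that have aged out of the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            flagged.setdefault(src, set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=10) -> dict[tuple[str, str], int]:
    """(src, user) pairs with >= min_attempts failures inside a sliding window."""
    recent = defaultdict(deque)          # (src, user) -> deque of failure timestamps
    flagged: dict[tuple[str, str], int] = {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[(src, user)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= min_attempts:
            flagged[(src, user)] = max(len(q), flagged.get((src, user), 0))
    return flagged


def successes_from_spraying_sources(events, sprays) -> list[tuple[str, str]]:
    """Successful logins from a source already flagged for spraying: reset these accounts first."""
    return sorted({(src, user) for _, src, user, result in events if result == "OK" and src in sprays})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    sprays = detect_spray(ev)
    print("spraying sources:", sprays)
    print("brute force:", detect_brute_force(ev))
    print("logins from spraying sources:", successes_from_spraying_sources(ev, sprays))
```

The thresholds (five accounts or ten attempts in ten minutes) are starting points; a slow spray spread over hours needs a longer window, which is why the spray detector keys on distinct accounts per source rather than on volume. Note that `grace` never appears in the failure list: the first guess succeeded, so only the “success from a spraying source” rule catches her account.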
Canada
12. PRC ‘Threat Actor’ Scanning Canadian Domains. “The Canadian Centre for Cyber Security (Cyber Centre) says a sophisticated Chinese threat actor has performed numerous reconnaissance scans against government organizations.”12 The Cyber Centre says the scans have occurred throughout 2024 and are being run by “a sophisticated state-sponsored threat actor from the People’s Republic of China”. The scans are described as “a low-level but constant cyber threat … against multiple organizations across multiple sectors. … The majority of affected organizations targeted were Government of Canada departments and agencies, including federal political parties, the House of Commons and Senate. They also targeted dozens of organizations, including democratic institutions, critical infrastructure, the defence sector, media organizations, think tanks and NGOs. … While we observe reconnaissance scanning on a near-constant basis, this widespread activity from a sophisticated threat actor against multiple organizations across multiple sectors is an opportunity to increase awareness of the potential threats”.13
13. Reconnaissance scans are the equivalent of a thief ‘casing’ a building to figure out how to break in. They are used to gather information, look for vulnerabilities, and can be an indicator of future cyber-attacks.
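‘Casing’ a network looks, in firewall or flow records, like one source touching far more ports on one host (a vertical scan) or one port across far more hosts (a horizontal scan) than any legitimate client would. The Python below is an added example, not the Cyber Centre’s detection logic (the bulletin does not describe any): it buckets connection attempts by source and time window and reports both scan shapes. The record format and all addresses are constructed for the example.

```python
"""Flag reconnaissance scanning in connection-attempt records.

Added example; not the Cyber Centre's detection logic, which the bulletin does not
describe. Vertical scan: one source probes many ports on one host. Horizontal scan:
one source probes one port on many hosts. Both are counted per source inside a
fixed time bucket so that a slow, low-volume scan still accumulates.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/netflow-style records, not real data.
_REC = "2024-10-21T02:00:{:02d}Z src={} dst={} dport={}"
SAMPLE_FLOWS = (
    # one source walks ten ports on a single host
    [_REC.format(i, "198.51.100.23", "192.0.2.10", p)
     for i, p in enumerate((21, 22, 23, 25, 80, 443, 445, 3389, 8080, 8443))]
    # another source checks port 445 on eight hosts
    + [_REC.format(20 + i, "198.51.100.40", f"192.0.2.{i}", 445) for i in range(1, 9)]
    # an ordinary client reconnecting to one web server
    + [_REC.format(40 + i, "203.0.113.50", "192.0.2.10", 443) for i in range(3)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
EPOCH = datetime(2024, 1, 1)  # any fixed reference point works for bucketing


def parse_flows(lines: list[str]) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            flows.append((ts, m["src"], m["dst"], m["dport"]))
    return flows


def detect_scans(flows, window=timedelta(minutes=5), min_ports=8, min_hosts=8):
    """Return sorted (kind, src, target, count) tuples. For a vertical scan the target
    is the probed host; for a horizontal scan it is the probed port."""
    ports_seen = defaultdict(set)   # (bucket, src, dst)   -> {dport}
    hosts_seen = defaultdict(set)   # (bucket, src, dport) -> {dst}
    for ts, src, dst, dport in flows:
        bucket = (ts - EPOCH) // window          # integer index of the time bucket
        ports_seen[(bucket, src, dst)].add(dport)
        hosts_seen[(bucket, src, dport)].add(dst)
    findings = []
    for (_, src, dst), ports in ports_seen.items():
        if len(ports) >= min_ports:
            findings.append(("vertical", src, dst, len(ports)))
    for (_, src, dport), hosts in hosts_seen.items():
        if len(hosts) >= min_hosts:
            findings.append(("horizontal", src, dport, len(hosts)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_scans(parse_flows(SAMPLE_FLOWS)):
        print(*finding)
```

Internet-facing hosts see this constantly from commodity scanners, so the value is in the second step: a source that scans and later reappears in authentication or exploitation telemetry is the one worth an incident ticket, which is the point the Cyber Centre is making when it calls the scans an indicator of future attacks.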
14. Analysts Comment: We have been actively tracking cyber threats from the People’s Republic of China (PRC) since 2012. Even then, there were multiple, overlapping cyber-threats with different objectives. The Canadian Cyber Centre is very late in this warning. Worse, the warning itself is so non-specific and bland that it has not been appropriately covered by Canadian media. The vast majority of Canadians and Canadian organizations will continue to be unaware of the threat.
15. State of CyberCrime in Canada. During the last two weeks the Government of Canada released two cyber-security documents: Statistics Canada (StatsCan) released ‘Impact of cybercrime on Canadian Businesses 2023’ and, on 30th October, the Canadian Cyber Centre released the ‘National Cyber Threat Assessment 2025-2026’. StatsCan reported:
• “[One in] 6 (16%) Canadian businesses were impacted by cyber security incidents”;
• large businesses (-7 percentage points) reported the largest drop in 2023 but remained the most likely to be impacted (30%); and
• the trend is consistent with the UK’s Cyber Security Breaches Survey.
16. While the trends and data may reflect what StatsCan receives, the data does NOT match the UK or any other western country. For example, the UK reported that “50% of businesses experienced some form of cyber security breach in 2023”.14 (See image at right for a breakdown of UK businesses that experienced cyber-crime in 2023.) When the StatsCan data is compared to victim reports such as the Kon Briefing (tracking MOVEit victims)15, the statistics make no sense. We recently attended a local cyber-fraud briefing in Vulcan, AB. In a population of less than 2,000, the R.C.M.P. Detachment reported receiving two to three or more fraud reports per week.16 By any metric, cybercrime in Canada is much worse than reported.
17. This raises the question of: how bad is cyber-crime? Returning to the reporting from the ‘Independent’:
• Cyber-crime is expected to grow by 15% in 2024
• Cyber-crime costs could reach US $10.5 trillion (£8.4 trillion) annually by 2025
• Stated another way, cybercrime is the world’s third largest economy. (See image at right)17
18. Turning to the Canadian Cyber Centre’s ‘National Cyber Threat Assessment 2025-2026’: as bad as its threat descriptions are, they are woefully understated, and some details are simply wrong. For example, one sub-heading states: “Ransomware ecosystem is splintering under law enforcement pressure”18. While law enforcement has enjoyed some notable successes, the return of several major cyber-criminal groups after ‘arrests’, the reappearance of identifiable malicious code and the growth of groups such as ‘Scattered Spider’/‘the Com’ suggest that the ransomware ecosystem is adapting to law enforcement tactics rather than splintering.
19. Analysts Comment: Canadians have an inherent distaste for, and distrust of, ‘reporting to government’. As witnessed in Vulcan, this extends to being personally scammed in a cyber-fraud19. Across more than a decade in cyber-security we have seen many Canadian organizations refuse to take cyber-threats seriously or admit they were hacked, even as their business collapsed around them. Canadians are often convinced they are ‘the only ones dumb enough to get hacked’ because they see very little in the media and virtually nothing from their governments. Unfortunately, this reluctance to report cybercrime is highly likely to continue until something happens to make voters demand that governments take action.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org