Cyber Intelligence Report
Cyber-security information from 18th February to 3rd March 2023.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – March 3, 2023.
Cyberwarfare: Russia vs Ukraine : The Tempo Increases
This report contains selected cyber-security information from 18th February to 3rd March 2023.
Synopsis
1. Dutch Intelligence says that most of Russia’s cyber attacks are NOT public knowledge. Russia ups the tempo of its cyberattacks, has some success, but takes some hits in return. Russia’s actions are driving changes in the criminal cyber community. A ‘White Hat Hacker’ is charged with … hacking.
2. Russian ‘Courses of Action’ for cyber forces, including allies such as ‘patriotic’, mercenary, and domestic criminal hackers, are assessed as:
Ongoing: Russian cyber forces, including allied forces, have launched a series of cyber campaigns against both strategic targets and general targets as well as vulnerable governments.
Worst Case Scenario: President Putin decides to focus Russia’s cyber attacks on one country (such as Canada) or a small group of vulnerable countries. Assessed as UNLIKELY.
Best Case Scenario: Russia agrees to cease or is forced to cease offensive cyber operations. Assessed as VERY UNLIKELY.
Russia
3. Cyber Offence: Dutch Intelligence is warning that many of Russia’s cyber attacks on Ukraine and NATO have not been publicly disclosed. The Dutch General Intelligence and Security Service (AIVD), and the Military Intelligence and Security Service (MIVD) released a report that says:
“Before and during the war, Russian intelligence and security services engaged in widespread digital espionage, sabotage and influencing against Ukraine and NATO allies.” reads the joint report. “The pace of Russian cyber operations is fast and many of these attempts have not yet become public knowledge. … By far the largest part of Russian cyber operations is aimed at espionage to obtain military, diplomatic and economic information from both Ukraine and NATO allies.”
“To hide their involvement in covertly spreading disinformation and propaganda through digital channels, Russian intelligence services employ many techniques they also use for cyber operations.” concludes the report. “In the case of the Information Operations Troops (VIO) of the Russian military intelligence service GRU, … the same units that are responsible for both cyber operations and covert influence.”
4. The Computer Emergency Response Team of Ukraine (CERT-UA) is warning that on February 23rd Russian cyber attackers managed to breach and plant backdoors in multiple Ukrainian government web sites. The attackers used the HoaxPen and HoaxApe backdoors. The hackers also used the SSH backdoor CredPump (a PAM module) to obtain remote SSH access (via a static password value) and to log the logins and passwords of users connecting over SSH. Analyst’s Comment: This is not the first time Russia has managed to access the Ukrainian government’s web portals. Security sources suggest that Russian access was removed within 24 hours.
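One way a defender can check for this class of implant, as an added example that is not part of the report or of CERT-UA’s material: a PAM-module SSH backdoor is loaded through the service entries in /etc/pam.d/*, so the script below parses PAM configuration text and flags modules that are not in a known-good baseline, are loaded by absolute path, or sit as an ‘auth sufficient’ rule that could short-circuit real authentication. The baseline set, the module name pam_cache.so and the sample configuration are constructed assumptions for illustration.

```python
"""Audit PAM configuration text for unexpected authentication modules."""
import re
from pathlib import Path

# Assumed baseline of modules expected in an sshd PAM stack (adjust per distro).
BASELINE_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_keyinit.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_motd.so", "pam_limits.so",
    "pam_permit.so", "pam_deny.so", "pam_faildelay.so", "pam_sepermit.so",
    "pam_systemd.so", "pam_mail.so", "pam_lastlog.so",
}

# PAM line: [-]type  control  module-path  [args]; control may be bracketed.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample resembling /etc/pam.d/sshd with one planted module.
SAMPLE_SSHD = """
# constructed sample, not a real system file
auth       sufficient   /lib/security/pam_cache.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
"""

def parse_pam_config(text):
    """Return (type, control, module, args) tuples; comments and @include are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return entries

def audit_pam_entries(entries, baseline=BASELINE_MODULES):
    """Return (type, module, reasons) for each entry that deviates from the baseline."""
    findings = []
    for mtype, control, module, _args in entries:
        if control in ("include", "substack"):
            continue  # refers to another config file, not a module
        name = module.rsplit("/", 1)[-1]
        reasons = []
        if name not in baseline:
            reasons.append("module not in baseline")
        if "/" in module:
            reasons.append("loaded by absolute path instead of the default module dir")
        if mtype == "auth" and control == "sufficient" and name not in baseline:
            reasons.append("non-baseline 'auth sufficient' can bypass real authentication")
        if reasons:
            findings.append((mtype, module, reasons))
    return findings

def audit_pam_file(path):
    """Audit a real file, e.g. audit_pam_file('/etc/pam.d/sshd')."""
    return audit_pam_entries(parse_pam_config(Path(path).read_text()))
```

Run the audit over every file under /etc/pam.d and reconcile flagged modules against the package manager (for example dpkg -V or rpm -V) before treating a finding as an implant.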
5. Russian hackers continue their supporting operations. On the 16th February ‘KillNet’ claimed they ‘killed’ Lufthansa’s network with a three-million-requests-per-second DDoS attack. On 17th February a series of distributed denial-of-service (DDoS) attacks shut down seven German airports’ websites. A spokesman for the German airports association said: “Again today the airports fell victim to large-scale DDoS attacks. As far as we know, other systems are not affected.” “Anonymous Russia” took responsibility for the DDoS attacks.
6. Other supporting DDoS attacks include:
A. Attacks on NATO sites supporting search and rescue efforts in Turkey.
B. Concurrently, Scandinavian Airlines (SAS) posted a notice warning passengers that a recent multi-hour outage of its website and mobile app was caused by a cyberattack that also exposed customer data. ‘Anonymous Sudan’, which claims to be a group of Islamic hacktivists, took responsibility for the attack.
C. On February 24th Russia’s NoName 057(16) launched ten massive DDoS attacks against Italian government, institutional and organizational web sites. Google’s Mandiant security company described the attacks as “quite sophisticated and difficult to predict” … “was more complicated to manage than those launched so far in Italy by cybercriminals.”
D. Other Russian hacker groups attacked hospitals across a number of countries. An American ‘health network’ in Pennsylvania was attacked by the ‘BlackCat’ Ransomware group. The Lehigh Valley Health Network reported that “the attack has not disrupted operations”.
E. ‘Anonymous Sudan’ attacked nine hospitals in Denmark. Researchers found the group uses a paid cluster of 61 servers hosted in Germany. “The attacks are routed through open proxies to disguise the real origin of the attacks. … Additional evidence” shows the operation is being carefully funded by a willing donor and not “a spontaneous action by activists.” The politically motivated hacktivist group is believed to be based in Russia and is amplified by the country’s hacktivism sphere — including Killnet and Passion Net. Danish authorities reported that Region H hospital’s websites did go down, however, there was no “life-threatening impact on the medical centers’ operations or digital infrastructure.”
7. Russian Cyber Trends: The number and quality of Russian cyber attacks continue to increase. Ukraine has faced an extraordinary number of cyber attacks, described by Wired Magazine as “More Data-Wiping Malware Last Year Than Anywhere, Ever”. The magazine said: “the growing volume of destructive code hints at a new kind of cyberwar that has accompanied Russia’s physical invasion of Ukraine, with a pace and diversity of cyberattacks that’s unprecedented.” Fortinet counted 16 different “families” of wiper malware in Ukraine over the past 12 months, compared to just one or two per year in previous years. Derek Manky, the head of Fortinet’s threat intelligence team, said: “It’s an explosion, another order of magnitude.” ‘We Live Security’ published a timeline showing the names of the viruses, the release dates and which defending organization claimed responsibility for identifying each attack. Analyst’s Comment: This level of activity is significant; however, the only government agency reporting is Ukraine’s Computer Emergency Response Team (CERT-UA). We do not have reports from NATO, U.S. Cyber Command (or any other U.S. agency), EU Cyber Security or any other supporting government. We need to note that the Dutch Joint Intelligence report said there are ‘many more’ attacks ‘that are not public knowledge’.
8. Before the invasion, Russian Criminal Hackers included groups in Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia. Unofficially, sanctuary was offered to the groups as long as they: “Refrain from targeting entities located in the Commonwealth of Independent States, so as to not draw the attention of law enforcement.” The day after the ground invasion began, the Conti ransomware gang declared its “full support of the Russian government”. Ukrainian members of Conti left the group – and Russia – with “one Ukrainian security researcher leaking hundreds of Conti’s internal files. The so-called Conti Leaks then led to the Trickbot leaks, which used information disclosed in the Conti data dump to reveal Trickbot’s senior leadership. In the weeks that followed, Conti reportedly closed up shop.” Recorded Future had additional Key Takeaways in a report:
- Russia is experiencing a wave of IT “brain drain” that will likely decentralize the organized cybercriminal threat landscape.
- International arrests, seizures, and disruptive actions have destabilized the business model associated with ‘commodified’ cybercrime.
- Russia’s war against Ukraine has disrupted the dark web shop and marketplace ecosystems.
- The resurgence of “crowdsourced hacktivism” will likely create a new generation of non-state threat actors.
Ukraine
9. Some of Ukraine’s cyber activity has been visible mostly by inference. For example, during President Putin’s state TV address, the All-Russia State Television and Radio Broadcasting Company (VGTRK) website and the Smotrim live-streaming platform went down during periods of the speech. The ‘IT Army of Ukraine’ claimed credit for the attack, announcing on Twitter: “We launched a DDoS attack on channels showing Putin’s address to the federal assembly: 1TV, VGTRK and SMOTRIM.”
10. Russian authorities claim Ukrainian hackers were behind a woman’s voice being broadcast through a number of radio stations – including Relax FM, Avatoradio, Yumor FM, and Comedy Radio – saying, “Attention, an air raid warning is being announced. Go to the shelter immediately. Attention, Attention, the threat of a missile strike.” in at least 10 cities. The next day (Feb 26th) hacktivists ‘CH01’ defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. Both hacks were ‘very likely’ to have originated with ‘Anonymous’.
11. ‘White Hat Hackers’: Dutch Police arrested three people in a hacking, data theft and blackmail probe. One of the three reportedly works as an “ethical hacker” for the Dutch security organization DIVD, the Dutch Institute for Vulnerability Disclosure. DIVD is an association of security researchers that receives government funding. Analyst’s Comment: This is far from a ‘one time event’. I have observed many cases of questionable behaviour in ‘hackers’, black, white and grey. I believe in reliability checks and security clearances, NOT ‘ethics courses’. Be careful who you trust.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org