Cyber Intelligence Report
This report contains selected cyber-security information from 22nd March to 4th April 2024.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 4th April 2024.
CyberWarfare: Russia, Ukraine, China and Microsoft?
Synopsis
1. Russia ‘phishes’ German political parties. Russian volunteer hackers cyber-attack Slovenia. Ukraine has another successful cyber-campaign against Russia and recognizes volunteer hackers. China behind the massive cyber-espionage campaign of APT 31. Microsoft’s Exchange Server (email server) is having security issues. A new bad actor is deploying credential-stealing malware.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets and against perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
Russia’s Cyber-Attacks
3. Mandiant, a U.S. cyber-security firm, is warning that APT 29, a hacking team linked to Russia’s Foreign Intelligence Service (SVR), is targeting German political parties with a phishing campaign. The phishing lure was an invitation from the Christian Democratic Union (CDU), a German political party, to a dinner reception. The campaign is designed to deliver a new ‘backdoor’ tracked as ‘WINELOADER’.1 Mandiant warns: “This is the first time we have seen this APT 29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. … APT 29’s malware delivery operations are ‘highly adaptive, and continue to evolve in lockstep with Russia’s geopolitical realities.’ ”2
4. On the 29th of March “A Russian cybercriminal group known as Cyber Army Russia Reborn … took responsibility for a recent spate of cyberattacks in Slovenia.” The attacks targeted ‘several government bodies’ and the ‘public broadcaster’. The reason for the attack was Slovenia’s support for Ukraine.3
Ukraine Cyber Attacks
5. According to Microsoft: “In early March, DI (Defence Intelligence) hackers launched a massive DDoS attack on the servers of the Russian Ministry of Defense. They gained access to data and documents, including classified ones. … Recently, hackers intercepted correspondence between the head of the Russian parliament Vyacheslav Volodin and the Kremlin leader Vladimir Putin. Volodin proposed to Putin to strengthen control in Russia and confront Western countries after the ‘election’.” “On March 23rd cyberattacks were carried out on servers of the aggressor state authorities”, specifically the websites www.avard.gov.ru (state awards of the Russian Federation), www.gov.ru (Russian state authorities), and fso.gov.ru (the website of the Federal Protective Service (FSO) of the Russian Federation, not to be confused with the FSB).4
6. Analysts Comment: The operational security of Ukraine’s Cyber Forces remains very good, which limits the amount of information we see on their campaign(s). What we do see implies:
• Ukraine’s cyber forces are maintaining consistent access to Russia’s Internet,
• a high level of operational planning and selective targeting, and
• a good success rate.
7. Ukraine Recognizes Supporting Hackers: Kristopher Kortright, an IT worker from Michigan, and his team of ‘vigilante hackers’ called ‘One Fist’ have been recognized by Ukraine for their cyber-attacks against Russia. “One Fist is made up of hackers from eight different countries including the UK, US and Poland. They have collectively launched dozens of cyber-attacks – celebrating each one on social media. … One Fist, has stolen data from Russian military firms and hacked cameras to spy on troops. … Although many nations, including the UK and the US, have official award systems for ethical hacking, this is thought to be the first time a country has awarded hackers for malicious and possibly criminal hacks. … certificates were sent to them all for “a significant contribution to the development and maintenance of vital activities of the military”. They were signed by the commander of the Airborne Assault Forces of Ukraine. … Kristopher recognizes that receiving military awards is controversial, but is determined to keep hacking for Ukraine.”5
8. Analysts Comment: Hackers crave recognition, in many cases more than they crave money. This act of recognition will increase morale and probably increase participation in Ukraine’s volunteer cyber army. The cyber-attacks documented in the article, together with the recognition, imply that the group’s hacks are a significant contribution to Ukraine’s war effort.
China’s cyber-espionage hackers, APT 31
9. On 27th March Finnish Police attributed the 2020–2021 cyber-attack on the Finnish Parliament to ‘China’s APT 31’. The intrusions occurred between autumn 2020 and early 2021. Finnish Police described the attacks as: “aggravated espionage, aggravated unlawful access to an information system, and aggravated violation of the secrecy of communications. … The multi-year investigation revealed a complex criminal infrastructure used by the nation-state actors.”6
10. The Finnish cyber-attack is one of a series of cyber-attacks that caused the United States and Britain to file charges against Chinese individuals and companies tied to a hacking group identified as APT 31. Reuters describes the hackers as: “a collective of Chinese state-sponsored intelligence officers, contract hackers and attendant staff that engage in hacking activities and “malicious cyber operations. … The group, also known as Zirconium, operated through a front company, Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), from at least 2010 until January 2024.”7
11. The scope of the cyber-attack is massive.8 “The conspiracy involved over 10,000 malicious emails across multiple continents in a ‘prolific global hacking operation’ … APT31 and Chinese security authorities targeted thousands of U.S. and foreign politicians, foreign policy experts and others“.9 China denies the charges. “We urge the U.S. and British sides to stop politicizing the issue of cybersecurity, stop slandering and smearing China and imposing unilateral sanctions, and stop cyber-attacks against China.”10
Microsoft Exchange Security Issues
12. Background. Many accountants, corporate executives and governments insist that there is increased value, lower risk and net lower cost in using Microsoft Exchange Server for email and collaboration than in Open Source Software or other proprietary software. They have assumed that a large corporation will deliver better and more consistent support than the alternatives.
A. The BSI (German Federal Office for Information Security) is trying to get German organizations to patch Microsoft Exchange Servers in a timely manner. “The German Federal Office for Information Security (BSI) has issued an urgent alert about the poor state of Microsoft Exchange Server patching in the country. The government regulator says there are 17,000 or more Exchange Server instances in Germany vulnerable to at least one critical vulnerability, out of around 45,000 public-facing servers in the Euro nation running the software. Of these servers, 12 percent are running a version of Exchange Server that is ordinarily no longer supported, such as Exchange 2010 and 2013, and around a quarter are running Exchange 2016 and 2019 but without vital patches – meaning at least 37 percent are classed as “vulnerable.”11 According to the report in The Register, BSI is emailing network providers daily, requesting that they patch their systems.
Analysts Comment: These statistics can serve as a baseline for other countries, suggesting that many Microsoft Exchange servers globally are running unsupported versions or are missing patches. That in turn implies that publicly known critical Exchange vulnerabilities, for which fixes already exist, remain available to hackers for exploitation.
B. A review of the June 2023 attack by Chinese hackers “Storm-0558” on Microsoft’s Exchange Online hosted email service, conducted by the Cyber Safety Review Board (CSRB), a US government body administered by the Cybersecurity and Infrastructure Security Agency (CISA), calls for “rapid cultural change” at Microsoft. The CSRB found “that the incident would have been preventable save for Microsoft’s lax infosec culture and sub-par cloud security precautions.” The success of the attack was attributed to a “cascade of Microsoft’s avoidable errors.” Issues at Microsoft meant “the attacker was able to create tokens that allowed it to access Microsoft clients – such as the US State Department.” The report said Microsoft “did not prioritize security risk management at a level commensurate with the threat and with Microsoft technology’s vital importance to more than one billion of its customers worldwide.”12, 13
13. Analysts Comment: Full disclosure. I have not been a fan of Microsoft since the early 1990s. That said, the failures listed and the language of the report damn Microsoft thoroughly, much worse than my critiques. When the U.S. report is taken together with the German government’s report, the inference is that there are serious security risks for any organization using Microsoft Exchange Server, even if the system is fully patched and up to date. If Microsoft’s attitudes towards security are that bad, it’s time for organizations to rethink their dependence on Microsoft or prepare for the consequences.
New ‘Bad Actor’ Deploying Credential Stealing Malware
14. Researchers at Palo Alto Networks’ Unit 42 threat intelligence arm have detected a campaign delivering an evolving information stealer called ‘StrelaStealer’. In November 2023 over 250 U.S. organizations and just under 100 European organizations were hit. These numbers doubled in January 2024 and returned to November levels in February. “StrelaStealer targets email credentials, … sending it back to the attacker’s command and control (C2) server.”14 The campaign uses spear phishing with ZIP file attachments. StrelaStealer’s operators are unknown.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org