Cyber Intelligence Report
This report contains selected cyber-security information from the 5th to 18th April 2024.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release : 18th April 2024.
CyberWarfare: Russia, Ukraine, China and Microsoft?
Synopsis
1. Who is right? CBS ‘60 Minutes’ warned of an increase in ransomware attacks, while cyber security company ‘Recorded Future’ said ‘Ransomware as a Service’ (RaaS) is largely over. Russia’s ‘Sandworm’ hacking group has been designated an ‘Advanced Persistent Threat’ (APT44) as its operations expand. Ukraine’s ‘Blackjack’ hacking group hacked a Moscow company’s operational technology. Iran-linked hacking groups warn Israel to prepare for Iranian attacks and claim responsibility for power outages. Some hacked Canadian organizations are struggling to recover.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets and against perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
Are Ransomware Attacks Going to Increase or Decrease?
3. Two different cyber security narratives were released within days of each other, forecasting different prospects for the future. On Sunday 14th April, CBS ‘60 Minutes’ aired a 20-minute segment titled “Why cybersecurity investigators fear ransomware hacks may get worse”. The narrative described the formation of a loose alliance between groups of English-speaking young men and Russia-based cyber criminals, projecting an increase in cybercriminal activity. On 18th April, ‘Recorded Future’, a major provider of cyber security ‘Threat Intelligence’, forecast the end of Ransomware as a Service (RaaS) based on the arrest of members of several prominent RaaS groups.2 Both reports are missing important context.
4. The ‘60 Minutes’ report missed the link between the young hackers and Russian Intelligence services. The FBI “calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more … ‘Scattered Spider’.” Another cyber security company describes ‘Scattered Spider’ as “one of many illicit hacking groups — all part of a sprawling collection of online criminals calling themselves ‘the Community,’ or ‘the Com.’ ” The report notes that the group has exploded in size, now numbering in the thousands, mostly males from thirteen to twenty-five. Russian cybercriminals have taken note of ‘the Com’, “including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. … The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers. … The leadership are– are, you know, people in their 40s, late 30s. They’re people who’ve got experience. They’re people that have a financial background.”3 Analysts Comment: The ‘60 Minutes’ report does not follow the links any further, missing the connections between Russian cyber criminals and Russian Intelligence services. We assess that Russia has an interest in sustaining hacker communities like ‘the Com’ and ‘Scattered Spider’ because they support Russia’s objectives.
5. The ‘Recorded Future’ report points to the arrest of members of the ‘LockBit’ RaaS group. It notes a general decrease in the activities of major ransomware groups, as well as hackers’ rapid and frequent efforts to reconstitute and re-brand. Recorded Future’s speakers expect to see more arrests of criminal hackers as law enforcement ‘catches up’ with criminal hacking activity. Recorded Future projects a major reduction in RaaS operations.4 Analysts Comment: The report got several things correct, but overall it is very optimistic. It misses the depth of criminal organization behind some Russian cybercriminal operations, including the separation of specialists (i.e. malware programmers) from the rest of the organization. It did not take into account Russia’s interest in keeping hacker groups and ransomware groups busy. The Recorded Future webinar also did not account for the impact of greed among ‘wannabe’ hackers.
6. Analysts Comment: The data behind both reports is correct. That said, criminals can be highly adaptive, especially in exploiting technology. We assess:
• Core leadership of several cybercriminal groups remains safe in Russia.
• Most top-tier malware programmers remain ‘at large’, many in Russia.
• Russia will continue to work at keeping hacker groups active.
• Russia will continue to exploit young English-speaking Western hackers.
• Russia will continue to provide ‘safe haven’ for criminal hackers who attack targets outside of Russia.
• Ransomware groups will attempt to re-establish themselves, with some groups probably trying new organization patterns.
• Other hacker attacks will be used until one (or more) new, profitable criminal hacking patterns are developed.5
NOTE: This analysis does not include: the impact of the Russia vs Ukraine war, Israel vs Iran, nor the effect of other major players such as China.
Russia vs Ukraine
7. The Czech transport minister Martin Kupka warned that Russia-linked threat actors conducted “thousands of attempts to weaken our systems … signalling systems and networks of the Czech national railway operator České dráhy”. The Czech cyber security agency, NUKIB, warns of a surge in cyber attacks, particularly targeting the energy and transportation sectors. The European cybersecurity agency ENISA warned: “Hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate … with ransomware and data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions.”6
8. Russia’s ‘Sandworm’ group appears to be expanding its operations. The group “has been around for at least 15 years and is known for being affiliated with the Russian GRU”. It is known for being highly integrated with Russian ground campaigns against Ukraine, intercepting communications via mobile networks or devices, and conducting destructive malware attacks.7 Google’s security team is warning that Sandworm (which Google tracks as APT44) has expanded to ‘full spectrum operations’ including espionage, cyber attack and influence operations. The Google report states: “as the war has endured, APT44’s relative focus has transitioned away from disruption to intelligence collection. The group’s targets and methods have shifted significantly in the second year of the war, with increasing emphasis placed on espionage activity intended to provide battlefield advantage to Russia’s conventional forces.”8
9. Sandworm “has created hacktivist identities on Telegram channels to claim responsibility for its various disruptive wartime operations.” Google’s Threat Analysis Group assesses that APT44 has created and controlled a persona called ‘CyberArmyofRussia_Reborn’ (CARR), as well as ‘XAKNET’ and ‘Solntsepek’. One of these personas has claimed Operational Technology (OT) attacks against targets in the United States9 and the European Union.10 Other reports note that the group is using a new malware ‘backdoor’, Kapeka, as part of a “wider cyber-espionage campaign”.11 Google’s Threat Analysis Group assessment is: “We assess with high confidence that APT44 is seen by the Kremlin as a flexible instrument of power capable of servicing Russia’s wide ranging national interests and ambitions, including efforts to undermine democratic processes globally.”12
Ukraine
10. Cyber security firm ‘Claroty’, known for industrial and enterprise protection, identified Ukrainian hacker group ‘Blackjack’ as having hacked industrial sensors and other systems belonging to a Moscow infrastructure firm, using ICS malware it calls ‘Fuxnet’. “The hackers targeted ISPs, utilities, data centers and Russia’s military, and allegedly caused significant damage and exfiltrated sensitive information.” The hackers claim “Russia’s industrial sensor and monitoring infrastructure has been disabled … It includes Russia’s Network Operation Center (NOC) [that] monitors and controls gas, water, fire alarm and many others, including a vast network of remote sensors and IoT controllers. … including ones associated with airports, subway systems and gas pipelines.”13 Analysts Comment: It is not clear what impact this hack will have; the damage claims are the hackers’ own and have not been independently confirmed.
Iran vs Israel
11. A cyber attack was launched against Israeli websites over the weekend of 13-14 April. Hacked sites displayed a warning from the Islamic Revolutionary Guard Corps (IRGC) urging residents to stockpile items and “prepare for war.”14 Concurrently, the ‘Cyber Avengers’, a hacker group linked to Iran, announced that they were responsible for recent power outages across Israel. “They’ve lambasted Israeli officials for down-playing the events as mere technical mishaps, alleging a deeper loss of control over their electricity networks. … the group has issued a stern warning of further, more impactful cyber assaults targeting critical Israeli infrastructure.”15
Canada
12. Three Canadian organizations are struggling to recover from hacks. Cyber thieves have stolen decades’ worth of personal and financial information from students and faculty members at the University of Winnipeg; the university was forced to reschedule exams.16 Giant Tiger lost 2.8 million customer records, and the entire database was leaked for free.17 The Liquor Control Board of Ontario (LCBO) says customers’ personal information was stolen from a third-party provider. This is the second time this year the LCBO has lost customer data, this time from a company that does promotional work for the LCBO.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org