Archive for Russia

Ukraine Hit By Cyberattack By Russian Hacker Group

Posted in Commentary on April 12, 2022 by itnerd

This morning, it came to light that there was an attack on Ukraine’s critical infrastructure by cyber-criminal group Sandworm:

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia’s GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

It shows that this war is on multiple fronts including cyberspace. And Justin Fier, VP of Tactical Risk and Response at Darktrace agrees:

This news represents a major step up from the relatively unsophisticated previous DDoS attacks, and it’s particularly interesting to see that Sandworm has reared its head again. CISA and other government agencies in the Five Eyes have been anticipating an attack like this and issuing sophisticated warnings for some time. Ukraine has been dealing with this type of threat for years and has been preparing with the help of global allies, including the U.S.

While we cannot confirm these allegations, the hope is that governments worldwide will take this seriously and realize that the same type of attack could happen to them. Any attack on Ukrainian soil could also occur anywhere else, be replicated by other cyber-criminal groups or nation-states, or cause ripple effects across the global supply chain. During this ongoing “World War Wired,” we must be concerned not only with the prospect of an inbound warhead but also with infrastructure-destroying cyber-attacks. The responsibility will fall on each potentially at-risk organization to bolster their defenses: they must fight fire with fire, arming themselves with the latest technologies. You go to war with the army you have, not the one you wish you built, and organizations must prepare now.

In short, the time to prepare for this sort of attack is now because you can expect targets outside of Ukraine to be hit with this sort of attack in the near future.

Russian Entities Are Being Attacked By Modified Conti Ransomware

Posted in Commentary on April 9, 2022 by itnerd

Here’s a bit of a plot twist that I perhaps should have seen coming. You might recall that the Conti ransomware group kind of fell apart over Russia’s invasion of Ukraine and some of their source code leaked out to the public. Now it seems a group has used this source code to launch attacks on Russian entities.

You read that correctly. Russian entities are being attacked by ransomware. The group is known as NB65 and Bleeping Computer has the details:

For the past month, a hacking group known as NB65 has been breaching Russian entities, stealing their data, and leaking it online, warning that the attacks are due to Russia’s invasion of Ukraine.

The Russian entities claimed to have been attacked by the hacking group include document management operator Tensor, Russian space agency Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster.

The attack on VGTRK was particularly significant as it led to the alleged theft of 786.2 GB of data, including 900,000 emails and 4,000 files, which were published on the DDoS Secrets website.

More recently, the NB65 hackers have turned to a new tactic — targeting Russian organizations with ransomware attacks since the end of March.

What makes this more interesting is that the hacking group created their ransomware using the leaked source code of the Conti ransomware operation, which is run by Russian threat actors who prohibit their members from attacking entities in Russia.

Bleeping Computer has actually made contact with NB65 and this is what the group had to say:

A representative for the NB65 hacking group told BleepingComputer that they based their encryptor on the first Conti source code leak but modified it for each victim so that existing decryptors would not work.

“It’s been modified in a way that all versions of Conti’s decryptor won’t work. Each deployment generates a randomized key based off of a couple variables that we change for each target,” NB65 told BleepingComputer.

“There’s really no way to decrypt without making contact with us.”

At this time, NB65 has not received any communications from their victims and told us that they were not expecting any.

As for NB65’s reasons for attacking Russian organizations, we will let them speak for themselves.

“After Bucha we elected to target certain companies, that may be civilian owned, but still would have an impact on Russia’s ability to operate normally. The Russian popular support for Putin’s war crimes is overwhelming. From the very beginning we made it clear. We’re supporting Ukraine. We will honor our word. When Russia ceases all hostilities in Ukraine and ends this ridiculous war NB65 will stop attacking Russian internet facing assets and companies.

Until then, fuck em.

We will not be hitting any targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs have been hitting the west for years with ransomware, supply chain hits (Solarwinds or defense contractors)… We figured it was time for them to deal with that themselves.”

It will be very interesting to watch what happens next, and how Russia responds.

White House Warns Russia Preparing Possible Cyberattacks Against US

Posted in Commentary on March 21, 2022 by itnerd

The Biden administration has warned in recent weeks that Russia could look to target infrastructure in the U.S. or elsewhere with cyberattacks, but officials previously said there were no specific or credible threats against the U.S.

White House deputy national security adviser Anne Neuberger said Monday that officials have seen some “preparatory activity” and that the administration briefed companies who could be affected in a classified setting last week.

Lucas Budman, CEO of TruU (www.truu.ai), has this comment:

“Enterprises need to act and ensure all attack surfaces are covered. While network and endpoint protection are important, identity is the biggest laggard and the ripest for attack, with approximately 80% of breaches linking back to it. Most businesses still use passwords, but there is no safety in numbers as credentials can be compromised through phishing, brute force, credential stuffing, or buying lists of already compromised accounts. After all, people tend to reuse passwords, which results in 2FA effectively being secured by just the second factor alone. Passwordless MFA inclusive of biometrics, presence, and behavior is one of the few modern options to dramatically limit the identity attack surface.”

I’m not really surprised by this, as Russia is known for housing groups that perpetrate cyberattacks. Thus businesses in the US and beyond should heed this warning and do what they need to do to prepare themselves for what is sure to be a barrage of cyberattacks in the next few weeks.

Firefox Yanks Russian Search Providers From Their Browser

Posted in Commentary on March 16, 2022 by itnerd

This morning I woke up to Firefox wanting to do an update to version 98.0.1. So I dutifully did the update that it requested. And when I checked to see what changed, I saw this:

Those are Russian search engines. That immediately got my attention, as I was not aware that Firefox used any Russian search engines. I am going to go out on a limb and suggest that Mozilla is concerned about misinformation being spread via having those search engines in Firefox, which these days is a legitimate concern.

I’m now waiting for the announcement that Firefox is banned in Russia as a result of this move.

Kaspersky Is Likely Doomed After The BSI Publishes A Warning To Not Use Their Products

Posted in Commentary on March 15, 2022 by itnerd

Russian anti-virus maker Kaspersky is likely in very deep trouble after Germany’s cyber security agency, the BSI, came out with a warning (translation here) for Germans not to use Kaspersky’s products:

Antivirus software, including the associated real-time capable cloud services, has extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.

The actions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current military conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers.

These accusations are not new, as Kaspersky has been in the crosshairs of various countries because it is a Russian company. But given the current political climate, and the likelihood that this warning will be echoed by the US and other countries, it is safe to say that Kaspersky is in trouble. And I would go further to say that they will not survive this.

RIP Kaspersky.

It Seems That The Russian Regime Can’t Stop Their Citizens From Using VPNs

Posted in Commentary on March 15, 2022 by itnerd

Vladimir Putin is in the midst of blocking all the things on the Internet so that he can keep the truth about the war in Ukraine out of Russia. Or so he thinks, as it appears that Russian citizens are turning to VPNs in huge numbers to evade those blocks:

To defeat Russia’s internet censorship, many are turning to specialized circumvention technology that’s been widely used in other countries with restricted online freedoms, including China and Iran. Digital rights experts say Putin may have inadvertently sparked a massive, permanent shift in digital literacy in Russia that will work against the regime for years.

Since the invasion of Ukraine, Russians have been flocking to virtual private networks (VPNs) and encrypted messaging apps, tools that can be used to access blocked websites such as Facebook or safely share news about the war in Ukraine without running afoul of new, draconian laws banning what Russian authorities consider to be “fake” claims about the conflict.

During the week of February 28, Russian internet users downloaded the five leading VPN apps on Apple and Google’s app stores a total of 2.7 million times, a nearly three-fold increase in demand compared to the week before, according to the market research firm SensorTower.

That growth dovetails with what some VPN providers have reported. Switzerland-based Proton, for example, told CNN Business it has seen a 1,000% spike in signups from Russia this month. (The company declined to provide a baseline figure for comparison, however.)

I’ve had a guest post from Atlas VPN that has said the same thing. And the bottom line is that Putin, or “Pootie-Poot” as former President George W. Bush used to call him, isn’t able to stop this from happening unless he goes insanely draconian with some sort of massive crackdown on VPN usage.

This is a #EpicFail for the Russian regime.

Rosneft Energy Plant Hit With A Cyber Attack

Posted in Commentary on March 14, 2022 by itnerd

German newspaper die Welt is reporting ‘Hackers hit German Rosneft subsidiary’ (translation here), citing Germany’s BSI cybersecurity watchdog, which issued a cybersecurity warning to companies in the energy sector after a cyber attack occurred sometime between Friday night and early Saturday morning. While the attack has so far not affected Rosneft’s business or the supply situation, the company’s systems have been affected. And it’s thought that the hacker collective Anonymous might be behind this, as the company has a relationship with Russia, whose people aren’t the most popular at the moment.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“With the global opposition to the Russian invasion of Ukraine, I doubt there is much sympathy for Rosneft, even as a subsidiary in Germany. This attack shows that globally, threat actor groups and nation states are both potential disruptors to critical infrastructure or any private sector company. All organizations should stay vigilant and continue to invest in cyber security solutions that employ advanced analytics and automated detection and response to thwart threat actors from disrupting operations, stealing sensitive data, or detonating ransomware. Certainly, solutions that employ a large set of machine learning models that are self-training to adapt to newer attacks and techniques are absolutely critical.”

I for one will be interested to see what the damage from this hack is, and whether it makes other German companies that have a relationship with Russia reconsider their security posture.

Facebook Kind Of Flip Flops On Letting People Call For The Death Of Putin And Muddies The Waters In The Process

Posted in Commentary on March 14, 2022 by itnerd

Last week, I highlighted a policy change by Facebook which let a handful of countries around Russia do things like call for the death of Vladimir Putin. At the time I said this:

Not that I want to defend Putin. But if I put up a post on this blog calling for the death of US President Joe Biden, I am certain that some US law enforcement agency would be on my doorstep looking for me by the end of the day. In other words, while rules cannot be absolute, this doesn’t seem right to me, even if its application is limited in scope, as is the case here. And I have to wonder if this policy will do more harm than good. Because everything that Facebook does does more harm than good.

It now seems that Facebook has flip-flopped on this… Sort of:

Last week, Facebook temporarily relaxed its policies so that Ukrainian users could post threats of violence against the Russian military, which invaded its neighbor in late February. The change led to some public confusion as to what was allowed, and what was not, on Facebook and Instagram. Meta’s President of Global Affairs Nick Clegg posted a statement Friday saying the move is aimed at protecting Ukrainian rights and doesn’t signal tolerance for “discrimination, harassment or violence towards Russians.” On Sunday, he tried to further explain the company’s stance to employees in an internal post. “We are now narrowing the focus to make it explicitly clear in the guidance that it is never to be interpreted as condoning violence against Russians in general,” Clegg wrote in the internal post, which was reviewed by Bloomberg.

So, is that clear? You can post a threat of violence against the military but not Putin? Right. This change doesn’t help.

#Fail Facebook.

Instagram Now Blocked In Russia By Russia

Posted in Commentary on March 14, 2022 by itnerd

Russia followed through on its threat to block Meta-owned Instagram on Monday, cutting off access to tens of millions of users in the country:

Instagram is popular in Russia. It’s Meta’s second most popular app there, according to data from Sensor Tower, behind ubiquitous messaging service WhatsApp. The app has been installed 166 million times across the Russian App Store and Google Play since 2014, making it three times as popular as Facebook. After Russian censor Roskomnadzor announced that the government would restrict access to the app following a 48-hour “transition period,” Head of Instagram Adam Mosseri condemned Russia’s actions, which will affect 80 million people in the country.

This is likely in response to things like Facebook allowing people in a handful of countries around Russia to post things like death threats on Facebook, which led to attempts by the Russian Government to brand Facebook and Instagram “extremist”.

Clearly the Kremlin wants to cut people off from any information that isn’t favourable to the Russian regime. And they’re willing to do that even if it upsets their own citizens because roughly 60 million of them use the platform, and some make money off of the platform:

On the platform, emotions ran high Sunday among Russians who were about to lose thousands of dollars they received to promote various products, as well as access to millions of followers amassed over the years.

“I’m writing this post now and crying,” Olga Buzova, a Russian reality television star, wrote, saying she hoped “it’s all not true and we will remain here.”

I’m going to be watching this, as I can see a scenario where this causes a backlash inside of Russia. And that may make this situation go in directions that nobody expected.

In A Significant Escalation, Russia Is Trying To Get Facebook And Instagram Labeled As Extremist

Posted in Commentary on March 11, 2022 by itnerd

Russian prosecutors have asked a court to ban Meta Platforms’ Facebook and Instagram as “extremist,” Interfax reported, the latest move in a growing crackdown on social networks:

Authorities blocked access to Facebook last week under a new media law, but the “extremist” designation, if approved by a court, would effectively criminalize all of Meta’s operations in Russia. The company’s Instagram app would also be blocked. The move comes amid increasing tension between Moscow and U.S. tech companies. Earlier Friday, the speaker of the lower house of parliament, Vyacheslav Volodin, called on prosecutors to investigate Meta after Reuters reported that the company had temporarily eased internal restrictions on calling for violence against Russian soldiers due to the invasion of Ukraine. Russia has already banned certain social media companies like Facebook and Twitter, while tech companies have demonetized Russian state-sponsored media and blocked them in Europe.

And it looks like this may have already started:

This is a major escalation in Putin’s fight against social networks that carry posts he doesn’t agree with. Though this story from earlier today has me thinking that this may not be all bad. It will be interesting to see how this plays out.