Changelog: Russia doubles down on Ukrainian telecom attacks

Max Kukurudziak / Unsplash

Welcome to Changelog for 12/14/2023, published by Synack! README senior editor Nathaniel Mott here to bring you the latest cybersecurity news in the penultimate installment of the year.

The payload

Ukraine’s largest telecom is recovering from a Russian cyberattack that disrupted cellular and home internet service on Tuesday. The company, Kyivstar, said today that it has re-enabled voice communication over its cellular network and that its home internet service “has been restored by 93%.”

NBC News reported that Kyivstar’s outage “disrupted air alert systems in multiple cities, forcing authorities to use backup alarms,” and that Russia “launched a missile attack Wednesday morning” that resulted in “53 people being injured and 20 being hospitalized.” The outage reportedly also caused problems for ATMs, point-of-sale machines and internet-connected streetlights that rely on Kyivstar’s network.

Russia has combined disruptions to Ukraine’s communications with kinetic warfare since the invasion began in February 2022. The conflict started with Russian hackers targeting Viasat, a satellite internet provider, in an attack that “took out tens of thousands of government and private sector modems on February 24.” Kyivstar is simply the latest company in the sector to be caught up in the so-called hybrid war.

A group known as Solntsepek claimed responsibility for the attack. That doesn’t exactly come as a surprise—Wired reported that the group has been “linked to Russia’s notorious Sandworm hackers” responsible for several high-profile attacks targeting Ukraine over the last decade, including recent campaigns against a “critical infrastructure organization” and telecommunications companies.

Some of these incidents have been kept quiet; we didn’t learn about the October 2022 attack until Mandiant published a report on it on Nov. 9. But it’s harder to maintain that level of discretion when a reported “24.3 million people in Ukraine – over half the country’s population – found themselves without any mobile signal” the morning before Russia launched additional strikes within the country.

The week, compiled

Here’s a tip for cybercrime groups: don’t mess with Microsoft’s revenues. The company announced on Dec. 13 that it had disrupted the operations of a group it tracks as Storm-1152, which it said “runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms,” among other things.

Storm-1152 seems to have been running quite the racket. Microsoft said it has “created for sale approximately 750 million fraudulent Microsoft accounts, earning the group millions of dollars in illicit revenue, and costing Microsoft and other companies even more to combat their criminal activity.” (The group also operated a number of services devoted to solving automated CAPTCHAs.)


Alexander Grey / Unsplash

The accounts served as “the gateway to a host of cybercrime, including mass phishing, identity theft and fraud, and distributed denial of service (DDoS) attacks,” Microsoft said. But it was their creation, not how they’re used, that led the Southern District of New York to provide a court order to “seize U.S.-based infrastructure and take offline websites used by Storm-1152 to harm Microsoft customers.”

Now Storm-1152’s customers—which reportedly includes the Scattered Spider group believed to be responsible for the MGM Resorts and Caesars Entertainment hacks—will have to find a new source of fraudulent Microsoft accounts. (Which, unfortunately, shouldn’t prove to be too difficult.) Or they can do what legitimate Windows users have to do and suffer through the account creation process themselves.

Here are some other stories from around the web:

The Record: The latest draft of the UN Cybercrime Treaty has raised the ire of “dozens of cybersecurity experts and human rights groups,” The Record reported on Dec. 13, with some telling the publication that it “would effectively criminalize cybersecurity research and overlook human rights.” The draft treaty is set to be voted on at the end of January 2024, so there isn’t long to address these concerns.

TechCrunch: Apple is making it harder for law enforcement organizations to access data about push notifications—which recently became a hot-button issue when Sen. Ron Wyden revealed the previously secret practice of collecting this information—by requiring them to obtain a court order or search warrant rather than handing over this potentially sensitive data in response to a subpoena.

404 Media: Sometimes the headlines write themselves. Case in point: 404 Media reported on Dec. 13 that “Hackers Popped a Porn Site for Inflation Fetishists.” The hack, which the site’s administrators reportedly said was random instead of a targeted attack, is said to have led to the compromise and exposure of “users’ email address, usernames, IP addresses, public profile information and password hashes.”

A message from Synack 

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

Every programming language is loved and loathed by at least some developers, but I don’t think any have been memed about as often as Perl, a “high-level, general-purpose, interpreted, dynamic programming language” that was officially released on Dec. 18, 1987 and continues to be maintained today.

Many of the memes about Perl claim the language is unreadable. Sometimes that’s deliberate—the Obfuscated Perl Contest tasked developers with creating "devious, inhuman, disgusting, amusing, amazing, and bizarre Perl code"—but it’s usually just an accidental byproduct of writing Perl.

But a programming language doesn’t survive for 36-plus years without a good reason. (Even if that reason is often “because a legacy codebase everyone is afraid to modify or replace is written in that language.”) Perl has a large number of libraries, for example, and is often heralded for its regular expressions support.

So here’s to Perl. Long may it confound and confuse the developers who have to read it.

Local files

The Register: Records containing personally identifiable information about nearly a million people have been exposed by a database operated by DonorView, which The Register described as the “provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals,” though the company seems to have secured the data now.

DataBreaches: The Hunters International cybercrime group has been “leaking what appears to be more and more patients’ protected health information (PHI) and employees’ personal information” from Covenant Care, which DataBreaches said provides “skilled nursing, residential care, therapy services, and home health care at 29 locations in California and Nevada,” following a November attack on the company.

BleepingComputer: French police arrested a Russian national accused of laundering money for the Hive ransomware gang. BleepingComputer reported that the suspect was linked “to digital wallets that received millions of U.S. dollars from suspicious sources based on his activity on social networks” and that police “seized €570,000 worth of cryptocurrency assets” when they detained the suspect on Dec. 5.


I forgot how famous David Beckham… is? used to be? I didn’t watch professional soccer until earlier this year, and I was too young to notice how often he and Victoria Beckham appeared on the front covers of seemingly every tabloid, so there wasn’t a good reason for me to know who he was. Yet I—and, apparently, pretty much everyone else with a TV—knew of David Beckham all the same.


Fisnik Murtezi / Unsplash

This passing familiarity combined with my growing interest in soccer has led me to Netflix’s four-part documentary series, “Beckham,” which I plan to finish shortly after this newsletter is published. It’s been a fascinating watch, especially since I didn’t already know all that much about Beckham’s career. (Or the borderline unhealthy obsession many people seemed to have with his haircut, I guess.)

I recommend the series to anyone who, like me, learned of Beckham via some sort of cultural osmosis rather than his accomplishments on and off the pitch. I still don’t necessarily understand how he became a global phenomenon, but at least now I have some context for the name that’s been swirling around our collective subconsciousness for nearly as long as I’ve been alive.