“Cold River” hackers, ransomware updates and Operation Aurora’s legacy
Russian hackers have been chasing U.S. nuclear secrets, according to a recent report. Ilja Nedilko / Unsplash
Welcome to Changelog for 1/8/23, published by Synack! It’s me, Blake, hoping you all had a restful holiday season. I made a cyber New Year’s resolution to delete some defunct accounts and discovered that the internet has already swallowed up my very first email from EarthLink. Sorry if I never replied to your message from the early aughts. Here’s the week’s news, compiled with help from README senior editor Nate Mott:
The payload
The Cold River hacking crew has been called “one of the most important hacking groups you’ve never heard of.”
The suspected Russian cyberespionage group is linked to a series of hack-and-leak operations — including one that affected the former head of British intelligence agency MI6.
Cold River’s latest targets are even more concerning. According to a Reuters report Friday, the hacking team has been trying to pry into the networks at three U.S. national labs known for leading sensitive national security research.
The Brookhaven, Argonne and Lawrence Livermore National Laboratories are based in New York, Illinois and California, respectively. All three Department of Energy research facilities share a penchant for conducting cutting-edge nuclear experiments on everything from particle physics to fusion ignition. Argonne in particular can trace its origins to early research tied to the Manhattan Project.
The Cold River hackers set up fake login pages for each of these Department of Energy labs and reportedly sent phishing messages to scientists. (It’s unclear if any of the attempted breaches succeeded.)
The Reuters story on Cold River’s exploits is a marvel of reporting and even ties some of the group’s infrastructure back to a 35-year-old IT worker in the Russian city of Syktyvkar. But key details have yet to emerge: What did the hackers want with DOE national labs — and did they succeed in getting any information?
I worry we haven’t heard the last from Cold River yet.
The week, compiled
Where is the best place to receive information about securing Windows, Exchange and other Microsoft products? It’s not always straight from Microsoft, as Rackspace learned when it fell victim to a ransomware attack last month.
Rackspace said on Dec. 6 that it had proactively shut down its managed Exchange service after it was compromised. The company migrated customers to Microsoft 365 so it could shutter the previous service rather than attempt to recover from this incident. It was, as we noted in a previous edition of Changelog, the latest sign that Microsoft may be the only organization capable of securely managing Exchange.
But there’s a new twist: BankInfoSecurity reported Jan. 4 that Rackspace was compromised because it followed Microsoft’s advice for mitigating the so-called ProxyNotShell vulnerabilities rather than upgrading to a patched version of Exchange. Threat actors could bypass those mitigations to exploit these vulnerabilities anyway.
People who follow security researchers Kevin Beaumont and Will Dormann on social media knew that bypass was possible. Those relying solely on Microsoft for security guidance — which apparently included Rackspace — didn’t. Rackspace now faces several lawsuits, is shutting down a service that brought in an estimated $30 million annually and recently disclosed that some of its customers’ email data was accessed by the Play ransomware as a result of this disparity. If only there were a word for sharing knowledge with each other… Oh, yes: Exchange.
Here are a few other things that happened in the past week:
CyberScoop: Russian hacking group Turla has targeted organizations in Ukraine with malware dating back to 2013, according to Mandiant. The Google subsidiary said the group also re-registered expired domains associated with the Andromeda botnet to “enable follow-on compromises at a wide array of entities.” CyberScoop reported that Turla has been active since at least the mid-90s and “has a long history of making life miserable for the defenders of Western computer systems.”
The Washington Post: Peiter “Mudge” Zatko has landed a new gig — the first since he left Twitter in January 2022 — at Rapid7. WaPo reported that Zatko, known as much for his affiliation with L0pht as for blowing the whistle on Twitter’s security practices, will “advise a range of consulting clients” in this new role.
The Register: A ransomware attack on The Guardian caused the British newspaper to close its offices until at least Jan. 23, according to The Register, which said the paper will continue to publish both its print and online editions despite the “serious network disruption” caused by this incident.
A message from Synack
Insecure and unmanaged APIs can lead to multimillion-dollar security incidents, according to Gartner. Join Synack co-founder and CTO Mark Kuhr and Sabre application security principal Cris Rodriguez for a webinar to learn of a better way to pentest for APIs. They break down the top API vulnerabilities and share best practices for securing this critical part of organizations’ attack surfaces. Learn more and view the webinar on demand here.
Flash memory
Google announced on Jan. 12, 2010 that it was taking “a new approach to China” due to “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property.” That attack would come to be known as Operation Aurora.
The company said that Operation Aurora’s primary goal appeared to be “accessing the Gmail accounts of Chinese human rights activists.” The attack was unsuccessful, Google said, but it still represented a shift in how large companies view their security.
Cybersecurity entrepreneur Dmitri Alperovitch told Wired at the time that Operation Aurora was an inflection point in cyber arena. “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” Alperovitch said. “It’s totally changing the threat model.”
The Council on Foreign Relations said that other Western tech companies such as Adobe, Rackspace and Yahoo as well as firms like Northrop Grumman and Morgan Stanley were also believed to have been targeted as part of Operation Aurora. But none of those companies were as forthcoming about the attack as Google.
Operation Aurora’s legacy lives on. The attack was explored in a series of videos Google published in October 2022 called “Hacking Google.” The tech giant described Operation Aurora as a “historic attack” that resulted in the company “[revolutionizing] its approach to security — overhauling everything and developing highly specialized teams of elite experts to stay ahead of the ever-evolving threat landscape.”
Local files
The Record: Financial institutions in Portugal and Spain have been targeted with the Raspberry Robin malware, according to Security Joes, which said the framework is unique in “that it is heavily obfuscated and highly complex to statically disassemble” despite being fairly high-profile. (Microsoft, Red Canary and other firms published reports on Raspberry Robin in 2022.)
Mass Live: Just a few days into the new year, Swansea Public Schools in Massachusetts canceled its classes because of a ransomware attack. The school’s superintendent said on Twitter that classes would resume on Jan. 5, however, because “the cyber attack has been remediated.”
TechCrunch: The Housing Authority of the City of Los Angeles (HACLA) said on Jan. 3 that it’s investigating an attack on its network. TechCrunch reported that the organization, which “provides affordable housing to more than 19,000 low-income families across Los Angeles,” appeared on the leak site operated by the LockBit ransomware gang on Dec. 31.
Off-script
The cyber raconteurs over at malware library vx-underground dug up a deleted 2015 music video from Fortinet that — fair warning — cannot be unseen.
But if you like Pitbull and perimeter defenses, maybe this one’s for you.
That’s all for this week — please send any tips or feedback to bsobczak@synack.com or nmott@synack.com. See you next Sunday!