Microsoft’s take on hybrid war, a REvil comeback and Elon Musk’s push for secure Twitter DMs
Ministry of Defense of Ukraine/Flickr
Welcome to Changelog for 5/1/22, published by Synack! Blake here, reporting from Washington, D.C. I’ll be moderating a panel on ransomware threats to critical infrastructure Wednesday at Crowell & Moring LLP here, so say hello if you’ll be attending the fifth edition of the educational “Hack the Capitol” event. (You can also find free virtual tickets here.) Here’s what caught my eye last week:
The payload
When Ukrainian authorities announced on April 12 they had thwarted a cyberattack on an energy company that could have knocked out electricity to 2 million people, they offered “special thanks” to Slovakia-based cybersecurity company ESET and Microsoft.
ESET quickly shared a blog post on the Industroyer2 malware and its CaddyWiper data-destroying accomplice, which were aimed at wreaking havoc in the industrial control systems of Ukrainian high-voltage substations. But Microsoft stayed quiet, at least until last Wednesday, when the technology giant released perhaps the most detailed recap of the cyber conflict in Ukraine to date and broke its silence on Industroyer2.
“The targeting of ICS was an escalation beyond what we had observed up to early April in that it was intended to produce physical effects on critical infrastructure,” Microsoft said in its overview of Russian state-sponsored cyberattacks in Ukraine.
The report does not hold many surprises. WhisperGate, Industroyer2, HermeticWiper: these destructive malware variants are familiar names for close followers of the “hybrid war” in Ukraine.
But the document offers a clear-eyed and compelling play-by-play of recent cyberthreats in Ukraine, dating all the way back to early 2021, when Russian President Vladimir Putin started positioning more troops near the border with Ukraine and large-scale phishing campaigns picked up steam. At least six suspected Russian APT threat actors have been targeting Ukraine in connection with the ongoing war, Microsoft said, and the Russian government appears to have timed kinetic attacks in tandem with cyber in some cases.
Most notable for U.S. companies is Microsoft’s sobering assessment of what the future of the conflict may hold.
“As the war progresses, actors with a vested interest in the conflict will operate under increasingly urgent requirements to fill critical intelligence gaps and achieve specific tactical objectives,” Microsoft concluded. “How cyber operators choose to meet these requirements may pose significant risk to the global cybersecurity landscape… Highly reserved capabilities such as zero-days, critical infrastructure attacks, supply-chain attacks, and other novel techniques will almost-certainly be showcased in the medium-term.”
The week, compiled
Ransomware groups come and go like weeds. Uproot one, and another is likely to grow up to take its place, looking suspiciously familiar.
But the REvil ransomware gang’s recent comeback is unusual even by the stubborn standards of cybercriminal organizations, as Kim Crawley reports for README. After all, Interpol, Europol and the U.S. Department of Justice unleashed a string of disruptive takedowns against REvil last year that would have sent many lesser ransomware groups packing.
“ Over the course of several months last year, we strategically sequenced actions with foreign partners on three continents and the State, Justice, and Treasury Departments to release decryption keys to victims, seize virtual currency proceeds in excess of $7 million, and arrest three affiliates of the group,” FBI Cyber Division Assistant Director Bryan Vorndran told Congress in March.
Even Russia joined the pile-on, arresting over a dozen alleged members of REVil in January at the behest of the U.S. in a rare and fleeting example of U.S.-Russo cyber cooperation.
But now REvil, reviled for its attacks on Brazilian meat processing conglomerate JBS and U.S. IT management software providers Kaseya last year, is creeping back into the news with hacks of two major Indian companies.
They may not have staying power in the underground, as one pseudonymous cybersecurity researcher told Crawley.
“No right minded person would join them again with all the negative attention and reset arrests,” pancake3 said.
Here are a few other bits and bytes from last week:
The Washington Post: Elon Musk, Twitter’s billionaire new owner, said he wants the social media company to offer end-to-end encryption for direct messages “like Signal.” While security experts have broadly cheered Musks’s comments, the “how” is still an open question and carries tradeoffs for users.
The Wall Street Journal: The FBI last year led as many as 3.4 million searches of U.S. data without a warrant, according to the Office of the Director of National Intelligence, with more than half the searches relating to Russian efforts to hack U.S. critical infrastructure. The previous 12-month period saw about 1.3 million searches, which can include individual names, phone numbers, social security numbers and email addresses, among other data.
Bleeping Computer: Good oral hygiene may not carry over to cyber hygiene: The American Dental Association industry group was hit by a ransomware attack that forced some of its networks offline.
A message from Synack
Going to the RSA Conference this year? Stop by Synack’s “Journey by the Bay” experience that includes executive thought leadership sessions, demonstrations of Synack solutions and a showcase of emerging cybersecurity companies. And don’t miss our parties that will rock the City by the Bay with live music, libations and food. Find us anytime at Fogo de Chão — 98 steps from RSAC at the Moscone Convention Center. Find out more here.
Flash memory
Welcome to May! Five years ago, suspected Chinese state-backed hackers broke into the networks of credit reporting company Equifax and tooled around through at least July, siphoning off sensitive information from an estimated 147 million people.
Equifax first disclosed the breach in September 2017, teeing up a firestorm of questions, criticism, scathing Congressional investigations and ultimately a massive class-action lawsuit.
Hackers took advantage of a critical vulnerability in the open-source Apache Struts Web Framework to gain a foothold in Equifax’s networks. The Apache Software Foundation issued a statement on the breach urging businesses and individuals to “understand which supporting frameworks and libraries are used in your software products and in which versions,” among other steps.
Now, why does that recommendation still sound so familiar?
Local files
Wired: Russia is being pummeled by pro-Ukrainian cyberattacks, largely consisting of DDoS barrages that disrupt online services to Russian citizens. The hacking campaigns could push Moscow to further isolate its networks from the rest of the world, with implications for internet governance.
CyberScoop: A coordinated physical attack on fiber optic cables in France cut off internet to parts of the country and is stoking concerns about similar sabotage to critical land connections or undersea cables in other parts of the world.
Off-script
Do you have a second?
Are you sure?
The precise meaning of a second may be in for a change, as the New York Times reported Monday. The International Bureau of Weights and Measures (abbreviated B.I.P.M. in French) is honing the definition of the core unit of time, widely considered to be one of the most measured quantities on Earth. The infinitesimal makeover is made possible by incredibly fine-tuned pieces of technology like yterrbium lattice atomic clocks, which can count natural “ticks” of atoms.
B.I.P.M. could usher in the first official update to the unit in decades — or about 1.5 billion seconds, give or take.
That’s it for this week — please send tips, feedback and RSA pitches to bsobczak@synack.com. See you in a week!