Russia's Cyber War Gets Smarter… And Dumber

PLUS: Predatory Sparrow Won't Move the Needle in the Middle East

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Stairwell.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.


Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment.

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras.

It turns out, however, that many of the video surveillance cameras sold in Ukraine prior to the war were managed with a system known as Trassir, which had been developed by a Russian company. Trassir software was used by individuals and enterprises and was even installed at critical infrastructure facilities such as the Chernobyl nuclear power plant. Worse yet, the video feeds from these cameras were routed via Russian servers.

So although the SBU mentioned just two cameras in this case, Russian efforts to compromise cameras could be very widespread. Early in 2022 the SBU blocked a large number of Russian IP addresses, including those of Trassir servers. Presumably, this explains why the hacked devices the SBU reported on were altered to stream video via YouTube rather than directly to a Russia-based IP address. In this month’s announcement, the SBU said it had stopped the operation of 10,000 IP cameras since the start of the invasion and appealed for Ukrainian citizens to report online camera streams to its official chatbot.

Hijacking surveillance cameras to provide targeting support is also a fairly sensible use of cyber operations, because it complements conventional military capabilities with the intent of making them more effective. It's quiet, but potentially deadly.
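The defensive counterpart to the SBU's appeal is spotting cameras that push video somewhere they should not. The following is an added example, not code from the newsletter or from the SBU: it walks a netflow-style export and flags any host on a camera VLAN that sends a sustained volume of data to a destination outside an allowlist (the local recorder). The subnet, the allowlist, the byte threshold and the flow records are all constructed for the example.

```python
"""Flag IP cameras streaming to destinations outside an allowlist.

Added example (not the newsletter's or the SBU's code). Assumes a
netflow-style CSV export with the columns
timestamp,src_ip,dst_ip,dst_port,bytes_out and a dedicated camera VLAN.
Every address and threshold below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed: the VLAN that holds the cameras.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed: destinations a camera is expected to talk to (the local
# network video recorder and the VLAN gateway for DNS/NTP).
ALLOWED_DST = {
    ipaddress.ip_address("10.20.1.10"),
    ipaddress.ip_address("10.20.0.1"),
}

# Aggregate bytes above which a flow looks like video rather than a
# heartbeat or a DNS lookup. Constructed threshold; tune to your cameras.
MIN_BYTES_OUT = 5_000_000

# Constructed sample export. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external streaming endpoints;
# 1935/tcp is the RTMP port commonly used for live-stream ingest.
SAMPLE_FLOWS = """\
2024-01-02T10:00:00Z,10.20.0.15,10.20.1.10,554,81234567
2024-01-02T10:00:00Z,10.20.0.22,10.20.1.10,554,79000000
2024-01-02T10:01:00Z,10.20.0.22,203.0.113.45,443,34000000
2024-01-02T10:02:00Z,10.20.0.22,203.0.113.45,443,30000000
2024-01-02T10:02:00Z,10.20.0.31,198.51.100.7,1935,52000000
2024-01-02T10:03:00Z,10.20.0.31,10.20.0.1,53,1200
2024-01-02T10:04:00Z,10.20.5.9,203.0.113.45,443,90000000
"""


def parse_flows(text):
    """Parse CSV flow lines into (src_ip, dst_ip, dst_port, bytes_out)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, nbytes = line.split(",")
        flows.append(
            (ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes))
        )
    return flows


def find_suspect_cameras(flows, camera_net=CAMERA_NET, allowed=ALLOWED_DST,
                         min_bytes=MIN_BYTES_OUT):
    """Return {camera_ip: [(dst_ip, dst_port, total_bytes), ...]}.

    Only hosts inside camera_net are considered. Bytes are summed per
    (src, dst, port) so a stream split across several flow records is
    still caught; anything below min_bytes or to an allowed destination
    is ignored.
    """
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if src not in camera_net or dst in allowed:
            continue
        totals[(src, dst, port)] += nbytes

    suspects = defaultdict(list)
    for (src, dst, port), total in sorted(totals.items()):
        if total >= min_bytes:
            suspects[str(src)].append((str(dst), port, total))
    return dict(suspects)


if __name__ == "__main__":
    for camera, dests in find_suspect_cameras(parse_flows(SAMPLE_FLOWS)).items():
        for dst, port, total in dests:
            print(f"{camera} -> {dst}:{port} ({total} bytes) is outside the allowlist")
```

Run as-is, the script reports two cameras (10.20.0.22 and 10.20.0.31) sending tens of megabytes to external hosts, while the camera that only talks to the recorder and the non-camera host on another subnet are left alone. Summing per destination matters because flow exporters cut long sessions into many records, so a per-record threshold would miss a steady stream.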

By contrast, a December 12 attack on Kyivstar, Ukraine's largest mobile operator, is the stuff of cyberwar fantasies. However, the attack feels like a squandered opportunity as Russia does not appear to have taken significant advantage of it.

The Kyivstar attack left over half of Ukraine's population without mobile and home internet services for two days. It also disrupted some banks and ATM services, point-of-sale terminals and air-raid sirens.

Illia Vitiuk, the SBU's cyber security chief, told Reuters this was a long-term operation and that the hackers had been in Kyivstar's networks since at least May 2023. Vitiuk said they had probably had "full access" since at least November.

He described the attack as wiping "almost everything" including thousands of virtual servers and said it "completely destroyed the core of a telecoms operator".

Despite what sounds like pretty comprehensive destruction, the disruption was relatively short-lived. Kyivstar services were back up within a matter of days and the company's CEO said services were fully restored just eight days after the attack.

The attack was not combined with any other significant Russian military action, such as a major drone or missile attack. And, according to Ukrainian government sources, there was relatively little impact on Ukrainian military communications.

When it comes to assessing the impact of this attack, timing is everything. If this type of attack had been executed in February 2022, at the beginning of Russia's invasion and combined with Russia's attack on Viasat's KA-SAT satellite service, it could have measurably improved the chances of Russian military success.

In December 2023, however, we think this attack is actually a net negative for Russia's military prospects, because maintaining enduring access into Kyivstar would have been tremendously valuable. Vitiuk told Reuters the SBU assessed:

…the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS-messages and perhaps steal Telegram accounts with the level of access they gained.

These capabilities would have been an intelligence goldmine that could have enabled many more impactful military actions over the longer term.

Destroying Kyivstar delivered a short-term sugar rush, but pretty much guaranteed that the Russians lost access. This cuts against the trend in Russian operations towards intelligence gathering that we wrote about last September, so we are left wondering what the motivation for this particular operation was.

The SBU's Vitiuk attributed the attack to Russia's Sandworm group (the GRU, Russian military intelligence) and regarding the timing of the operation said "maybe some colonel wanted to become a general". We don't have a better explanation.

Predatory Sparrow Won't Move the Needle in the Middle East

Israel is trying to use cyber operations to warn off regional foes, but the current conflict is just too hot for this strategy to work.

In mid-December, Predatory Sparrow, a purported hacktivist group believed to be a persona of the Israeli military, disrupted petrol supply systems in Iran. In a statement on Telegram, the group claimed to have disrupted "a majority of the gas pumps throughout Iran… in response to the aggression of the Islamic Republic and its proxies in the region".

Although we don't know yet if the technical details are the same, this appears to be a repeat of an October 2021 attack that Predatory Sparrow launched against Iran's fuel subsidy system. In that attack, petrol stations shut down because they were unable to charge customers for fuel.

As in that attack, Predatory Sparrow took steps to show that it was operating responsibly. In a recent Telegram statement it wrote:

As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services.

We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation.

In this case, the operation is all about sending a message to Iranian leadership. In its Telegram posts, Predatory Sparrow directly warned Iran's supreme leader, saying "Khamenei, playing with fire has a price" and a few days later said "Khamenei! Playing with proxies a girl can get burned".

Previous Predatory Sparrow attacks took place in the context of a series of tit-for-tat destructive operations between Iran and Israel that appear to have been kickstarted by an Iranian cyber attack on Israeli water infrastructure. At the time, we wrote:

Following reports of cyber attacks against Israeli water infrastructure in 2020, a suspiciously large number of things have caught fire or gone boom in Iran since, including the Natanz uranium enrichment facility, a missile production facility, an oil pipeline, a shipyard in the Iranian port of Bushehr, Iran's largest warship, and an oil refinery.

Other less physically destructive incidents have involved cyber attacks on the port of Bandar Abbas and a wiper attack on Iran's national rail system. Some of these incidents could be the result of deliberate state-backed actions; others may simply be accidents.

This one wasn't an accident, though: In November last year, Iran's top nuclear scientist was assassinated with a self-destructing remotely-controlled machine-gun.

At one level, using precisely executed cyber operations to send a warning is clearly better than using operations that cause a lot of collateral damage and therefore escalate conflict.

Having said that, however, we are not sure that signalling via cyber operations has actually worked for Predatory Sparrow. Its previous petrol station hack occurred in October 2021 and by June 2022 it was carrying out spectacular destructive attacks on three Iranian steel mills. If its signalling had worked, would it have needed to carry out further operations?

The geopolitical situation is also vastly different today. Israel is involved in a war against Hamas, Israel and Hezbollah are exchanging strikes back and forth across Lebanon, and Iranian-backed Houthi rebels are attacking cargo ships in the Red Sea. There's genuine diplomatic concern that the Israel-Hamas war could expand to encompass Hezbollah in Lebanon.

Given the situation, will the repeat of a two-year-old fuel supply disruption operation move the needle at all? We don't think so.

Three Reasons to Be Cheerful This Week:

  1. ALPHV Disruption: In mid-December the US Department of Justice announced that it had disrupted the ALPHV (aka BlackCat) ransomware gang, which it described as the second most prolific ransomware-as-a-service brand. The DoJ also revealed the FBI had developed a decryption tool that it had offered to 500 affected victims. That's the good news, but the weird addendum is that although the FBI was able to get credentials for the site it wasn't able to prevent ALPHV from 'unseizing' it. This 'tug of tor' is well described at Ars Technica.
  2. Scam city seized by Myanmar rebels: A city that is a hub for online scams known as 'pig butchering' has been ceded by Myanmar's military government to rebel forces that claim to be focused on cleaning up scam centres. The change in control ultimately seems to be driven by the PRC's frustration with the pig butchering epidemic that has affected thousands of Chinese nationals. This ABC report has good coverage of the broader issues.
  3. More cyber-focussed FBI agents overseas: The FBI told CyberScoop that it is increasing the number of cyber-focussed FBI assistant legal attachés at American embassies overseas by six people to 22. Given the international nature of cybercrime, we are actually surprised that there are so few.

In this Risky Business News sponsor interview Tom Uren talks to Chris St Myers, Stairwell’s head of threat research, about managing the risk from software you absolutely must use.


Russia Hates Democrats, China Loves China

Last edition we talked about the inevitability of election interference. Since then, both the US and the UK governments have released reports describing attempted interference. The Taiwanese government has also committed to releasing a report on PRC interference after its election is completed on January 13.

The report from the US intelligence community assesses that Russian interference is mostly about denigrating the Democratic Party, PRC interference is about promoting pro-China interests without favouring any particular party, and a number of other foreign parties interfere more narrowly. It expects interference to peak during Presidential election years and the report says:

The involvement of more foreign actors probably reflects shifting geopolitical risk calculus, perceptions that election influence activity has been normalised, the low cost but potentially high reward of such activities, and a greater emphasis on election security in IC collection and analysis.

Extradition Tug-of-War Ends Up with Russian Victory

Russian cyber security executive Nikita Kislitsin, who was the subject of an extradition tug-of-war between the US and Russia after his arrest in Kazakhstan, will ultimately end up in Russia.

We examined this case in July last year when we looked at the underlying drivers behind these diplomatic contests that occur whenever a Russian citizen is arrested internationally on cybercrime charges.

SEC Twitter Hack Moves Bitcoin

On Tuesday the @SECGov X (formerly Twitter) account was hacked and used to release a message stating that the commission had granted approval for a Bitcoin exchange-traded fund (ETF). This briefly moved the market for Bitcoin from $46,700 to $48,000 before the false tweet was exposed.

On Wednesday, however, the SEC really did approve Bitcoin ETFs. Rather than a clever hack to make money by manipulating markets, the hacker appears to have just posted a draft tweet.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk with infosec and anti-virus veteran Martijn Grooten about how the infosec industry has changed over the years.

From Risky Biz News:

Turkish APT group Sea Turtle returns: Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Ever since its public outing in late 2020, the group has wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations. In recent reports, the three security firms claim the group has now re-tooled and changed its modus operandi, although some connections to its old infrastructure remain.

[more on Risky Business News]

Ransomware wrecks Paraguay's largest telco: A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data centre were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

At least 300 companies were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

[more on Risky Business News]

Ukraine repels attack on state payment system: Ukraine says it repelled Russian cyberattacks against its state payment system for the second week in a row. Officials say Russian hackers tried to destroy vital systems used for budget payments. The operation comes after Russian hackers successfully wiped servers inside Kyivstar, the country's largest mobile operator.