Srsly Risky Biz: Thursday April 14

Why cyber attacks targeting critical infrastructure are faltering

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

"Cyberwar" Undermines Itself in Ukraine, China

State coordinated cyber attacks targeting power infrastructure in Ukraine and India are, at first glance, alarming. However, the campaign targeting Ukraine appears to have failed and the preparatory activity targeting India was so noisy it might actually wind up driving meaningfully improved defences there, too. Let's dive in:

Russian Campaign Against Ukraine Appears to Have Failed

Ukraine's CERT announced that it had thwarted a Russian attack on Ukrainian energy infrastructure. Victor Zhora, a top Ukrainian cybersecurity official, said in a Zoom press conference that the malware caused some disruption in one facility, but no customers lost power.

The Ukrainian government attributed the attack to the Sandworm group, which has been previously attributed to the Russian military. Colour us totally unsurprised. Sandworm was responsible for successful attacks on the Ukrainian electricity grid in both 2015 and 2016.

ESET's analysis of the incident reports that there were two 'arms' to the attack — one focussed on the victim organisation's Industrial Control System (ICS) network, the other on its Linux and Solaris IT network — with different malware families used in each.

The ICS arm of the attack used a new variant of the 'Industroyer' malware that Sandworm used in 2016, and ESET believes (but has not yet confirmed) that this version was designed to communicate with industrial equipment and issue commands that would cut power. Wiper malware that ESET calls CaddyWiper was also used in the ICS network. ESET thinks this was deployed to "slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles".

In the IT network arm of the attack, self-propagating malware and Linux and Solaris wipers were deployed. Sandworm's previous electricity network attacks affected hundreds of thousands of people, but the outages lasted hours rather than days. Wiping both the IT and ICS networks would make it significantly harder to recover that quickly.

This is exactly the sort of destructive cyber operation that many people — including this newsletter — thought would be used in the early days of the invasion. Electricity network disruption could, at least theoretically, be used to gain some sort of tactical on-the-ground advantage for conventional military forces.

The malware was scheduled to execute on the evening of Friday 8 April, more than six weeks after the beginning of the invasion. Ukrainian cybersecurity official Victor Zhora told Reuters the attack was likely carried out to support Russian military activities in Eastern Ukraine. But information about the geographic targeting of this attack hasn't been released, so it is hard to know exactly what military advantage the Russians might have hoped to achieve by cutting power.

This incident also shows how difficult these types of attacks can be to execute. Despite a track record of launching multiple wipers (including the successful Viasat hack at the beginning of this war), literally years of preparatory activity and two successful previous attacks, the GRU weren't able to pull off this potentially high impact attack when it mattered most, in an actual shooting war.

At least to some extent, Russia may have stymied itself by showing its hand in its 2015 and 2016 electricity network attacks. These attacks certainly alerted Ukraine — and policymakers more broadly — to the threat of critical infrastructure disruption. Joe Slowik, an ICS threat hunter who now manages threat intelligence and detections engineering at Gigamon, told this newsletter that these previous attacks "absolutely" meant Ukraine ended up in a better place to defend its networks.

It's not clear if it stemmed directly from these previous Russian attacks, but there is evidence that at least one Ukrainian energy company had a long-term program to improve security. Ukraine's CERT tweeted that "the last two years’ efforts" of cyber security improvements were the reason why Ukrenergo, Ukraine's national power company, had not suffered from cyber attacks. Perhaps this tweet is just coincidental, but we don't think so — it was sent the day after the attack was scheduled to take place. One in the eye for the GRU.

China's "Preparation of the Environment" in India Could Backfire

Moving beyond Ukraine, Recorded Future's Insikt Group reports the continuation of a Chinese state-linked campaign targeting Indian critical infrastructure close to the disputed India-China border near Ladakh.

Insikt first found activity by a group it calls RedEcho targeting India's power sector in mid 2020. Insikt saw this activity increase shortly after border clashes between Indian and Chinese troops resulted in at least 20 deaths, reportedly in hand-to-hand combat using stones and clubs. Insikt saw the activity decrease immediately after its first report on the activity was published, but has seen it return in recent months.

This time round the focus on the power sector remains, but is aimed at an almost entirely different set of victim organisations. Beyond organisations in India's electricity sector, victims also include a national emergency response system and the Indian subsidiary of a multinational logistics company. This activity is similar to, but also distinct from RedEcho, so Insikt is not sure it is really the same group, although they describe it as "likely Chinese state-sponsored".

There aren't really many plausible explanations for continued targeting of power grids. As Insikt writes:

The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities. We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity.

The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations.

In other words, the Chinese government wants to be able to take down or disrupt India's electricity network.

That these operations are detected, however, may mean that they end up being counterproductive.

From a cyber security perspective, for example, continued intrusions that look to be aimed at disruption encourage governments and electricity operators to focus on security. Trying to learn how to disrupt India's electricity grid may end up making it harder to disrupt India's electricity grid.

Perhaps worse yet from a geopolitical point of view, these activities may encourage further cyber security cooperation with the Quad, the four-country security grouping that includes the US, Australia, India and Japan.

Professor Harsh V Pant, Vice President of the Observer Research Foundation in New Delhi told Seriously Risky Business this campaign would "certainly encourage closer engagement with Quad partners".

"This is not the first time Chinese hackers have targeted Indian infrastructure… and [the] Indian govt's assessment is that it is only likely to grow."

"Cyber security and emerging tech is already a big part of the Quad agenda and such incidents make it imperative to expedite this engagement from India's perspective," he said.

Finally, hacking critical infrastructure is more than a wee bit escalatory. From the victim state's point of view it can be hard to distinguish between preparatory work (even that is more than a bit annoying!) and deployment to crash critical infrastructure (prepare the guns).

Whereas Russia ignored the number two rule when it comes to cyber disruption of critical infrastructure — save it till you really need it — China is ignoring the number one rule. Do it very, very quietly.

Despite these Russian and Chinese missteps, we expect that they (and other countries) will continue to explore and develop the ability to disrupt adversary critical infrastructure. On Wednesday CISA warned certain threat actors had exhibited "the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices". Dragos has released a report on this malware which it calls Pipedream.

It looks like the US Government is taking this threat seriously. The Washington Post reports that collaboration between the government and energy sector companies has exponentially improved in recent months. Information sharing between government and companies is much better, and declassification of some information "has gone from months to in some cases hours," Bill Fehrman, president and chief executive of Berkshire Hathaway Energy (BHE), told The Post.

This collaboration even extends to the government receiving anonymised sensor data from corporate networks. Per The Washington Post:

In a campaign launched by the White House a year ago to boost the cyberdefenses of critical sectors, BHE deployed sensor software in its OT networks to look for malicious activity and vulnerabilities. The software it chose, developed by a company called Dragos, detects suspicious traffic from nation-state actors. It also anonymises the data and makes it available to analysts at the National Security Agency, the Energy Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

This is the kind of collaboration that will absolutely make critical infrastructure more resilient, but it requires that both government and industry have a shared understanding that there is a genuine threat.

Pokemon GO, War Zone Edition

Government apps are designed to make life easy. They can help people to get their tax refunds, book appointments and pay fines. And they can also be used to report enemy positions for drone targeting.

Early in the conflict Ukrainian officials modified Diia, the government's digital document and services app, to allow citizens to upload Russian troop locations. Mstyslav Banik, a director at the ministry of digital transformation which created Diia, told The Financial Times the app's position reports played "really a great role" in defending Kyiv.

Before the changes to the app were made, Ukrainian security services launched a Telegram chatbot that would allow citizens to report enemy movements. From The Financial Times:

On the second day of the invasion elderly friends of his parents, who did not have a smartphone, called to tell them where they had seen a Russian convoy close to the airport. Lysovyy immediately opened "STOP Russian War," a Telegram chatbot created by the security services, and input the location. He also put a pin in the Google Maps location, screenshotted it and sent that, plus everything else he knew.

"I think many others made the same report," he said.

About 30 minutes later the convoy was attacked by the Ukrainian military. In the distance the sky glowed orange from the flames, Lysovyy recalled.

Ukraine has been able to keep cell service largely intact, too. In response to the invasion (explained in more detail in this excellent blog series by Cathal McDaid), Ukrainian operators and regulators:

  • Allocated additional spectrum to provide more capacity as people fled
  • Provided free service — customers wouldn't be cut off if they couldn't recharge
  • Suspended all numbers roaming from Russia or Belarus to hinder enemy communications over civilian networks
  • Enabled National or Emergency Roaming so that any subscriber could use any of the three mobile networks

Cellular network resiliency kept those sweet, sweet enemy position reports rolling in.

Ukraine's initiatives here provide something of a roadmap for any country potentially facing invasion, but they also provide lessons for countries facing natural disasters such as fires and floods.

In Australia, for example, telecommunications operators have a variety of deployable kit they can roll out in a natural disaster to restore service quickly. These include wonderfully named COWs (cells on wheels), CALFs (ultraportable COWs), MEOWs (mobile exchanges on wheels), and SATCATS (satellite cell on a trailer). At least some of these have been funded by government grants.

It's pretty inefficient, though, for these operators to each independently deploy kit to provide comprehensive coverage in a disaster zone, three times over, which is what currently happens in Australia. Some telcos have realised that cooperation makes sense in these circumstances: in the US, AT&T and T-Mobile shared access to allow roaming across their networks after Hurricane Sandy in 2012, for example.

Cathal McDaid, CTO of Adaptive Mobile Security, told Seriously Risky Business that he expects "in the future we will definitely see more sharing and resilience in mobile networks planned for and built in, not least because it has been shown how critical mobile networks are".

He also thinks that emergency national roaming (where a subscriber can use any network) "is a valuable option to have in emergency situations, but many countries… don't have the legislation in place and processes agreed between the operators in place to enable national roaming". He expects many places to accelerate plans to implement emergency national roaming.

In a world with increasing disaster risk, requiring operators to implement emergency roaming in disaster zones just makes sense. Now it makes sense as a national security policy, too.

Three Reasons to be Cheerful this Week:

  1. Byebye RaidForums: Europol and the US Department of Justice announced the takedown of the RaidForums criminal hacker forum. The international law enforcement effort took a year and involved authorities from the UK, the US, Sweden, Romania, Portugal and Germany. RaidForums' chief administrator, Diogo Santos Coelho, a 21-year-old Portuguese man, and two of his accomplices were also arrested. The US DoJ indictment claims Coelho (aka Omnipotent) has been running the forum since the beginning of 2015, which implies he was 14 or 15 years old when he started! The Record has a 2021 interview with Omnipotent, in which he claims that RaidForums was originally a site to support Twitch raiders and somehow then evolved into a criminal forum. Definitely a 'see no evil' kinda guy, he told The Record "it was not my place to police" what happened on RaidForums.
  2. Mummy, Where Does Software Come From?: The Google Security blog has recent posts about improving supply chain security and SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa"). The first describes how to use GitHub Actions to generate provenance that verifiably traces a software artefact back to its source; the second describes how organisations can adopt SLSA. It's good to see advice that addresses supply chain security by breaking the problem into smaller and more manageable bodies of work. Have a squizz if you cut code professionally.
  3. Microsoft Strikes Back: Microsoft took control of seven domains being used by a group it calls Strontium, a GRU-linked actor. The domains were being used to target "Ukrainian institutions including media organisations… [and] government institutions and think tanks in the United States and the European Union involved in foreign policy". Microsoft also provided the tip off that alerted the Ukrainian energy company about the potentially destructive attack described in our first story, so that is good work too.

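Provenance is only useful if the consumer actually checks it before trusting an artefact. The following is an added example (not code from the Google Security Blog posts or from the SLSA project) of the policy checks a downloader would run over a SLSA provenance statement: it assumes the in-toto Statement v0.1 / SLSA provenance v0.2 JSON layout, assumes the DSSE envelope's signature has already been verified (for instance via Sigstore) before these checks run, and uses constructed artefact bytes plus a hypothetical trusted builder ID and source repository.

```python
"""Policy checks on a SLSA provenance statement for a downloaded artefact.

Added example, not code from the Google Security Blog posts or the SLSA
project. Assumes the in-toto Statement v0.1 / SLSA provenance v0.2 JSON
layout; the DSSE envelope wrapping the statement is assumed to have been
signature-checked already (e.g. via Sigstore). Builder ID, source repo and
artefact bytes below are constructed for illustration.
"""
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Hypothetical identifiers for the example; a real policy would list the
# builder(s) and repo(s) the organisation actually trusts.
TRUSTED_BUILDER = "https://example.com/ci/trusted-builder@v1"
SOURCE_REPO = "git+https://github.com/example-org/tool"
ARTIFACT_NAME = "tool-1.0.tar.gz"
ARTIFACT = b"#!/bin/sh\necho hello\n"   # constructed artefact bytes


def verify_provenance(artifact: bytes, artifact_name: str, statement: dict,
                      trusted_builder_id: str, expected_source: str) -> list:
    """Return the list of policy violations; an empty list means accept."""
    problems = []

    if statement.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # 1. The bytes we downloaded must match a subject digest in the statement;
    #    provenance for some other artefact proves nothing about this one.
    actual = hashlib.sha256(artifact).hexdigest()
    claimed = {s.get("name"): s.get("digest", {}).get("sha256")
               for s in statement.get("subject", [])}
    if claimed.get(artifact_name) != actual:
        problems.append(f"subject digest mismatch for {artifact_name}: "
                        f"provenance says {claimed.get(artifact_name)}, artefact is {actual}")

    predicate = statement.get("predicate", {})

    # 2. Only a builder we trust may vouch for the artefact. A developer
    #    laptop can emit syntactically valid provenance too.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id != trusted_builder_id:
        problems.append(f"untrusted builder {builder_id!r}")

    # 3. The build must have been configured from the expected repository,
    #    and that config must be pinned to a commit, not a floating branch.
    config = predicate.get("invocation", {}).get("configSource", {})
    uri = config.get("uri", "")
    if not uri.startswith(expected_source):
        problems.append(f"build config came from {uri!r}, expected {expected_source!r}")
    if not config.get("digest", {}).get("sha1"):
        problems.append("configSource is not pinned to a commit digest")

    return problems


def make_statement(artifact: bytes, builder_id: str = TRUSTED_BUILDER) -> dict:
    """Construct an (unsigned) SLSA v0.2 provenance statement for `artifact`."""
    commit = "0" * 40   # placeholder commit SHA for the constructed sample
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": PROVENANCE_TYPE,
        "subject": [{"name": ARTIFACT_NAME,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/ci/build@v1",
            "invocation": {"configSource": {
                "uri": SOURCE_REPO + "@refs/heads/main",
                "digest": {"sha1": commit},
                "entryPoint": ".github/workflows/release.yml"}},
            "materials": [{"uri": SOURCE_REPO + "@refs/heads/main",
                           "digest": {"sha1": commit}}],
        },
    }


if __name__ == "__main__":
    genuine = make_statement(ARTIFACT)
    print("genuine build:", verify_provenance(ARTIFACT, ARTIFACT_NAME, genuine,
                                              TRUSTED_BUILDER, SOURCE_REPO))
    # Same provenance, artefact swapped after the build: digest check fails.
    print("tampered artefact:", verify_provenance(ARTIFACT + b"evil", ARTIFACT_NAME,
                                                  genuine, TRUSTED_BUILDER, SOURCE_REPO))
    # Provenance self-issued from a laptop: builder check fails.
    laptop = make_statement(ARTIFACT, "https://laptop.example/dev")
    print("laptop build:", verify_provenance(ARTIFACT, ARTIFACT_NAME, laptop,
                                             TRUSTED_BUILDER, SOURCE_REPO))
```

The ordering matters: the digest check binds the statement to the bytes in hand, the builder check binds it to a trusted build platform, and the source check binds it to the repository you meant to consume. Skipping any one of them leaves a path where a valid-looking provenance document vouches for something it should not.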

Cyber Operations in War

CyberCX, a corporate sponsor of this newsletter, hosted a webinar on the "Russia-Ukraine War and the state of cyber". It features Ciaran Martin (former head of the UK's NCSC) and Admiral (Retired) Mike Rogers (former head of the NSA and Cyber Command), along with CyberCX's Alastair MacGibbon (former head of the ACSC) and Katherine Mansted (CyberCX's Director of Cyber Intelligence and Public Policy). It's worth watching, particularly if you are interested in how cyber operations are used in warfare.

Who Can You Trust? Not Thieves, Apparently

Vice reports that T-Mobile attempted to prevent stolen customer data from being leaked by paying the hackers responsible for exclusive access. Vice claims that details contained in the extradition request for RaidForums' administrator Coelho are consistent with the T-Mobile breach. According to the extradition request, a "major telecommunications company" used a third party to buy exclusive access to the database of customer data for US$200k in Bitcoin, and the seller "continued to attempt to sell the databases after the third-party's purchase". This is a good reminder that paying thieves doesn't come with any guarantees.

Rule 41: If A Cyber Operation Exists, Lawyers Will Argue About It

For fans of legal reasoning, Cyberscoop has an excellent examination of the legal issues in the FBI's disruption of the GRU's Cyclops Blink botnet (as covered in last week's newsletter). We are curious about what will happen when one of these operations goes awry.

Tracking Bitcoin

Andy Greenberg has published a sample chapter from his upcoming book about tracking cryptocurrency transactions at Wired. It's fascinating but uncomfortable reading as it details how — starting with the IRS — investigators took down the world's largest child exploitation website.


This month's Microsoft Patch Tuesday update package includes a fix for a severe Remote Procedure Call (RPC) bug. RPC is, by design, intended to get a remote computer to do something, so having an easily exploitable vulnerability in it is pretty bad. The bug doesn't require authentication or user interaction, so it is potentially wormable, and Microsoft rates exploitation as "more likely". Microsoft's suggested mitigation until systems are patched is to block TCP port 445 (SMB, over which RPC is reachable) at the enterprise perimeter firewall. Note that a perimeter block only cuts off exposure from the internet; it does nothing to stop exploitation between hosts inside the network, so patching is still the priority.

Seriously Risky Business is taking the week after Easter off. The next edition will be on 28 April.