Srsly Risky Biz: Thursday March 10

Inside Russia’s Battlefield Communications Failures

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Hackers! In Space!!

Interesting — but not conclusive — reporting suggests that a destructive cyber incident targeting satellite communications provider ViaSat was aimed at disrupting Ukrainian military communications.

ViaSat suffered network outages on 24 February — the same day as the invasion of Ukraine — on KA-SAT spot beams servicing Eastern Europe including Ukraine. The outages had effects beyond Ukraine, disconnecting 5,800 wind turbines in Germany from their monitoring system and affecting other customers in Germany, France, Hungary, Greece, Italy and Poland.

This newsletter didn't report the incident at the time as there wasn't a clear motive for a Russian attack — why disrupt only satellite access when the Russians didn't appear to be trying to disrupt internet access in Ukraine?

But more information has come to light.

German newspaper Der Spiegel reports that KA-SAT services were used "intensively by the Ukrainian military". And speaking at a press conference, General Michel Friedling, head of France's Space Command, revealed that "tens of thousands of terminals have been damaged, made inoperable and probably cannot be repaired".

So a crime, with a motive. And security researcher Ruben Santamarta has described some ways the attack could be carried out. His research, previously presented at Black Hat in 2014 and 2018, illustrates a couple of different ways that terminals could be permanently disabled. For example, network operators have a lot of control over customer terminals, so if an attacker could spoof commands from the network they could issue commands that effectively disable terminals. It's also possible an attacker just pushed a bad firmware update.

So yes, chances are it was Russia wot dunnit.

Inside Russia's Battlefield Communications Failures

Russia's war in Ukraine is giving us insight into what it looks like when the wheels fall off secure communications, with COMSEC failures providing a treasure trove of SIGINT collection opportunities.

There are a number of reports that Russian forces are using unencrypted communications from handheld radios and cell phones. The most eye-catching public example is an intercepted phone call from a deployed FSB officer reporting back to his boss in Russia. In this phone call, the major news the officer in Ukraine relays is the death of Major General Vitaly Gerasimov, Chief of Staff of the 41st Army (not of the Gerasimov "doctrine" btw). He also reports that they've lost all secure communications, hence the use of a local SIM card on the Ukrainian telecommunications network, which allowed interception.

One of the secure communications options available to the FSB officer is the Russian Ministry of Defence Era smartphone, which was intended to securely provide smartphones to military users on bases. It's not intended for battlefield use, and here's why: In Kharkiv, where the FSB officer was calling from, the 3/4G network had been taken down by the Russians themselves — there was no data connection and therefore no secure comms available via the Era smartphone.

So why are Russian intelligence officers trying to use smartphones from the front?

Russian secrecy likely played a big role here. A Russian officer told The New York Times he only learned of the invasion the night before and soldiers below the rank of sergeant were only told after they'd crossed the border.

This excessive secrecy may also have prevented or interfered with the effective distribution of key material for Russian encryption equipment — perhaps not enough keymat was provisioned or maybe it wasn't effectively synchronised across its force. Key distribution is hard.

Additionally, it's also possible that Russian forces decided to forgo encryption for some tactical comms. Although a well-equipped modern army would use secure communications for everything from strategic command all the way down to tactical squad-level messaging, at the squad level the rationale for encryption is less pressing. The value of tactical intelligence is short-lived and the radios are relatively short-range and therefore less likely to be intercepted.

At the tactical level the Russian military has the encrypted frequency hopping Azart radio and it is being used in Ukraine, but the story behind these units is interesting in itself.

The Azart radio's acquisition was plagued by corruption — perhaps a third of the contract funds were allegedly embezzled as the military was charged inflated prices whilst production was outsourced on the cheap to China. It's possible that the radios simply aren't up to scratch and we question the wisdom of outsourcing their production to foreign manufacturers. A shortage may also reflect a deliberate decision to allocate funds elsewhere, such as, for example, focussing on securing more strategically important communications links.

At that more strategic level Russia also has a variety of mobile radio relay stations that it could use in Ukraine — some of these were seen near Ukraine in Belarus and Russia in the build-up to the invasion. These types of vehicles can theoretically relay encrypted communications 30 to 40km (line of sight) and are used to set up longer range secure comms links. Ideally, these kinds of radio relay stations would be located on high ground with antennas mounted on tall masts. This means these vehicles are not only attractive targets, but also very visible ones. At least one may have been destroyed in Ukraine. These relays also need fuel to continue operating, so fuel supply difficulties could also be affecting their operation.

There are other options beyond line of sight relay stations including HF and satellite comms. HF, however, is very low bandwidth and requires well-practised, expert operators. A former SIGINT intelligence officer told this newsletter the difficulty of establishing reliable communications especially when moving was "more art than science" and HF was a second or even third choice in a modern battlefield.

And satellite communications? Well, we don't know, and that is part of the point — in open source reporting we see the spillover, not communications that are covert and encrypted. The Kremlin would certainly have an insatiable appetite for news from Ukraine, and we've seen none of those high-level messages being reported publicly. It doesn't appear that Russian generals are phoning Putin on their iPhones using Ukrainian SIM cards. Yet.

And make no mistake, there are a LOT of smartphones on the battlefield, courtesy of Russian soldiers. There are a host of understandable reasons that even well-trained troops break COMSEC protocols. Soldiers, perhaps young and frightened, want to stay in touch with friends, family and loved ones. Perhaps their wife is going through a difficult pregnancy, their parents are ill, or they are simply addicted to social media. For all these reasons and more soldiers — even in well-trained professional forces — will sneak cellphones into the field.

This all adds up to a treasure trove for NATO country SIGINT operations. Reconnaissance aircraft operating in Romania and Poland are hoovering up all they can to find out about Russian forces (and passing it to the Ukrainians), and we have no doubt the Ukrainian services are having a field day on their cellular networks. This is a unique opportunity to see how Russian forces communicate when they are operating under pressure, without holding capabilities in reserve as they would in other collection opportunities such as military exercises.

And for Ukraine in particular, Russia's porous COMSEC allows them to seize the propaganda advantage by publicising the right intercepts such as that GSM phone call from that FSB officer in Kharkiv.

Ukraine Launches CrimesCrowd™ Breach Bounty Platform

Going one step beyond the volunteer IT Army of Ukraine, a Ukrainian cyber security firm, Kyiv-based Cyber Unit Technologies, is offering a bounty to anyone who hacks a Russian organisation on its target list.

As we expressed in last week's newsletter, these kinds of citizen actions could be annoying to Russia, but won't materially contribute to resolving the war and could even be counterproductive. When a nuclear-armed state is the problem, only other states have the power to change its trajectory, but widespread hacking could actually compromise more impactful operations already underway.

Right now it feels like joining the IT Army would be taking a small role in a "just war", and we are sceptical that anyone will be prosecuted for joining Ukraine's cyber militia. But what is the correct response if our citizens are involved in cyber attacks on Russian critical infrastructure?

The world is an uncertain place, so it is at least possible that the kind of conflict that results in volunteer cyber militias will become more common. So it's probably not a bad idea for governments to try to set boundaries so that volunteers don't accidentally set off the next NotPetya.

Three Reasons to be Cheerful this Week:

  1. Twitter has a Tor Onion service now: Tor is not perfect, but since Twitter is being blocked or at least throttled in Russia spinning up a Tor onion service is a good move for Twitter.
  2. Russian cyber attacks miss the mark: In testimony to the House Select Intelligence Committee, General Paul Nakasone, Director of US Cyber Command, said that Russia had conducted three or four cyber offensive operations against Ukraine, but some of the intended effects had been prevented because of good Ukrainian defence, “some of the challenges that the Russians have encountered, and some of the work that others have been able to [do to] prevent their actions”.
  3. The Strengthening American Cybersecurity Act passed the Senate: The bill mandates that critical infrastructure providers report incidents to Homeland Security within 72 hours of a breach and within 24 hours of paying a ransom.

Paying the Bills

In our latest demo Eugenio Pace shows Patrick how the Auth0 platform integrates modern authentication into an application. If you happen to subscribe to our product demo page on YouTube we sure would appreciate it.

Shorts

The APTs are Restless

A PRC-aligned group, Mustang Panda (aka Red Delta or TA416) has been targeting European diplomats using the war in Ukraine as a lure. Both Google's TAG and Proofpoint (a corporate sponsor of this newsletter) report on the activity, which looks to be the same based on the use of the same lure document "Situation at the EU borders with Ukraine.zip". Interestingly, although Google reports that Mustang Panda focuses on Southeast Asia, Proofpoint found consistent targeting of European diplomatic entities dating back to 2020.

In another report from the beginning of this month, Proofpoint describes a state-sponsored group they call TA445 targeting "European government personnel involved in managing the logistics of refugees fleeing Ukraine". TA445 could well be the same as the (reportedly) Belarusian Ghostwriter team, known for its disinformation campaigns. The phishing campaign used a macro-enabled "list of persons.xls", likely referring to a "kill list" of Ukrainian citizens that the Russian FSB is purportedly developing. It's all pretty grim, and makes us wonder if Ghostwriter was responsible for the Red Cross hack we wrote about last month.

Azure's Absolute Clanger

A researcher at Orca Security, Yanir Tsarimi, found that Microsoft's Azure Automation service would give out authentication tokens that belonged to other accounts. The access granted by the stolen tokens depended upon the permissions granted by the legitimate Azure customer, but could potentially be very broad. Tsarimi points out how using cloud services can be a double-edged sword: "Cloud service vulnerabilities are scary. Think about all the companies potentially impacted by one single bug. On the flip side, it was fixed within a few days with minimal work". This vulnerability was awarded a USD$40k bounty.

A second big bounty payout this week involved Meta. Security researcher Youssef Sammouda found a set of bugs in the way Facebook hosts online games. These bugs allowed a malicious game to steal a user's Facebook access token and take over a user's account and any other account linked to it (eg Instagram). This earned Sammouda a USD$98k bounty.

This isn't Sammouda's first go at some of these bugs — he'd previously earned USD$126k for bugs in the same Facebook technology and one of the new bugs was a bypass for a previous fix. Why get paid just once?

Conti Members Doxxed but Undeterred, For Now

Following in the footsteps of ContiLeaks, which has been leaking Conti chat logs and source code (as discussed last week), other Twitter accounts have been doxxing Conti members with details including photos, email addresses and phone numbers.

Brian Krebs' series based on Conti's leaked chat messages, covering Evasion, The Office, Weaponry and Cryptocrime, is stellar. It covers tooling, ransom negotiations, hacking and open source tools, and cryptocurrency pump and dump schemes. One thing that is not entirely illuminated is Conti's relationship with Russian law enforcement and the FSB in particular. It looks like Conti received tips about law enforcement investigations into them and perhaps even some protection — a Conti member was assured that law enforcement investigations would go nowhere. But Krebs doesn't report any indication of direct tasking from the police or FSB.

Despite Conti members being outed, however, it appears that the group has bounced back and resumed operations. If a core group in Russia is immune from law enforcement action it'll be a constant battle to keep a lid on the group.

Ni Hao Brown Cow (Or, 你好马 lol)

APT41 used a vulnerability in the USAHerds animal health management web application to compromise at least six US state governments, Mandiant reports. Giddy up!

Mandiant also says APT41 has developed a Linux version of the KEYPLUG backdoor it has been using to target Windows environments. This version is now being deployed via Log4Shell into Linux environments. Mandiant also noticed APT41 had "substantially increased" use of Cloudflare services for command and control and data exfiltration.

APT41 is a prolific Chinese cybercrime and espionage group with a history of significant supply chain compromises including the CCleaner and ASUS attacks. It is not clear what interest it has in US state governments.

In other Mandiant-related news, it's just been bought by Google. Hopefully Mandiant maintains its robust track record of unveiling state hacking groups, although we worry that this isn't compatible with Google's approach.

Alexa's Self-Abuse

Amazon Echo devices can issue commands to themselves via the Alexa voice assistant. An attacker could connect to it via Bluetooth and command the Echo to buy things, call phone numbers or change calendar appointments, for example.