Srsly Risky Biz: Thursday March 17

Pulling Russia's Plug a Gift to Putin

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Pulling Russia's Plug is Counterproductive

Efforts by American companies to disconnect Russia from the Internet are understandable but ultimately counterproductive. To a degree, they play into Putin's hands.

Two of the world's largest backbone providers, Cogent and Lumen, stopped servicing customers in Russia. Similarly, the London Internet Exchange, one of the world's larger internet exchange points, booted Rostelecom and Megafon (Russia's largest ISP and second largest mobile telco) out of the exchange.

Cogent and Lumen both told CNN that they were concerned about their networks being used to carry offensive cyberattacks from Russia, which strikes us as dumb, especially since their actions haven't actually disconnected Russia from the internet. Disconnecting the internet is not usually the best way to protect yourself from cyber attacks.

This kind of internet disconnection, however, if not exactly what Putin wants, at least aligns with the Russian government's own actions. It has already isolated itself from the Western internet by essentially banning Instagram, Facebook and Twitter on various pretexts. It's also creating its own certificate authority to overcome sanctions that prevent certificate renewal. But this is a perfect example of playing into Putin's hands — this move will enable Russian agencies to decrypt domestic HTTPS traffic and stage person-in-the-middle attacks.

At least when it comes to social media, Russian citizens aren't taking these bans lying down — they are actively installing VPN services. Rather than removing internet access, it might be more constructive to offer free VPN services and Tor bridge relay access to Russia.

Internet disconnection causes a lot of collateral damage. Yes, the Russian government uses the internet, but it's ordinary people who reap most of the benefits. Disconnection from Cogent, for example, also affected downstream internet in Kazakhstan, Tajikistan and Uzbekistan.

Removing Russia from the Internet might feel good but will prevent Russian people from seeing news from the outside world. Will unfiltered news in Russia encourage activism that results in the (political) demise of Putin? Probably not. But at least it will tilt things in that direction. Once Putin builds out a more sophisticated architecture of censorship and repression, a la the Great Firewall of China, that window of opportunity will be shut forever.

A Different, Much Worse Type of Hacktivism

Russia's invasion of Ukraine has already caused disruption in the ransomware ecosystem, but perhaps counterintuitively, this disruption could result in more deliberately destructive ransomware attacks. Polarisation in cybercrime communities coupled with reduced ransomware payments could result in a focus on disruption rather than payment.

Five Eyes cyber security agencies have all warned of a potentially heightened threat environment following the Russian invasion of Ukraine.

Until now, the concern has been Russian state-based attacks in retaliation for stringent international sanctions. This seems plausible. As international isolation bites there are few other options that could be used to impose costs and cause pain in the West.

There is also a second possibility that this newsletter has mentioned before — that Russia-based ransomware gangs will be given a green light, or even encouraged, to attack Western targets. This is still on the cards. The recent Conti leaks have not demonstrated direct tasking by Russian government agencies, but there does appear to be at least some (perhaps informal) relationship between the crime group and law enforcement.

So what would drive ransomware crews to lash out and launch destructive attacks on their own? Well, they're having *pRoBLeMs*.

Brett Callow, threat analyst at Emsisoft, told Seriously Risky Business that the war was causing "supply chain" disruption amongst Russian-based ransomware groups. "The war seems to have created some problems for Russia-based gangs due to them either having affiliates or other personnel based in Ukraine and/or using services such as money-laundering which operate from Ukraine."

In addition to direct disruption of Ukraine-based operations, Callow has also seen increased levels of distrust and dispute among cybercriminals. "They were already a paranoid bunch and the divisions created by the war have made them more paranoid than ever, especially as they don’t necessarily know the real identity and locations of the people they deal with," he says.

In addition to making criminals wildly paranoid, it appears the war is also polarising cybercrime communities and members are choosing sides. We saw this dynamic play out in the Conti leaks — as discussed in this newsletter the group's strongly pro-Russian stance of "full support of Russian government [sic]" led to a Ukrainian member (or security researcher) leaking years of Conti chat logs and other information.

In response, some ransomware groups have declared political neutrality, describing themselves as "apolitical" or issuing mealy-mouthed statements.

However, trying to paper over the horrors of this brutal war with PR-like statements simply doesn't work when cities are being destroyed and friends and family are being killed. An Accenture report collates evidence of the polarisation of the cybercriminal underground.

Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities in support of Ukraine. However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting "enemies of Russia," especially Western entities due to their claims of Western warmongering.

Strikingly, the report highlights a survey conducted on the Russian-language XSS cybercrime forum where 17% of respondents said that they were willing to target Russian entities. That's a large percentage when you consider these groups and forums have previously operated on a principle of not targeting organisations within Commonwealth of Independent States countries.

In addition to this disruption within gangs, Western financial sanctions will make collecting ransoms more difficult as victims are increasingly concerned about paying ransoms to sanctioned entities and cryptocurrency exchanges crack down on laundering. While recent US sanctions against Russia do not specifically mention ransomware groups, a US Treasury FinCEN alert warns institutions to be on the lookout for transactions related to Russian ransoms.

Caroline Malcolm, Head of International Policy at Chainalysis, told Seriously Risky Business that sanctions do apply to crypto assets and that they can be applied "much more efficiently in crypto".

"The cryptocurrency ecosystem can put measures in place to identify transactions from identified sanctioned entities and individuals," she says.

Binance, the world's largest exchange, claims to comply with sanctions while Coinbase, the largest US exchange, says it has over time blocked 25,000 Russia-linked addresses it believes are involved in illegal activity.

In the long term, all this sounds like good news — disruption in ransomware operations and reduced payments. Part of what makes ransomware groups effective is that they have the money to operate as businesses, so reduced funding would eventually flow through to reduced capability. What's not to like?

In normal times, being too disruptive, a la Colonial Pipeline, brings law enforcement and even international attention. The most damaging or extreme operations are likely moderated by the need to fly under the radar.

But now the threat from that 'radar' has essentially disappeared, at least from an international perspective. No matter how destructive or disruptive attacks are, there is now no conceivable international diplomatic pressure that could be applied to influence Russian government behaviour towards ransomware crews — Russia is already cut off, what more can be done?

In the short term, increased polarisation and nationalistic fervour coupled with the decreased likelihood of successful ransoms could result in more frequent and ruthless attacks. With a war taking place we think ransomware groups might want to strike back, especially given citizen action supporting Ukraine against Russian entities. And if you aren't going to get paid anyway, why moderate behaviour to maximise profits over time?

So far, at least, Callow has not seen evidence that ransomware groups have changed their approach. "There is no obvious indication of either a significant increase or decrease at this point in time," he said.

So if you are a CISO, prepare for the worst, while we here at Risky Business hope we're wrong.

Three Reasons to be Cheerful this Week:

  1. More disclosure a good thing: This week the Strengthening American Cybersecurity Act passed — it places mandatory disclosure timelines on critical infrastructure operators for breaches and ransomware payments. And the US Securities and Exchange Commission has proposed stricter cyber security reporting requirements for public companies. The changes are designed to standardise disclosure practices, which the SEC says have improved but are still "inconsistent" across companies. The changes strengthen material cyber security incident reporting requirements (within four days) and also require regular reporting on cyber security risk management, strategy and governance.
  2. A (Pyrrhic) Win for CafePress Victims: The US Federal Trade Commission intends to fine CafePress, a custom t-shirt and merchandise store, USD$500k because it "employed careless security practices and concealed multiple breaches from consumers". The litany of security failures is pretty grim. Password reset questions and answers (stored unencrypted) were stolen, but despite knowing the information had been compromised CafePress still allowed password resets on affected accounts. Perhaps even worse, if a shopkeeper's account was hacked, rather than helping resolve the problem CafePress would close the account and charge the shopkeeper a USD$25 account closure fee. The USD$500k fine will go towards compensating the millions of victims of a February 2019 data breach.
  3. Double Happiness: Two ransomware affiliates have arrived in the US to face court proceedings. Yaroslav Vasinskyi, a Ukrainian man, was arraigned in Texas for allegedly using REvil ransomware to carry out the Kaseya hack, which affected on the order of a thousand organisations and is perhaps the single biggest ransomware incident by number of companies affected. And Sebastian Vachon-Desjardins, a Canadian man, has been extradited to the US for "dozens of ransomware attacks". Vachon-Desjardins looks to have been pretty successful — Canadian law enforcement found CAD$790k in cash at his home along with 719 BTC, valued at about USD$28m.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Proofpoint's Executive Vice President of Cybersecurity, Ryan Kalember, walks Patrick Gray through Proofpoint's Nexus People Explorer. It helps to manage risk by showing who the most targeted and most vulnerable people are in your organisation.

You can subscribe to our product demo page on YouTube here.

Robot Zelensky from Hell

A deepfake video of Ukrainian President Volodomyr Zelensky surrendering was distributed via a hacked Ukrainian news outlet. It was quickly debunked by Zelensky and has been removed from Facebook. The video doesn't seem to have had much impact beyond being a curiosity, probably because anyone looking at it can tell it's obviously fake. Various Ukrainian military accounts have warned of the possibility of a Zelensky surrender deepfake since early March.

Mystery Solved

Last year we wrote about the very-good-but-also-very-flawed OPSEC of Jonathan and Diana Toebbe, an American couple accused of attempting to sell nuclear submarine technology to a foreign government. We thought the foreign government was France at the time, especially since one of Toebbe's encrypted messages to his handler spoke of the "chance to stumble into each other at a cafe, share a bottle of wine and laugh over stories of their shared exploits".

But it turns out it was Brazil, which is embarking on a nuclear submarine program and apparently also has cafes and wine.

More GSM Military Comms

Last week we wrote "it doesn't appear that Russian generals are phoning Putin on their iPhones using Ukrainian SIM cards. Yet." This week, evidence emerged that Russian commanders are receiving instructions from Russia via mobile phone.

The Security Service of Ukraine announced it had found a SIM box being used by Russian forces to send texts to Ukrainian officials and also for command communications to and from Russia. Within Ukraine the SIM box routed messages and calls over the mobile network, but it carried the international leg of communications to and from Russia over an IP network.

Cathal McDaid, CTO of AdaptiveMobile Security, told this newsletter this approach would "be more useful for a field-initiated call, as these calls [from Ukraine to Russia] are reported to be blocked". Calls from Russia to Ukraine don't appear to be blocked but "are presumably monitored," so McDaid thinks the main motivation in calling via the SIM box from Russia is to avoid mobile network interception.

So not yet Putin himself, but perhaps next week.

Kaspersky? Nein!

The German Federal Office for Information Security warned that Kaspersky could be coerced by the Russian government to act against its clients' interests. Well duh! Who would have thought it would take an invasion to realise that? Another protip for our German readers: relying on Russia for your energy supply is also very dumb.

Intrusion Truth on China attacking Ukraine

Intrusion Truth, the mysterious group that publishes blogs that dox Chinese intelligence operatives, has observed Chinese hackers "conducting cyber attacks against Ukraine". Its Twitter thread implies that this is an indication the PRC might have chosen to support Russia in this conflict.

Depending on the nature of the attack, we don't think that necessarily follows. Many governments, not just China, have very strong intelligence interests in reducing the fog of war. What is really going on? How will the war develop? In isolation the existence of a cyber operation doesn't necessarily mean a country has chosen a side.

Fatal MFA re-enrollment flaw

CISA is warning that Russian groups are using stolen or brute-forced credentials to bypass MFA by taking advantage of 2FA re-enrollment for dormant accounts. It's worth examining policies for dormant accounts to make sure this loophole doesn't exist.
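The loophole described above has two defensive angles: spotting it in authentication logs after the fact, and auditing account policy before it is abused. The script below is an added example written for this newsletter item, not code from CISA or from any identity product. It works over a constructed sample log (the users, timestamps and event names are invented; the 90-day dormancy threshold and one-hour enrollment window are assumptions to be tuned per policy) and flags an MFA enrollment that lands within minutes of the first sign-in to an account that had been silent for months, while leaving a re-enrollment days later, and a recently active account, unflagged. A second function lists dormant accounts that still permit self-service MFA enrollment, which is the policy gap to close.

```python
"""Dormant-account MFA re-enrollment: detection over auth logs, plus a policy audit."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DORMANT_DAYS = 90                    # inactivity threshold (assumption; set per policy)
ENROLL_WINDOW = timedelta(hours=1)   # enrollment this soon after reactivation is suspicious

# Constructed sample authentication log (not real data): "<ISO time> <user> <event>"
SAMPLE_LOG = """\
2022-03-01T08:00:00 alice LOGIN_SUCCESS
2022-03-10T09:15:00 alice LOGIN_SUCCESS
2022-03-10T09:16:00 alice MFA_ENROLL
2021-11-20T01:00:00 bob LOGIN_SUCCESS
2022-03-11T02:30:00 bob LOGIN_SUCCESS
2022-03-11T02:33:00 bob MFA_ENROLL
2021-10-01T10:00:00 carol LOGIN_SUCCESS
2022-03-12T11:00:00 carol LOGIN_SUCCESS
2022-03-14T11:00:00 carol MFA_ENROLL
"""

# Constructed account inventory: user -> (last successful login, self-service MFA enrollment allowed)
SAMPLE_ACCOUNTS = {
    "alice": (datetime(2022, 3, 10, 9, 15), True),
    "bob":   (datetime(2021, 11, 20, 1, 0), True),
    "dave":  (datetime(2021, 6, 1, 12, 0), False),   # dormant, but enrollment already locked
    "erin":  (datetime(2021, 9, 1, 12, 0), True),
}
SAMPLE_NOW = datetime(2022, 3, 17)   # "today" for the audit (constructed)


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the three-column sample format and sort events per user by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, kind))
    return sorted(events, key=lambda e: (e.user, e.ts))


def find_dormant_reenrollments(events: List[Event],
                               dormant_days: int = DORMANT_DAYS,
                               window: timedelta = ENROLL_WINDOW) -> List[Tuple[str, str, int]]:
    """Return (user, enroll_time_iso, days_dormant) for each MFA_ENROLL that occurs
    within `window` of the first successful login following >= dormant_days of silence."""
    last_login: Dict[str, datetime] = {}
    reactivated: Dict[str, Tuple[datetime, int]] = {}   # user -> (reactivation time, gap in days)
    hits: List[Tuple[str, str, int]] = []
    for e in events:
        if e.kind == "LOGIN_SUCCESS":
            prev = last_login.get(e.user)
            if prev is not None:
                gap = (e.ts - prev).days
                if gap >= dormant_days:
                    reactivated[e.user] = (e.ts, gap)
            last_login[e.user] = e.ts
        elif e.kind == "MFA_ENROLL":
            react = reactivated.get(e.user)
            # Enrollment long after reactivation (carol) falls outside the window and is not flagged.
            if react is not None and e.ts - react[0] <= window:
                hits.append((e.user, e.ts.isoformat(), react[1]))
    return hits


def dormant_accounts_open_to_reenrollment(accounts: Dict[str, Tuple[datetime, bool]],
                                          now: datetime,
                                          dormant_days: int = DORMANT_DAYS) -> List[str]:
    """Accounts inactive for >= dormant_days that still allow self-service MFA
    enrollment: candidates to disable outright, or to lock enrollment on."""
    return sorted(user for user, (last, allowed) in accounts.items()
                  if allowed and (now - last).days >= dormant_days)


if __name__ == "__main__":
    for user, when, gap in find_dormant_reenrollments(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {user} enrolled a new MFA device at {when} after {gap} days dormant")
    for user in dormant_accounts_open_to_reenrollment(SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(f"POLICY: {user} is dormant and can still self-enroll MFA")
```

The detection keys on the gap between consecutive successful logins rather than on a static "dormant" flag, so it also catches accounts nobody remembered to mark dormant; the audit is the cheaper fix, since an account that cannot self-enroll a new factor gives a stolen password nothing to do.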

ViaSat hack evidence accumulates

Last week our lead story speculated that a Russian cyber operation disabled satellite communications terminals that the Ukrainian military used. Evidence continues to mount that our speculation was bang on. Victor Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, told reporters that the incident caused "huge loss in communications in the very beginning of the war".