Why Russia's Cyber War Against Ukraine Failed

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Trail of Bits.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Why Russia's Cyber War Against Ukraine Failed

In a joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch spoke with Ilia Vitiuik, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about how Ukraine has countered Russia's cyber operations.

Vitiuk described Russian cyber operations against Ukraine as a "cyber war" with destructive campaigns against Ukraine starting in 2014, eight years before the full-scale invasion. Significant destructive cyber operations he cited included NotPetya, electricity network attacks in 2015 and 2016 and a less well-known attempt to cause a train collision by interfering with a railroad control system.

Vitiuk said these incidents motivated Ukraine to improve its cyber security.

"During that time, we improved our legislation, we adopted a new cybersecurity strategy," Vitiuk said. "We invented tools and techniques that are actually effective [in] countering these Russian aggressive potential cyber attacks."

The number of cyber attacks the SBU dealt with that it believes comes from Russia have grown fivefold between 2020 and 2022. As a result, well before the physical invasion, the SBU had tremendous experience remediating and recovering from Russian attacks. Today, SBU deals with 10 to 15 "serious events" daily.

Vitiuk said experience gained over the previous eight years was probably "the crucial thing" that enabled Ukraine to counter Russian cyber operations.

There were many disruptive operations leading up to the invasion, Vitiuk said.

"It was a mixture of everything. Defacing websites, using wipers, lockers, DDoS attacks, and also the psychological disinformation campaign that actually was also launched simultaneously in order to make people panic that all of their data were stolen and will be exposed and that all the IT infrastructure will be wiped away."

Vitiuk thinks these early attacks were "about the psychology of the people". If they had succeeded, they would "wipe out a lot of infrastructure and make people panic [and] make people more vulnerable" to the subsequent invasion. This could explain why these attacks occurred weeks before the invasion rather than being timed to sow chaos as the ground invasion was kicking off.

Ukraine had help. Vitiuk describes how US Cyber Command came to Ukraine in December 2021 and provided hardware and software to help the country defend high-value critical infrastructure. Vitiuk says these actions "helped us a lot" when Russian actors targeted that infrastructure.

Vitiuk also spoke of how Russian hackers had physically relocated to be "closer to the frontlines". This was to facilitate communication with the Russian military, get better access to Ukrainian military devices captured on the battlefield and to access Ukrainian infrastructure located in occupied territories.

This forward deployment, for example, would have facilitated a recently-thwarted Russian effort to compromise Ukrainian combat information systems. Vitiuk provided more detail about the Russian effort and its potential to be extremely damaging.

The full interview is a compelling insight into cyber defence in a large-scale conflict. It is available here or on Apple podcasts:

Advanced Persistent Teenagers

Earlier this month the Cyber Safety Review Board (CSRB) released an excellent report into the activities of the Lapsus$ threat actor group. The report identifies many current security practices that aren't up to scratch and should be required reading for CISOs.

Lapsus$ was a loosely-organised transnational group of hackers based mainly in the UK and Brazil that emerged in late 2021 and went on an absolute tear in 2022. The report said the core membership was a small group of around 10 known members, and the CSRB did not find evidence of affiliation with state actors.

The group "seemed to work at various times for notoriety, financial gain, or amusement," the report said. Because Lapsus$ had ties to other threat actor groups that used similar tactics, the CSRB also considered these groups in its review.

The Board said "Lapsus$ was unique for its effectiveness, speed, creativity, and boldness". Despite its small size, the group managed to compromise high-profile companies including Microsoft, Uber, Nvidia, Rockstar Games, and Samsung. The group's "attacks were consistently effective against some of the most well-resourced and well-defended companies in the world".

Rather than diving into specific incidents, the review took a holistic approach and made recommendations about the systemic issues that enabled Lapsus$' attacks.

In an interview on the Risky Business podcast last week, CSRB Deputy Chair Heather Adkins said Lapsus$ included "very creative kids who have digital skills" but the "large majority of the very successful attacks against well-defended organisations stemmed from some fairly basic social engineering".

"[Lapsus$] were just using accents, different languages, just calling people up, if the first thing didn't succeed they'd try, try again until something succeeded," Adkins continued. "They weren't really worried so much about failing, they were only worried about succeeding."

Another aspect of Lapsus$’ success, she said, was that "there were really no rules" for the group.

Some members of Lapsus$, for example, exploited Emergency Disclosure Requests, emergency requests for information from service providers, typically law enforcement agencies, for sensitive personal information about targeted people. The group would then use this information to take over online accounts and access personal photos for use in extortion attempts.

Some of the groups related to Lapsus$ also harassed cyber security researchers and staff at targeted organisations. The report said:

The seriousness of this activity ranged from mischief to dangerous behaviour. Lapsus$ was known to join and monitor an organisation’s incident response channels, and in one instance took over a screen share and deleted resources live in front of the victim. Similarly, Lapsus$ publicly posted screenshots of victim environments to demonstrate their access. On the more serious end of this behaviour, loosely affiliated threat actors threatened and harassed security professionals by publishing their personal information online, i.e., doxing, and pestered targeted organisations’ employees on Keybase, Twitter, and other online forums. The Board also heard of a subset of threat actors that recruited forum members to hijack cybersecurity professionals’ online accounts, and conducted swatting attacks against them and their families. This demonstrates the potentially serious physical threat these groups posed.

Adkins described this behaviour as a "wake up call".

"Believe it or not, many of the nation state actors we study are professionalised. They are not going to call up your local police department and have your house swatted."

Adkins thinks this results in many infosec people thinking "about the bad guys at a distance … [and that] they're going to operate within these constraints that we assume and we build these … investigator biases around how they behave."

Aside from breaking imaginary norms of behaviour, Lapsus$ was also particularly adept at exploiting the 'seams' between organisations. It identified points of weakness or vulnerability that existed in these relationships and exploited them ruthlessly.

In one example, Lapsus$ targeted a company that provided technical support for identity vendor Okta in order to access Okta's downstream customers. Although the breach did not compromise Okta customers, the report describes it as a "remarkable example of a creative three-stage supply chain attack".

The group targeted telecommunications providers because of their role in authentication processes that involve One Time Passcodes (OTPs) sent via SMS and voice calls. Lapsus$ compromised telecommunications infrastructure or subverted business processes and accounts to access these authentication mechanisms.

Some of Lapsus$’ techniques fell into the 'it’s not dumb if it works' category. For example, the group could rely on MFA push fatigue when spamming employees with access approval requests until they simply said yes. The report said "sometimes these prompts occurred late at night, or during inconvenient times, possibly to increase the likelihood of the employee accepting the prompt".

Lapsus$ also tried to recruit insiders from targeted organisations and posted advertisements offering money for access to internal systems. The group offered up to USD$20k per week to insiders to conduct SIM swaps.

If it didn't have inside help, the group would carry out fraudulent SIM swaps to enable access to other target accounts.

One clear message from the report is that SMS and voice-based MFA processes provide weak protection against determined attackers. From a CISO's point of view, they are better than nothing, but only barely.

So it is no surprise that many of the report's recommendations focus on improving identity management while mitigating telecommunications and reseller vulnerabilities.

The report recommends "everyone must progress toward a passwordless world", and mentions technologies built into consumer devices, such as FIDO2-compliant solutions, WebAuthn and Passkeys.

At the same time, the Board recognised that implementing these solutions will take time and that SMS and voice authentication processes will be around for a while.

There are a swathe of recommendations aimed at making telco SIM swapping procedures more rigorous. The report suggests that the Federal Communications Commission and the Federal Trade Commission "standardise and facilitate the adoption of best practices to reduce or eliminate fraudulent SIM swaps".

These are exactly the kind of specific recommendations that we hoped would come out of a report like this. They address the root causes that allow Lapsus$ and groups like it to be successful, but they can only be arrived at by examining a broad set of incidents.

Three Reasons to be Cheerful this Week:

1. 16Shop phishing arrests: An international operation coordinated by Interpol has resulted in the arrests of three individuals associated with the '16shop' phishing-as-a-service platform. Two of the suspects were arrested in Indonesia and one in Japan. Cyber security firm Group-IB says the platform has been active since late 2017 and has been used in the creation of over 150,000 phishing domains. The platform's administrator was a 21-year-old based in Indonesia.
2. Three years prison for USD$20m of SIM Swapping: A US court sentenced 26-year-old Anthony Francis Faulk to three years in prison for his role in a cryptocurrency hacking trio. The trio tricked cellphone service providers into transferring victims’ phone numbers to a SIM under their control. Faulk and his co-conspirators would then reset passwords for email and cryptocurrency trading accounts to empty the associated wallets.
3. NCSC Ransomware Tipoffs: The UK's National Cyber Security Centre is disrupting ransomware attacks by tipping off potential victims prior to the deployment of encrypting malware. Detecting the ransomware attack is the easy part, apparently the hard part is finding contact details for the potential victims. Only one in 50 targeted organisations are alerted and sometimes the person contacted believes the  NCSC is a scammer. The NCSC is appealing for more British organisations to join its Early Warning program to receive these alerts.

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Dan Guido, CEO of Trail of Bits, about AI. Dan thinks AI technologies will be a "game changer." But he also thinks the conversation around AI is not very sophisticated just yet.

Trail of Bits co-founder and CEO Dan Guido was asked to provide feedback on the effects of AI on modern technology at a meeting of the Commodity Futures Trading Commission's Technology Advisory Committee (TAC) on July 18. His comments are summarised in the company's blog here and are available in full in the video below.

Shorts

Another Glenn Greenwald Source Goes to Jail

Brazilian authorities have sentenced a hacker named Walter Delgatti Neto to 20 years in prison in connection to the so-called Vaza Jato leaks.

In 2019 he leaked messages from prosecutors involved in an anti-corruption probe. These leaks revealed that a judge, Sérgio Moro, had coached prosecutors during a corruption investigation known as Operation Car Wash, or "Lava Jato".

One of Moro's investigations resulted in the conviction of former Brazilian President Lula da Silva, which forced him out of the 2018 presidential poll. Moro was appointed to serve as the justice minister in the Bolsonaro government in 2019.

The Brazilian Supreme Court later ruled that Moro was biased against Lula. Lula's conviction was subsequently annulled, and he is once again serving as President of Brazil.

Latest Open Source Hippies: The US Government

The US Government has announced a request for information seeking help on ways to secure open source software.

The post compares the effort to secure open source software to the investment required to build the US interstate highway system. Although the investment was massive, the returns were also huge. We like the analogy, but of course the announcement doesn't commit any funding!

The White House also launched a two-year competition led by DARPA to use AI to identify and fix software problems. The competition will feature almost USD$20m in prizes and we think it will move the needle. AI assistants are already being used to help write code, so they need to be security savvy too.

Preparing For the Post-Quantum Future

CISA, NIST, and the NSA have published a joint guide to help organisations migrate to post-quantum cryptographic algorithms. Essentially, the guide says you should figure out what encryption systems you are using and come up with a plan to migrate to quantum-secure systems..

Google is taking these first steps and last week announced the release of the first "quantum resilient" FIDO2 security key.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at  hacking CCTV cameras for fun and profit.

From Risky Biz News:

US warns space sector of hacks, spying, IP theft, and sabotage: As the US private space sector is growing into a global behemoth and as Starlink shows the crucial role private satellite networks can play in a military conflict, the US government is urging companies to bolster their defenses against foreign sabotage and espionage.

Three US intelligence agencies—the FBI, the National Counterintelligence and Security Center, and the US Air Force Office of Special Investigations—published a joint security advisory [PDF] last week describing the type of threats the commercial space industry could face from foreign intelligence agencies.

Officials warn of hacks, malicious insiders, employee recruitment efforts, and misleading investments and business partnerships.

All of these are designed to enable espionage, the theft of intellectual property, and sabotage of space infrastructure in the case of a military conflict.

[more on Risky Business News]

Lockbit has been bluffing in extortion schemes, is close to an implosion: New clues discovered by threat intelligence analysts suggest that the Lockbit ransomware group may be having technical difficulties, which have contributed to the operation losing some of its top affiliates over the past months.

According to a report published by Analyst1's Jon DiMaggio, the Lockbit gang is having problems publishing and leaking victim data on its dark web leak site.

The gang has run out of server storage, DiMaggio says. It often claims that a victim's files have been published, but the files can't be downloaded.

[more on Risky Business News]

PowerShell's official package repo is a supply chain mess: PowerShell Gallery, the official repository for the PowerShell scripting language, contains (still-unfixed) design flaws that can be abused by threat actors for typosquatting and impersonation attacks.

Discovered by cloud security firm AquaSec, these issues can be weaponized in supply chain attacks to trick developers into downloading and running malicious PowerShell packages on their systems or inside enterprise applications.

[more on Risky Business News]