Cyber Pulse: Edition 177 | 4 March 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Warning for individual hackers to step down or risk escalation of war

Disruptive cyberattacks against Ukraine

While Russia hasn’t attempted to launch a catastrophic cyberattack on Ukraine, several tactical disruptive cyberattacks have taken place over the last few days.

“Several hours before the launch of missiles or movement of tanks on 24 February, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” said Microsoft President and Vice-Chair Brad Smith. 

These recent and ongoing cyberattacks have been precisely targeted, not the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack. We are seeing never-before-used strains of wiper malware, as recently discovered by ESET telemetry who uncovered a third new data wiper malware, dubbed IssacWiper, that was used against hundreds of machines located in Ukraine.

Researchers from Wordfence said the company has witnessed a “massive attack” on Ukrainian education institutions by threat actors identified as the Monday Group, which it says has publicly supported Russia’s recent actions.

Out of the shadows: Blanket call to cyber arms

While this capability exists and will continue at pace, a more pressing concern is the blanket call to cyber arms. Out of the shadows, threat actors on both sides have issued ultimatums and statements of allegiance to their cause and a call to arms. Not least of which is the public intervention of the Anonymous hacking collective. 

Anonymous allegedly hacked into Russian TV transmissions and displayed pro-Ukrainian messages and played the Ukrainian national anthem, then diverted the broadcast to events taking place in Ukraine. More seriously, the group have also claimed responsibility for hacking and taking control of gas control systems in North Ossetia.

Russia's threat in response: It's a reason to go to war

Anonymous-linked Network Battalion 65 (NB65) claimed it hacked and shut down some Russian Roscosmos satellite servers. In response, Russia declared it will consider any cyberattacks targeting Russian satellite infrastructure an act of war, as the country's space agency director said in a TV interview: "... disabling the satellite group of any country is generally a casus belli, that is, a reason to go to war. And we will be looking for those who organised it," Rogozin said on Rossiya 24 (VGTRK).

This unpredictable and uncoordinated attack strategy from within the cybercrime shadows could cause a significant aggressive cyber retaliation from Russian cybercrime sympathisers. This is of far greater concern than the limited but persistent capability of the Russian cyber military forces.

Yes, it’s important to avoid getting caught in the crossfire, but not to live in fear. There is an illusion of parity with the Russian cyber capability and a danger we overestimate and run the fear gauntlet on their behalf.

Increasing organisational cyber resilience

That said, it’s crucial to establish robust organisational cyber resilience, including the supply chain, to establish a stance against any cyber kinetic activity provocation.

"Further disruptive cyberattacks against organisations in Ukraine are likely to occur and may unintentionally spill over to organisations in other countries," US authorities stated. "Organisations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event."

Avoid attack tools widely shared on social media, forums

Security firm Avast has identified initiatives throughout the public domain on various social media platforms that encourage individuals to engage in hacking and offer fee tools for download, eg, DDoS tools. Their analysis of one of these tools shows that it isn’t secure, as it collects personal data that can make users identifiable, such as your IP address, country code, city, location derived from IP address, username, hardware configuration and system language.

Since the configuration is downloaded from a remote server, the tool can also support a DDoS attack on any target the server operator or tool author picks without you knowing. 

Cyber insurance clauses

Engaging in this activity through the private sector could put your organisation and its supply chain in harm’s way, without a cyber insurance backstop.

Credit ratings giant Fitch said on Tuesday that cyberattacks linked to Russia’s invasion of Ukraine might be a test for language commonly used in cyber insurance policies that excludes damages caused by acts of war.

“The proliferation of potential cyberattacks from well-organised, state-sponsored hackers is elevated given the current conflict,” Fitch said.

NATO warns: Leave it to governments

No NATO government wants to see an offensive or disruptive cyber activity initiated from with the commercial sector. Well-intentioned individuals would simply cause chaos. This activity firmly belongs in the hands of governments, which can manage the diplomatic and international geopolitical implications of such activity.

Conflict triggers improved cyber intelligence sharing

One recent hashtag, #DefendAsOne, has been used to describe the collective ambitions set out in the new UK cyber strategy. To accelerate and defend together we should take this moment to remove any separate agendas and form collective expertise for resilient collaboration.

The declassification of intelligence has genuinely enhanced public and private information sharing. Typically, it takes a little longer, due to the mechanics of observing the sensitivities of a government authority issuing a statement for public viewing. Sharing early-warning "clean" intelligence activity discovered by the private sector and the ability to track the pace of the threat could be a watershed moment.

For example, OSINTtechnical and other sources are being used extensively in support of Western media outlets to help verify and amplify a news feed, photo, or video content. Meanwhile, Google and others counter the misinformation feeds by closing various channels within its enterprise, as reported in their Threat blog.

“We terminated 4 YouTube channels, 2 AdSense accounts, and 1 Blogger blog and blocked 6 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into reported coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign was sharing content in English that was about a variety of topics including US and European current events. We believe this operation was financially motivated”.

If you’re not using a cyber intelligence feed, a useful free OSINT feed can be found via CyberKnow – their live feed is focused on the multi-dimensional cyber activity because of this conflict. This is a view of the open-source data collected and published demonstrating the various actors now engaged in non-government sanctioned cyber offensive activities on both sides of this conflict.

Source: CyberKnow 03-03-22

US authorities warn of wiper malware

The US CISA, along with the FBI, released new guidance on the recently discovered WhisperGate and HermeticWiper malware strains. The new advisory was issued following the widespread impact against Ukrainian organisations. It also warned the malware could affect businesses in the US. The CISA urged US organisations to take proactive measures to protect their critical assets from attacks.

WhisperGate is a form of wiper malware that masquerades as ransomware. Instead of encrypting files, it targets the Master Boot Record (MBR). The malware, first discovered by the Microsoft Threat Intelligence Center (MSTIC), was used in multiple cyberattacks against Ukrainian targets in January. The targets include organisations in the government, non-profit and technology sectors. 

In response, this week, legislators through the US Senate approved a package of cybersecurity bills, including legislation that would require mandatory incident reporting for critical infrastructure organisations.

“So glad to see the Senate pass the Strengthening American Cybersecurity Act – with the mounting threat of Putin launching more cyberattacks against Ukraine or even the US, there has never been a more critical time to act to strengthen our cyber defenses,” Senate Intelligence Committee Chair Mark Warner (D-Va.) tweeted.

The cyber incident reporting bill will mandate that critical infrastructure operations alert the US authorities within 72 hours of a breach and 24 hours if the organisation made a ransomware payment.

This comes at a time when entities in the healthcare and public health sectors are urged to be vigilant in monitoring for and proactively working to prevent falling victim to wiper malware and attacks from threat groups with ties to Russia, in light of the unprovoked attack on Ukraine, according to an alert from The US Department of Health and Human Services Cybersecurity Coordination Center.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.