War in Ukraine Archives | CyberScoop
https://cyberscoop.com/special/war-in-ukraine/
Tue, 18 Apr 2023 20:35:37 +0000

A year after Russia’s invasion, the scope of cyberwar in Ukraine comes into focus
https://cyberscoop.com/ukraine-russia-cyberwar-anniversary/
Fri, 24 Feb 2023 16:28:47 +0000

The Ukraine war has inspired a defensive cyber effort that government officials and technology executives describe as unprecedented.

The post A year after Russia’s invasion, the scope of cyberwar in Ukraine comes into focus appeared first on CyberScoop.

Twenty-four hours before the Russian invasion of Ukraine on Feb. 24, 2022, a group of cybersecurity researchers from the firm SentinelLabs sat together on the floor of a Miami hotel where they had gathered for a company meeting. With laptops open, they pored over a new malware sample — one that offered a preview, as it turned out, of a Russian cyber offensive to come.

SentinelLabs has built a reputation as leading analysts of Russian cyber operations. So when researchers at ESET, a Slovakian cybersecurity company with extensive experience in Ukraine, discovered Russian malware that had been compiled on Dec. 28, 2021, the SentinelLabs team was compelled to stop everything and dig in. The fact that ESET found evidence that the malware dated to late December suggested Russian hackers had been preparing the attack for months.

Dubbed “HermeticWiper,” the malware was part of a flurry of digital attacks launched by Russian-aligned hackers in the weeks leading up to the invasion. Sitting in the Miami hotel, fueled by huge quantities of Chinese take-out as they pushed out a report on the wiper, SentinelOne’s researchers were seeing the early signs of the digital conflict to come. “It felt like — in a stupid, nerdy way — we were on the frontlines, seeing this happen on the cyber side,” said Tom Hegel, a senior threat researcher at the company.

A year after Russia’s invasion, it is possible to begin accounting for the role digital weapons have played in the conflict. Sophisticated Russian cyberattacks — such as those targeting the electricity grid — have either failed to materialize, been thwarted or gone unobserved. Cyberwarfare in Ukraine has instead been marked by widespread deployment of wipers — designed to delete and destroy data — and extensive information operations.

Amid the destruction visited on Ukraine, cyberweapons have been one tool among many to wreak havoc, and in destroying Ukrainian targets, Russian forces typically opted for more traditional weapons, like bombs and missiles. “We shouldn’t underestimate the importance of the cyber component and threats that come from Russia, but, in general, they choose to use more disruptive weapons, while keeping the cyber operations for psyops or cyber espionage,” said Victor Zhora, the deputy head of Ukraine’s State Service of Special Communications and Information Protection.

At the same time, the war has inspired a defensive effort that government officials and technology executives describe as unprecedented — challenging the adage in cybersecurity that if you give a well-resourced attacker enough time, they will pretty much always succeed. The relative success of the defensive effort in Ukraine is beginning to change the calculation about what a robust cyberdefense might look like going forward.

“For all the defeatism about cyberdefense over the years in the West this really shows you what a sustained period of preparatory planning and mobilization of capabilities in an emergency can actually achieve,” Ciaran Martin, the former CEO of the UK’s National Cyber Security Centre and now a managing director at Paladin Capital Group, told CyberScoop. 

The defensive cyber strategy in Ukraine has been an international effort, bringing together some of the biggest technology companies in the world, such as Google and Microsoft, western allies such as the U.S. and Britain, and social media giants such as Meta, all of which have worked together against Russia’s digital aggression.

Tom Burt, Microsoft’s corporate vice president for customer security and trust, told CyberScoop that the war in Ukraine is “the first large scale hybrid conflict that the world has seen” where there’s “been a significant component” of cyber and digital tools. That has him worried: “What we’ve seen in warfare over centuries is that when a new category of weapon is deployed, in conflict, what we tend to see is the evolution of that form of weaponry and its use again and again, in more destructive and more impactful ways in future conflicts.”

Modern warfare as info ops and wipers

In the run-up to the invasion, Ukrainian computer systems came under a sustained barrage. For the most part, these attacks were fairly inconsequential: distributed denial-of-service attacks that knocked banking services and some government websites offline, for example. Others were potentially more destructive, such as a wiper disguised as ransomware that was discovered in January on Ukrainian government systems.

When Russian troops crossed Ukraine’s borders on Feb. 24 and launched an ill-fated lightning operation to decapitate the Ukrainian government and seize control of the country, Russia appeared to step up its operations in cyberspace, striking the satellite internet provider Viasat, an attack that may have degraded Ukrainian communications in the early hours of the invasion.

Russian attacks during this early period ran the gamut from information operations to destructive attacks. In what may have been a bid to degrade the Ukrainian government’s capacity to orchestrate its response to the invasion, Russian actors targeted Ukrainian government systems with wiper malware. In March, a crude deepfake appeared online showing Ukrainian President Volodymyr Zelensky ordering his country’s troops to surrender — an incident that was accompanied by additional wiper attacks and a breach of a Ukrainian media organization where the attackers posted a fake story that Ukrainian troops would soon lay down their arms. 

The malware used in these attacks could have been more aggressive, reflecting what may have been an effort to limit the scope to Ukrainian targets in ways Russian hackers had not during peacetime, said Adam Flatley, the vice president for intelligence at cybersecurity firm Redacted and a former director of operations at the National Security Agency. “If you look at all of the cyber attacks that happened in Ukraine, even Viasat, and all the other ones, they were very, very targeted,” Flatley said. “They were very focused.” 

After a decade of digital attacks on Ukrainian infrastructure that have seen Russian hackers knock out portions of the Ukrainian power grid at least twice, there was an expectation ahead of the war that Russia’s invasion of Ukraine would be accompanied by a cyber shock-and-awe campaign. When these attacks did not materialize, it spawned debate over Russia’s supposedly missing cyber-arsenal and why it hadn’t been deployed in Ukraine.

That debate obscured how Russia’s digital resources were actually deployed — primarily in the form of wipers and information operations. Over the course of 2022, Google alone disrupted 1,950 instances of Russian information operations on its platforms — operations ranging from hacktivist activity and DDoS attacks to hack-and-leak actions. And over the course of the war, cybersecurity researchers have observed roughly a dozen or more distinct wipers, some posing as ransomware, deployed against Ukrainian targets. Google saw more destructive malware attacks in Ukraine during the first four months of 2022 than in the previous eight years combined, and phishing attacks against targets in Ukraine and NATO sharply increased.

“There’s a lot of people thinking and theorizing about what cyberattacks look like in a time of war,” said Shane Huntley, senior director of Google’s Threat Analysis Group. Russia’s Ukraine invasion is the best example to date of how a major cyber power uses digital tools in a kinetic war. “There will be lessons that we should learn here for future conflicts that can really shape the debate.”

Ukrainian officials say they have observed a massive uptick in the number of cyberattacks targeting Ukrainian systems but have been distinctly unimpressed by the Russian onslaught. In August, Zhora dismissed Russian cyberattacks as marked by an “absence of strategy.”

But this understanding of Russian cyberoperations comes with a major caveat: There is much about Russian action in cyberspace that remains out of public view. A report published by a pair of Dutch intelligence agencies this week cautioned that “the pace of Russian cyber operations is fast” and has broadly targeted Ukrainian national-security agencies that are not prone to transparency. As a result, the report cautions, “many of these attempts have not yet become public knowledge.”

“There are Russian actors that we’re starting to learn about just today that have been active for years,” said Hegel, the SentinelLabs researcher. “We’re kind of in a position where we’re looking at just the tip of the iceberg.”

Indeed, key aspects of Russian cyber activity are designed to remain clandestine, and cyber operations represent “a core source of intelligence collection” for Russia, according to a senior U.S. administration official who spoke on condition of anonymity to describe Russian cyber operations. Kremlin-backed hackers have, for example, targeted communications between soldiers and their commanders and have probed energy systems to see which are online and connected to the grid, the official said.

These intelligence-focused cyber operations may constitute an important aspect of the Russian war effort, injecting a measure of uncertainty into any analysis of Russian cyberoperations based on publicly available data. But with that caveat in mind, Russia’s digital attacks against Ukraine have been perhaps most notable for what they have failed to achieve: a major impact on the conflict’s outcome. And this mirrors Russia’s broader struggles in carrying out combined arms operations during the war’s early period. 

While Russian operations have improved in recent months, Russian forces across the Ukrainian battlefield have struggled to carry out operations combining the traditional components of combined military power: armored, infantry and airborne attacks supported by a well-functioning logistical network. It should be no surprise that Russian forces appear to have struggled to plug cyber operations into that malfunctioning system.

“Combined arms operations are hard,” the analyst Joe Slowik observed in his examination of the past year’s cyberoperations in Ukraine. “We should not be surprised at an overall incohesive nature behind Russia’s attempts to fuse cyber and information operations with more traditional military action.”

While there have been limited and poorly understood examples of Russia using cyberattacks in conjunction with kinetic attacks — or what would amount to the use of cyberoperations in a combined arms context — the utility of using cyberweapons together with kinetic weapons appears fairly circumscribed. In the context of a shooting war, it is much easier to fire a missile at a target that in peacetime might have been attacked with a digital weapon — which is perhaps why Ukraine’s energy infrastructure, once the target of Russian cyberattacks, has instead come under sustained missile attack in recent months.

Incidents like NotPetya — a highly destructive ransomware variant built by Russia’s military intelligence unit that caused more than $10 billion in damage — and Russia’s repeated cyberattacks on the grid convinced many policymakers that the Kremlin’s forces would rely extensively on digital attacks when trying to conquer Ukraine. “The calculus changes when a kinetic response is more likely,” Flatley said.

The attacks that have been the most consistent and visible have, conversely, been the most trivial. Pro-Russian “hacktivist” groups, with varying degrees of established connection to the Russian government, are almost continually bombarding Ukrainian targets — and others around the world — with relatively unsophisticated DDoS attacks. Groups such as XakNet and KillNet generate headlines around the world, even if their attacks are more for show than anything of substance.

For students of cyberwarfare, the Ukraine conflict will dominate textbooks to come. Over the past decade, Russia has demonstrated that it has an ability to deploy cyberattacks as an integrated component of its statecraft, but in Ukraine, “it hasn’t figured out how to translate it into a sustained long term campaign,” said Martin of Paladin Capital. 

In Martin’s view, the conflict has provided an important corrective to our understanding of cyberattacks as a tool of warfare: “It’s not a catastrophic red button missile that blows things up.” In Ukraine, cyberattacks have mostly functioned as a “tool of intimidation.” And while Russia initially saw some success in using cyberattacks as part of an integrated military plan — by attacking Viasat and disabling some communication links — it has since become an important but, ultimately, secondary feature of the war. “We’ll be studying it for years,” he said. 

Defense wins championships 

Six weeks after the invasion, in April, Ukrainian officials announced a major victory against Russian hackers: Ukraine had repelled a cyberattack that would have crippled an electrical grid serving roughly 2 million people. The hackers behind the attack — best known as Sandworm — are among Russia’s best and have disrupted electricity in Ukraine at least twice before. 

The fact that they were stopped is a testament to Ukraine’s massive investment in cyberdefense and a broad international campaign to help secure Ukrainian systems. 

The Sandworm attack relied on an updated version of the Industroyer malware that had been successful in 2016 in cutting power. Dubbed “Industroyer2” by the ESET researchers who discovered it, it was accompanied by several destructive malware families to hinder analysis and render systems inoperable.

“We consider the Industroyer2 incident the most significant attempted cyberattack during the war thus far,” Robert Lipovsky, a senior malware researcher at ESET, told CyberScoop. “If it had been successful, it could’ve left millions of people without electricity.” The attack “was a failure,” Lipovsky said, “thanks to swift detection and good coordination among the parties involved in the defense.”

Cybersecurity industry and government officials involved in the digital defense of Ukraine unanimously describe this collaborative approach as unprecedented. Ahead of the invasion, teams from U.S. Cyber Command deployed to Ukraine, where they searched for Russian hackers in Ukrainian networks, with a focus on military and transportation systems, and provided Ukrainian officials with what a senior U.S. administration official described as a to-do list detailing actions to remove Russian actors from their systems.

U.S. officials say they engaged in extensive intelligence sharing with Kyiv and allies, detailing Russian techniques in cyberspace so that they might be detected. And as Russian attacks were detected, the United States and its allies worked to publicly attribute attacks to Moscow. 

With Cyber Command deployed to Ukraine and Eastern Europe, David Luber, deputy director of the National Security Agency’s Cybersecurity Directorate, said that the NSA worked with them to understand threat information and “to share it broadly with both government and industry — not only to protect Ukraine but also to protect NATO, other allies, and U.S. critical infrastructure.”

Government and cybersecurity executives describe the response to the Ukraine invasion as spurring major improvements in collaboration and information sharing. “I was surprised how much information was shared with multiple vendors to render some of the Russian cyber arsenal useless,” said John Fokker, head of threat intelligence at Trellix.

The cybersecurity industry has thrown a huge amount of resources toward bolstering Ukraine’s digital defense. Just as the United States, European nations and many other countries have delivered billions of dollars in aid and military equipment, cybersecurity firms have donated services, equipment and analysts. Google has said it’s donated 50,000 Google Workspace licenses. Microsoft’s free technology support will have amounted to $400 million by the end of 2023, the company said in February. In the run-up to the invasion there was a broad effort by industry to supply Ukraine with equipment like network sensors and gateways, and antivirus and endpoint detection and response tools.

Ukrainian defensive investments are the consequence of the long-running conflict with Russia. It can be easy to forget that the war between Russia and Ukraine did not begin in 2022 but in 2014, when Russian forces seized Crimea. That marked the start of an intense conflict between Moscow and Kyiv, much of which has played out in cyberspace. Russia’s cyberattacks on the Ukrainian grid — using the BlackEnergy malware in 2015 and the Industroyer malware in 2016 — played a key role in alerting Ukrainian officials to the threat. 

“Ukraine learned a very valuable lesson after BlackEnergy,” Fokker said. They’ve been under constant bombardment since then, Fokker said, and have built up a capable computer emergency response team — which has kept working throughout the war and is widely credited with doing incredible work under immensely difficult circumstances.

And officials in Washington are quick to emphasize that the credit for these victories belongs to Kyiv. As Eric Goldstein, the executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, put it last month: “The Ukrainian government, the Ukrainian people, Ukrainian critical infrastructure have been making investments for years to shore up the resilience of their infrastructure.”

Christian Vasquez contributed reporting for this story.

GitHub disables pro-Russian hacktivist DDoS pages
https://cyberscoop.com/russia-hacktivist-noname-github-ddos/
Thu, 12 Jan 2023 16:00:00 +0000

NoName057 used the software development platform to carry out DDoS attacks on targets in a variety of NATO nations.

GitHub on Tuesday disabled accounts on the platform belonging to a pro-Russian hacktivist group linked to attacks on entities in NATO countries, including efforts to disrupt the websites of Denmark’s central bank and other financial institutions in the country, GitHub confirmed to CyberScoop.

The group, NoName057(16), used the software development platform to host its distributed denial of service (DDoS) tool website and code used in its attacks, researchers with SentinelOne said Thursday. The researchers reported the activity to GitHub, prompting the company to disable the group’s accounts earlier this week.

“We disabled the accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attacks or uses GitHub as a means to deliver malicious executables,” a company spokesperson told CyberScoop.

NoName057(16) is more obscure than other pro-Russian hacktivist groups such as KillNet and XakNet, which the U.S. government has described as threats to U.S. critical infrastructure, but it distributes cryptocurrency to its top DDoS contributors. And while its DDoS attacks have been generally short-lived, the financial incentives offered by the group encourage “people to contribute more technical resources for a more powerful attack,” SentinelOne’s researchers note.

The group has shown a willingness to target a wide range of organizations across NATO, said Tom Hegel, a senior threat researcher with SentinelOne’s SentinelLabs. By offering a financial incentive, “individuals contributing to the attacks may have financial gain in mind, rather than politics—meaning there is a larger pool of potential contributors,” Hegel said.

While it is important to not overstate the impact of a fairly technically unsophisticated group like NoName057(16), the collective illustrates how Russia’s invasion of Ukraine has inspired hackers to act as its proxies.

“What this group represents is an increased interest in volunteer-fueled attacks, while now adding payments to its most impactful contributors,” Hegel and fellow researcher Aleksandar Milenkoski write in an analysis published Thursday. “We expect such groups to continue to thrive in today’s highly contentious political climate.”

NoName057(16) initially targeted Ukrainian news sites starting in March of this year but shifted to attacking various entities in NATO countries, in a bid to silence “what the group deems to be anti-Russian,” according to Hegel and Milenkoski.

The group tends to shift targets depending on current events, the researchers note. In December, for instance, the group disrupted websites in Poland shortly after lawmakers there recognized Russia as a state sponsor of terrorism. In January, the group targeted the cargo and shipping sectors in Lithuania, before turning to targets in Denmark.

The group relies on Telegram to communicate with its followers, where, on Wednesday, the group informed the more than 18,000 subscribers to its Russian-language channel (and the 300-some subscribers to its parallel English-language channel) that it had targeted the website belonging to a candidate in the upcoming Czech presidential election.

Attacking in retaliation for the Czech Republic’s role in training Ukrainian soldiers, NoName057(16) claimed to have taken down a website belonging to presidential candidate Tomas Zima.

[Image] Message about a Czech presidential candidate posted Jan. 11 in NoName057(16)’s English-language Telegram channel (CyberScoop)

Commands sent from NoName057(16)’s command and control server make it clear the group has attacked websites belonging to other candidates in the Czech presidential election, Hegel said, rendering some of them intermittently unavailable over the course of Wednesday.

Notorious Russian hacking group appears to resurface with fresh cyberattacks on Ukraine
https://cyberscoop.com/ukraine-turla-russia-cyberattacks/
Fri, 06 Jan 2023 20:15:37 +0000

In its first known activity in Ukraine after Russia's invasion, the group registered dormant domains in order to obscure its attacks.

Since Russia’s invasion of Ukraine in February, Moscow’s digital spies and hackers loyal to the Kremlin have attacked Ukrainian systems relentlessly in a bid to support the operation. But one group — known as Turla and widely regarded as one of Russia’s most capable — has been conspicuously absent from the conflict, until now. 

On Thursday, researchers at Mandiant disclosed they discovered Turla targeting Ukrainian systems using run-of-the-mill commodity malware and by piggybacking on infrastructure used in earlier criminal operations. 

Turla’s attack on Ukrainian systems began before the invasion, in December 2021, when an infected USB stick was inserted into a Ukrainian system and kicked off the campaign, the researchers found.

The stick contained a 2013 version of the Andromeda malware — a commercially available malware family — which began sending beacons to Turla’s command-and-control infrastructure, according to Mandiant. Turla appears to have repurposed that infrastructure from an earlier criminal campaign: the group re-registered expired domains previously used in a likely criminal hacking campaign and put them to work for its own operation.

Turla has in the past relied on malware spread via USB sticks, but in Ukraine, the group is taking a novel approach in obscuring its role. “The new spin is the actors aren’t releasing their own USB malware into the wild,” said John Hultquist, Mandiant’s head of threat intelligence. “Now they are taking advantage of another actor’s work by taking over their command and control. By doing so, Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.”

First identified in the mid-1990s, Turla has a long history of making life miserable for the defenders of Western computer systems.

In 1996, the group is believed to have carried out a daring raid of computing systems belonging to NASA and the Pentagon that marked the first known state-on-state computer espionage campaign. In 2007, experts accused the group of breaking into some of the U.S. military’s most sensitive computer systems using an infected USB stick — an attack that reshaped the Pentagon’s approach to cybersecurity and spurred the creation of U.S. Cyber Command. More recently, the group was accused of targeting defense and cybersecurity groups in the Baltics.

Linked to Russia’s domestic intelligence and security service FSB, Turla is one of Russia’s most storied hacking units with a penchant for secrecy and masking their attacks. “We get glances of them and then they disappear on us,” Hultquist said in an interview with CyberScoop.

Hultquist described the group’s use of dormant command-and-control infrastructure as “a great example of their ability to innovate and take advantage of others and get to their targets.”

Since invading, Russia doesn’t appear to have carried out the type of large-scale cyberattacks in Ukraine that many observers had expected, but Ukrainian officials have described a high volume of attacks aimed at supporting the Russian war effort.

Thursday’s report from Mandiant serves as a reminder that there may be significant Russian activity in cyberspace occurring under the radar. The operation described by Mandiant began in December 2021 and was not discovered until September of this year. 

Mandiant did not disclose which entities in Ukraine Turla targeted, but said it carried out “extensive profiling” of victims beginning in January, allowing “the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities.”

In other respects, the researchers painted a picture of Turla’s operation that resembles the shambolic nature of the broader Russian war effort.

The group relied on a reconnaissance utility known as “Kopiluwak” and a backdoor known as “Quietcanary” and downloaded these tools multiple times in succession, “which may suggest the group was operating with haste or less concern for operational security, experiencing some aspect of operational deficiency, or using automated tools,” Mandiant noted. 

And in repurposing dormant criminal infrastructure for command-and-control, Turla also gave new life to the juvenile jokes of the criminal underground: Mandiant’s researchers found that one of the re-registered domains included a lewd reference advising the “lame AV industry” to perform a sex act on the attacker. 

Russian hackers attempted to breach petroleum refining company in NATO country, researchers say
https://cyberscoop.com/russia-hacking-ukraine-nato-energy/
Tue, 20 Dec 2022 16:00:00 +0000

The Russian hacking group Trident Ursa is mostly known for phishing campaigns targeting organizations in NATO states.

A Russian-linked hacking group attempted to infiltrate a petroleum refining company in a NATO member state in late August, according to a report by Palo Alto’s Unit 42.

The attempted intrusion, which appears to have been unsuccessful, occurred on Aug. 30 and was carried out through spear phishing emails using English-named files containing words like “military assistance,” according to the report, which provides an update on the activities, since the start of the Russian invasion of Ukraine, of a hacking group Palo Alto tracks as “Trident Ursa.”

The report on Trident Ursa’s latest movements comes on the heels of a warning from National Security Agency Cyber Director Rob Joyce that Russian state-backed hackers may target the energy sector in NATO countries in coming months.

These attacks, Joyce said, may have “spillover” impacts for Ukraine’s neighbors — like Poland, where Microsoft recently warned that Russian-backed hackers have stepped up attacks on the country’s logistics industry, a key enabler of the Ukrainian war effort.

Linked to Russia’s Federal Security Service and active since at least 2014, Trident Ursa is also known as “Gamaredon” or “Armageddon” and is primarily known for its intelligence gathering operations through phishing. The group has been heavily active since the start of the Ukraine war and has previously tried to phish Ukrainian entities.

The report from Unit 42 assesses that the likely goal of infiltrating a petroleum refining company was to increase “intelligence collection and network access against Ukrainian and NATO allies.”

Unit 42 researchers told CyberScoop in an email that even though they believe Trident Ursa is made up of fewer than 10 individuals, the hacking group remains one of the most “pervasive, intrusive, continuously active and focused APTs targeting Ukraine.”

“This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains, and new techniques and try again — often even reusing previous samples,” the report notes.

Trident Ursa isn’t technically sophisticated, researchers say, and instead relies on lures and publicly available tools. The group uses geo-blocking to limit its attacks, only letting users in targeted countries download malicious files, which reduces the visibility of its attacks and makes its campaigns more difficult to identify.

The Russian hacking group also has a distinctive habit of picking domain names that reference pop culture. Some of the domains include U.S. basketball teams, well-known rock bands such as Metallica and Papa Roach, and names of characters from the popular TV show “The Big Bang Theory,” Unit 42’s researchers told CyberScoop.

The group also has a habit of trolling its opponents and attacking them online. Shortly after the Russian invasion of Ukraine, a member of Trident Ursa known as “Anton” threatened Ukrainian researchers on Twitter, saying “I’m coming for you.” Subdomains used by the group appear to have been named after a Ukrainian cybersecurity researcher.

“To their credit, the targeted researchers were undaunted, and tweeted additional Trident Ursa IoCs over the weeks following these threats,” the report notes.

NSA cyber director warns of Russian digital assaults on global energy sector
https://cyberscoop.com/nsa-energy-sector-cyberattacks/
Fri, 16 Dec 2022 00:13:17 +0000

The agency's cyber director, Rob Joyce, also said he's worried that TikTok has the ability to conduct 'large scale influence.'

National Security Agency Cyber Director Rob Joyce said Thursday he remains concerned about significant cyberattacks from Russia, warning that Moscow could unleash digital assaults on the global energy sector in the coming months.

“I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally,” Joyce said. “As the [Ukraine] war progresses there’s certainly the opportunities for increasing pressure on Russia at the tactical level, which is going to cause them to reevaluate, try different strategies to extricate themselves.”

The remarks came as Joyce briefed reporters about the agency’s annual year in review report, which focuses in part on Russian cyberattacks in Ukraine. Joyce said NSA has seen “spillover” from hacks in Ukraine to neighboring countries, particularly Poland, due to its status as a supply channel to Ukraine.

The report portrays cyberspace as a critical domain in the Ukraine war and notes that in the weeks leading up to and following Russia’s invasion at least seven new families of destructive data wipers were used.

Joyce said there was an “enormous amount of activity” in cybersecurity this year and it often felt as if the U.S. was “one bad compromise away from Colonial Pipeline.” He added that there were “some really heinous intrusions across 2022 as well.”

Russian threats extended beyond Ukraine, the report said, with hacktivists targeting the defense industrial base and even NATO, whose communications and weapons systems “were in the crosshairs of our adversaries.”

The report also focused on the NSA’s Cyber Collaboration Center, which works with defense industrial base companies to detect cyberthreats. According to the report, CCC hosted 10,000 “robust bidirectional exchanges” between industry and NSA officials swapping cyber intelligence.

CCC and the United Kingdom’s National Cyber Security Center worked together this year on a “critical cryptographic vulnerability” in Microsoft Windows, the report said. The vulnerability could allow attackers to manipulate public certificates to spoof their identity, the NSA said.

“The CCC has worked on almost every major cyber incident and vulnerability that made the news this last year,” CCC Chief Morgan Adamski told reporters.

Over the past year, the CCC nearly tripled its partnerships, Joyce said, and now works with more than 300 collaborators in the defense industrial base and threat analysis communities. Joyce said the CCC’s 300-plus partners collectively defended an estimated 2 billion endpoints globally in 2022.

The intense cyber activity around the Ukraine war has spurred more companies to invest in cyber, Joyce said.

“I truly believe a lot of the focus and rigor driven by the conflict in Ukraine improved our networks substantially,” Joyce said. “I witnessed boards and corporations willing to invest in cybersecurity resources at a level we’ve never seen before.”

Joyce also was asked about the cyberthreat posed by Chinese ownership of TikTok, which is now the target of Congressional legislation announced Tuesday.

“People are always looking for the smoking gun in these technologies and I would say I characterize it much more as a loaded gun,” Joyce said.

He said he is not expecting “individualized targeting” through TikTok since millions of people use it.

“Where I’m concerned is the overall ability to do large scale influence … either promoting the information they [China] want those millions and millions of people to see or suppressing lines of efforts that they don’t want carried forward,” Joyce said.

Corrected Dec. 15, 2022: The original version of this story mistakenly quoted Joyce referring to GPS attacks. He was actually referencing a ransomware attack on the Brazilian meatpacking company JBS.

White House cyber official advocates nimbler NATO to confront digital threats https://cyberscoop.com/white-house-cyber-official-nato-cyber-defense/ Thu, 10 Nov 2022 23:03:26 +0000 https://cyberscoop.com/white-house-cyber-official-nato-cyber-defense/ White House official Anne Neuberger met with NATO officials in Rome to help craft plans to more rapidly respond to cyberthreats.

A top White House cyber official spoke at a NATO meeting in Rome Thursday, convening with allies to hone plans for rapidly responding to nation-state hacks and other digital threats.

Thursday’s meeting follows a June commitment from officials representing 30 NATO countries to significantly boost NATO’s cyber defenses as an alliance and at the national level.

“Just as NATO is prepared to respond to kinetic [battlefield] crises our allies face, we must also be prepared to respond to cyber crises,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies at the White House. “We must be more nimble as an alliance … in providing direct, technical and necessary support if a country faces a significant disruptive attack.”

Nate Fick, the State Department’s first ambassador at large for cyberspace and digital diplomacy, was also at the meeting.

During her remarks, Neuberger said NATO’s July intervention on behalf of the Albanian government after Iranian-linked hackers launched a series of cyberattacks on multiple government websites was admirable. Still, she said NATO’s technical response to the cyberattacks was inadequate.

Neuberger won praise from allies for a February trip to Brussels and Warsaw during which time she met with officials from NATO, Poland and the Baltics about cyber deterrence in response to Russian aggression against Ukraine. Russia invaded Ukraine a few weeks after the Feb. 1 visit.

Russian cyberattacks on Ukraine and the skill with which Ukraine has fended them off are a reminder for why NATO will benefit by investing in cyber resilience, Neuberger said Thursday. “Ukraine has in many cases been able to successfully defend against sophisticated cyberattacks due to the work that was done before the Russian invasion.”

Notorious Russian military hacking crew behind October ransomware attacks on Ukraine, Poland https://cyberscoop.com/russian-military-hacking-crew/ Thu, 10 Nov 2022 22:00:00 +0000 https://cyberscoop.com/russian-military-hacking-crew/ Researchers at Microsoft said a ransomware attack on transportation and logistics companies was the work of Russian military intelligence

Researchers at Microsoft said Thursday that an attack on transportation and logistics companies in Ukraine and Poland last month was the work of a notorious Russian military intelligence unit.

The Oct. 11 attack — dubbed “Prestige” — attempted to cripple access to computers across the organizations it targeted. When successful, the attack effectively made it impossible for companies to access their computer systems.

By targeting logistics and transportation companies, the Russian military intelligence hackers responsible for the attack may have been attempting to stymie the flow of goods and materiel into Ukraine, where Russian forces have in recent months suffered a series of military setbacks.

The flow of goods into Ukraine from partner countries has been a key way for Ukraine to get the supplies it needs, and attacking computer infrastructure in Poland — a NATO ally — represents one of the few ways Russia can retaliate against Ukraine’s logistics partners.

The group behind the attacks — tracked by Microsoft’s Threat Intelligence Center (MSTIC) as “Iridium” but known widely as “Sandworm” — is the same group that attempted to take out multiple electricity substations and other parts of a grid serving 2 million people on April 8 in Ukraine.

Microsoft, which worked in collaboration with Ukraine’s Computer Emergency Response Team in investigating the attack, revealed the Prestige ransomware attacks on Oct. 14. It noted at the time that the attacks had similar victims to “recent Russian state-aligned activity, specifically on affected geographies and countries,” and that the victims overlapped with previous victims of the wiper malware dubbed Hermetic Wiper, one of several destructive malware attacks launched on Ukrainian targets in the days immediately following the Russian invasion.

“The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” the researchers said Thursday in an update to their blog post from Oct. 14. “More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.”

Jean-Ian Boutin, the director of threat research for Slovakian cybersecurity company ESET, said the attribution to the Russian unit was expected.

“Sandworm has been conducting destructive attacks for years now so the idea of them being behind Prestige ransomware is not surprising,” Boutin said. “In 2018, we reported some of their actions leveraging malware such as GreyEnergy against Polish organizations so this is also in line with their past actions.”

NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry https://cyberscoop.com/rob-joyce-nsa-cyber-intel-sharing/ Wed, 19 Oct 2022 21:00:28 +0000 https://cyberscoop.com/?p=69773 Rob Joyce, head of the NSA Cybersecurity Directorate, said "what we know is often not sensitive, it is how we know it."

Rapidly and proactively sharing intelligence on cyberthreats with industry and critical infrastructure providers “can really make a big and decisive difference,” Rob Joyce, director of the NSA Cybersecurity Directorate, said Wednesday.

It’s one of the key lessons his agency “took away personally” from the ongoing war in Ukraine, Joyce said at the Trellix Cybersecurity Summit in Washington.

“Over time, I’ve changed my view about what it is to protect sources and methods,” Joyce said, noting that in his 30-plus years at NSA “it’s in our DNA” to protect sources and methods to ensure the ability to “know secrets into the future.”

But “what we know is often not sensitive, it is how we know it,” Joyce said. “We can make available the insights about what we know without putting at risk how we know it. That’s really an inflection point that lets us get to more prolific, more extensive and more closely sharing for operational outcomes.”

Joyce added that “it doesn’t do anybody any good if we know a thing and don’t do something. Doing is really the focus in the cybersecurity area. And if you’ve got secrets and understanding and you don’t operationalize those, they don’t count.”

Joyce pointed to what he called the “maturation” of the NSA’s Cybersecurity Collaboration Center as the venue for “working with industry to operationalize those ideas.” Information is shared with technology providers, major infrastructure providers and others, “who can then take action at scale.”

A recent example of such information sharing came earlier this month when the NSA, the FBI and the Cybersecurity and Infrastructure Security Agency released a joint advisory warning of state-aligned hackers using Impacket, an open-source toolkit to aid in network compromise, and a custom data exfiltration tool known as CovalentStealer against an unnamed defense industrial base entity.

More broadly, the U.S. government has been more aggressive about sharing intelligence about Russian plans, both in the days before the Feb. 24 invasion and since, as part of an effort to disrupt Russian attacks on Ukraine.

“When we set up that protection, protecting us protects you,” he said.

There have been 8,500 “analytic exchanges” through the center this year, in which analysts from NSA, working with analysts from private industry, are “chasing a specific lead and following that through, back and forth in an iterative fashion where we both [come] to understand it much, much better than either of us is going to get to by ourselves.”

Dmitri Alperovitch on Taiwan, China and Putin’s probing cyberattacks https://cyberscoop.com/dmitri-alperovitch-china-taiwan-cyber/ Fri, 14 Oct 2022 18:55:44 +0000 https://cyberscoop.com/?p=69716 The former CrowdStrike executive and co-founder of Silverado Policy Accelerator says Americans need to understand Taiwan's strategic value.

Dmitri Alperovitch, former CTO of CrowdStrike, co-founded the Silverado Policy Accelerator last year as a new kind of think tank to bring a venture capital mindset to preserving American hegemony. As such, he’s thinking a lot lately about the growing threat from China. We sat down with him at the recent Cipher Brief Threat conference where he led a war game exercise focused on a hypothetical Chinese invasion of Taiwan. The interview has been edited for length and clarity.

Why present a war game on a hypothetical Chinese invasion of Taiwan?

One of the things that is important to understand about the U.S. response to an invasion of Taiwan is not just [whether] the U.S. gets involved, but what kind of involvement it would take. Is it just going to be limited to repelling invasion? Is it going to be strikes on mainland China, which may be followed by strikes on the U.S. homeland? It’s also important to prepare the American public for that because what we have not done is explain to the public why Taiwan matters so much.

Taiwan is essential to U.S. national security interests because of its geographic location. China having Taiwan enables them to project power across the entire Pacific, which is the future of the global economy and American prosperity. But those are the sorts of arguments that have not been made to the American public.

Do you believe China will invade Taiwan? And if so, when?

It’s very likely, but I don’t think it’s likely anytime soon. The U.S. government projections are that they’re trying to be prepared for invasion by 2027. I firmly believe that whether or not China invades is mostly in Taiwanese hands, because they’re an island of 23 million people. If that population actually gets conscripted and trained — really trained, not the minimal amount of training they’re getting now — they can make this invasion a complete impossibility. If they don’t make the right decisions, there’s very little that we can do. And if they choose not to fight, or if Taiwan falls within 48 hours, there’s nothing we can do to take it back. Unfortunately, up until now, we have not seen Taiwan make the right, hard decisions that Ukraine has made since 2014.

And what about the cyber aspects of the China Taiwan dynamic?

Cyber is always an element of both espionage and warfare as we’re seeing today in Ukraine, as we’ve seen from China for several decades now. It’s not going to be a decisive element of it. Taiwan has a unique vulnerability — it’s an island. Unlike Ukraine, there’s no Poland that is nearby to resupply Taiwan. Virtually all the communications come through undersea cables that could get cut. Some are satellite enabled and could be disrupted through cyberattacks, as we have seen in Ukraine. Imagine a situation where Taiwan is nearly cut off from the outside world. Look at what Ukraine has been able to do by putting out Zelensky videos every night, by having him communicate on virtually every TV channel to rally support for his country. If someone is not able to do that, it’s going to be much more difficult for them to rally the world to their cause.

What is your reaction to the Biden administration’s sweeping new restrictions on the export of semiconductor chips to China?

The export control measures that the administration took are quite unprecedented. They’re effectively going to cripple the Chinese chips industry because so much of that industry depends on imports of American and Western technologies. And these export controls are going to massively limit the ability of the Chinese to procure those systems. So, it’s going to slow them down potentially for a decade or more. That’s a very good thing because as long as China is dependent on the West for chips, they’re going to be much less likely to invade. It’s a critical component of deterrence.

Do you expect to see Russian President Vladimir Putin ratchet up cyberattacks in the coming months, particularly if events continue as they have been with his back increasingly against the wall?

They’re pretty much throwing everything but the kitchen sink at Ukraine already in cyber, but they have been remarkably restrained — surprisingly so — against the West. What you’re seeing now, particularly in the last couple of months, is him slowly escalating vis-a-vis the West and you’ve seen that in his energy policy, shutting down Nord Stream One. If he’s behind the blowing up of the Nord Stream One and Nord Stream Two pipelines, that would be another indication of major escalation. So, you could see him increasingly probe and try to test the West, and cyber could be part of that.

Former CIA and NSA Director General Hayden said here yesterday that he thinks there’s a 50/50 chance America won’t survive largely because of how divided we are by disinformation and the like. Is that too cynical?

We’ve gone through much worse periods in our history. I think our survival was much more at risk in 1776. I think our survival was in great danger in the 1860s, during the Civil War. We’re nowhere close to those divisive moments in history. There’s no question that we have a lot of challenges in this country today — both internal challenges and external challenges — but I’m a long-term bull on America. I think that we’ll overcome our differences. This country has always rallied around the flag when presented with an existential threat from overseas and I think we’re facing one now, with China.

How one group of ‘fellas’ is winning the meme war in support of Ukraine https://cyberscoop.com/nafo-fellas-and-their-memes-ukraine/ Thu, 06 Oct 2022 02:57:37 +0000 https://cyberscoop.com/?p=69535 The NAFO movement has become an important component of the information war playing out online between Russia and Ukraine.

The North Atlantic Fella Organization, or NAFO, has arrived.

Ukraine’s Defense Ministry celebrated the group on Twitter for waging a “fierce fight” against Kremlin trolls. And Rep. Adam Kinzinger, D-Ill., tweeted that he was “self-declaring as a proud member of #NAFO” and “the #fellas shall prevail.”

Former Marine Matt Moores co-founded NAFO in May and it quickly blew up on Twitter. It’s become something of a movement, drawing support in military and cybersecurity circles, where people circulate its memes backing Ukraine in its war against Russia.

“The power of what we’re doing is that instead of trying to come in and point-by-point refute, and argue about what’s true and what isn’t, it’s coming and saying, ‘Hey, that’s dumb,’” Moores said during a panel on Wednesday at the Center for International and Strategic Studies in Washington. “And the moment somebody’s replying to a cartoon dog online, you’ve lost if you work for the government of Russia.”

Memes have figured heavily in the information war following the Russian invasion. The Ukrainian government has proven eager to highlight memes on agency websites and officials have been known to personally thank online communities that spread anti-Russian memes. The NAFO meme shared by the defense ministry in August showed a Shiba Inu dog in a military uniform appearing to celebrate a missile launch.

The Shiba Inu has long been a motif in internet culture. According to Vice’s Motherboard, the use of the Shiba Inu to represent a “fella” waging online war against the Russians dates to at least May, when an artist started rewarding fellas who donated money to the Georgian Legion by creating customized fella art for online use.

Moores said he started NAFO primarily as a fundraising tool to support Ukrainians. The group sells cartoon dog avatars and has so far raised $300,000. Moores said the money goes directly to units fighting in Ukraine so they can buy clothing and ammunition.

In June, Russian diplomat Mikhail Ulyanov sparred with a fella online, becoming angry and emotional in the process. The incident reminded Moores why memes work so well, he said.

Ulyanov posted a message on Twitter defending civilian deaths in Ukraine, provoking a fella to attack him. Moores said Ulyanov’s blundering Twitter retort — “You pronounced this nonsense, not me” — has become a meme used on T-shirts.

Corrected Oct. 7, 2022: This story has been updated to make clear that Moores co-founded NAFO, but did not conceive the idea for it.
