Below: Federal prosecutors in Texas are trying to collect hundreds of thousands of dollars worth of crypto that they say is linked to the REvil/Sodinokibi ransomware group, and Australia moved to overhaul its national cybersecurity plan. First:
More lessons on the cyber role in the Russia-Ukraine war
New reporting tied to the first anniversary of the Ukraine-Russia war is illuminating how the conflict has played out in cyberspace.
Although it might sound counterintuitive, Russia’s cyberattacks on Ukraine prepared not just Ukraine to fortify its defenses, but they also helped bolster the security of the rest of the world, my colleague Joseph Menn reported over the weekend.
I also did some reporting about the one-year mark earlier, writing about how the war illustrated both the reach and limits of hacking during wartime, and what the conflict might foretell for hacking’s role in future conflicts.
Collectively, those stories and others paint a picture of how prolific cyberattacks against Russia haven’t led to many major cyber successes out of Moscow, and detail the frenzy of activity across the world to brace for the worst the Kremlin had to offer.
But there’s still reason to worry that Russia might have more up its sleeves, with Germany’s interior minister Nancy Faeser warning in an interview published this weekend that Russian cyberattacks, disinformation and spying still pose a “massive danger” and that “cybersecurity concerns have been exacerbated by the war.”
Overall as a result of the war, Ukraine is “not only better prepared, we are able to share our lessons learned” on cyber, George Dubynskyi, deputy minister for security in Ukraine’s Ministry of Digital Transformation, said in Joseph’s story.
That’s because, as Joseph reported, “the campaign may have helped inoculate Ukraine against more devastating attacks, experts say, by revealing Russian tactics when the stakes were highest, proving the value of faster collaboration and other defensive measures, and destroying the myth of Russia as an unstoppable cyber superpower.”
And there was a spillover effect in the United States.
“The Russian invasion did prompt greater cyber cooperation between the U.S. and key allies, particularly in Eastern Europe,” said Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency and coordinator of the American interagency defensive response. “When it comes to work across domestic critical infrastructure sectors, the war turbocharged the operational collaboration that we had kicked off.”
The story explains how U.S. intelligence agencies and major tech companies worked to defend Ukraine, although some notable attacks did get through, such as the hack of satellite company Viasat that disrupted communications by Viasat customers in Ukraine and Europe in the lead-up to the war.
In an oral history of the overall war, a team of Politico reporters provided a timeline of some of the U.S. cyber preparations.
- “This was really a coming-of-age for our cyber community — we never before mobilized like this for a geopolitical crisis,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology at the National Security Council, discussing plans to aid Ukraine, strengthen U.S. defenses and rally allies. “It reflects the extent to which cyber was now a mainstream national security issue.”
- January 2022 was a big month for laying cyber groundwork, said Gen. Paul Nakasone, National Security Agency and Cyber Command chief. “Working across the FBI, CISA and the Department of Homeland Security — what are we seeing that might inform us of what an adversary, in this case the Russians, might do to us?,” he said. “This was really active. These were conversations going on every day.”
AJ Vicens and Elias Groll of CyberScoop reported on some of the more technical elements of the cyber conflict, emphasizing the prominence of wiper attacks designed to erase data and render machines inoperable as well as some of the cyber industry response.
One attack that stood out as “the most significant attempted cyberattack during the war thus far” was an April attempt by the infamous Russian-government hackers known as Sandworm to take down parts of the electricity grid, according to Robert Lipovsky, a senior malware researcher at ESET.
“If it had been successful, it could’ve left millions of people without electricity,” he told CyberScoop. The attack “was a failure,” Lipovsky said, “thanks to swift detection and good coordination among the parties involved in the defense.”
Cyber observers will be watching closely for what happens next. CISA warned of a potential uptick in attacks around the anniversary of the war. And look for a potential spike in cyber activity out of Russia in the coming months, Adam Meyers, head of intelligence at cybersecurity company CrowdStrike, told me.
“As we move into the second year of armed conflict, it is likely that Russia is preparing a spring offensive when the muddy season is over,” Meyers said via email. “Future months of combat will likely employ tactical capabilities with cyber elements, and we anticipate Russian military policy will aggressively target civilian infrastructure and the energy sectors — as well as attempt to disrupt media services.”
- “Additionally, CrowdStrike Intelligence expects to see continued espionage cyber campaigns of Ukraine’s neighboring NATO countries and the potential use of wipers and website defacements into Ukraine,” he said.
Federal prosecutors in Texas target ransomware-linked funds
Federal prosecutors in the Northern District of Texas are trying to collect more than $300,000 in crypto that they say is linked to the REvil/Sodinokibi ransomware group, which has extorted hundreds of millions of dollars from hacking victims, Seamus Hughes reports for Court Watch.
According to a court filing released last week, the government’s lawyers allege that the digital currency was located in a Russian person’s account until the FBI’s Dallas office seized it in December.
During a news conference in 2021 discussing a previous seizure involving the group, Attorney General Merrick Garland said, “Our message today is clear: The United States, together with our allies, will do everything in our power to identify the perpetrators of ransomware attacks, to bring them to justice and to recover the funds they have stolen from the American people.”
“For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group,” Garland said at the time. “This will not be the last time.”
Australia to rewrite cyber laws after Optus, Medibank hacks
Australia’s federal government is preparing to overhaul a cybersecurity strategy after Optus, a telecommunications company, and Medibank were hacked, exposing the customer data of millions of Australians, from passports and driver’s licenses to health-care information, Australian Broadcasting Corporation’s Jake Evans reports.
“In those events, we were meant to have at our disposal a piece of law that was passed by the former government to help us engage with companies under cyberattack,” Home Affairs Minister Clare O’Neil said.
“That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted.”
Under the new plan, a national cyber office led by a new cybersecurity coordinator will be created to direct emergency responses to future hacks and to enforce standards across industry and the government. O’Neil said that the current cyber law, created by Australian Rep. Scott Morrison, will also be rewritten to give the government the authority to intervene when necessary.
News Corp. says state hackers were on its network for two years
Publishing giant News Corp. said that hackers first gained access to its systems in February 2020, two years before the company disclosed that it had fallen victim to a breach, Sergiu Gatlan reports for Bleeping Computer.
In letters sent to employees, the mass media company said that some staffers had their private personal and health information stolen and that the hackers also had access to an email and document storage system used by the network. The incident impacted news organizations including the Wall Street Journal and the New York Post.
“Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information,” the company said.
“Our investigation indicates that this activity does not appear to be focused on exploiting personal information. We are not aware of reports of identity theft or fraud in connection with this issue.”
When the attack was first revealed last year, the media giant said that the hackers were linked to a foreign government. “Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” David Wong, VP of incident response at Mandiant, told BleepingComputer at the time.
- CISA Director Jen Easterly speaks at Carnegie Mellon University about the designed-in dangers of technology today at 10:05 a.m.
- The R Street Institute, along with Rep. Michael R. Turner (R-Ohio), chairman of the House Permanent Select Committee on Intelligence, will hold its 2023 cyber dialogue with the defense industry today at 10:30 a.m.
- CISA Chief Information Officer Robert Costello will deliver remarks virtually at the 2023 Information Security and Innovation Forum on Tuesday at 8:05 a.m.
- CISA Assistant Director for Stakeholder Engagement Alaina Clark will speak at the Academia Involvement in Community Cybersecurity Conference at the University of Texas on Tuesday at 12:40 p.m.
- The Brookings Institution will hold a discussion with Assistant Attorney General Matt Olsen about the potential reauthorization of the Foreign Intelligence Surveillance Act on Tuesday at 9:30 a.m.
- The House Energy and Commerce Subcommittee on Consumer Protection and Commerce holds a hearing titled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” on Wednesday at 8:30 a.m.
- The Senate Judiciary Committee will hold an oversight hearing to examine the Department of Justice on Wednesday at 10 a.m.
Thanks for reading. See you tomorrow.