Robin’s Newsletter #123

25 October 2020. Volume 3, Issue 43
DOJ charges Fancy Bear, Doubts over Trump's Twitter password, and digital dilemmas for charity donations.

This week

Charges for Sandworm, sanctions for Fancy Bear, as US and EU tighten screws on Russia for cyber-attacks

It’s been quite the week for relations between the West and Russia.

The US Department of Justice has charged six Russian intelligence officers with being behind some of the most disruptive and significant cyber-attacks of the last five years.

The six are alleged to work for Unit 74455 of the Russian Main Intelligence Directorate, widely known as the GRU. Threat intelligence vendors variously track the group as Telebots, Voodoo Bear and Iron Viking, and perhaps most famously as Sandworm.

The group is alleged to be behind high-profile attacks including taking down parts of Ukraine’s electric grid in 2015 and 2016 using the BlackEnergy and Industroyer malware, hack-and-leak operations against French President Macron’s campaign in 2017, and the Olympic Destroyer malware attack on the opening ceremony of the 2018 Winter Olympics in Pyeongchang, which they tried to pin on North Korean actors.

Perhaps the most notorious of their activities, though, is the NotPetya attack in 2017. Although dressed up as ransomware, NotPetya was in effect a destructive wiper: paying the ransom could not recover files. It initially targeted Ukrainian businesses (where over 80% of infections were recorded) but quickly spread around the globe. Shipping giant AP Moller-Maersk and logistics firm FedEx were affected, suffering costs of $400m and $300m respectively, as were Reckitt Benckiser, Merck & Co and advertising giant WPP, with one estimate putting global damages above $10 billion.

For their parts in those attacks, they are charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.

As the defendants are resident in Russia, extradition is extremely unlikely; the indictment instead forms part of the US ‘name and shame’ policy.

Also this week the US added the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) to its sanctions list. It is accused of aiding the development of the Triton (also known as Trisis) malware, which was designed to interfere with the safety instrumented systems of a petrochemical plant.

The European Union also brought sanctions against two Russian intelligence officers who work for the closely affiliated Fancy Bear group (APT28), also part of the GRU, for the hack-and-leak operation against the German Bundestag in 2015.

Former UK national security adviser Lord Sedwill also said the UK ‘hit back hard’ against Russia following the use of the Novichok nerve agent in Salisbury, and that they “paid a high price.”

The digital transformation of international relations is well advanced, it would seem, with cyber capabilities well established as strategic, national tools for intelligence, military and diplomatic purposes.


Interesting stats

There’s more work to do improving diversity within the information security profession: one third of women and one quarter of ethnic minorities do not feel they ‘belong’ in the cybersecurity community, according to research by Synack and the University of California, Berkeley.

On that note, Black Hat Europe 2020 scholarships for students and women in security are open for applications now through November.

2,000 US law enforcement agencies have technology to crack encrypted phones, at an average cost of $1,950 per device, according to Washington DC non-profit Upturn.

Other newsy bits

Trump’s password probably isn’t ‘maga2020!’

Victor Gevers, a Dutch security researcher, claims to have discovered Donald Trump’s Twitter password and that it is ‘maga2020!’. Gevers has form, having claimed previously to have accessed Trump’s Twitter account in 2016 using a password he found in the LinkedIn data breach. The evidence, in the form of screenshots, does not seem to match that on the account, and Twitter says it has found no evidence of a breach. Meanwhile, Trump claimed “nobody gets hacked” on the campaign trail this week, going on to say that “you need somebody with 197 IQ and he needs about 15% of your password” in order ‘to get hacked’, seemingly forgetting that his hotel chain has been breached. Twice.

Charities in a bind over donations from ransomware gangs

A ransomware group has left two charities in a bind after making two $10,000 donations. In a ‘press release’ the group claims “no matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” For Children International and The Water Project the donations leave them in a predicament: they’re unable to accept the proceeds of crime, but because the donations were made in Bitcoin, whose transactions cannot be reversed, they have no way of refunding them. The Robin Hood moment is a bizarre twist in the growth of ransomware operations throughout 2020.

NSA advisory on Chinese state-sponsored exploits points to the perimeter

An advisory from the US National Security Agency lists 25 vulnerabilities used by Chinese state-sponsored attackers that, it says, are exploited frequently against networks holding sensitive intellectual property and economic, political and military information. The list focuses heavily on the perimeter of target organisations, with F5 and DrayTek network devices, Citrix, RDP and email servers featuring prominently. MobileIron’s mobile device management suite is also included. MDM tools were used to deploy Android malware earlier this year (vol. 3, iss. 18) and I believe they are an often overlooked entry point to organisations.

In brief

Attacks, incidents & breaches

  • French IT outsourcing firm Sopra Steria latest victim of Ryuk ransomware

Threat intel

  • Those ransom demands to avoid a DDoS attack probably aren’t from North Korea’s Lazarus or Russia’s Fancy Bear
  • New remote access trojan uses Telegram for command and control
  • Threatening ‘Proud Boys’ email intimidating US voters attributed to Iran

Vulnerabilities

  • Patch available for ‘perfect 10’ vulnerability in console of HPE data storage appliances
  • 402 fixes from Oracle in quarterly update, 10% may be exploited remotely without authentication
  • 1 million WordPress sites forcibly upgraded to newer version of Loginizer plugin after discovery of SQL injection vulnerability

Security engineering

  • Microsoft’s Azure Modular Data Center to use Starlink satellite comms for backhaul in remote and disaster response scenarios

And finally

McBroken: never underestimate those craving ice cream

Rashiq Zahid has reverse-engineered the application programming interface of the McDonald’s app to work out where the ice cream machines are broken beneath golden arches across the US. To find out which machines are out of order he adds ice cream to his cart at each location, and in doing so generates (though doesn’t place) over $18,000 worth of orders every minute. While a bit of fun, access to proprietary APIs should be controlled to limit transactions to legitimate clients and prevent wholesale espionage by the competition. McDonald’s laughed it off as the lengths a ‘true fan’ will go to. (It wouldn’t surprise me at all if execs have been after similar business intelligence for a while!) @rashiq
