Robin’s Newsletter #187

16 January 2022. Volume 5, Issue 3
Russian authorities scoop up members of REvil. Google Analytics and GDPR. Using a cyberattack to accelerate digital transformation.

This week

Russian authorities act against REvil ransomware gang

Russia has detained fourteen and charged eight individuals from the REvil ransomware gang. “The organised crime gang ceased to exist,” said a statement from the FSB, Russia’s main security agency, following raids at 25 locations in five different regions of the country.

Along with the arrests, the FSB seized 426 million rubles (£4M), $600,000, and €500,000 in cash, a further £440,000 in cryptocurrency and over 20 ‘premium cars’. The suspected malware author and leader of the group, Yevgeniy Polyanin, appears to still be at large (and on the FBI’s most-wanted list).

REvil were responsible for the attack that exploited a vulnerability in the Kaseya remote management tool (vol. 4, iss. 28) used by 60 organisations to manage the IT of 1,500 organisations. Following that attack the group’s infrastructure was taken offline in October (vol. 4, iss. 43) by a multinational operation, before briefly reappearing (restoring from backups that had included an FBI backdoor) and then finally going to ground again in November last year.

It’s a positive step in relations between the US and Russia, with the former having increasingly called for the Kremlin to take action against ransomware gangs, especially following the attack on Colonial Pipeline (also linked to REvil). However, it also comes at a time of heightened tensions and diplomacy between the two countries, as Russian troops amass on the Ukrainian border.

Dmitri Alperovitch (Crowdstrike founder) said the move was ‘ransomware diplomacy’ and a signal of bartering over potential sanctions against actions in Ukraine.

Strategic geopolitics aside, it’s a huge development that’s sure to send shockwaves through the cybercrime community. (Though ultimately that will depend on how the individuals are prosecuted and, if guilty, sentenced). I wouldn’t hold your breath for any extraditions to the US, mind.

Interesting stats

35% increase in malware targeting Linux devices in 2021, with over one in five attacks relating to one of three malware families (XorDDoS, Mirai, Mozi), according to Crowdstrike

$395M worth of cryptocurrency stolen by North Korean attackers in 2021, according to Chainalysis, with $1.5B stolen by the regime in the last five years

Other newsy bits

Google Analytics’ transfer of data to the US contravenes GDPR

The Austrian data protection authority — Datenschutzbehörde (DSB) — has found a publisher’s use of Google Analytics in contravention of the General Data Protection Regulation because it moves personal data to the US. The case in question involved a site that offered Google login, explicitly tying the visit to a user, and because Google can be subject to US intelligence requests ‘standard contractual clauses’ were deemed insufficient protection.

In this case, IP-anonymisation had not been properly implemented, though the judge also noted that this was essentially just one piece of the puzzle, hinting that it alone may not be sufficient in the future. 
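The ruling turns on whether the visitor’s IP address was truncated before leaving the site’s control. As an added example (not code from the newsletter, the DSB decision or Google), here is the anonymisation step an analytics collector should apply before a hit record is stored or forwarded. The truncation widths follow Google’s published description of its Analytics IP-anonymisation feature: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed. The `sampleHits` records and the function names are constructed for illustration.

```javascript
// Added example: GA-style IP anonymisation applied to analytics hit records.
// Truncation widths (IPv4 last octet, IPv6 last 80 bits) follow Google's
// published description of its "anonymize IP" feature; the helper names and
// sample records below are our own, not Google's or the newsletter's code.

function anonymiseIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  octets[3] = '0'; // zero the host octet; the /24 is all that survives
  return octets.join('.');
}

function expandIPv6(ip) {
  // Normalise any legal textual form into eight 4-digit lower-case hex groups.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  const malformed = halves.length === 1 ? head.length !== 8 : missing < 1;
  if (malformed) throw new Error(`invalid IPv6 address: ${ip}`);
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  return groups.map(g => g.toLowerCase().padStart(4, '0'));
}

function anonymiseIPv6(ip) {
  const groups = expandIPv6(ip);
  // Keep the top 48 bits (three groups); zero the remaining 80 bits (five groups).
  return [...groups.slice(0, 3), ...Array(5).fill('0000')].join(':');
}

function anonymiseIP(ip) {
  return ip.includes(':') ? anonymiseIPv6(ip) : anonymiseIPv4(ip);
}

// Constructed sample hit records, shaped like what a collector endpoint receives.
const sampleHits = [
  { page: '/pricing', clientIp: '203.0.113.77' },
  { page: '/login',   clientIp: '2001:db8:85a3::8a2e:370:7334' },
];

// Anonymise before persistence or onward transfer, so the raw address is never
// written anywhere the processor (or a third country) could later read it.
function anonymiseHits(hits) {
  return hits.map(h => ({ ...h, clientIp: anonymiseIP(h.clientIp) }));
}

console.log(anonymiseHits(sampleHits));
```

Note that a malformed address throws rather than being passed through unchanged: silently forwarding an address the truncation step could not parse is exactly the kind of ‘not properly implemented’ gap the decision describes.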

The extra-territoriality of new data protection regulation (applying to citizens of a nation no matter their physical jurisdiction) is going to cause many headaches in the coming decade as lawmakers and courts try to figure out how this works in practice. The options at the moment are pretty blunt: run an EU-specific version of Google Analytics (up to Google) or provide greater protection for personal data in the US (up to US legislators).

Ransomware attack: maybe accelerate those digital transformation plans?

Nordic Choice Hotels responded to a ransomware attack in December last year (vol. 4, iss. 50) in a novel manner. The hotel chain used the opportunity to migrate to Chrome OS, with the first hotel being up and running within 24 hours of the attack and a further 2,000 computers at 212 hotels in five countries being migrated in the following 48 hours.

The company had already run a pilot and had planned to make the switch: the ransomware incident provided the impetus to crack on. Using the opportunity to build back in a more secure (and cheaper/easier/more productive) manner is something I’ve seen as an attractive option for businesses in these situations. It’s interesting to see it as a case study of what’s possible.

The kicker is a 60 million NOK ($6.7M) saving by being able to repurpose old hardware.

Good thinking

Changing big stuff and little stuff

Phil Venables discussed the importance of security programmes having the right balance of transformational big bets alongside relentless incremental improvements. Lots of good advice and food for thought here.

Start with context and constraints for a successful cyber strategy

Phil Huggins has some great lessons on writing cyber strategies. A good set of pointers and questions that you can use to check/challenge your ego and assumptions. Set yourself up to start from the right place.

And remember: frameworks frame, they don’t fix.

Write strong risk scenarios

Tony Martin-Vegue’s post on the ISACA website looks at the ‘art’ of writing good risk scenarios. (Something we covered off during a session for the Open Security Summit). There are some bits I’d disagree with — I’ve come round to the opinion that asset-driven risk assessments don’t allow you to capture the holistic risk faced for many organisations — however, it’s great to see emphasis given to the skill of composing and communicating risk clearly.

Welcome focus is also given to the identification phase of risk management. This is foundational to good risk analysis but is oft-overlooked. Get it wrong and you leave yourself open to being blindsided. (As an aside: it’s an area we devote more time to at Cydea and have positive feedback from clients, too (great job, Niall!)).

In brief

Attacks, incidents & breaches

  • Compromise of fifty high-profile FIFA player accounts caused by EA support agents not verifying identities during support requests
  • Cameras and door access controls offline at a New Mexico prison after ransomware attack cripples IT systems
  • Over 70 Ukrainian government websites defaced following a dead-end in Ukraine-US-Russia talks; claims that data of Ukrainian citizens has been ‘sent to a public network’
  • Amazon has fixed flaws in AWS’ Glue and CloudFormation services that allowed researchers from Orca Security to access and create resources in other AWS users’ accounts


  • Spare a thought for India’s Patchwork APT group, who exposed their inner workings to researchers from MalwareBytes after infecting their own network with a remote access trojan

Threat intel

  • US Cyber Command attributes ‘MuddyWater’ group to Iranian Ministry of Intelligence and Security (MOIS)
  • Cybercriminals go back to the future and mail out USB drives containing their malware
  • Night Sky ransomware group is using Log4j to compromise VMware Horizon instances
  • SysJoker malware can infect Windows, macOS and Linux
  • How-to for SonicWall remote code execution of SMA 100 VPN devices published
  • Scammers in Texas have been using QR code stickers to direct parking meter users to fake websites and steal money
  • NSO Group spyware found on devices of 35 journalists in El Salvador
  • UniCC, one of the world’s largest ‘carding’ forums, used to sell stolen payment card information, has announced that it’s shutting down


  • Nine crits, one wormable vulnerability amongst the 120 addressed by Microsoft in Windows this week
  • Another vulnerability in USB-over-IP functionality, this time found by SentinelOne (CVE-2021-45388) in the NetUSB module written by KCodes and used by vendors including Netgear, TP-Link, D-Link and Western Digital

Cyber defence

  • Wireshark creator hired by Sysdig to work on other projects and extend functionality to support monitoring and analysing cloud networks
  • Might we soon be using electromagnetic waves to detect malware? Researchers from IRISA, the ‘French laboratory for research in digital science and technology,’ claim to be able to predict infection from three malware types in IoT devices with 99.82% accuracy

Security engineering

  • This is some clever thinking from Telstra: “When a request is made to us by a banking organisation we’ll provide a rating (in the form of a number on a risk scale) which gives an indication of whether there have been any recent SIM swaps or port out activity for [that number]” that allows banks to identify, and potentially prompt for additional information, where one-time SMS codes may be compromised
  • Open-source developer ‘sabotages’ colours and faker libraries, breaking apps because he is “no longer going to support Fortune 500s… with my free work”
  • Chrome will soon prevent internet sites from querying resources on local networks through a new W3C spec called ‘Private Network Access’ (PNA)

Operational technology

  • German security researcher finds a way to control over 25 Teslas, including stereo, windows, and doors, using a flaw in a third-party app


  • Europol ordered to delete data on citizens that haven’t been linked to crime


  • UK’s Prudential Regulation Authority (PRA) is looking to place greater scrutiny on the use of cloud computing in financial services, in particular resilience and risk aggregation stemming from the pervasive use of the big three providers (AWS, GCP and Azure). Minutes from a previous session between the PRA, Financial Conduct Authority (FCA) and Bank of England noted: “the increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight.”
  • Federal Communications Commission has proposed tighter rules for how telcos handle data breaches, including removing the seven-business-day grace period to notify customers
  • China’s State Administration for Marketplace Supervision (SAMR) has issued a penalty warning to Walmart for ‘not dealing with system vulnerabilities in a timely manner,’ in contravention of the country’s Internet Security Law

Law enforcement

  • Five members of a ransomware gang that has attacked more than 50 companies were arrested in Ukraine

And finally

The Security Obstructionism (SecObs) market

This easily falls within good thinking above but rounds out this week’s newsletter due to the on-brand, sharp-witted observations from Kelly Shortridge on ‘security obstructionism’. I’m sure we have all experienced “security says no” at some point in our lives and careers. There are some great examples in this blog post. Take a look on Monday to see which of these your organisation is doing (then try to stop them!)

“The point of SecObs is not better security outcomes for the business or end users. The point is more security outputs as a proxy for progress and these outputs impart more control over the organization, transmogrifying into power and status.”

Infernal Quadrant for Security Obstructionism (SecObs) (source: Kelly Shortridge)
