Robin’s Newsletter #189

30 January 2022. Volume 5, Issue 5
Activists ransomware Belarus' state-owned railway company. New UK cyber strategy for government. Let's Encrypt re-issuing 2M certs.

This week

Belarusian railways systems disrupted in politically motivated attack

The Belarusian Cyber-Partisans group has claimed responsibility for a ransomware attack on Belarus’ state-owned railway and is demanding the release of political prisoners and the withdrawal of Russian troops in exchange for the decryption key.

“We encrypted some of [Belarusian Railway’s] servers, databases and workstations to disrupt its operations,” said the group on Twitter, continuing that “automation and security systems were NOT affected to avoid emergency situations.”

Screenshots posted by the group appear to back up their claims and imply that consumer ticketing operations have been disrupted, rather than train movements themselves.

The story has grabbed headlines because of the rising tensions between Russia and Ukraine — with the former amassing troops for ‘joint exercises’ along the Belarus/Ukraine border — though I find it interesting because I think it’s the first time that an activist group has used ransomware for political motivations.

Typically, risk assessments for ‘hacktivist’ groups focus on the potential for embarrassment, stemming from defacement or the theft of data they see as incriminating evidence. Denial of service attacks may also have been considered, but rarely such an active compromise of key systems. Perhaps this will change hacktivism being seen purely as a nuisance.

After all, the Cyber-Partisans, who were also behind the doxxing of Belarus’ state security agents in August 2021 (vol. 4, iss. 33), are giving off strong cyber-punk vibes that Hackers would be proud of.

Interesting stats

$8.6B (up 30%) worth of cryptocurrency laundered by cybercriminals in 2021, according to Chainalysis

95,000+ people lost $770M to fraud on social media in 2021, according to the Federal Trade Commission (FTC); that’s up from $258M (almost 3x) in 2020

8 hours is needed by Windows to reliably download and apply updates, according to Microsoft

Other newsy bits

UK government cyber security strategy

Hot on the heels of the UK’s National Cyber Strategy (vol. 4, iss. 51), comes the Government Cyber Security Strategy that sets out how central and local government functions — delivering public services and operating national security apparatus — will be strengthened and resilient to cyber attack.

The strategy sets out an eight-year timeframe through 2030 (the most critical functions will be hardened by 2025) to drive long-term change and get the fundamentals right across a complex digital estate. That will include collaboration and working with devolved administrations where they are responsible for delivering public services.

The strategy has two pillars: the first focuses on organisational cyber security resilience, to build capability and accountability within individual departments and public bodies, while the second, titled ‘defend as one’, aims to share knowledge and expertise across government.

The Cyber Assessment Framework, developed by NCSC and used to assure operators of critical infrastructure, will be used to help drive what good looks like and as the assurance framework. 

Alongside the launch of the strategy came news of £37.8M funding for local authorities and a new Government Cyber Coordination Centre (GCCC).

Let’s Encrypt revoked 2M HTTPS certificates

An ‘irregularity’ in the way that two million HTTPS certificates were issued and validated prior to 26th January 2022 has required the organisation to revoke and reissue them. If your $thing isn’t working this morning, and you use Let’s Encrypt, start by checking if you’re affected. (Then check DNS :-)).
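As an added illustration (not part of the newsletter, and not Let’s Encrypt’s own tooling), here is one way to do that first check with Python’s standard library: pull the leaf certificate a server presents and flag it for a closer look if Let’s Encrypt issued it before 26 January 2022, the date quoted above. The sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns so the script runs offline; the `organizationName` string used to recognise Let’s Encrypt intermediates and the host names are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Date quoted in the item: certificates issued before this are the ones to re-check.
CUTOFF = datetime(2022, 1, 26, tzinfo=timezone.utc)
# organizationName Let's Encrypt puts in its issuing intermediates (assumption).
LE_ORG = "Let's Encrypt"


def issuer_org(cert: dict) -> Optional[str]:
    """Pull organizationName out of the issuer RDN sequence getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def not_before(cert: dict) -> datetime:
    """Parse getpeercert()'s 'Jan 20 10:00:00 2022 GMT' style timestamp as UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def needs_recheck(cert: dict, cutoff: datetime = CUTOFF) -> bool:
    """True if this is a Let's Encrypt certificate issued before the cutoff.

    This only identifies candidates: a pre-cutoff certificate still being served
    is either unaffected or not yet reissued, and only an OCSP lookup (or the
    CA's own notification) settles which.
    """
    return issuer_org(cert) == LE_ORG and not_before(cert) < cutoff


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape, for an offline run.
SAMPLE_OLD_LE = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Jan 20 10:00:00 2022 GMT",
    "notAfter": "Apr 20 10:00:00 2022 GMT",
}
SAMPLE_NEW_LE = dict(SAMPLE_OLD_LE, notBefore="Jan 28 08:15:00 2022 GMT", notAfter="Apr 28 08:15:00 2022 GMT")
SAMPLE_BOUNDARY_LE = dict(SAMPLE_OLD_LE, notBefore="Jan 26 00:00:00 2022 GMT")
SAMPLE_OTHER_CA = {
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Dec 1 00:00:00 2021 GMT",
    "notAfter": "Dec 1 00:00:00 2022 GMT",
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python check_le.py host1 host2 ...  (hypothetical hosts you operate)
        for host in sys.argv[1:]:
            print(host, "re-check" if needs_recheck(fetch_peer_cert(host)) else "ok")
    else:
        for label, cert in [("old LE", SAMPLE_OLD_LE), ("new LE", SAMPLE_NEW_LE),
                            ("boundary LE", SAMPLE_BOUNDARY_LE), ("other CA", SAMPLE_OTHER_CA)]:
            print(label, "re-check" if needs_recheck(cert) else "ok")
```

Run it with no arguments to see the constructed samples classified, or pass your own host names to check live servers. The comparison is strictly before the cutoff, so a certificate issued at 00:00:00 UTC on 26 January is not flagged; if you want to be conservative, pass a later `cutoff`.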

New Cyber Essentials requirements come into force

Revised requirements for cloud services, home working and multi-factor authentication come into force for Cyber Essentials renewals from this week, amongst other changes. More on the rationale from NCSC, and details on the changes here (vol. 4, iss. 49).

In brief

Attacks, incidents & breaches

  • Smart contracts need smart APIs: a vulnerability in OpenSea’s API allowed attackers to buy NFTs at previously listed (read: much lower) prices. Elliptic says three attackers made over $1M, which OpenSea says it will reimburse to victims
  • Decentralised finance (DeFi) platform Qubit Finance exploited with the attacker making off with $80M of cryptocurrency 
  • Segway’s website has been compromised by attackers who planted Magecart card-skimming JavaScript on the checkout page to steal card details
  • A campaign dubbed ‘Dark Herring’ has used 470 apps on Google Play Store downloaded by 105 million users in 70 countries with malware that subscribes victims to premium services costing up to $15 per month
  • French authorities are investigating the potential theft of data from France’s Ministry of Justice by the LockBit ransomware gang
  • Taiwanese electronics manufacturer Delta Electronics, who supply Apple, HP, Tesla and other big tech companies, has disclosed a ransomware attack attributed to the Conti gang

Threat intel

  • Use of Excel add-in (.XLL) files to compromise machines is up 6x, according to HP, coinciding with Microsoft’s blocking of Excel 4.0 macros by default
  • Microsoft is warning of a phishing campaign that tries to trick users into granting OAuth permissions to their inbox and contacts to an app calling itself ‘Upgrade’, according to @MsftSecIntel
  • Safari and macOS vulnerabilities being chained to backdoor Apple devices that visit pro-democracy websites in Hong Kong 
  • Android malware dubbed Brata now includes a kill switch that can factory reset and wipe infected devices, according to Kaspersky
  • North Korea’s Lazarus group is using a malicious DLL and Windows Update to fetch further malicious payloads, according to Malwarebytes


  • Privilege escalation vulnerability in Polkit (PolicyKit), a utility shipped with every major Linux distribution, discovered by Qualys
  • Critical vulnerability in SonicWall Secure Mobile Access (SMA) gateways is being exploited. A patch was released last month for CVE-2021-20038 to prevent the unauthenticated buffer overflow

Security engineering

  • Cool work that OVO Energy have open-sourced on a project called Domain Protect, which detects and automatically prevents domain takeovers caused by orphaned domains - great work Paul S & co!
  • A joint project between NCSC and their industry 100 group will produce scripts for NMAP to detect critical and common vulnerabilities as part of the Scanning Made Easy project
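As an added example of the kind of check a tool like Domain Protect performs (this is not Domain Protect’s own code, and it only detects rather than prevents), the script below scans a zone for one common class of orphaned record: a CNAME whose external target no longer resolves, so the name is still vouched for by the zone but nobody controls where it points. The zone records, the `.test` host names and the answer table standing in for DNS are all constructed so the example runs offline; `live_resolver` shows how the same function would be fed real lookups.

```python
import socket
from typing import Callable, Dict, List, Tuple

# A zone as (owner name, record type, value) triples.
Record = Tuple[str, str, str]
# A resolver answers "does this name resolve to anything?"
Resolver = Callable[[str], bool]


def live_resolver(name: str) -> bool:
    """Real DNS lookup: a failed lookup (e.g. NXDOMAIN) means the target is gone."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def dangling_cnames(records: List[Record], resolves: Resolver) -> List[Record]:
    """Return the CNAME records whose out-of-zone target no longer resolves.

    A CNAME pointing at a name nobody holds any more (a decommissioned hosted
    service, a deleted cloud resource) is an orphaned record: anyone who can
    claim the target name ends up serving content under the zone's name.
    In-zone targets are skipped here because their own records get checked,
    so a dangling chain is reported once, at the record that actually leaves
    the zone.
    """
    local_names = {name.rstrip(".") for name, _, _ in records}
    orphaned: List[Record] = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        target_name = target.rstrip(".")
        if target_name in local_names:
            continue  # in-zone alias; its own record is checked on its own
        if not resolves(target_name):
            orphaned.append((name, rtype, target))
    return orphaned


# Constructed sample zone: one healthy in-zone alias, one healthy external
# alias, and one alias left behind after a hosted blog tenant was deleted.
SAMPLE_ZONE: List[Record] = [
    ("www.example.test.", "CNAME", "web.example.test."),
    ("web.example.test.", "A", "192.0.2.10"),
    ("blog.example.test.", "CNAME", "old-tenant.hosted-blog.test."),
    ("shop.example.test.", "CNAME", "store.cdn-provider.test."),
    ("mail.example.test.", "A", "192.0.2.25"),
]

# Constructed answer table standing in for DNS so the example runs offline.
FAKE_ANSWERS: Dict[str, bool] = {
    "store.cdn-provider.test": True,
    "old-tenant.hosted-blog.test": False,
}


def fake_resolver(name: str) -> bool:
    """Offline stand-in for live_resolver; unknown names count as gone."""
    return FAKE_ANSWERS.get(name, False)


if __name__ == "__main__":
    for name, rtype, target in dangling_cnames(SAMPLE_ZONE, fake_resolver):
        print(f"orphaned: {name} {rtype} {target}")
```

Swap `fake_resolver` for `live_resolver` to run it against a zone export you own. Treating an unknown name as gone is the safe default for a detector: a false positive costs a manual look, while a missed orphan is exactly the condition that leads to a takeover.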


  • The Tor Project is appealing a decision by Russian courts to block access to the website
  • Google being sued by the District of Columbia, Texas, Washington and Indiana’s attorneys general for “falsely [leading] consumers to believe that changing their account and device settings would allow customers to protect their privacy”
  • Sticking with Google, Mountain View has dropped Federated Learning of Cohorts (FLoC) (vol. 4, iss. 26), its proposed replacement for ad-tracking cookies in Chrome, following opposition from rights groups and regulators, in favour of a revised proposal (that still builds ad-tracking directly into the browser)
  • A legal dispute has highlighted that HMRC, the UK tax collection authority, may use SS7 techniques to look up the mobile phone location of debtors

Public policy

  • US Federal Communications Commission (FCC) has revoked China Unicom’s telecoms license on national security grounds

Mergers, acquisitions and investments

  • Censys, the ‘Shodan for IoT’, has raised $35M in a Series B funding round
  • Bug bounty platform HackerOne has closed a $49M Series E round

And finally

Integrity may be coming for NSO Group

Apparently, NSO Group, famed for their Pegasus spyware and dubious approaches to ethics, is in talks with an American VC firm called *checks notes* Integrity Partners in a $300M transaction. How the buyout would work, given NSO Group has been blacklisted by the US Department of Commerce, is unclear. Nor is the proposed strategy to ditch sales to authoritarian regimes in favour of selling only to countries in the Five Eyes alliance.

