Robin’s Newsletter #193

27 February 2022. Volume 5, Issue 9
Russia invades Ukraine.

This week

Russian invasion of Ukraine

What a horrendous situation.

There’s a lot of hyperbole about ‘cyber war’ that I don’t think is helpful. Undoubtedly, security and technology teams defending critical infrastructure and government departments in Ukraine are facing a tough time - digitally, physically and emotionally. Joe Słowik’s post is a good read on the context and on how the current attacks are more ‘annoyances’ than ‘attacks’ and ultimately “fall quite short of past cyber incidents in Ukraine in terms of both extent and impact.”

As I wrote in a Cydea risk advisory this week, I believe that most commercial organisations are more likely to be affected by the sanctions introduced against Russian nationals and companies than state aggression in cyberspace.

The UK NCSC has published guidance on steps to take when the cyber threat level is heightened, though the immediate business consequences are more likely to be associated with disruption to business operations and impact on revenue where organisations deal with customers in the Russian Federation. And, as @GossiTheDog points out, trying to make significant changes to your infrastructure at short notice may lead to self-inflicted disruption.

Ciaran Martin, the former head of the UK National Cyber Security Centre, has tweeted saying “were a really sophisticated, targeted attack causing huge disruption to Western critical infrastructure to take place, it would be glaringly obvious it was Russia, with all the escalatory consequences.” I agree with him, and also that it is ultimately impossible to predict how events in Ukraine will unfold.

Collateral damage from an unsophisticated attack is a more likely outcome for businesses to prepare for. There is historical precedent for this, too: the Russia-linked outbreak of the ‘NotPetya’ malware in Ukraine led to significant disruption for many companies and sectors worldwide, from shipping giant Maersk and law firm DLA Piper, to advertising giant WPP and tech provider Nuance.

That may come from either side. A Russia-linked attack may escape its intended target (as NotPetya did). Meanwhile, Ukraine is calling on hackers to come forward and help defend its critical infrastructure, and the hacktivist collective Anonymous has declared ‘cyberwar’ against Russia (and apparently succeeded in subverting Russian TV broadcasts to feature Ukrainian music and symbols). The Conti ransomware gang says it ‘fully supports’ the Russian government and will retaliate against the critical infrastructure of those who ‘organise cyberattack or war activities’ against Russia.

That’s a lot of moving parts, with potentially loose command and control over the direction and techniques used to achieve objectives. Infiltration or subversion of these community efforts is certainly plausible. Trust, but verify, any efforts that you may get involved with.

Physical conflict and cyberattacks aside, Jackie Singh has a great thread on the third front of this conflict: (dis)information warfare. Her thread is a methodical unpacking of the dissemination of pro-Russia talking points and how ‘grass roots’ news is generated from false discourse on social media.

Interesting stats

Log4Shell was a big deal…

A graph showing the cumulative volume of attacks against days since first detection for Log4Shell, Struts and ProxyLogon (source: Fortinet)

There was 2x the volume of Log4J DoS attacks in the first 10 days compared to Struts’ first year; that’s also 50x the level of activity seen for the Microsoft Exchange ProxyLogon vulnerability (h/t Phil) (PDF), though many attackers may have already lost interest in it, according to SANS.

83% of successful ransomware attacks now involve double, or triple, extortion (threatening to release files and/or notify the victim’s customers directly); 18% of those who pay up still have their data exposed, and 35% are unable to retrieve their data after making payment, according to Venafi.

In brief

Attacks, incidents & breaches

  • Swedish IP camera maker Axis shut down all public-facing systems this week to contain a cyberattack
  • Nvidia is responding to an incident that has impacted the company’s developer tools and email

Threat intel

  • Indicators of compromise for the WhisperGate wiper malware that’s been targeted against organisations in Ukraine
  • CISA says the Sandworm group, linked to Russia’s GRU intelligence agency, is behind malware dubbed ‘Cyclops Blink’
  • Palo Alto Networks says fileless and socketless malware dubbed SockDetour has been used against defence firms since July 2019
  • Phishing campaign targeting Monzo banking customers, and the company’s alert from @monzo
  • Using noVNC in the browser to phish users including MFA and leave a valid session on the attacker’s server
  • TrickBot operators shut down their eponymous botnet (after being recruited by the Conti ransomware gang)
  • Iran-aligned MuddyWater group is conducting espionage activities against global telecommunications and energy companies, according to a joint CISA, FBI and NSA advisory
  • No honour amongst thieves: malware authors have been discovered creating malicious npm packages used by their rivals
  • Russia is warning its critical infrastructure providers to expect an ‘increase in the intensity of attacks’
  • Pangu Labs, a Chinese cyber security firm, says it has linked a sophisticated malware variant to the US National Security Agency’s Equation Group


  • Last year Samsung fixed a botched implementation of the hardware abstraction layer used for cryptographic functions and storage of encryption keys in the Android Keystore on an estimated ‘100 million’ Galaxy S8, S9, S10, S20 and S21 phones
  • NHS Digital says organisations should immediately patch Okta’s Advanced Server Client to fix a remote code execution vulnerability

Operational technology

  • LockBit, Conti ransomware groups most actively targeting ICS and OT environments, according to Dragos


  • German university researchers say the open source AirGuard app for Android is better at detecting malicious AirTag trackers than Apple’s own app
  • Meta settles a Facebook-era lawsuit over data collection via the company’s embedded ‘Like’ buttons on third-party websites, which continued even after a user logged out, for $90 million

Public policy

  • Chris Inglis, the US’ National Cyber Director, on the need for a new ‘cyber social contract’

Mergers, acquisitions and investments

  • Professional and managed services firm BlueVoyant has closed a $250 million Series D funding round
  • Cloudflare has acquired email security business Area 1 for $162 million
  • Secureframe closed a $56 million Series B to expand go-to-market for its solution, which it claims automates compliance processes for HIPAA, SOC3 and ISO27001
  • Darktrace has acquired attack surface management outfit Cybersprint for €47.5 million ($53.7 million) in a cash and equity deal

And finally

Businesses are taking action against Russia

“The sanction nobody is talking about.” Pornhub is (cock)blocking Russian users from its platform. H/t to @alexbloor for labelling this ‘dicklomacy’.
