Cydea is matching Disasters Emergency Committee (DEC) appeal donations, up to £10,000, as well as the UK Government’s matching £20M of public donations. You donate £10, Cydea matches £10, UK Gov matches £10 meaning £30 goes to the Ukraine Humanitarian Appeal.
Since Friday people have donated over £2,000. Matched, that is £6,000 towards helping refugees fleeing the crisis and enough to provide blankets to keep almost 500 families warm.
This week
The battleground for modern warfare is expansive
Obviously, the Russian invasion of Ukraine continues to dominate the news this week. Microsoft says that it detected new ‘wiper’ malware (dubbed ‘FoxBlade’). The malware was used in attacks targeting Ukraine organisations that were launched just hours before the Russian assault began. Working with NATO, and Western governments, signatures were added to Defender ‘within three hours’ to help detect and prevent the attacks. Ukraine has also been granted a role in NATO’s cyber threat intelligence hub.
Meanwhile, Ukraine has been mobilising a volunteer ‘IT Army’ and pointing it at a list of 31 public and private sector Russian organisations. “We are creating an IT army,” tweeted Ukraine’s vice prime minister, “there will be tasks for everyone.”
Anonymous and other hacktivist groups have been conducting distributed denial of service attacks against Russian state-linked organisations, defacing their websites and leaking their data. Some commentators worry that this may compromise covert intelligence operations.
Some of that ‘pandemonium’ came in the form of the news website Ukrainska Pravda publishing a list of what it says is the personal information of 120,000 Russian soldiers who are fighting in Ukraine. Some records appear legit, other names have been proven to be missing, so the exact source and nature of the information are unclear at present. It’s sure to be a hit to soldiers’ morale, and the prospect of ‘enemies’ contacting your family is a concern many would rather not have to deal with.
Ukraine also requested that the Internet Corporation for Assigned Names and Numbers (ICANN) — who oversee Internet addresses and the domain name system — ‘shut down’ all .ru (Russian) domains. The non-profit rejected the proposal on the grounds that the Internet is a decentralised system and that “ICANN has been built to ensure that the Internet works” (as opposed to not works).
Human rights groups say that cutting Russians off from the Internet would prevent its citizens from being able to access independent sources of information and leave them reliant on state-run media.
The talk in the buildup was of ‘cyber war’ but, in reality, we’re seeing significant ‘information warfare’ being carried out by all parties. This is a new type of war being fought not just on Ukrainian soil, but in the hyper-connected hearts and minds of people around the world.
That, in parallel, comes with an explosion of variously (in)credible open source intelligence analysis of convoys, troop movements and advances: “From high-resolution satellite images to TikTok videos, governments no longer control information from the front lines.”
Interesting stats
10x the number of attacks against 8,320 Ukrainian WordPress sites since the Russian invasion began, says Wordfence bleepingcomputer.com
61% of vulnerabilities identified by F-Secure’s vulnerability management team within organisations’ networks were at least five years old, according to the Finnish company’s Attack Landscape Update f-secure.com
Other newsy bits
Internal chat logs and admin panel and malware source code of Conti ransomware gang leaked
Last week the Conti ransomware gang declared its allegiance to Russia in the Russia/Ukraine conflict. Seemingly that didn’t sit well with one presumed insider who this week has released a trove of internal data from the group.
About a year’s worth of internal chat logs from the group have been released along with the source code for their admin panels and the malware used to steal data and lock up devices.
Brian Krebs has a three-part series delving into what these messages can tell us about the internal workings of the group, life ‘in the office’ and insights into their strategies and tactics. This will, no doubt, be a huge boon for law enforcement investigations and cause a certain amount of paranoia within the Conti group itself.
In terms of wider consequences, given how refined and proficient the Conti group’s operations are, I’d expect that other cybercrime groups will make use of the leaked source code to improve their own malware.
techcrunch.com, krebsonsecurity.com: part 1, part 2, part 3
Interesting reads
Cyber realism in a time of war
Ciaran Martin has an excellent piece on the Lawfare blog. “The Russian invasion of Ukraine has, thus far, been utterly conventional… even those of us long skeptical about the mischaracterization of cyber operations… have been surprised by just how little cyber operations have featured in the early part of the invasion.” It’s a good read covering the cyber threat to the West, what we’re learning about cyber escalation and what this may mean for cyber postures.
How to define cyberwar?
In the same vein, with the number of groups involved in the Russian invasion of Ukraine extending beyond nations to include activist groups and civilians around the world, Suzanne Smalley explores ‘how to define cyberwar’. Where do digital operations meet similar thresholds for armed conflict? How much does the civilian or military nature of a target have a bearing? “Most international treaties were written before there was a cyber domain, they also pre-date many other battlefield technologies.”
In brief
Attacks, incidents & breaches
- A ‘limited’ number of systems at insurance firm AON were affected by a cyberattack on 25th February that it “does not expect… to have a material impact” on its business bleepingcomputer.com
- Toyota has halted production at 14 plants in Japan following a suspected cyber attack, resulting in approximately 13,000 fewer cars being produced reuters.com. ‘Just in time’ manufacturing is not resilient against rising cyber security-related disruption in the supply chain ft.com
- South American group Lapsus has claimed responsibility for an attack against Nvidia, with the group saying they have 1 TB of data including employee usernames and passwords and other intellectual property zdnet.com… The cybercriminals are demanding that the chipmaker remove restrictions on using the graphics cards to mine cryptocurrency arstechnica.com
- Tire manufacturer Bridgestone has sent factory workers in North America and Latin America home for consecutive days after an ‘information security incident’ zdnet.com
Threat intel
- Ukraine’s CERT warns of UNC1151/Ghostwriter activity and shares details of email addresses it says are linked to phishing campaigns targeting organisations in Ukraine, Poland, Belarus and Russia. Ghostwriter is believed to act on behalf of Belarus’ Ministry of Defence zdnet.com, facebook.com (IOCs)
- New, advanced Daxin malware hides as a Windows kernel driver and hijacks TCP connections to avoid detection, and is linked to China, according to Symantec bleepingcomputer.com
- Log4Shell exploits now mostly being used for crypto-mining and DDoS attacks, says Barracuda bleepingcomputer.com
Cyber defence
- Microsoft post on new insider risk management features microsoft.com
Security engineering
- NCSC guidance on building and operating secure online services, and on transaction monitoring, has been published.
Privacy
- EU and the US close to replacing Privacy Shield agreement theregister.com
Public policy
- US Senate votes to pass legislation requiring critical infrastructure providers to notify Homeland Security of cyber incidents within 72 hours, or 24 hours if they have made a ransomware payment therecord.media
- Singapore armed forces to launch new ‘digital and intelligence service’ by the end of 2022 to boost cyber defences zdnet.com
And finally
Just a reminder to, if you can, please make a donation to the DEC humanitarian appeal.