Robin’s Newsletter #194

6 March 2022. Volume 5, Issue 10
The 'pandemonium' of modern warfare.

Cydea is matching Disasters Emergency Committee (DEC) appeal donations, up to £10,000, as well as the UK Government’s matching £20M of public donations. You donate £10, Cydea matches £10, UK Gov matches £10 meaning £30 goes to the Ukraine Humanitarian Appeal. 

Since Friday people have donated over £2,000. Once matched, that is £6,000 towards helping refugees fleeing the crisis, and enough to provide blankets to keep almost 500 families warm.

Donate via JustGiving.

This week

The battleground for modern warfare is expansive

Obviously, the Russian invasion of Ukraine continues to dominate the news this week. Microsoft says that it detected new ‘wiper’ malware (dubbed ‘FoxBlade’). The malware was used in attacks targeting Ukrainian organisations that were launched just hours before the Russian assault began. Working with NATO and Western governments, signatures were added to Defender ‘within three hours’ to help detect and prevent the attacks. Ukraine has also been granted a role in NATO’s cyber threat intelligence hub.

Meanwhile, Ukraine has been mobilising a volunteer ‘IT Army’ and pointing it at a list of 31 public and private sector Russian organisations. “We are creating an IT army,” tweeted Ukraine’s vice prime minister, “there will be tasks for everyone.”

Anonymous and other hacktivist groups have been conducting distributed denial of service attacks against Russian state-linked organisations, defacing their websites and leaking their data. Some commentators worry that this may compromise covert intelligence operations.

Some of that ‘pandemonium’ came in the form of the news website Ukrainska Pravda publishing a list of what it says is the personal information of 120,000 Russian soldiers who are fighting in Ukraine. Some records appear legit, while other names have been proven to be missing, so the exact source and nature of the information are unclear at present. It’s sure to be a hit to soldiers’ morale, and the prospect of ‘enemies’ contacting your family is a concern many would rather not have to deal with.

Ukraine also requested that the Internet Corporation for Assigned Names and Numbers (ICANN) — who oversee Internet addresses and the domain name system — ‘shut down’ all .ru (Russian) domains. The non-profit rejected the proposal on the grounds that the Internet is a decentralised system and that “ICANN has been built to ensure that the Internet works” (as opposed to not works).

Human rights groups say that cutting Russians off from the Internet would prevent its citizens from being able to access independent sources of information and leave them reliant on state-run media.

The talk in the buildup was of ‘cyber war’ but, in reality, we’re seeing significant ‘information warfare’ being carried out by all parties. This is a new type of war being fought not just on Ukrainian soil, but in the hyper-connected hearts and minds of people around the world. 

That, in parallel, comes with an explosion of variously (in)credible open source intelligence analysis of convoys, troop movements and advances: “From high-resolution satellite images to TikTok videos, governments no longer control information from the front lines.”

Interesting stats

10x the number of attacks against 8,320 Ukrainian WordPress sites since the Russian invasion began, says Wordfence

61% of vulnerabilities identified by F-Secure’s vulnerability management team within organisations’ networks were at least five years old, according to the Finnish company’s Attack Landscape Update

Other newsy bits

Internal chat logs and admin panel and malware source code of Conti ransomware gang leaked

Last week the Conti ransomware gang declared its allegiance to Russia in the Russia/Ukraine conflict. Seemingly that didn’t sit well with one presumed insider who this week has released a trove of internal data from the group.

About a year’s worth of internal chat logs from the group have been released along with the source code for their admin panels and the malware used to steal data and lock up devices.

Brian Krebs has a three-part series delving into what these messages can tell us about the internal workings of the group, life ‘in the office’ and insights into their strategies and tactics. This will, no doubt, be a huge boon for law enforcement investigations and cause a certain amount of paranoia within the Conti group itself.

In terms of wider consequences, given how refined and proficient the Conti group’s operations are, I’d expect that other cybercrime groups will make use of the leaked source code to improve their own malware. (Krebs’ series: part 1, part 2, part 3.)

Interesting reads

Cyber realism in a time of war

Ciaran Martin has an excellent piece on the Lawfare blog. “The Russian invasion of Ukraine has, thus far, been utterly conventional… even those of us long skeptical about the mischaracterization of cyber operations… have been surprised by just how little cyber operations have featured in the early part of the invasion.” It’s a good read covering the cyber threat to the West, what we’re learning about cyber escalation and what this may mean for cyber postures.

How to define cyberwar?

In the same vein, with the number of groups involved in the Russian invasion of Ukraine extending beyond nations to include activist groups and civilians around the world, Suzanne Smalley explores ‘how to define cyberwar’. Where do digital operations meet similar thresholds for armed conflict? How much does the civilian or military nature of a target have a bearing? “Most international treaties were written before there was a cyber domain, they also pre-date many other battlefield technologies.”

In brief

Attacks, incidents & breaches

  • A ‘limited’ number of systems at insurance firm AON were affected by a cyberattack on 25th February that it “does not expect… to have a material impact” on its business
  • Toyota has halted production at 14 plants in Japan following a suspected cyber attack, resulting in approximately 13,000 fewer cars being produced. ‘Just in time’ manufacturing is not resilient against rising cyber security-related disruption in the supply chain
  • South American group Lapsus has claimed responsibility for an attack against Nvidia, with the group saying they have 1 TB of data including employee usernames and passwords and other intellectual property… The cybercriminals are demanding that the chipmaker remove restrictions on using the graphics cards to mine cryptocurrency
  • Tire manufacturer Bridgestone has sent factory workers in North America and Latin America home for consecutive days after an ‘information security incident’

Threat intel

  • Ukraine’s CERT warns of UNC1151/Ghostwriter activity and shares details of email addresses it says are linked to phishing campaigns targeting organisations in Ukraine, Poland, Belarus and Russia. Ghostwriter is believed to act on behalf of Belarus’ Ministry of Defence (IOCs)
  • New, advanced Daxin malware, which hides as a Windows kernel driver and hijacks TCP connections to avoid detection, is linked to China, according to Symantec
  • Log4Shell exploits now mostly being used for crypto-mining and DDoS attacks, says Barracuda

Cyber defence

  • Microsoft post on new insider risk management features

Security engineering

  • EU and the US close to replacing Privacy Shield agreement

Public policy

  • US Senate votes to pass legislation requiring critical infrastructure providers to notify Homeland Security of cyber incidents within 72 hours, or 24 hours if they have made a ransomware payment
  • Singapore armed forces to launch new ‘digital and intelligence service’ by the end of 2022 to boost cyber defences

And finally

Just a reminder to, if you can, please make a donation to the DEC humanitarian appeal.

