Robin’s Newsletter #196

20 March 2022. Volume 5, Issue 12
Russia/Ukraine roundup. Mysterious incident affecting satcom terminals. Ransomware group adds wiper capability. Law firm gets GDPR fine for not patching.

This week

Roundup of Ukraine cyber news

ESET has seen another ‘wiper’ malware strain at ‘a few dozen’ Ukrainian organisations. The malware appears to have been deployed via group policy. It checks to see if the infected machine is a domain controller, presumably to maintain access to the infiltrated networks.

Ukraine’s Computer Emergency Response Team has also attributed a fake ‘critical security update’ installer to a Russian state-linked group with ‘medium confidence’. The fake ‘BitdefenderWindowsUpdatePackage’ actually installed a variety of malware, including Cobalt Strike, a paid penetration testing product popular with red teamers and cybercriminals alike.

Russian attacks have caused several regional Internet outages, with monitoring firm Netblocks saying overall connectivity has ‘dipped about 20%’ since the invasion began. The outages are a mix of strikes against telecommunications infrastructure and power failures, causing anything from slowdowns to complete outages. The besieged city of Mariupol is one of the worst affected.

Meanwhile, The Guardian has interviews with volunteers in Ukraine’s ‘IT Army’. Described as “running interference,” the loosely organised group has been behind the ongoing denial of service attacks against Russian government, media and energy company websites.

In a separate article, ‘Western officials’ are quoted as saying they “strongly discourage” volunteers from launching cyber attacks against Russia which may be criminal acts. I’d expect anyone on the IT Army Telegram group to receive a ‘special welcome’ if they ever travel to Russia. “We are not seeing a heightened threat to the UK or generally to allies,” said one official, “it’s fair to say that the level of cyber-activity we see is not significantly up or down”. The concern is ‘overspill’ from well-meaning attacks.

An example of what that might look like was also seen this week. An open-source developer of the ‘node-ipc’ NPM package turned it into ‘protestware’, with the package being updated to check if it was being run on an IP in Russia or Belarus and, if so, wiping files and replacing them with a heart emoji.

More damaging to Russian information technology will likely be the sanctions imposed by Western countries that, according to reports in Russian news, mean that the Russian public sector will ‘run out of digital storage’ within ‘two months’. Rising demand from the Russian private and public sectors, combined with the inability to buy new storage devices, is putting strain on domestic cloud providers.

As Russia’s VTB and Promsvyazbank have been removed from the SWIFT financial messaging network, the FT reports ‘several executives’ at banks are concerned that SWIFT may be targeted for reprisal attacks. There has been no evidence of offensive state cyber-attacks outside of the conflict zone to date.

Germany’s BSI security agency has warned against using Kaspersky anti-malware products, especially for critical infrastructure providers and those with ‘special security interests’. The reason given by the federal agency is that, as a Russian-headquartered organisation, it may be “forced to attack target systems against its will, or spied on without its knowledge”.

Interesting stats

2,692% increase in Russians using virtual private network (VPN) services, according to Top10VPN

34 different ransomware variants were observed across 722 distinct attacks in Q4 2021, according to Intel 471, up 18% on Q3 2021, with LockBit 2.0, Conti and PYSA being the most prevalent

Other newsy bits

Viasat satellite communications were knocked offline as Russia invaded Ukraine

A developing story from the last three weeks has been a mysterious issue affecting satellite modems communicating with Viasat’s KA-SAT satellite over Ukraine and Eastern Europe.

The circumstances around the incident are curious, with affected terminals seeming to be clustered around a particular satellite ‘beam’ rather than a network-wide event. Reuters reports that the affected modems ‘appeared to be completely inoperative,’ and Viasat has blamed a “deliberate, isolated and external cyber event” though further details are sparse.

Viasat provides services to the Ukrainian military, providing a motive for an attack against the service provider.

The Cybersecurity & Infrastructure Agency (CISA) and FBI have published an alert to US critical infrastructure providers outlining mitigations for ‘satcom’ network providers and customers.

Law firm handed GDPR fine for not patching ‘critical’ vulnerability for five months

The UK Information Commissioner has handed a £98,000 penalty to law firm Tuckers Solicitors for failing to protect sensitive information. The company suffered a ransomware attack during which over 972,000 files were encrypted, including almost 25,000 related to ongoing case information. Sixty were exfiltrated and released by the attackers, including “15 relating to criminal proceedings and 45 civil proceedings”. While sympathetic to the attack, the ICO deemed the fine was justified because the law firm had failed to patch a critical vulnerability in its systems for over five months. “Tuckers should not have been processing [highly sensitive data] on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk,” said the ICO in its report.

LokiLocker ransomware now includes optional wiper functionality

‘Double extortion’ ransomware became the dominant tactic for cybercrime operators in 2021, stealing organisations’ data and threatening to release it, as well as encrypting it. Now a new kid on the block, LokiLocker, includes optional wiper functionality that overwrites the master boot records of infected devices.

It’s a ‘nuclear’ option: there certainly wouldn’t be any coming back from negotiations, but it will undoubtedly apply additional pressure on victims.

BlackBerry believe that the group behind LokiLocker may be Iranian in origin.

In brief

Attacks, incidents & breaches

  • Games company Ubisoft has confirmed it suffered a ‘cyber security incident’ with LAPSUS$ group taking responsibility
  • Israeli government websites were temporarily taken offline by ‘huge DDoS’
  • 281 managed WordPress sites hosted by GoDaddy (and its resellers, which include MediaTemple, 123Reg and Host Europe) were compromised within 24 hours. GoDaddy suffered a breach in November 2021 that may be related (vol. 4, iss. 48)
  • The German operations of automotive company Denso, which supplies parts to Toyota, appear to have been compromised by the Pandora ransomware group
  • Approximately 4TB of data was stolen over a decade from TransUnion South Africa, according to a Brazilian crime group who are demanding a $15 million ransom

Threat intel

  • US CISA has published indicators of compromise for what they say are Russian actors that have been using misconfigured Cisco Duo multi-factor authentication and the ‘PrintNightmare’ vulnerability to compromise non-governmental organisations (NGOs) since May 2021
  • Lily Hay Newman has a good write-up on the ‘chaotic start’ of the Lapsus$ group, who struck a string of Brazilian and Portuguese-language targets, before pivoting to tech organisations like Samsung, Nvidia and Ubisoft (see above) with hack-and-leak operations and wild demands (Nvidia’s was to remove limitations on their GPUs mining cryptocurrency)
  • Trickbot is going after MikroTik routers, according to Microsoft, who have a detailed write-up on how the IoT devices are being used in the botnet
  • Attackers are using Apple’s TestFlight app in scams that allow users to install apps that haven’t been through the Cupertino company’s AppStore vetting process
  • Google’s Threat Analysis Group has exposed the ‘Exotic Lilly’ initial access broker, which may be linked to the Conti ransomware group. Exotic Lilly was sending around 5,000 emails a day and spoofing company domains and social media profiles
  • Asus wifi routers are vulnerable to, and being targeted by, the ‘Cyclops Blink’ malware

Cyber defence

  • HackerOne will make payments to Ukrainian hackers after botched comms around sanctions and tweets from execs saying funds would be donated to charity
  • Facebook parent Meta has been fined €17 million (£14.3 million, $18.8 million) by the Irish Data Protection Commission for twelve security incidents affecting 30 million Facebook users, disclosed to the regulator in 2018

Public policy

  • President Biden has signed the bill that includes the ‘Strengthening American Cybersecurity Act’ into law. Critical infrastructure operators will now be required to notify the Cybersecurity and Infrastructure Agency within 72 hours of a breach, or 24 hours if a ransom payment is made. The law should start to give policymakers more data and insights into the state of CNI cyber security and incidents
  • Australia will help 30,000 victims of domestic abuse to scan their phones for stalkerware in a new initiative
  • Lawmakers in Minnesota are trying to ban the use of algorithms for content recommendation to under-18s on social media networks, something that UK digital secretary Nadine Dorries seems to be all in favour of, asking Microsoft when ‘they were going to get rid of algorithms’ during a meeting this week
  • The UK Online Safety Bill has been brought before Parliament, with potential jail time for tech executives who fall foul of regulators, amidst dissatisfaction from campaigners and rights groups
  • CafePress is settling a complaint with the Federal Trade Commission, with $500,000 being set aside for redress. The case brought by the FTC was for not disclosing a data breach to users and a string of other poor security practices in 2019

Law enforcement

  • Nigerian law enforcement have arrested Osondu Victor Igwilo, a scammer on the FBI’s Most Wanted list who is claimed to be the leader of a cybercrime group that has defrauded victims out of approximately $100 million

Mergers, acquisitions and investments

  • The UK Competition and Markets Authority (CMA) has raised concerns that the NortonLifeLock acquisition of rival Avast shouldn’t proceed because “the proposed deal could lead to a reduction in competition in the UK market”. The companies have five days to explain to the regulator how the concerns will be addressed, though NortonLifeLock was “surprised” by the decision, which has been approved by authorities in the US, Spain and Germany.
  • SentinelOne has announced it is acquiring identity management company Attivo for $616.5 million to fill the “missing link in holistic XDR (Extended Detection and Response) and zero trust strategies”

And finally

NS8 co-founder pleads guilty

Golf clap to the co-founder and former CEO of ‘cyberfraud prevention’ company NS8 who has pled guilty to falsifying financial data to defraud investors out of $123 million. Prosecutors say ’somewhere between 40% and 95%’ of balance sheet assets did not exist.

