Robin’s Newsletter #200

17 April 2022. Volume 5, Issue 16
Industroyer2: Cyberattack on Ukraine power grid averted. $600 million crypto-heist linked to North Korea's Lazarus group. RaidForums seized by US authorities.

This week

Ukrainian power grid attack foiled as Russian soldiers are doxxed

The Ukrainian government and cyber security vendor ESET have released details of an attack against a private energy company that operates part of Ukraine’s power grid supplying approximately 2 million people.

The attack, which was detected and neutralised before the supply could be interrupted, occurred on the 8th of April. Initial access may have occurred back in February.

Analysis of the malware has shown that it can send commands to circuit breakers and protective relays.

The malware has been dubbed Industroyer2, after similarities with the malware used against Ukraine’s power grid in 2016. That previous attack, and by extension this one, especially given the broader conflict, is believed to have been carried out by the ‘Sandworm’ group, who are part of Russia’s GRU military intelligence agency.

A separate piece of malware, CaddyWiper, was also deployed in an apparent attempt to cover the tracks of the attack.

Also this week, Ukrainian intelligence doxxed 1,600 Russian troops it says served in Bucha. The information war accompanying the Russian invasion of Ukraine has been intense, and the wholesale ‘naming and shaming’ of the opposition forces is new and I’m sure not something the ordinary soldier would have considered.

bbc.co.uk, arstechnica.com, wired.com (doxxing)

Interesting stats

3% of DDoS targets received a ransom demand in March 2022, compared to 28% in December 2021, according to Cloudflare

A bar chart showing the percentage of Cloudflare customers who were targeted by DDoS and accompanying ransom demands. After a lull through Summer 2021, it peaks in December 2021 at 28% before dropping to just 3% in March 2022. (Source: Cloudflare)

The pattern appears to peak in Q4, perhaps meaning that retailers are being targeted during busy shopping periods? bleepingcomputer.com

38% of ransomware attacks in Q1 2022 were carried out by LockBit, with a further 20% being attributed to Conti, according to research by Digital Shadows zdnet.com

Other newsy bits

Lazarus group linked to Ronin DeFi heist

The US Treasury Department’s Office of Foreign Assets Control (OFAC) announced this week that a cryptocurrency wallet associated with the theft of 173,600 ether ($600 million) (vol. 5, iss. 14) is associated with North Korea’s Lazarus group. The wallet is subject to sanctions that prevent US individuals and organisations from transacting with the account.

According to Elliptic, over 18% ($107 million) of the stolen cryptocurrency has been laundered so far.

The North Korean group is believed to have been behind the theft of $400 million of cryptocurrency in 2021. The proceeds form an important revenue stream for the state and are believed to help fund its nuclear weapons and ballistic missile programmes.

In related news, Virgil Griffith, a former researcher at the Ethereum Foundation, was sentenced to more than five years in prison this week. Griffith had pleaded guilty to charges that he helped North Korea avoid sanctions after travelling to Pyongyang in April 2019 to speak at a blockchain conference.

techcrunch.com, elliptic.co, bbc.co.uk

RaidForums seized by US authorities

RaidForums, a marketplace for stolen credentials and personal data, has been seized by the US Department of Justice, FBI, and Secret Service, amongst a wider group of law enforcement partners from the UK, Europe, Sweden and Romania.

RaidForums became unresponsive at the end of February, and speculation amongst the site’s approximately 500,000 users was that it had been infiltrated by law enforcement.

We now know that the administrator of the site, a 21-year-old Portuguese national, was arrested on 31st January and that the site was run for almost a month by the FBI.

It marks the second takedown of a significant cybercrime site in as many weeks, with the Hydra marketplace being shut down by German authorities last week (vol. 5, iss. 15).

Having access to the site’s database, and having run it for some time, will have also given law enforcement a significant amount of intelligence on the users of the forum.

A substantial amount of information had already been established beforehand, though, with the operation — dubbed “Tourniquet” — being the “culmination of a year of meticulous planning,” according to Europol. “This intense exchange of information enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.”

vice.com, arstechnica.com

Interesting reads

How China built its cyber-espionage capability

A reminder of the steps that China has taken over the last decade to build its cyber-capability, including the requirement to disclose all vulnerabilities to the state.

“An unnamed large American firm had disclosed to him that Chinese researchers received $4 million in 2021… However, as the Chinese government tightens control, this multimillion-dollar ecosystem is now delivering a steady stream of software vulnerabilities to Chinese authorities—effectively funded by the companies and at no cost to Beijing.”

technologyreview.com

T-Mobile tried to buy its data from attackers

Court documents show that T-Mobile hired a third party to handle negotiations with attackers last year after they compromised the data of millions of customers (vol. 4, iss. 34). The intermediary paid the attackers $200,000 in an attempt to buy ‘exclusivity’ to the data, though the attackers continued publishing and selling the data.

vice.com

In brief

Attacks, incidents & breaches

  • Atlassian has published an update on the recent outage that affected 400 customers on the 4th of April, with 88 facing up to a further fortnight without access to their Jira or Confluence instances. The cause? Miscommunication between teams caused the wrong set of IDs to be set for deletion, and a ‘permanently delete’ flag to be set on a script used by the vendor to manage its cloud instances. Remarkable honesty, but, ouch! atlassian.com (reminds me of the command line issue behind Facebook’s outage last year (vol. 4, iss. 41))
  • Advertising company Omnicom took their email and VPN offline following “suspicious activity” cyberscoop.com
  • $11 Million stolen from Elephant Money decentralised finance (DeFi) platform through a ‘price manipulation attack’ therecord.media

Threat intel

  • Microsoft says Windows hides tasks from the GUI and command line of the Task Scheduler where their registry entry doesn’t have a ‘security descriptor’ — essentially hiding them from most admins — and that the China-linked Hafnium group used this technique to maintain persistence on compromised hosts microsoft.com
  • Android banking trojan intercepts and reroutes calls to bank’s customer service lines using a spoofed dialler interface bleepingcomputer.com
  • Ransomware groups OldGremlin and NB65 are targeting Russian organisations therecord.media
  • ‘Hack-and-leak’ data extortion group Karakurt linked to Conti ransomware group through shared infrastructure and crypto-currency wallet links cyberscoop.com
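A way to hunt for the hidden-task technique in the Microsoft item above, written as an added example for this newsletter rather than taken from Microsoft’s write-up: it walks the Task Scheduler’s registry tree, flags task keys that have no ‘SD’ (security descriptor) value, and cross-checks them against what the scheduler is willing to show. It assumes the documented TaskCache layout under HKLM and needs to run in an elevated PowerShell session.

```powershell
# Added example, not code from the newsletter or from Microsoft's advisory.
# Scheduled tasks are mirrored in the registry under TaskCache\Tree; each task
# key normally carries 'Id' (a GUID) and 'SD' (the security descriptor). A task
# whose key lacks 'SD' is not shown by schtasks or the Task Scheduler GUI.
$treePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-TaskWithoutSD {
    param([string]$Path = $treePath)

    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }

        $names = $props.PSObject.Properties.Name
        # Folders have no 'Id'; only real task keys do.
        if ($names -notcontains 'Id') { return }

        if ($names -notcontains 'SD') {
            [pscustomobject]@{
                # Registry name looks like HKEY_LOCAL_MACHINE\...\Tree\Folder\Task;
                # keep the part after \Tree so it matches TaskPath+TaskName.
                TaskPath = $key.Name -replace '^.*\\Tree', ''
                Id       = $props.Id
            }
        }
    }
}

# Cross-check: tasks present in the registry that Get-ScheduledTask does not
# list are exactly the ones hidden from an administrator's normal view.
$visible = Get-ScheduledTask -ErrorAction SilentlyContinue |
    ForEach-Object { $_.TaskPath + $_.TaskName }

$suspect = Get-TaskWithoutSD | ForEach-Object {
    $_ | Add-Member -NotePropertyName VisibleToScheduler `
                    -NotePropertyValue ($visible -contains $_.TaskPath) -PassThru
}

if ($suspect) {
    $suspect | Format-Table -AutoSize
} else {
    Write-Output "No scheduled tasks without a security descriptor were found."
}
```

Any row with VisibleToScheduler set to False is worth pulling the matching GUID subkey from TaskCache\Tasks for, since that is where the task’s actions and triggers are stored.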

Vulnerabilities

  • HP warns of three critical and eight high-severity vulnerabilities in its Teradici ‘PC over IP’ remote desktop alternative bleepingcomputer.com
  • Amazon fixes local file read vulnerability in AWS’ Relational Database Service (RDS) theregister.com
  • Proof of concept dropped for critical remote code execution vulnerability in VMware Workspace ONE Access and VMware Identity Manager bleepingcomputer.com

Cyber defence

  • Minor release of NCSC’s Cyber Assessment Framework (CAF) — used by critical infrastructure providers — to improve consistency and clarity between different domains ncsc.gov.uk

Security engineering

  • OpenSSH 9 includes a quantum-resistant key exchange designed to prevent ‘capture now, decrypt later’ attacks theregister.com

Operational technology

  • CISA says an advanced persistent threat (APT) actor has developed tools to gain ‘full system access’ to ICS/SCADA systems from Schneider Electric (programmable logic controllers (PLCs)), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers cisa.gov
  • Five vulnerabilities in hospital robots could allow them to spy on patient records and harass staff zdnet.com

Privacy

  • Tim Cook used his keynote at the IAPP Global Privacy Summit to rail against “a data industrial complex built on a foundation of surveillance” and how control over how and what apps a user can install is core to protecting privacy and security (both the US and EU are planning legislation that may allow for circumventing the AppStore and ‘side loading’ of apps) techcrunch.com
  • DuckDuckGo trialling a new Mac browser based on WebKit that will ‘manage most cookie popups’ for users arstechnica.com

Public policy

  • Should cyber regulation of oil pipelines be transferred from the TSA to the Department of Energy? “The [TSA] has been criticized for lacking the expertise and tools needed to effectively regulate cybersecurity in the pipeline context” lawfareblog.com
  • Not public, but social media policies, and how content moderation is ‘designed for peacetime, not war’ therecord.media

Law enforcement

  • Department of Homeland Security disrupted an attack on an undersea Internet cable in Hawaii conducted by “an international hacking group” cyberscoop.com

Mergers, acquisitions and investments

  • Thoma Bravo to buy identity and access management firm SailPoint for $6.9 billion theregister.com
  • … while Israeli IAM startup Silverfort closes a $65 million Series C round techcrunch.com
  • … and KKR is buying Barracuda Networks from Thoma Bravo for $4 billion, according to Reuters zdnet.com
  • Autonomous red-teaming startup Prelude raises $24 million Series A funding techcrunch.com

And finally

Thank you for subscribing

This is the 200th edition of Robin’s Newsletter and I’d like to finish with a heartfelt thank you for subscribing, and a couple of pleas:

I always love to hear your feedback: please take 30 seconds to tell me what you like more, or less of.

It’d also be wonderful if you recommend this to a friend or colleague or share this link on social media and make sure you tag me (Twitter, LinkedIn) so I can make sure I like/follow you!

Thanks again, and here’s to the next 200!

Robin
