Robin’s Newsletter #290

7 January 2024. Volume 7, Issue 1
Sandworm was in Kyivstar for at least seven months. British Library will spend 40% of reserves rebuilding after ransomware attack. Mandiant Twitter account compromised.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

  • Ukraine: Russian attackers gained access to Ukraine’s Kyivstar telco as early as May 2023, before wiping “almost everything” on thousands of virtual servers and PCs on 12th December 2023, according to Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cyber agency. The attackers, believed to be a group in Russia’s military intelligence agency dubbed Sandworm, would also have been able to steal personal information, geolocate mobile handsets, intercept SMS messages and more with the access they achieved. Remarkably, Kyivstar restored full operations eight days later, on 20th December.

  • British Library: The British Library will burn through around 40% of its reserves to rebuild its digital estate following a ransomware attack in October 2023. The institution refused to pay the £600,000 ransom demand and now estimates the rebuilding costs to be between £6-7 million ($8-9 million). Procurement records show NCC Group were paid £250,000 in the wake of the attack, claimed by the Rhysida ransomware group, who also released 573GB of data. Meanwhile, authors will not be receiving Public Lending Right (PLR) payments, worth unto £6,600, because of the ongoing disruption.

Interesting stats

12 characters will be the minimum length for LastPass master passwords via a phased rollout, starting this month.

8 days to fully restore Kyivstar’s operations following a destructive cyber-attack (see above).

Other newsy bits / in brief

  • Shameless: DNA testing business 23andMe is blaming the victims of a data breach because “users negligently recycled and failed to update their passwords following [previous, unrelated breaches]”. In a letter sent to hundreds of 23andMe users suing the company, 23andMe said that “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures”. In December, attackers used credential stuffing to access the accounts of 14,000 23andMe users, which ultimately resulted in the genetic and ancestry data of 6.9 million users being stolen (vol. 6, iss. 50).

  • BGP hijack: Orange Spain suffered an outage after the company’s password to RIPE, the regional IP address database, was stolen using infostealer malware. Not that the password would have been difficult to guess: Spain’s second most popular network operator used the password “ripeadmin” and hadn’t enabled MFA.

  • Merck/NotPetya: Merck has reached an 11th-hour settlement with its insurers over refusals to payout $700 million on the pharmaceutical giant’s ‘all risks’ policy. Details of the settlement are confidential. Merck had claimed $1.4 billion in damages to 40,000 computers incurred during the NotPetya outbreak in 2017, and the insurers refused the $700 million payout, claiming NotPetya was excluded by its “acts of war” clause. A New Jersey court and appellate court had found in Merck’s favour (vol. 6, iss. 19). The settlement was reached shortly before oral arguments were due to begin at the New Jersey Supreme Court.

  • Unintended consequences: A prankster who created an ‘everything’ package broke software repository npm. The package includes every other software library hosted on npm as a dependency, and npm’s policies prevent the deletion of projects on which other software depends (to prevent others swooping in and replacing them with malicious code).

  • Non-story: You may see this floating around on social media: Cyber-hackers target UK nuclear waste company RWM. The Guardian article picks up on a statement around cyber attacks made in RWM’s annual accounts filed with Companies House. The accounts talk about the company being targeted, especially since a merger last year, and that attempts predominantly started with approaches to employees on LinkedIn. However, they also explain that none of the “cyber incidents” had a “material effect”.

  • New low? A ransomware gang that compromised the network of Seattle’s Fred Hutchinson Cancer Center threatened to ‘SWAT’ patients in an attempt to extort the hospital. SWATting involves making false reports of an ongoing serious or violent crime to elicit a response from law enforcement, such as dispatching an armed SWAT team.

  • Breach law firm breached: Orrick, Herrington & Sutcliffe, an international law firm, has suffered a data breach. Orrick lost the personal data of over 637,000 victims of the law firm’s data breach clients.

  • Cyber diplomacy: The FBI is posting six new cyber assistant legal attachés to embassies, including New Delhi, Rome, and Brasilia, improving how law enforcement can engage with their foreign counterparts to coordinate responses to cybercrime.

  • Industry news: Atos is in talks to sell off its Big Data & Security division to Airbus for up to €1.8 billion ($2 billion).

And finally

Robin

  Robin's Newsletter - Volume 7

  Ukraine Russia Sandworm Kyivstar British Library LastPass 23andMe Orange Spain RIPE BGP Hijacking Merck NotPetya npm Radioactive Waste Management (RWM) Nuclear SWATting Ransomware Orrick Atos Airbus