Robin’s Newsletter #88

23 February 2020. Volume 3, Issue 8
Georgia defacement attribution; misusing anti-abuse; Pipeline ransomware.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

UK, US says Russia’s GRU behind massive Georgia cyber-attack

This week the UK and US point the finger of blame at Russia for the defacement of thousands of Georgian websites in October last year. The UK’s National Cyber Security Centre (NCSC) believes there is a ’95% likelihood’ that Russia’s GRU Unit 74455 is responsible for the action and that it was to sow discord amongst the population.

Original reports (vol. 2, iss. 44) stated that 2,000 sites had been affected, though since October that number has risen to 15,000. The affected websites included those of the Georgian prime minister, media outlets and other government bodies. I’m also due a correction: initially the sites all originated from the same web hosting provider and that does not appear to be the case.

Unit 74455 — also known as Sandworm, BlackEnergy, TeleBots and Voodoo Bear — are believed to have been behind some of the highest-profile cyber-attacks of recent years.

That includes the NotPetya ransomware attack that started in Ukraine but spread globally causing havoc for many companies and costing billions. Wired have a write up of that attack that claims response and recovery costs for Maersk were $250-300M, TNT Express at over $400M and pharmaceutical giant Merck’s at a whopping $870M.

Defacing websites was a common occurrence in the early days of the Internet and usually featured the hacking group behind it replacing content and claiming responsibility for the ‘kudos’. Nowadays they are less common. It’s interesting to see the breadth of tactics the GRU use and how, while there was technical expertise behind a compromise of that scale, it was intended to look far less sophisticated.

These attributions are intended to step up pressure on the Russian government and discourage them from carrying out similar attacks in the future. Establishing this body of attribution is also helpful for US and UK diplomatic efforts, for example between the two competing groups at the United Nations trying to establish the ‘norms’ for how countries should behave in cyberspace.,,,, (original coverage)

Interesting stats

56 days, median dwell time in 2019, down from 416 days in 2011, according to Fireeye’s M-Trends 2020 report. Also…

22% of incidents investigated by Mandiant involved data theft likely linked to intellectual property or espionage end goals 29% were likely for direct financial gain (including extortion, ransom, card theft, and illicit transfers) 3% were for the purpose of reselling access gained in the intrusion 4% likely served no purpose except for creating compromised architecture to further other attacks <1% involved an insider.

$24.83 average cost of phishing tutorials on cybercriminal forums $23.27 average cost of the tools needed to conduct an attack, according to Digital Shadow’s Photo Research team

Other newsy bits

Turning anti-abuse tools against themselves

Lots of coverage is given to adversaries finding and exploiting holes in systems to achieve their ends. Less well covered is subverting legitimate tools for unintended purposes. That the case this week in a story from Brian Krebs who highlights a new email-based extortion scheme targeting Google AdWords. As Google’s anti-abuse systems start to prevent click fraud, groups have turned their systems from perpetrating click-fraud to threatening to use them on legitimate ads, that would result in the victim’s account being suspended for the suspicious traffic. Similar schemes exist to threaten popular influencers on social media platforms, reporting their content to get their accounts suspended.

Jumping the air gap: CISA warn of ransomware affecting operation technology of pipeline company

Claims that operational technology - the industrial control systems and digital things that control physical - air not air-gapped (segregated) are as frequent as those claiming they are. Connections are put in to allow control, or reporting, to IT systems, or for allowing remote diagnostics, amongst many other purposes. A ransomware outbreak at a natural gas pipeline company was able to ‘jump’ from their IT to OT network. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the ‘programmable logic controllers’ (PLCs) were not encrypted - not surprising given they run very limited code - however the Windows-base ‘human-machine interfaces’ used to administer the pipeline were. That resulted in an operational shutdown of the entire pipeline asset lasting approximately two days. The attacker seemed more interested in holding their data to ransom than disrupting production, though that was the result.,

In brief

Attacks, incidents & breaches

  • We know what you did last summer: MGM’s hotel spinoff lost 10.7m guest records
  • Health care analytics firm [NRC Health] infected with ransomware
  • Croatia’s largest petrol station chain impacts ability to invoice, accept loyalty cards, by ransomware
  • DOD [Defense Information Systems Agency (DISA)] discloses data breach

Threat intel

  • Static password in Smart Software Manager – patch now, says Cisco
  • ObliqueRAT: New RAT [targets SE Asian government] endpoints via malicious documents
  • Severe vuln in WordPress plugin Profile Builder allows remote attackers were able create their own admin accounts
  • Systems at Redcar and Cleveland Council have been down for almost two weeks, amid fears it has fallen victim to a ransomware attack

Security engineering

  • FBI recommends passphrases over password complexity

Internet of Things

  • Bluetooth-related flaws [exploitable within physical/radio distance] threaten dozens of medical devices


  • Google to put a muzzle on Android apps accessing location data in the background

Mergers, acquisitions and investments

  • Dell Technologies sell its infosec business RSA for $2.075bn to reduce its longstanding debt
  • ForgePoint raises a massive new $450M fund for early-stage cybersecurity startups
  • SentinelOne raises $200M at a $1.1B valuation to expand its AI-based endpoint security platform

And finally

An IoT Candle…

“With a tap on your smartphone, you can now magically light up a real scented candle.” What could possible go wrong?


  Robin's Newsletter - Volume 3

  Georgia Russia Attribution Dwell Time Cyber-Crime Tools Abuse Tools Air Gap