Cyber conflict between Ukraine and Russia

The CyberWire


Security firm Proofpoint this morning released a study of Chinese People's Liberation Army threat actor TA413, which has deployed a malicious Firefox browser extension, FriarFox, in a surveillance campaign directed against Tibetans. TA413 has also used ScanBox and Sepulcher malware in its operations so far this year. The unit's targets include Tibetan groups both domestic and in the Tibetan diaspora. Proofpoint assesses TA413's toolset as limited but quite effective against dissident communities, which after all have what Proofpoint aptly calls a low barrier to compromise. The campaign also suggests a shift to more open-source tools on the part of the PLA.

Ukraine's National Security and Defense Council has accused Moscow of compromising a Ukrainian government file-sharing system, the System of Electronic Interaction of Executive Bodies. ZDNet thinks the group responsible is Gamaredon, a group widely regarded as a proxy for Russian intelligence services. Gamaredon has certainly been active against Ukrainian targets in the past, but it's an odd duck. While often thought of as an advanced persistent threat, that is, a government-run operation, in some respects it doesn't really act like a government agency, or even a straight-up contractor like Iran's Mabna group. For one thing, Gamaredon doesn't restrict its targeting the way a government operation normally would, nor is it entirely indiscriminate in the way the lower-end criminal gangs tend to be. For all that, Gamaredon is both noisy and aggressive. Research by Cisco's Talos group suggests that Gamaredon is also a mercenary player in the criminal market. Talos wrote in its recent report on Gamaredon, quote, "We should consider the possibility of this not being an APT at all, rather being a group that provides services for other APTs while doing its own attacks on other regions," end quote. So, a kind of contractor: perhaps a criminal organization that hires its services out to intelligence services but that also does business with other criminals, while its principal state sponsor, by general agreement Russia, turns a blind eye. So Gamaredon is one of the most active and undeterred actors in the threat landscape. It does the work of an APT, but it uses a cybercriminal's style.

It's worth noting that the operation the NSDC describes seems to be a software supply chain compromise. As the NSDC tweeted, "The attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyberattack allow to connect it with one of Russia's hackers spy groups." This is therefore a different matter entirely from the distributed denial-of-service attacks Ukraine complained of at the beginning of the week. The DDoS attack targeted both the National Security and Defense Council and the SBU, Ukraine's security service, BleepingComputer reports, and Ukrainian authorities did claim that the attack had its origins in Russia, in, as they put it, Russian traffic networks. The NSDC describes the DDoS thusly: "Vulnerable government web servers are infected with a virus that covertly makes them part of a botnet used for DDoS attacks on other resources. At the same time, security systems of internet providers identify compromised web servers as a source of attacks and begin to block their work by automatically blacklisting them. Thus, even after the end of the DDoS attack, the attacked websites remain inaccessible to users," end quote. But it seems that this denial-of-service harassment was probably the work of the criminal gang thought to be retaliating for the arrest of three of its members by the Ukrainians. The arrests came in a big bilateral Franco-Ukrainian law enforcement sweep of alleged members of Egregor, and we should of course say allegedly engaged in criminal activity. These particular alleged hoods seem to have belonged to an Egregor ransomware sub-gang. French authorities in particular had blood in their eye because, as France Inter reports, Egregor was allegedly implicated in ransomware attacks against hospitals. So, Paris and Kyiv, good hunting. Go get 'em, the allegedly bad guys.

Researchers at McAfee this morning released their study of Babuk ransomware, a new strain detected earlier this year. It's another entry into the ransomware-as-a-service market, whose operators hawk it in both Russophone and Anglophone criminal markets. It uses the familiar attack vectors common in the ransomware space: phishing emails, of course, but also exploitation of compromised accounts and initial access gained through unpatched systems with known vulnerabilities. Babuk's criminal customers seem so far to be most interested in hitting victims in the transportation, healthcare, plastics, electronics, and agriculture sectors. Their activity has extended to a number of geographical regions, and the malware doesn't use the sorts of local-language checks often employed to keep the operators out of hot water in countries whose legal systems tend to be vigilant and unforgiving. McAfee's notes on Babuk see an interesting division of labor across its two principal linguistic communities: the operators use an English-language forum for announcements but a Russian-language forum for affiliate recruitment and ransomware updates.