Sandworm operators indicted

The Risky Biz newsletter for October 20, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Sandworm operators indicted

The US Department of Justice has unsealed charges against six members of Russia’s GRU military intelligence Unit 74455, the group known as “Sandworm”, connecting them to several of the most destructive and impactful cyber attacks in history.

The indictment accuses Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin of contributing to:

  • Destructive attacks against Ukraine’s electricity grid in 2015 and 2016;
  • Destructive attacks against Ukrainian government agencies in late 2016;
  • The hack and leak campaign against the 2017 election campaign for French President Emmanuel Macron;
  • The NotPetya worm, which caused billions of dollars of damages worldwide in 2017;
  • The destructive “Olympic Destroyer” attacks against the Pyeongchang Winter Olympics in 2018;
  • A series of 2018 attacks on the Organisation for the Prohibition of Chemical Weapons in the Netherlands and the United Kingdom’s Defense Science and Technology Laboratory;
  • Attacks on neighbouring Georgia in October 2019.

Across the Atlantic, the UK Government added another potential item to the list, accusing the same GRU operators of attempting to sabotage the (now postponed) 2020 Tokyo Olympics.

The US indictment lays out the most definitive account yet of the 2018 Olympic Destroyer attacks. It contends that the GRU hackers compromised a managed IT services supplier to the Pyeongchang Winter Olympics to access and disrupt systems during the event, and deliberately mimicked Lazarus Group malware in an attempt to pin the attack on North Korea. (Keen observers will recall that the false-flag attempt was a little sloppy; the DPRK ruse only held up for a few days.)

Critically, the American indictment mentions several activities that demonstrate a “stunning” level of visibility into Russia’s military intelligence operations. It details the “celebrations” held by GRU staff after the NotPetya campaign and even catalogues one operator’s web browsing activity after the Olympic Destroyer attacks. It even identifies individual GRU operators as authors of particular malware strains or as the senders of phishing emails.

By the looks of things, someone has been all up in GRU’s business for a while.

German authorities raid FinFisher

German authorities have raided the offices of FinFisher, a commercial provider of hacking tools, to support an investigation into whether the company sold malware to foreign states without an export license.

Germany’s Customs Investigation Bureau (ZKA) raided 15 commercial and residential properties related to the directors of the company and two related entities.

Until now, the German government had tolerated FinFisher sales to autocratic regimes. Researchers at the Citizen Lab project first aired evidence of the company’s flagship product FinSpy being used by human rights abusers in 2012 and documented numerous other examples since. The 2014 hacking of FinFisher’s former parent company Gamma Group by the mysterious ‘Phineas Fisher’’ exposed additional sales to Bahrain. More recently, FinSpy has been detected in attacks everywhere from Egypt to Ethiopia and, critically in this case, Turkey.

German politicians have publicly espoused the need for trade controls to limit abuse of these tools and applied them within Germany in early 2015, but have taken inconsistent positions on votes to introduce them on an EU-wide basis. In 2019, Germany’s government reported that it hadn’t received [pdf] a single application for an export license, and hadn’t taken any steps to find out why.

Two recent events might help explain why authorities have now chosen to act.

First, in response to the 2015 introduction of export controls, FinFisher began setting up parallel company structures under the name ‘Raedarius M8’ in Malaysia and elsewhere to avoid the scrutiny of licensing authorities at home.

Then in mid-2018, an Access Now investigation [pdf] revealed that Turkish authorities used FinSpy to attack its political opponents. An analysis [pdf] by independent security researchers found that the malware in question was created (timestamped) after Germany had imposed export controls. Germany’s Economy Ministry told public broadcaster Deutsche Welle that it had not issued export licenses for any sale of FinSpy to the Turkish Government. In September 2019, a coalition of human rights organisations filed a detailed criminal complaint [pdf] with the public prosecutor’s office in Munich.

Amnesty International’s Claudio Guarnieri, a researcher who has tracked use of FinSpy since 2012, expects FinFisher might argue that sales to despots made since 2015 were sold by Raedarius M8 entities outside of Germany. But under trade controls, where the software was produced matters just as much as who wrote up the final invoice.

FinFisher’s global network of subsidiaries “speaks to the character and the moral fibre of these companies,” Guarnieri told Risky Business. “For folks who claim to be fighting crime and protecting lawfulness, they seem to make some serious efforts to bypass the law and avoid oversight.”

Recent US Government intrusions had a Russian energy about them

Last week we included an item (see ‘Everybody is using the NetLogon bug’) on a CISA/FBI advisory about an unnamed US government entity that was compromised by an actor that exploited vulnerabilities in internet-facing network devices for initial access and the Netlogon bug for lateral movement.

Sean Lyngaas at Cyberscoop has connected indicators from that advisory to infrastructure associated with past attacks attributed to Temp.Isotope (aka Energetic Bear), an actor of Russian origin that has been found snooping around US power utilities and airports in recent years.

There’s still no evidence that US election systems have been affected by these attacks. But the prospect of a known espionage actor targeting state and local government entities in late October has some officials concerned. We understand these entities may be encouraged to check their logs for signs of this activity in coming days.

Twitter, Facebook suppress the spread of a tainted story

Twitter and Facebook suppressed amplification of a pungent story in the Rupert Murdoch-owned _New York Post _last week, citing policies designed to curb the spread of hacked information.

The disputed article was based on documents allegedly obtained from the hard drive of a MacBook belonging to Hunter Biden, a son of the Presidential candidate Joe Biden. The article claims the drive was delivered to a Delaware computer repair shop for repairs, never retrieved, and eventually forwarded by the shop’s owner to Trump’s personal lawyer (Rudy Giuliani) and the FBI in September 2020.

Content moderators moved to suppress the story after receiving “signals” that cast doubts on the story’s credibility, although the social media giants are staying mum on what those signals were.

It’s worth noting that the ‘leaked’ document most damning to Biden’s campaign was a pdf export from a Gmail account, leaked in a format that denies third parties the opportunity to forensically examine its provenance. The bundling together of doctored or entirely fake documents with stolen (or hacked) ones has long been used in ‘active measures’ by military intelligence agencies bent on smearing their adversaries.

Active measures thrive on confusion, and this story has plenty of it. In January 2020, New York Times reporters Nicole Perlroth and Matthew Rosenberg claimed GRU had compromised the network of Burisma, a company for whom Hunter Biden had served as a board member. Their story relied on analysis of a phishing page set up to imitate Burisma, but provided no evidence that the attackers were successful. The fact that Burisma was a target of a GRU operation was significant at the time, but Risky Business warned it was dangerous to report the attack was successful in the absence of supporting evidence. And in hindsight it’s easy to see why.

The Times has since published an exposè of what went on in the New York Post newsroom prior to publication. One journalist behind the Post story didn’t want to be bylined, another had their byline added without consent, a third is a former staffer for Hannity’s show on Fox. (And somehow the Trump-appointed Director of National Intelligence doesn’t think it stinks? Are we on the same planet?)

We agree with Wired’s view of the debacle: Twitter and Facebook were in a no-win situation. Both knew the story was problematic and felt compelled to act according to their respective policies. Twitter has since backflipped on that policy. Its CEO Jack Dorsey now says that blocking links to tainted stories isn’t the best approach, and the company’s future policy will be to apply labels and warnings instead.

As to whether the New York Post story was sourced from documents obtained or modified by a foreign intelligence service, there’s no way to know for now. Could be GRU. Could be Rudy being Rudy. ¯\(ツ)

Twitter post-mortem makes strong case for U2F hardware keys

The State of New York has published its view of how a group of young hackers defeated Twitter’s infosec controls in July, based on interviews conducted under subpoena.

Its report found Twitter deficient in several areas the company has since committed to addressing: a lack of security leadership (Twitter has hired a CISO) and lax access controls (Twitter has committed to regular user access reviews). The report confirmed that over 1000 Twitter staff had access to Twitter’s powerful administrative console, with logins authenticated using a software-based MFA app.

During the July incident, attackers posed as Twitter’s IT support staff in phone calls to their victims to access the company’s network. They identified users with privileged access and convinced several of them (over the phone) to approve MFA authentication requests.

“MFA is critical, but not all MFA methods are created equal,” the report concluded. “The most secure form of MFA is a physical security key, or hardware MFA, involving a USB key that is plugged into a computer to authenticate users. This type of hardware MFA would have stopped the hackers, and Twitter is now implementing it in place of application-based MFA.”

Hardware-based options (U2F) for authentication have been available for several years, and held up as the NIST gold standard for authentication since at least 2017 [pdf].

Today, WebAuthn (and FIDO2) allows developers to create apps that talk to hardware-based authenticators. According to CISA [pdf] and now the State of New York: if you’re not using hardware keys for privileged accounts, you’re falling behind.

Some organisations have resisted hardware-based authentication over concerns that it could result in higher IT support costs. This report suggests that resistance is futile.

You’ve got mail

From: APT31 (China)
To: The Joe Biden for President campaign

Google’s Threat Analysis Group reports that APT31 malspam campaigns sent to Biden campaign staffers directed them to install a legitimate version of McAfee Total Protection from a GitHub page. Users would also receive a python-based implant. The campaign was reportedly unsuccessful: you can’t even give away McAfee AV these days.

Switzerland and Sweden fall out over crypto exports

Sweden has cancelled a celebration of 100 years of diplomatic ties with Switzerland, after the latter placed export restrictions on Crypto International, a cryptography company founded in Sweden but headquartered in the tax-friendly Swiss canton of Zug. We don’t know why the export restriction has been imposed on the company, but we remind readers that a joint Washington Post/ZDF_ investigation in February 2020 revealed that US and German authorities had for decades been able to decrypt communications protected by the company’s equipment, which was sold to 130 countries. The CIA was apparently a major shareholder. Lol.

Money mules corralled

Sixteen members of a money laundering ring that worked with cybercrime gangs were arrested in a Europol-coordinated global law enforcement operation. Hailing mostly from Latvia, the gang laundered stolen funds for operators of Dridex, GozNym and Trickbot malware campaigns. Most were arrested in Latvia, the UK, Spain and Portugal.

Hackers for hire sued

India-based ‘hacker for hire’ companies BellTroX and CyberRoot Risk Advisory are being sued in a US court by an Iranian-American businessman Farhad Azima. Azima claims the Indian mercenaries were hired by a UAE-based investment fund (via US-based private investigators) to hack and later publish his private emails. A British court recently gave Azima permission to appeal a case he’d lost against the investment fund: a case in which the court wasn’t satisfied he had “conclusive” proof of his emails being hacked.

Surprise! It was the Russians

Norway’s government concluded that an August attack that stole the emails of its parliamentarians was, as broadly expected, a Russian operation.

Iran is still… having a bad time

Iran claims its Ports and Maritime organisation and another of its government bodies were targeted in recent cyber attacks. The attacks have not been attributed. Iran has more than a few adversaries, but our money is on the one that’s a little more YOLO than the others.

Attacking sick people one day, poor people the next

Add another rage-inducing example to the list of critical services disrupted in recent ransomware attacks: For close to a week now, London’s Hackney Council hasn’t been able to pay housing benefits to those in need.

NSS Labs gets a ‘C’ for “closed” and a ‘D’ for “down”

NSS Labs, which claimed to provide “independent” testing of security equipment, has closed its doors after running into financial difficulties. We can think of a few reasons they are no longer with us.

Another SonicWall VPN bug

There are too many high impact vulnerabilities to report this week: but the one that caught our eye was a buffer overflow condition in SonicWall VPNs that could, with a bit of work, provide remote code execution. Close to 800,000 devices were vulnerable when the bug was announced. We haven’t seen a PoC yet, but there’s plenty of folks out there with the skills and motivation. Expect carnage if this thing progresses to a working exploit.

Anonymous proxy service built on hacked devices

Researchers identified the operators of the “Interplanetary Storm” botnet after discovering two management nodes that direct activity to 9000+ infected devices, most of which are located in Hong Kong, Taiwan and South Korea. BitDefender researchers found that these two nodes were linked to a for-profit organisation that advertises anonymising proxy services.

8Chan and QAnon sites turn to Russia for hosting help

8Kun (nee 8Chan) has been chased off every reputable hosting service and CDN under the sun and has now taken refuge with a Russian DDoS protection provider. The absolutely bonkers (Barking! Woof! Woof!) QAnon conspiracy theory is orchestrated on 8kun so we can’t imagine the Russian government moving to shut it down anytime soon.

Speaking of…

Google-owned YouTube has followed Facebook and Twitter down the path of removing content that “justifies real-world violence”. A few popular QAnon and pizzagate videos have been removed.

Facebook pulls NZ political party off its platform

Facebook removed the pages of a fringe political party, Advance NZ, just two days out from the New Zealand election on the basis that it featured information about COVID-19 that could lead to “imminent physical harm”. The party posted advertisements targeting kiwi fans of Donald Trump and falsely claimed that COVID-19 testing and vaccinations are mandatory. Advance NZ bombed in the election and this post-vote interview with the party’s co-leader needs to enter some sort of hall of fame. Amazing.

Microsoft to publish bugs they find in Chromium browsers

A group of Microsoft red teamers declared their intention to publish write-ups of bugs they’ve found in any Chromium-based browsers. Microsoft has offered a Chromium-based version of the Edge browser since January.

Don’t read this before bed

We’re usually hesitant to share articles we can’t source, but the last two write-ups in the anonymous DFIR Report blog are very consistent with what our network has seen in recent Ryuk ransomware attacks. Alarming stuff.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at