Newsletters

In a joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch spoke with Ilia Vitiuik, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about how Ukraine has countered Russia's cyber operations.

Vitiuk described Russian cyber operations against Ukraine as a "cyber war" with destructive campaigns against Ukraine starting in 2014, eight years before the full-scale invasion. Significant destructive cyber operations he cited included NotPetya, electricity network attacks in 2015 and 2016 and a less well-known attempt to cause a train collision by interfering with a railroad control system.

Vitiuk said these incidents motivated Ukraine to improve its cyber security.

Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The zero-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign.

Researchers tracked the earliest exploits to April this year.

South Korea's National Intelligence Service (NIS) has found malicious code embedded in the chips of weather-measuring instruments made in China and used by the Korean Meteorological Administration.

The malicious code was described as a "spy chip" that can eavesdrop on its surroundings and "steal information through radio frequencies," South Korean TV network Channel A reported this week.

A representative for the Korean Meteorological Administration told KBS, South Korea's national broadcaster, that the malicious code was found four months ago but didn't elaborate on how it was discovered.

As the US private space sector is growing into a global behemoth and as Starlink shows the crucial role private satellite networks can play in a military conflict, the US government is urging companies to bolster their defenses against foreign sabotage and espionage.

Three US intelligence agencies—the FBI, the National Counterintelligence and Security Center, and the US Air Force Office of Special Investigations—published a joint security advisory [PDF] last week describing the type of threats the commercial space industry could face from foreign intelligence agencies.

Officials warn of hacks, malicious insiders, employee recruitment efforts, and misleading investments and business partnerships.

PowerShell Gallery, the official repository for the PowerShell scripting language, contains (still-unfixed) design flaws that can be abused by threat actors for typosquatting and impersonation attacks.

Discovered by cloud security firm AquaSec, these issues can be weaponized in supply chain attacks to trick developers into downloading and running malicious PowerShell packages on their systems or inside enterprise applications.

The first issue researchers found was that PSGallery does not come with any kind of protection against typosquatting, allowing threat actors to register packages that mimic the names of more successful PowerShell modules just by adding punctuation inside the name.

New clues discovered by threat intelligence analysts suggest that the Lockbit ransomware group may be having technical difficulties, which have contributed to the operation losing some of its top affiliates over the past months.

According to a report published by Analyst1's Jon DiMaggio, the Lockbit gang is having problems publishing and leaking victim data on its dark web leak site.

The gang has run out of server storage, DiMaggio says. It often claims that a victim's files have been published, but the files can't be downloaded.

The DHS Cyber Safety Review Board (CSRB) has picked up the unenviable task of investigating the security practices of US cloud service providers and plans to use the recent breach of Microsoft email systems as the figurehead of an upcoming report.

The CSRB may have couched its press release as a generic investigation of cloud security providers, but it is, without a doubt, an investigation into Microsoft's carelessness when it comes to its cloud infrastructure, which underpins a vast section of the US government's IT systems.

The CSRB investigation was announced two weeks after Sen. Ron Wyden asked the DHS—together with the FTC and DOJ—to investigate Microsoft's "lax cybersecurity practices" that led to the breach in the first place.

Russian internet users are reporting that VPN clients using the OpenVPN and WireGuard protocols have stopped working as of this week.

The unofficial ban has been reported primarily by users of Russian mobile internet operators, such as Beeline, Megafon, MTS, Tele2, Tinkoff, and Yota.

OpenVPN and WireGuard traffic does not appear to be blocked on landline connections and especially on business accounts, where they're most likely to be used by the few foreign companies still doing business in Russia.

The Russian government wants to protect its intelligence and law enforcement officials from journalists, activists and foreign intelligence agencies by giving itself the power to change personal information in the systems of local data operators.

This is shutting the gate after the horse has bolted, but we can see why they want to try.

Our colleague Catalin Cimpanu reported on the draft legislation in Risky Business News on August 7:

The US Department of Homeland Security has linked a Twitter disinformation campaign to a media organization managed by the municipal government of Chongqing, China's fourth largest city.

The US government says that the Chongqing International Communications Center (CICC) is behind a network of more than 800 Twitter accounts that consistently published anti-US and pro-PRC content.

The DHS says it tracked this network under the name of SPICYPANDA, and it believes it's part of a larger Chinese-backed disinformation effort tracked as DRAGONBRIDGE, or Operation Spamouflage.