US cybersecurity company Palo Alto Networks’ Unit 42 (a threat intelligence group) issued a report outlining continuous operations by the advanced persistent threat (APT) group Trident Ursa – a group attributed to Russia’s Federal Security Service by the Security Service of Ukraine. According to Unit 42’s assessments, Trident Ursa has remained ‘one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine’.
Following ten months of monitoring indicators of the group’s operations, Unit 42 announced that it had identified, among other issues:
- ‘An unsuccessful attempt to compromise a large petroleum refining company within a NATO member nation on 30 August 2022’ (neither the country nor the company concerned was named).
- ‘An individual who appears to be involved with Trident Ursa threatened to harm a Ukraine-based cybersecurity researcher immediately following the initial invasion.’
- ‘Multiple shifts in [the group’s] tactics, techniques and procedures.’
In October 2022, Amnesty International Canada detected and investigated a sophisticated digital security breach. The organisation announced that, according to forensic experts at the cybersecurity firm Secureworks, the attack was likely orchestrated by ‘a threat group sponsored or tasked by the Chinese state’. The conclusion was based ‘on the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups’. China’s embassy in Ottawa denied the allegations.
Microsoft has warned that Russian cyberattacks are likely to continue to target Ukrainian critical infrastructure, and may also target countries and companies that are providing Ukraine with vital supply chains of aid and weaponry. The company also noted that ‘cyber-enabled influence operations’ that target Europe are likely to be conducted in parallel with cyberthreat activity.
Microsoft also announced that its AI for Good Lab has created a Russian Propaganda Index (RPI) ‘to monitor the consumption of news from Russian state-controlled and sponsored news outlets and amplifiers’. Compared to other Western Europe countries, Germans read and watch significantly more Russian propaganda, the AI for Good Lab found.
Between 28 November and 2 December 2022, NATO held its Cyber Coalition 2022 cyber defence exercise with the goal of boosting member countries’ cyber resilience.
The exercise involved 1000 cyber defenders from 26 NATO allies, Finland, Sweden, Georgia, Ireland, Japan, Switzerland, and the EU, as well as experts from business and academia.
Cyber Coalition 2022 was used to test and validate concepts, capture requirements, or explore disruptive technologies, in support of military operators and commanders. It included experiments on the use of artificial intelligence to help counter cyber threats, on the standardisation of cyber messages to foster information sharing, and on the exploitation of cyber threat intelligence to inform cyberspace situational awareness.
The Singapore-based research team, Group-IB, has identified 34 Russian cybercrime groups responsible for distributing info-stealing malware under the stealer-as-a-service model. The cybercriminals use this type of malware to target users of Steam, Roblox, and Amazon in 111 countries, obtaining user credentials stored in browsers, bank card details, and crypto wallet information from infected computers and selling them on the dark web. Group-IB estimates that more than 890,000 devices in 111 countries in the first seven months of 2022 have been infected. The five most attacked countries are the USA, Brazil, India, Germany, and Indonesia, while the estimated value of stolen credentials is around $5.8 million.
In the USA, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) have issued a cybersecurity advisory regarding an incident at a Federal Civilian Executive Branch (FCEB). Having assessed that the FCEB network was compromised by Iranian government-sponsored advanced persistent threat (APT) actors, the two entities provided details on the actors’ tactics, techniques, and procedures. One of the findings was that the cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server. As such, organisations with affected VMware systems that did not immediately apply available patches or workarounds were advised toto assume compromise and initiate threat-hunting activities.
The Computer Emergency Response Team of Ukraine (CERT-UA) reported the spread of a new ransomware strain called ‘Somnia’, attributing the attacks to the Russian threat actor known as ‘From Russia with Love’ (FRwL), also known as ‘Z-Team’. The ransomware attacks targeted Ukrainian corporations’ employees, using their Telegram accounts to try and gain access to a corporate network.
As explained by CERT-UA, the group used fake sites that mimic the ‘Advanced IP Scanner’ software, which, if downloaded, infects the victim’s computer with the Vidar data-stealing malware that can capture Telegram session data, as well as take over the victim’s account.
Then, the threat actors used victims’ Telegram accounts to gain access to the corporate network. Once access to the target’s network was obtained, the hackers executed reconnaissance operations using tools like Netscan and deployed Cobalt Strike Beacons before exfiltrating data.
According to CERT-UA, the group had previously revealed that they created Somnia ransomware on Telegram and posted evidence of the attacks they made against Ukrainian targets.
The European Union has recently proposed a set of measures to help its armies move faster in times of conflict. The proposal aims to holistically strengthen the European infrastructure, focusing on cyberattacks and the protection of critical infrastructure, as well. The Action Plan on Military Mobility will help European armed forces to better respond to crises erupting at the EU’s external borders and beyond.
