Cyberconflict and warfare

Russian hackers steal Microsoft and customer emails

Russian hackers breached Microsoft systems earlier this year, stealing emails from Microsoft staff and its customers, according to the tech giant. The disclosure highlights the extensive scope of the breach, adding to the regulatory scrutiny Microsoft faces over the security of its software and systems. The hackers, identified as the Midnight Blizzard threat actor, targeted cybersecurity researchers investigating Russian hacking activities.

Microsoft has been notifying affected customers, although the company has not disclosed the number of customers or emails impacted. Initially revealed in January as affecting a small percentage of corporate email accounts, the breach continued to pose threats for months, raising concerns among the security industry and prompting a Congressional hearing. In response, Microsoft President Brad Smith stated the company is working on overhauling its security practices.

New report unveils cyberespionage groups using ransomware for evasion and profit

A recent report from SentinelLabs and Recorded Future analysts contends that cyberespionage groups have increasingly turned to ransomware as a strategic tool to complicate attribution, divert attention from defenders, or as a secondary objective for financial gain alongside data theft.

The report specifically sheds light on the activities of ChamelGang, a suspected Chinese advanced persistent threat (APT) group that uses the CatB ransomware strain in attacks targeting prominent organisations globally.  Operating under aliases like CamoFei, ChamelGang has targeted mostly governmental bodies and critical infrastructure entities, operating mostly from 2021 to 2023.

Employing sophisticated tactics for initial access, reconnaissance, lateral movement, and data exfiltration, ChamelGang executed a notable attack in November 2022 on the Presidency of Brazil, compromising 192 computers. The group leveraged standard reconnaissance tools to map the network and identify critical systems before deploying CatB ransomware, leaving ransom notes with contact details and payment instructions on encrypted files. While initially attributed to TeslaCrypt, new evidence points to ChamelGang’s involvement.

In a separate incident, ChamelGang targeted the All India Institute Of Medical Sciences (AIIMS), disrupting healthcare services with CatB ransomware. Other suspected attacks on a government entity in East Asia and an aviation organisation in the Indian subcontinent share similarities in tactics, techniques, and procedures (TTPs) and the use of custom malware like BeaconLoader. 

These intrusions have impacted 37 organisations, primarily in North America, with additional victims in South America and Europe. Moreover, analysis of past cyber incidents reveals connections to suspected Chinese and North Korean APTs. 

Why does it matter?

The integration of ransomware into cyberespionage operations offers strategic advantages, blurring the lines between APT and cybercriminal activities to obfuscate attribution and mask data collection efforts. The emergence of ChamelGang in ransomware incidents stresses adversaries’ evolving tactics to achieve their objectives while evading detection.

US Department of Justice charges Russian hacker in cyberattack plot against Ukraine

The US Department of Justice has charged a Russian individual for allegedly conspiring to sabotage Ukrainian government computer systems as part of a broader hacking scheme orchestrated by Russia in anticipation of its unlawful invasion of Ukraine.

In a statement released by US prosecutors in Maryland, it was disclosed that Amin Stigal, aged 22, stands accused of aiding in the establishment of servers used by Russian state-backed hackers to carry out destructive cyber assaults on Ukrainian government ministries in January 2022, a month preceding the Kremlin’s invasion of Ukraine.

The cyber campaign, dubbed ‘WhisperGate,’ employed wiper malware posing as ransomware to intentionally and irreversibly corrupt data on infected devices. Prosecutors asserted that the cyberattacks were orchestrated to instil fear across Ukrainian civil society regarding the security of their government’s systems.

The indictment notes that the Russian hackers pilfered substantial volumes of data during the cyber intrusions, encompassing citizens’ health records, criminal histories, and motor insurance information from Ukrainian government databases. Subsequently, the hackers purportedly advertised the stolen data for sale on prominent cybercrime platforms.

Stigal is moreover charged with assisting hackers affiliated with Russia’s military intelligence unit, the GRU, in targeting Ukraine’s allies, including the United States. US prosecutors highlighted that the Russian hackers repeatedly targeted an unspecified US government agency situated in Maryland between 2021 and 2022 before the invasion, granting jurisdiction to prosecutors in the district to pursue charges against Stigal.

In a subsequent development in October 2022, the same servers arranged by Stigal were reportedly employed by the Russian hackers to target the transportation sector of an undisclosed central European nation, which allegedly provided civilian and military aid to Ukraine post-invasion. The incident aligns with a cyberattack in Denmark during the same period, resulting in widespread disruptions and delays across the country’s railway network.

The US government has announced a $10 million reward for information leading to the apprehension of Stigal, who is currently evading authorities and believed to be in Russia. If convicted, Stigal could face a maximum sentence of five years in prison.

EU sanctions six Russian-linked hackers

Six individuals were added to the EU’s sanctions list – they all have been involved in cyberattacks targeting critical infrastructure, state functions, classified information, and emergency response systems in EU member states, according to the official press release. These sanctions mark the first instance of measures against cybercriminals employing ransomware in essential services such as health and banking.

Among those sanctioned are Ruslan Peretyatko and Andrey Korinets of the ‘Callisto group,’ known for cyber operations against the EU and third countries through phishing campaigns aimed at stealing sensitive data in defense and external relations.

Also targeted are Oleksandr Sklianko and Mykola Chernykh of the ‘Armageddon hacker group,’ allegedly supported by Russia’s Federal Security Service (FSB), responsible for impactful cyberattacks on EU governments and Ukraine using phishing and malware.

Additionally, Mikhail Tsarev and Maksim Galochkin, involved in deploying ‘Conti‘ and ‘Trickbot‘ malware under the ‘Wizard Spider’ group, face sanctions. These ransomware campaigns have caused significant economic damage across sectors including health and banking in the EU.

The EU’s horizontal cyber sanctions regime now covers 14 individuals and four entities, involving asset freezes and travel bans, and prohibiting EU persons and entities from providing funds to those listed.

With these new measures, the EU and its member states emphasize their commitment to combating persistent malicious cyber activities. Last June, the European Council agreed that new measures were needed to strengthen its Cyber Diplomacy Toolbox.

Japan’s space agency hit by series of cyberattacks, no sensitive data breached, officials confirm

Japan’s Chief Cabinet Secretary Yoshimasa Hayashi confirmed that Japan’s space agency, JAXA, has been targeted by several cyberattacks since late last year. The agency has been investigating the breaches, shutting down affected networks, and verifying that no classified information related to rocket and satellite operations or national security was compromised.

Hayashi also confirmed that hackers are located outside Japan and emphasised Japan’s commitment to enhancing its cybersecurity defences. Amidst increasing military developments in response to China’s growing power, Japan aims to develop a counterstrike capability, though experts believe Tokyo will still rely heavily on the United States for launching long-range missiles.

Defense Minister Minoru Kihara assured the public that the attacks have not impacted his ministry but stated that he is closely monitoring JAXA’s ongoing investigation. As part of the investigation, a portion of the affected JAXA network was temporarily shut down.

JAXA, which develops and launches satellites and is involved in advanced missions like asteroid exploration and potential lunar human exploration, has faced multiple cyber incidents since 2016. That year, it was among 200 Japanese companies and research institutes allegedly targeted by Chinese-speaking military hackers. Last year, unknown hackers also attempted to breach JAXA’s network server but failed to access information critical to the operation of rockets and satellites.

In February 2024, Japan’s cyber official Kazutaka Nakamizo highlighted the increasing cyber threats to the country’s critical infrastructure, particularly from China. However, he did not specify which attacks were believed to be linked to Beijing.

Cybersecurity measures ramp up for 2024 Olympics

Next month, athletes worldwide will converge on Paris for the eagerly awaited 2024 Summer Olympics. While competitors prepare for their chance to win coveted medals, organisers are focused on defending against cybersecurity threats. Over the past decade, cyberattacks have become more sophisticated due to the misuse of AI. However, the responsible application of AI offers a promising countermeasure.

Sports organisations are increasingly partnering with AI-driven companies like Visual Edge IT, which specializes in risk reduction. Although Visual Edge IT does not directly work with the Olympics, cybersecurity expert Peter Avery shared insights on how Olympic organisers can mitigate risks. Avery emphasised the importance of robust technical, physical, and administrative controls to protect against cyber threats. He highlighted the need for a comprehensive incident response plan and the necessity of preparing for potential disruptions, such as internet overload and infrastructure attacks.

The advent of AI has revolutionised both productivity and cybercrime. Avery noted that AI allows cybercriminals to automate attacks, making them more efficient and widespread. He stressed that a solid incident response plan and regular simulation exercises are crucial for managing cyber threats. As Avery pointed out, the question is not if a cyberattack will happen but when.

The International Olympic Committee (IOC) also embraces AI responsibly within sports. IOC President Thomas Bach announced the AI plan to identify talent, personalise training, and improve judging fairness. The Summer Olympics in Paris, which run from 26 July to 11 August, will significantly test these cybersecurity and AI initiatives.

Conclusions on the UN Security Council’s open debate on cybersecurity

The UN Security Council held an open debate on cybersecurity as part of South Korea’s presidency for the month of June. The day-long debate centred on the evolving threat landscape in cyberspace, emphasising the need for digital advancements to be directed towards positive outcomes. During the ensuing debate, nearly 70 speakers shared national perspectives on the growing threats posed by rapidly evolving technologies wielded by state and non-state actors. 

UN Secretary-General António Guterres highlighted the rapid pace of digital breakthroughs, acknowledging their ability to unite people, disseminate information rapidly, and boost economies. However, he cautioned that the connectivity that fuels these benefits also exposes individuals, institutions, and nations to significant vulnerabilities. Guterres pointed to the alarming rise of ransomware attacks, which cost an estimated $1.1 billion in ransom payments last year. Nonetheless, he noted that the implications extended beyond financial costs to impact peace, security, and overall stability.

In response to these challenges, Guterres referenced the ‘New Agenda for Peace,’ which calls for concerted efforts by states to prevent conflicts from escalating in cyberspace. He stressed the importance of upholding the rule of law in the digital realm and highlighted ongoing discussions among member states regarding a new cybercrime treaty. Recognising the interconnectedness of cyberspace with global peace and security, he urged the Security Council to incorporate cyber-related considerations into its agenda.

Stéphane Duguin, CEO of the CyberPeace Institute, briefed the council, offering valuable insights into recent cyberattacks, including the ‘AcidRain’ incident affecting Ukraine and cybercriminal activities linked to the Democratic People’s Republic of Korea. Duguin emphasised the necessity of attributing cyberattacks to perpetrators to facilitate de-escalation efforts. In turn, Nnenna Ifeanyi-Ajufo, an expert in Law and Technology, highlighted the misuse of cyber technology by terrorist groups in Africa and the risks posed by states infringing on human rights under the guise of cybersecurity. She called for enhanced mechanisms to understand the cyber threat landscape across different regions.

In deliberating the Council’s role in the cyber domain, some representatives advocated for inclusive processes within the UN, particularly under the General Assembly, to establish equitable arrangements in addressing cyber threats. Others urged the Security Council to take a more active role. Several speakers stressed the Council’s potential to lead in building a secure cyberspace, bridging with existing UN efforts in cybersecurity and ensuring Global South perspectives are considered at every step of the process.

In contrast, the representative from Russia highlighted a lack of clarity in determining which malicious digital technology use could threaten international peace and security. In this regard, Russia criticised the West for attributing cyberattacks to what they called ‘inconvenient countries.’ Moreover, the representative opposed the Council’s involvement in this matter, stating that such a move would exclude states not part of the Council from the discussion.

Why does it matter?

Highlighting the urgency of addressing cyber threats, representatives stressed the need for the Council to facilitate dialogue and support capacity-building efforts, especially in developing countries lacking the resources and expertise to combat cyber threats. 

The discussions highlighted the critical need for proactive measures to address cyber threats, promote cybersecurity, and safeguard global peace and stability in an increasingly interconnected digital landscape.

Biden administration bans Kaspersky software sales and sanctions the company’s executives

The Biden administration is set to ban the sale of Kaspersky’s products in the US, citing national security concerns over the firm’s ties to the Russian government. The ban is aimed at mitigating the risks of Russian cyberattacks, as the renowned software’s privileged access to computer systems could allow it to steal sensitive information or install malware. The new rule, which leverages powers created during the Trump administration, will also add Kaspersky to a trade restriction list, barring US suppliers from selling to the company.

These restrictions, effective from 29 September, will halt new US business for Kaspersky 30 days after the announcement and prohibit downloads, resales, and licensing of the product. The decision follows a long history of regulatory scrutiny, including a 2017 Department of Homeland Security ban on Kaspersky products from federal networks due to alleged ties with Russian intelligence. Efforts by Kaspersky to propose mitigating measures were deemed insufficient to address these risks.

Furthermore, the U.S. Treasury Department sanctioned twelve executives and senior leaders from Kaspersky on Friday, marking another punitive measure against the cybersecurity company. The Office of Foreign Assets Control (OFAC) targeted the company’s chief operating officer, top legal counsel, head of human resources, and leader of research and development, among others. However, the company itself, its parent and subsidiary companies, and its CEO, Eugene Kaspersky, were not sanctioned.

This action follows a final determination by the Commerce Department to ban the Moscow-based company from operating in the U.S., citing national security risks and concerns about threats to critical infrastructure.

Why does it matter?

Another reaction from the authorities stresses the administration’s strategy to counter potential cyber threats amid the ongoing conflict in Ukraine. And while the impact of the entity blacklisting on Kaspersky’s operations remains to be seen, it appears now that it could significantly affect the company’s supply chain and reputation. Kaspersky, which operates in over 200 countries, has previously denied all accusations and, in response to these restrictive measures, has been operating a networks of Transparency Centers under its Global Transparency Initiative (GTI) where the company provides its source code for an external examination.

Ransomeware group involved in cyberattack to London hospitals declares political motives

A ransomware group known as Qilin has recently come under fire for its involvement in a cyberattack that caused significant disruptions at London hospitals. In a surprising turn of events, the group expressed remorse for the harm caused by the attack but vehemently denied any responsibility. Instead, the group framed the incident as a form of political protest. The group engaged in a conversation with the BBC via an encrypted chat service, qTox, where they attempted to justify their actions as a retaliatory measure against the UK government’s involvement in an unspecified war.

Despite Qilin’s claims of seeking revenge, cybersecurity experts, including Jen Ellis from the Ransomware Task Force, remain skeptical of the group’s motives, explaining cyber gangs often lie. Above all, she emphasises that the consequences of the attack carry more weight than understanding the reasons behind the attack. The cyberattack resulted in the postponement of more than 1,000 operations and appointments, prompting the healthcare system to declare a critical incident. The disruption caused by the attack has raised serious concerns about the vulnerability of critical infrastructure to malicious cyber activities in the country.

Qilin, believed to be operating from Russia, has refrained from disclosing specific details about its location or political affiliations. The lack of transparency has added to the complexity of the situation, as authorities and cybersecurity experts work to understand the group’s objectives and the potential future attack vectors. This represents the group’s first declaration of a political motivation behind their cyber intrusions. Qilin has been under observation since 2022, during which time it has executed targeted attacks at educational establishments, medical facilities, corporations, governmental bodies, and healthcare organisations.

Why does it matter?

The aftermath of the cyberattack demonstrates the urgent need for cybersecurity  preparedness within critical sectors such as healthcare. As organisations strive to recover from such incidents, the focus remains on safeguarding sensitive data, restoring disrupted services, and preventing future attacks. The evolving nature of cybercrime, as seen with groups like Qilin, shows the ongoing challenges faced by cybersecurity professionals in protecting critical infrastructure from malicious actors.

Chinese scientists develop world’s first AI military commander

China’s AI military commander substitutes for human military leaders in simulated war games hosted by the Joint Operations College of the National Defence University, amidst growing tensions with the US over the use of militarised AI in combat. The bots, the first of their kind, are completely automated, possess the perception and reasoning skills of human military leaders, and are learning at an exponential rate. They have also been programmed to illustrate the weaknesses of some of the country’s most celebrated military leaders such as General Peng Dehuai, and General Lin Biao. 

The AI arms race between the two countries can be likened to the chicken and egg analogy, in that both countries have expressed interest in regulating the use of these unmanned implements on the battlefield; yet, there are increasing media coverage of either on-going experiments or caged prototypes in both countries. These include the rifle-toting robot dogs, and surveillance and attack drones, some of which reportedly have already been used in battlefields in Gaza and in the Ukraine. The situation renders international rule-making in the space increasingly difficult, particularly as other players, such as NATO seek to ramp up investments in tech-driven defence systems.