Russia creates its own TLS certificate authority to bypass sanctions

Russia has created its own Transport Layer Security (TLS) certificate authority (CA) to help bypass website access issues caused by the sanctions. For context, a TLS certificate lets a web browser confirm that the server it is talking to is the verified holder of the domain and that the connection between the user and the server is encrypted. Once certificates expire, browsers display warnings that the pages are not secure.

The domestic certificate authority will replace the foreign security certificate if it is revoked or expires, explained the Russian public service portal, Gosuslugi. The only web browsers that currently recognize the new CA as trustworthy are the Yandex browser and Atom products, and users are advised to utilise these instead. Users of other browsers will need to manually add the new certificate in order to continue surfing Russian sites (that have the certificate).

Russian authorities have already started recommending the transition to the new CA, and so far it has been confirmed that the sites of Sberbank, VTB, and the Russian Central Bank use these certificates.

Experts argue that the Russian root certificate will not be included in the trust stores of most browsers, which would ultimately mean blocked access to sites that use the new certificate. Experts also caution that CA root certificates could be abused by Russia to perform HTTPS traffic interception and man-in-the-middle attacks.
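To illustrate the caution above, here is an added demonstration (not part of the original report) of why manually installing a root certificate is a trust decision: a self-generated "root" can issue a certificate for any hostname, and once that root is added to the trust store, verification succeeds. It assumes the openssl command-line tool is installed; the CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a private root CA issues a leaf certificate for an
# arbitrary hostname. Without the root in the trust store the leaf fails
# verification; with the root added (as users were told to do), it passes.
set -e
WORK=$(mktemp -d)

# Create a throwaway root CA and a leaf certificate it signs for hostname $1
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Returns 0 if the leaf verifies. $1 is an extra trust anchor file;
# pass "" to check only the system trust store.
verify_leaf() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

# Prints the issuer so a user can see which root anchors a site's chain
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}
```

Running `make_chain bank.example` then `verify_leaf ""` fails, while `verify_leaf "$WORK/root.pem"` succeeds: the same check applies to any hostname the root chooses to sign for, which is the interception risk the experts describe.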

Ukrainian IT army targeted with malware disguised as security tool

According to a report by Cisco Talos, threat actors are distributing malware to volunteers in the Ukrainian IT army by promoting a fake distributed denial of service (DDoS) tool on Telegram. The threat actors are mimicking a DDoS tool known as ‘Liberator’, which is used against Russian propaganda outlets and is not inherently malicious. However, once users download the altered file promoted on Telegram, it installs a password- and data-stealing trojan on their computers.

Ukraine prepares move of sensitive data out of country

Ukraine is preparing to relocate sensitive data and servers outside the country in case of an emergency, according to Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communications and Information Protection. Zhora told Reuters that Ukrainians want to be ready for the possibility of a Russian attempt to seize sensitive government documents. 

Zhora emphasised that his department is preparing a contingency plan and that relocating the information technology data infrastructure abroad is only ‘plan B or C.’ Such a plan could only be activated after Ukrainian lawmakers approve regulatory changes, Zhora explained. Government agencies would also have to determine whether to keep their operations running inside the country or evacuate them on a case-by-case basis.

Russian govt: failures on websites of Russian state agencies due to hacking of integrated widget

The Russian Ministry of Digital Development, Communications and Mass Media claimed that it registered disruption in the operation of the federal agencies’ websites because the service (widget) of the monitoring system of state agencies had been hacked. The ministry said that: ‘After hacking the widget, hackers were able to publish incorrect content on the pages of the websites. The incident was promptly localised.’ The service was operational again in an hour.

Google: hackers linked to Russia, China, Belarus target Ukraine, Europe

According to Google’s Threat Analysis Group (TAG), a number of cyberattacks have been carried out by entities linked with Russia, Belarus, and China over the past two weeks, ranging from espionage to phishing campaigns.

TAG claims that the Russia-linked FancyBear hacking group (also known as APT28) has carried out multiple large credential phishing campaigns aimed at ukr.net users. The phishing emails were sent from various compromised accounts and contained links to attacker-controlled domains. The attackers used newly created Blogspot domains as the initial landing pages, which then redirected targets to credential phishing pages.

Increased activity by Ghostwriter (also known as UNC1151), a hacking group previously linked with Belarus, was also observed by TAG. In recent weeks, the group has undertaken credential phishing attacks against Polish and Ukrainian government and military entities. TAG identified campaigns targeting webmail users from numerous providers.

Mustang Panda, alias Temp.Hex, a China-linked hacker group, targeted European entities with malware attachments with file names such as ‘Situation at the EU-Ukraine Borders.zip’. When opened, the zip file contains an executable with the same name that downloads multiple extra files that then load the final payload.

TAG noted that they are still observing DDoS attempts against various Ukrainian sites, including the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as services such as Liveuamap, aimed at helping people find information.

Amazon halts product shipments and suspends web services sign ups in Russia and Belarus

Amazon has announced that it has suspended shipment of retail products to customers based in Russia and Belarus and will no longer be accepting new Amazon Web Services (AWS) customers based in those countries. Access to Prime Video for customers located in Russia will also be suspended. The company noted that Amazon and AWS do not have data centres, infrastructure, or offices in Russia. They also have a long-standing policy of not doing business with the Russian government.

Hacker group Anonymous hijacks more than 400 Russian cameras, lays text on feed reading ‘Putin is killing children’

The hacker group Anonymous showed a live feed from 100 breached public cameras in Russia to ‘counter Russia’s propaganda’ and to ‘open the eyes of Russian civilians’. Different lines of text appeared, such as ‘Putin is killing children,’ ‘352 Ukraine civilians dead,’ and ‘Russians lied to 200RF.com.’ Earlier on Monday, the group hacked Russian TV, including Russia 24, Channel One, and Moscow 24 channels, to show footage from invaded locations in Ukraine.

Resecurity: Hackers targeted US liquefied natural gas producers mid-February

Hackers accessed more than 100 computers belonging to current and past personnel of 21 major US liquefied natural gas providers and exporters in mid-February, research by cybersecurity company Resecurity showed. In some cases the hackers broke into the target computers directly; in others they purchased access to computers that had already been infected.

The motive of the cyber operation is unknown, and it is not clear whether the attack is connected to the Russian military operation in Ukraine. Resecurity CEO Gene Yoo stated that ‘Recent tensions around Nord Stream 2, global market changes, as well as conflict in Ukraine are obvious catalysts.’ As of January 2022, the USA is the world’s top liquefied natural gas exporter.

Instagram will hide followers of private accounts in Russia and Ukraine, demotes posts from Russian state-owned media

Meta, Instagram’s parent company, announced that Instagram will start hiding information about private accounts based in Russia and Ukraine to reduce the spread of misinformation. This will include information about people’s followers, who they are following, and people who are following each other. 

Instagram will also start labelling content from Russian state-owned media and making it harder to find by placing it lower in the Stories tray. Instagram will also warn users before they reshare content from Russian state-owned media accounts in their stories. If users reshare the content, Instagram will place it lower in the Stories tray.