Today’s edition of the LookingGlass Cyber Monitor features insights on the latest Uber breach, Ukrainian intelligence warnings of future Russian attacks on critical infrastructure, more Chinese strategic messaging about old alleged NSA hacks on universities, the Quad seeking to hold ransomware sanctuary countries accountable, and the latest Cyber Power Index findings.
MAJOR HACKS & CAMPAIGNS
The US government, in a joint alert published by NSA and CISA, attributed a series of cyber attacks against the government of Albania to Iran. According to the report, Iranian cyber actors likely had access to the Albanian government networks they attacked for fourteen months. When the first attack took place in July, Albania severed diplomatic ties with Iran, making it the first known country to sever diplomatic ties over a cyber attack. More attacks against the Albanian government took place in September, which were also attributed to Iran. The US Treasury issued additional sanctions against Iran, saying its cyber actions disregard “norms of responsible peacetime State behavior in cyberspace, which includes a norm for refraining from damaging critical infrastructure.” Many US partners, including NATO, issued similar statements condemning the attacks. Iran claims Albania is harboring terrorists, referring to Iranian regime opposition figures who are currently living in Albania, which many speculate led to its decision to attack Albanian government organizations. In a column published last week, Mark Montgomery asserts that these events highlight the need for cyber capacity building across NATO allies.
Analyst Comment: According to the alert, attackers gained initial access by exploiting CVE-2019-0604, a commonly exploited vulnerability. Threat actors remained undetected within the network for 14 months, which is consistent with typical APT activity. The attackers, who call themselves “Homeland Justice,” maintain a leak site homelandjustice[.]ru. Previously other groups linked to Iran have used leak sites to publish their victims’ data, including Pay2Key and N3tw0rm ransomware groups. However, unlike Homeland Justice, these ransomware groups used .onion domains instead of .ru. It is unclear why the group chose to use a .ru domain, but it could indicate an attempted “false flag” operation.
Uber said last week that it was a victim of a cyberattack attributed to the criminal group Lapsus$. Some members of the group, who are mostly teenagers, have been identified as individuals living in Brazil and the UK. The group is known for targeting high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta. In Uber’s case, the attacker likely purchased a username and password belonging to an Uber contractor on the dark web after it had been stolen from the contractor’s computer via malicious software, the company said in a blog post. Uber is coordinating its investigation with the FBI and Department of Justice, as well as several leading digital forensics firms, according to the post.
Analyst Comment: Once the attacker had the contractor’s credentials, they appear to have conducted an “MFA bombing” attack. This means they repeatedly tried logging into the contractor’s account until eventually the contractor accepted one of the multi-factor authentication push prompts, granting the attacker access. Lapsus$ used this same attack method when they targeted Microsoft. The actor responsible for the Uber compromise, Tea Pot, also claimed responsibility for the Rockstar Games breach that happened a few days later. The actor leaked footage of the unreleased GTA 6 game under the alias teapotuberhacker. A dox of this actor identified them as one of the leaders of the Lapsus$ group. They were allegedly arrested on September 22, 2022 and are being held at a youth detention center since they are under 18. For this reason, law enforcement has also kept their identity anonymous.
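The MFA bombing pattern described above can be spotted in authentication telemetry: an account that approves a push only after an unusual burst of challenges in a short window. The following is an added detection example, not code from the original briefing or from Uber; the log format, field names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real telemetry): timestamp, user, event.
# Events are PUSH_SENT, PUSH_DENIED or PUSH_APPROVED (assumed vendor-neutral names).
SAMPLE_LOG = """\
2022-09-15T21:02:10Z contractor1 PUSH_SENT
2022-09-15T21:02:30Z contractor1 PUSH_DENIED
2022-09-15T21:03:05Z contractor1 PUSH_SENT
2022-09-15T21:03:20Z contractor1 PUSH_DENIED
2022-09-15T21:04:12Z contractor1 PUSH_SENT
2022-09-15T21:05:01Z contractor1 PUSH_SENT
2022-09-15T21:05:44Z contractor1 PUSH_SENT
2022-09-15T21:06:30Z contractor1 PUSH_SENT
2022-09-15T21:06:52Z contractor1 PUSH_APPROVED
2022-09-15T21:07:00Z analyst2 PUSH_SENT
2022-09-15T21:07:15Z analyst2 PUSH_APPROVED
"""


def parse(log_text):
    """Parse lines of '<iso-timestamp> <user> <event>' into (datetime, user, event)."""
    events = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return users who approved a push after >= threshold pushes within `window`.

    A single push followed by an approval is normal sign-in; a burst of pushes
    ending in an approval is the fatigue signature and warrants a session review.
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        sent = []  # timestamps of pushes still inside the sliding window
        for ts, event in evs:
            sent = [t for t in sent if ts - t <= window]  # drop stale pushes
            if event == "PUSH_SENT":
                sent.append(ts)
            elif event == "PUSH_APPROVED" and len(sent) >= threshold:
                hits[user] = {"pushes_before_approval": len(sent), "approved_at": ts}
    return hits
```

Tune the window and threshold to the tenant's normal push volume; the point is to alert on the approval that follows a burst, not on the burst alone.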
According to Ukrainian intelligence, Russia plans to carry out massive cyberattacks on critical infrastructure facilities in Ukraine, particularly the energy industry, as well as increase the number of DDoS attacks on institutions in Poland and the Baltic states. The press service of the Chief Intelligence Directorate of the Ministry of Defense of Ukraine posted a bulletin on Monday, September 26, saying “the cyber attack will be aimed at energy industry enterprises. This will allow the enemy to try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine.” This warning follows a July Council of the EU statement that Russian threat groups increasingly attacking “essential” organizations worldwide might lead to escalation and spillover risks. And in February, CISA and the FBI said in a joint advisory that wiper malware attacks targeting Ukraine could easily spill over to targets in other countries. Just days before Ukraine’s warning, Russian President Vladimir Putin announced a call-up of roughly 300,000 military reservists and issued a veiled threat of using nuclear weapons, as Russia has lost ground in eastern and southern Ukraine in recent weeks.
Analyst Comment: While Ukrainian intelligence did not disclose any additional details, this warning should be taken seriously. Russia has repeatedly targeted Ukrainian critical infrastructure with both cyber and kinetic attacks, starting with the power disruptions in Ukraine in 2015 and 2016 caused by Sandworm Team. More recently, Russian missiles struck several critical infrastructure sites, knocking out power in multiple regions of Ukraine amid the retreat of Russian troops. In the future, Russia may use a combination of cyber and kinetic attacks against Ukrainian critical infrastructure. On September 28, CISA Director Jen Easterly tweeted the agency’s Shields Up campaign, warning that the risk environment is evolving. The UK’s NCSC Director Lindy Cameron also warned, “There is a real possibility Russia could change its approach in the cyber domain and take on more risks.”
After a massive cybersecurity breach against Australian telecommunications firm Optus, affecting 10 million customers, Sydney is planning a privacy overhaul. Specifically, Australia plans to toughen privacy rules to force companies to notify banks faster when they experience cyber attacks, according to Prime Minister Anthony Albanese. Optus, owned by Singapore Telecoms, said last week that home addresses, drivers’ licenses, and passport numbers of up to 10 million customers, or about 40% of the population, were compromised, in what has become one of the biggest data breaches in Australia’s history. Albanese called the incident a “huge wake-up call” for the corporate sector, saying there are state actors and criminal groups who want to access people’s data. Australian media reported that an unidentified party demanded US $1M in cryptocurrency for the data in an online forum, but Optus has not commented on the authenticity of the ransom demand.
Analyst Comment: On September 23, 2022, the actor optusdata advertised the leak on the Breached forum, requesting US $1M in cryptocurrency. The actor stated that if Optus paid, the data would be deleted, but if they did not pay, the data would be sold. The actor posted about 10,000 address records as proof. On September 26, 2022, optusdata stated that the data would not be sold and that no additional data would be released beyond the initial 10,000 leaked records. The actor apologized for their actions and claimed to have deleted the data they possessed. The actor stated that they would have reported the vulnerability if Optus had a security email address, a bug bounty program, or some other way to contact the company about it. An Australian cybersecurity publication, Risky.Biz, reported on September 29 that law enforcement could have engaged with the actor to alter their course of action.
Meta announced that it disrupted a network of fake accounts originating from China and Russia ahead of the US midterm elections. According to Meta’s press release, the Chinese network was the first that Meta has identified focusing on US domestic politics leading up to November’s elections. The network targeted individuals on both sides of the political spectrum. Another Chinese network that Meta disrupted was primarily producing anti-government content in the Czech Republic that criticized the country’s support for Ukraine in its war with Russia. Meta also disrupted a large Russian network that targeted several European countries, including Germany, France, Italy, Ukraine, and the UK. The fake accounts sought to impersonate legitimate news sites and posted pro-Russia content that criticized Ukraine and Western sanctions.
China again publicly accused the US National Security Agency of launching a cyber attack against a leading Chinese university. The investigation by China’s National Computer Virus Emergency Response Center and a Chinese internet security company uncovered the technical characteristics, tools, and methods of the attacks it said were conducted by Computer Network Operations, a cyber warfare intelligence-gathering unit of the NSA. They also identified thirteen hackers they said were involved in cyberattacks on Northwestern Polytechnical University in China. The university is funded by China’s Ministry of Industry and Information Technology and frequently collaborates with Beijing on national security projects such as fighter jet development.
Analyst Comment: Since this piece was published by a Chinese news source, there may be exaggerations or misstatements in the messaging. China has a history of holding onto old information and releasing it later for strategic effect or as signaling toward its adversaries. It is unclear whether this piece was published at this time in response to an event or to strategically position China for future geopolitical events. This activity is consistent with the Chinese Communist Party’s military-civil fusion cyber strategy to strengthen China’s cyber resilience and achieve cyber sovereignty. It is also likely part of China’s strategic intent both to normalize its espionage behaviors and to establish itself as a cyber superpower on par with the US. The South China Morning Post published a similar article in July 2022.
- Deactivate in-country administrative access.
- Implement blocking DLP policies.
- Wipe high-risk internal servers.
- Deprovision access to intranet services.
- Deprovision access to cloud services.
- Lock/wipe endpoint PCs as appropriate.
- Deprovision mobile devices.
- Lock user accounts.
- Cut WAN access, maintaining a VPN backup.
Senate Homeland Security Committee leaders Gary Peters (D-Michigan) and Rob Portman (R-Ohio) introduced a bill requiring CISA to develop a risk framework laying out how the federal government relies on open source software. The Securing Open Source Software Act comes after researchers discovered the Log4j vulnerability in December, which affected millions of devices, including critical infrastructure and federal systems. The bill also requires CISA to hire professionals with experience developing open source code, to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Over the summer, CISA warned that actors were continuing to exploit the vulnerability. And in the past few weeks, Cisco said it observed Lazarus exploiting the same vulnerability to target energy providers in the US, Canada, and Japan.
The Quad (Australia, Japan, India, and the US) met last week and issued a joint statement calling on nation states to address ransomware operations originating from within their own territory. Officials representing the Quad countries met on the sidelines of the UN General Assembly last week. They pledged to help each other in the face of malicious cyber activity, including ransomware, against critical infrastructure. They also plan to fight threats to the cyber infrastructure that enables Indo-Pacific economic development and security. The group also welcomed talks about a possible new UN cybercrime convention, which would seek to counter ransomware.
TRENDS & RESEARCH
In a blog post, Google said it has observed hackers aligning more closely with Russia to target Ukraine. According to the report, Google analysts have “never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort.” According to the researchers, three pro-Russian hacktivist groups have been involved: XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn. Some US institutions have also been targeted by these groups.
Analyst Comment: LookingGlass actively monitors cybercrime and hacktivist groups that have been targeting Ukraine since the early stages of the full-scale invasion. The group behind Conti ransomware (Trickbot Gang/UAC-0098) declared its support for the Russian government in the first days of the invasion. In addition, LookingGlass has been tracking dozens of hacktivist groups targeting Ukraine and its allies, mostly with DDoS attacks, data exfiltration, doxxing, and information operations. While not all of them may be directly involved with the Russian government, their activity closely aligns with the interests of Russia.
The National Cyber Power Index of 2022 was released with the US ranked at the top again, China in second, followed by Russia. Russia displaced the UK for the number 3 spot compared to the previous (2020) National Cyber Power Index. Regarding objectives, the US scored highest for intelligence, information control, norms, and offensive objectives. China scored highest for surveillance and commerce. Of note, Iran placed last in the top ten, while North Korea did not place in the top ten; however, the DPRK was ranked decisively first in the financial objectives category. The index is based on open source information and ranks thirty nations relative to one another.