• S&L CTI-Current Events 10: Defending Ukraine

    I’ve carefully read the MSTIC “Defending Ukraine” preliminary report on the RU-UA cyber war (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK). Surprise, surprise… it doesn’t come to any counterintuitive conclusions that would be bad for MS’ bottom line. It encourages deepening public-private partnerships, as one would expect. MS has given a lot of free support to UA, and wants to cash its goodwill out of the clout casino. And it’s rolling out new product lines in accord with its newly demonstrated capacity to provide security services in an information war.

    Justifiable cynicism aside, MSTIC has been absolutely fantastic in this war. They’ve performed brilliantly. Some of their analysis is right on point. They acknowledge that RU has been circumspect and ineffective in its cyber sabotage while being expansive and effective in its cyber espionage. The report talks about the GRU, SVR, and FSB activity in light detail. To my eyes, the most successful Russian cyber campaign of the RU-UA War of 2022 appears to be by the threat group Actinium, an FSB Crimea unit.

    Actinium was previously known as Gamaredon and Shuckworm. Back in January, Symantec Threat Hunters found this group conducting cyber espionage against Ukrainian targets via a spear-phishing campaign (one that proved highly resistant to static detection) that installed malware which then established a connection to a C2 server and exfiltrated data (https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine). Palo Alto Networks has also been following the Gamaredon group and has found hundreds of infection domains (they aren’t fast-fluxing them, but they are changing them daily), IP addresses, and malware samples associated with this activity cluster (https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/). MSTIC itself had earlier reporting specifically on Actinium, and found them targeting the Ukrainian public sector and public sector-adjacent NGOs for the purpose of stealing sensitive data (https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/).

    There is no strong evidence that Actinium’s campaigns are coordinated with other Russian cyber war activities. It has, however, been uniquely successful in acquiring sensitive information related to UA’s security, emergency response, and humanitarian support services. Over the course of the RU-UA conflict, at least insofar as we can tell, the FSB has had a more focused campaign than the GRU and a broader campaign than the SVR. Actinium has been the sharpest knife in its toolkit. As RU moves closer to achieving its objectives in UA, my anxiety is that Actinium’s well-honed blade will be pointed beyond UA and at targets in Western Europe, GB, or the US.

    The MSTIC report does not downplay the extent of Russian cyber espionage against the Coalition that has supported Ukraine’s valiant efforts. I cannot help but fear the invasion of Ukraine is only step one in a much larger strategic war. The UA invasion started with a cyber and information war, and the same could be true of additional Russian deployments. The best way to contain Russia’s revanchist ambitions is to make the UA phase as costly as possible. Which is easy for me to say here in my comfy home in my role as a keyboard warrior. I wish I could contribute more. Slava Ukraini!

  • S&L CTI-Current Events 9: Chinese Cyberespionage Campaign Targets Russia

    This red-on-red activity thread with China as the adversary, Russia as the victim, and APT tools as the capabilities is interesting. Developments in the RU-UA war are also dependent events, as China seems to be using cyberespionage to determine RU actions. A Twitter thread from last month by a Russian-speaking CTI specialist for Malwarebytes found CERT-RU messages warning of new attacks. This account looked into it and was one of the first to report a maldoc uncovered in his investigation that was built with Royal Road, a maldoc builder associated with PRC APTs (https://twitter.com/h2jazi/status/1537536029250490382). A malware researcher published the results of analysis on VirusTotal, revealing the doc contained trojans with a malware dropper (https://www.virustotal.com/gui/file/c7018ee3783f4b2fb19fedc78c59586390efa1b72c907867794bf42141eb767c/detection). Our friends at CERT-UA also reported on it, analyzing the rich text document and finding the Bisonal RAT. They attributed the attacks to Chinese APTs and concluded, “it is appropriate to assume that groups associated with the PRC have intensified their activities in relation to the Russian Federation (enterprises in the scientific and technical, aviation industry, as well as state bodies)” (https://cert.gov.ua/article/375404). We have Chinese espionage on Russian systems, primarily for scientific and technical intelligence collection.

    The story doesn’t stop there, though. SentinelLabs did a deep dive into this and found a previously undiscovered activity cluster of Chinese cyberespionage groups (including Tonto Team; document metadata revealed the files were created on a system using simplified Chinese) targeting a broad range of Russian orgs and, specifically, telecoms in Pakistan (https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/). The Chinese have not just entered the cyberbattlespace. This is a campaign.

    We have Chinese fingerprints: Royal Road, Bisonal RAT, IOCs that show infrastructure used by Chinese APTs. We have ops by the APT. We have tooling exclusively used by the Chinese and designed primarily for espionage. We have phishing tradecraft that shows some knowledge of the relations between RKN and the RU telecoms, as well as the Russian MoD. The question that I don’t see anyone asking is: why would a single APT get tasking to go after both RU and Pakistan? Is it just because both involve telecom espionage? Answering these questions involves looking into the APT itself.

    Tonto Team has had some longevity. They’ve been around since 2009, mostly focused on Pacific Rim targets from Japan to Korea to the US. Their tasking expanded in 2020 to Eastern Europe. Their threat objectives were primarily scientific and technical intelligence and industrial espionage. Their TTPs have also evolved considerably, from Python and PowerShell scripts delivered via phishing campaigns aimed at basic OS credential dumps to sophisticated remote administration tools. Their infrastructure has also expanded. My hypothesis is that since scientific and technical intelligence collection and industrial espionage are so central to the Chinese strategy, they invest in their APTs that show success in these areas, and then expand their targets and objectives as they upgrade their capabilities and tradecraft. Maybe they’ve gamified this in a sense, and they level up their APTs to more expansive areas of operation over time. Young Chinese are extraordinary gamers, after all.

    Russia is not a natural ally for the Chinese. They want to be on their side but they don’t trust them. This cyberespionage reflects that. The Chinese want scientific and technical advantage. Even more so, they want a predictable world. They’re spying on Russians to help manage the risks of an alliance with them, and extracting their price in the form of science, engineering, and industrial know-how.

  • S&L CTI-Current Events 8: RIP Shinzo Abe, Reluctant but Effective Cyberwarrior

    Shinzo Abe was a reluctant but effective cyberwarrior. In 2014, during Abe’s second term as prime minister, the Diet passed the Basic Act on Cybersecurity (https://www.japaneselawtranslation.go.jp/en/laws/view/3677/en). It was a law that had the right sense of the problem: cyberspace is an unregulated place of realpolitik for everyone who participates in it, it is broadly governed by norms and conventions rather than enforceable laws, threats abound and hostility is always possible, and self-help is necessary for safety and security on the Internet. The goal of the law was, inter alia, comprehensive education and engagement of the whole citizenry on basic cybersecurity to empower everyone. The law also gave the Cyber Security Strategy HQ new authority to audit the cybersecurity policies of Japan’s administrative agencies (https://japan.kantei.go.jp/97_abe/actions/201502/10article4.html). There were some bad-optics missteps, such as when Yoshitaka Sakurada, the minister with responsibility over cybersecurity, admitted he had never used a computer (https://www.cnbc.com/2018/11/15/japans-minister-of-cybersecurity-admits-hes-never-used-a-computer.html). Still, the cyber security office released a lauded cybersecurity strategy in 2018 that helped clarify and focus the Japanese corporate sector’s effort on securing their nation’s cyber assets in the face of growing regional threats (https://www.cfr.org/blog/how-japans-new-cybersecurity-strategy-will-bring-country-par-rest-world). By 2020, the ITU’s Global Cybersecurity Index ranked Japan 7th overall in cybercapacity. Abe was serious about reviving Japanese strategic and overall defense capabilities to confront the growing threat of Chinese imperialism, including on the cyber and information warfare fronts (https://nsc.crawford.anu.edu.au/department-news/17115/opinion-shinzo-abe-has-made-japan-leader-again). He vocally supported the critical AUKUS triangle strategy and wanted Japan to work with quadrilateral and trilateral powers on cyber and AI to confront the rising Red Dragon (https://www.theguardian.com/australia-news/2021/nov/19/japan-should-work-with-aukus-on-cybersecurity-and-ai-says-shinzo-abe). He was a measured yet confident statesman who guided and shaped a Japan that is more capable of regional self-defense than it has been in living memory. RIP Shinzo Abe.

  • S&L CTI-Current Events 7: Microsoft Russo-Ukrainian Cyber War Report

    I’m still parsing this big-picture report from MSTIC on the UA cyberwar (https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK). I believe this report is a primary historical document. MSTIC has become that important. Microsoft President Brad Smith outlines the Russian cyber strategy we’ve all come to understand in a foreword: “The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts – destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.” He calls for collective cyberdefense and cooperation (not unlike Defend Forward). He also identifies this as a moment in which we can reflect on the efficacy of cyber offensive and defensive operations. He summarizes the five conclusions of the report: 1. A strategic cyber response to invasion requires dispersion of digital infrastructure. 2. AI-enabled CTI and end-point security deserve credit for effective defense. 3. Cyber espionage by RU APTs has spread to coalition nations. 4. Russia is coordinating targeted IPb with other cyber arms through APMs using TTP that began with the KGB (and in ways that are isomorphic with malicious code distribution). 5. A comprehensive cyber strategy is needed to simultaneously deal with CNA, CNE, and IO. MS’s acquisition of IO-focused CTIA house Miburo Solutions (an acquisition that coincides with this report) shows they are stepping into the information war. We live in interesting times.

    MS is prepping to sell a new product line of CTIA services, one focused on APMs and not just APTs. They are joining the information war, as I’ve said. I mean, they’ve already joined it. They are just gearing up to monetize their participation. They’ve been impressive. Markets reward effectiveness, so I take nothing away from them. The criticism I would make is that they’ve looked at this from a CTI perspective in terms of TTP, which is typical. But I try to think in terms of threat objectives. Their explanandum is that Russia is coordinating joint cyber military operations, and their explanans is that we are seeing similar TTP across dissimilar activity threads. However, these are distinct threat objectives: sabotage, data theft, information manipulation. I would need to see stronger evidence of coordination, because I wouldn’t operate under the assumption they are inherently related just because they are ultimately sourced in some part of the Russian state apparatus. The Russian security service bureaucracies are notoriously cutthroat in their competition. And Russia has struggled to coordinate all-arms fires with kinetic weapons on the battlefield. Thus, I have to treat the notion that they are effectively coordinating military-cyber operations with espionage and IO with some serious skepticism.

  • S&L CTI-Current Events 6: Fancy Bear Dances with Follina

    Fancy Bear is exploiting the Follina vuln in MSDT for credential theft (https://www.darkreading.com/attacks-breaches/russia-apt28-launches-nuke-themed-follina-exploit-campaign). Fancy Bear is GRU Unit 26165 according to the US Special Counsel. Our friends at CERT-UA warned about the threat. CERT-UA said that another threat actor (probably Sandworm) has been exploiting the vuln against media orgs in Ukraine. They have also identified a threat group exploiting it to drop the red team C2 tool Cobalt Strike Beacon. MS supposedly patched the vuln with recent security updates. Just to be on the safe side, I backed up the ms-msdt reg key on my system and then went into RegEdit and deleted it.

  • S&L CTI-Current Events 5: Is Russia Failing the Cyberwar in Ukraine?

    Mikko Hypponen coming in with a triumphalist take on the Ukraine situation: https://portswigger.net/daily-swig/insight-russia-is-failing-in-its-mission-to-desta[…]ze-ukraines-networks-after-a-series-of-thwarted-cyber-attacks. He says that Russia is failing in the cyberwar in Ukraine. I’m concerned pronouncements such as this will create a false sense of security. My anxiety is that this is actually a much wider cyber and information war. The same article mentions MSTIC’s success in thwarting GRU-associated attacks in Ukraine. MSTIC has been amazing. However, the same article also mentions German financial regulators warning about Russia-sourced DDoS attacks aimed at German financial services. Furthermore, I just reviewed Mandiant’s April analysis of INDUSTROYER.V2 (https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks). Mandiant supplies a good technical analysis and makes the argument that OS malware should not be dismissed as a one-off, and should be treated as a modular framework for a persistent threat. INDUSTROYER.V2 targets ICS/SCADA systems using IEC-104, a device-to-device communication profile for PLC and RTU clients over TCP. Mandiant notes that systems using this protocol are more common in Europe and the Middle East. Is Russia’s real target the European peninsula? If so, MSTIC cannot be everywhere, so there are no real security assurances and Russia could, indeed, cause serious deleterious effects.
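    As an added illustration of what IEC-104 traffic looks like on the wire (this is my own example, not code from the page or from Mandiant’s report), the parser below decodes the APCI control field and the ASDU of a frame and flags control-direction commands, the kind of message a defender would want alerted on when it comes from an unexpected station. The frames at the bottom are constructed for this example, not captured traffic.

```python
"""IEC 60870-5-104 APDU parser with a control-command detector.

Added example; not code from the page or from Mandiant. It parses the
APCI control field and, for I-frames, the ASDU header and the first
information object, then flags control-direction commands (single and
double commands sent with cause-of-transmission "activation"). All frames
below are constructed for this example, not captured traffic.
"""
import struct

TYPE_NAMES = {1: "M_SP_NA_1 single-point information",
              45: "C_SC_NA_1 single command",
              46: "C_DC_NA_1 double command"}
CONTROL_TYPES = {45, 46}        # commands in the control direction
COT_ACTIVATION = 6              # cause of transmission: activation
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_apdu(frame: bytes) -> dict:
    """Parse one APDU: 0x68, length, four control octets, optional ASDU."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] != len(frame) - 2:          # length covers control field + ASDU
        raise ValueError("APDU length field does not match frame size")
    cf1, cf2, cf3, cf4 = frame[2:6]
    recv_seq = (cf3 >> 1) | (cf4 << 7)
    if cf1 & 0x01 == 0:                     # I-format: bit 0 of octet 1 is 0
        info = {"format": "I", "send_seq": (cf1 >> 1) | (cf2 << 7),
                "recv_seq": recv_seq}
        info.update(parse_asdu(frame[6:]))
        return info
    if cf1 & 0x03 == 0x01:                  # S-format: bits 0-1 are 01
        return {"format": "S", "recv_seq": recv_seq}
    return {"format": "U",                  # U-format: bits 0-1 are 11
            "function": U_FUNCTIONS.get(cf1, f"unknown 0x{cf1:02x}")}


def parse_asdu(asdu: bytes) -> dict:
    """Parse the ASDU header and the first information object (IOA + element)."""
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    out = {"type_id": type_id, "type_name": TYPE_NAMES.get(type_id, "other"),
           "num_objects": vsq & 0x7F, "cot": cot & 0x3F,
           "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
           "originator": originator,
           "common_addr": struct.unpack_from("<H", asdu, 4)[0]}
    if len(asdu) >= 10:
        out["ioa"] = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-octet IOA
        qualifier = asdu[9]
        if type_id == 45:                   # SCO: bit 0 = state, bit 7 = select/execute
            out["command"] = "ON" if qualifier & 0x01 else "OFF"
            out["select"] = bool(qualifier & 0x80)
        elif type_id == 46:                 # DCO: bits 0-1 = state (1 OFF, 2 ON)
            out["command"] = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "invalid")
            out["select"] = bool(qualifier & 0x80)
    return out


def control_command_alerts(frames) -> list:
    """One alert string per control-direction command found in the frames."""
    alerts = []
    for frame in frames:
        p = parse_apdu(frame)
        if (p["format"] == "I" and p["type_id"] in CONTROL_TYPES
                and p["cot"] == COT_ACTIVATION and "command" in p):
            phase = "select" if p["select"] else "execute"
            alerts.append(f"{p['type_name']}: {p['command']} ({phase}), "
                          f"IOA {p['ioa']}, station {p['common_addr']}")
    return alerts


# Constructed frames: U TESTFR act, an I-frame monitoring report, a single
# command ON (execute) to IOA 1001, an S-frame, and a double command OFF (select).
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "680443000000",
    "680e0200000001010300010001000001",
    "680e000000002d0106000100e9030001",
    "680401000200",
    "680e040000002e0106000100e9030081",
)]

if __name__ == "__main__":
    for alert in control_command_alerts(SAMPLE_FRAMES):
        print(alert)
```

    Running it prints two alerts, one for each command frame; the monitoring report, the S-frame and the TESTFR keep-alive pass silently.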

  • S&L CTI-Current Events 4: Russian Cyber-Partisans Targeting Lithuania and Others Again

    Cyber-partisans target Lithuanian transportation agencies with DDoS following the Kaliningrad blockade (https://www.bleepingcomputer.com/news/security/lithuania-warns-of-rise-in-ddos-attacks-against-government-sites/). The Cyber Spetsnaz squads appear to be using a tool called Aura DDoS. The dev seems to be on Telegram @AuraNetz. A Google search showed there were pull requests available on an unsecured GitHub link that allowed for Layer 7 DDoS with methods for bypassing Cloudflare reverse proxy protections. This tool also reportedly offers network- and transport-layer DDoS.

    Here is the link to another DDoS tool by this “firstapostle” (which was St. Peter): https://github.com/firstapostle/Blood. This is a surprising OSINT find due to the threat actor’s sloppiness. It is called Blood DDoS and it appears to be developed by @Killnet_Jacky. Jacky is one of the Cyber Spetsnaz squads of the Killnet cyber-partisan groups that has been assigned to Germany and Poland. There were no pull requests or discussion on this one, so there is no evidence of collaboration and it may be the work of a single malicious actor.

    The GitHub repo for Blood also contains a list of 206 IP addresses for SOCKS5 proxies. Reverse DNS lookups on some of these IP addresses reveal that most report non-existent domains. Some did get a response back on a basic nslookup query, but were blacklisted according to Talos and did not provide any more detailed name space info on option-enabled lookups (the query reported back non-existent domains, consistent with them being blacklisted by third-party lists). Some had quite a bit of active traffic as of last week after a period of dormancy. This is unsurprising, as Wednesday of last week (15 June 2022) saw the second biggest spike in DDoS attack activity (as measured by request and response data throughput) since this conflict started (https://www.akamai.com/internet-station). A suggested future direction for researchers with security labs is to monitor the traffic on these SOCKS5 proxies, which should be unencrypted, to see if there is evidence of any encrypted traffic or attempts by the proxies to connect SSH tunnels to routers or other devices (a strong indicator that these DDoS botherds are actually being used for other purposes such as data exfiltration).
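    As an added sketch of the monitoring idea above (my own example, not code from the page, from the Blood repo, or from any lab), the script below parses a client’s SOCKS5 CONNECT request to recover the destination and then classifies the first bytes the client relays as SSH, TLS, plain HTTP, or high-entropy data, which is what you would look for when asking whether a “DDoS proxy” is quietly carrying tunnels or exfiltration. The sessions at the bottom are constructed; in a lab they would come from a capture of the proxy’s traffic.

```python
"""Detecting tunneled or encrypted traffic through a SOCKS5 relay.

Added example; not code from the page or from any tool it names. Given the
client's SOCKS5 CONNECT request and the first bytes the client sends once
the relay is established, it reports the destination and classifies the
payload (SSH banner, TLS ClientHello, plain HTTP, or high-entropy data).
All samples are constructed for this example.
"""
import math
import struct
from collections import Counter


def parse_socks5_connect(req: bytes) -> dict:
    """Parse a SOCKS5 request (RFC 1928 s.4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}.get(req[1], "unknown")
    atyp = req[3]
    if atyp == 0x01:                              # IPv4: 4 octets
        host, end = ".".join(str(b) for b in req[4:8]), 8
    elif atyp == 0x03:                            # domain name: length-prefixed
        n = req[4]
        host, end = req[5:5 + n].decode("ascii"), 5 + n
    elif atyp == 0x04:                            # IPv6: 16 octets
        host = ":".join(f"{req[i]:02x}{req[i + 1]:02x}" for i in range(4, 20, 2))
        end = 20
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    port = struct.unpack_from("!H", req, end)[0]  # network byte order
    return {"cmd": cmd, "host": host, "port": port}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify_payload(data: bytes) -> str:
    """Label the first bytes the client sends after the relay is open."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"                              # TLS record: handshake, version 3.x
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                                  b"OPTIONS", b"CONNECT"):
        return "http"
    # Encrypted or compressed data sits near the entropy ceiling for its length,
    # which is log2(len) bits (capped at 8), so short samples are judged fairly.
    if len(data) >= 32 and shannon_entropy(data) > 0.9 * min(8.0, math.log2(len(data))):
        return "high-entropy"
    return "plain"


def review_session(request: bytes, first_payload: bytes) -> dict:
    """Combine destination and payload class into one finding."""
    dst = parse_socks5_connect(request)
    kind = classify_payload(first_payload)
    suspicious = kind in ("ssh", "high-entropy") or dst["port"] == 22
    return {**dst, "payload": kind, "suspicious": suspicious}


# Constructed sessions: (SOCKS5 request, first client payload after relay).
SAMPLES = [
    # CONNECT 203.0.113.10:80, then a plain HTTP request (expected DDoS traffic)
    (b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x00\x50",
     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # CONNECT 198.51.100.7:22, then an SSH banner: a tunnel to a router-like host
    (b"\x05\x01\x00\x01" + bytes([198, 51, 100, 7]) + b"\x00\x16",
     b"SSH-2.0-OpenSSH_8.9\r\n"),
    # CONNECT relay.example:8443, then 64 distinct bytes standing in for ciphertext
    (b"\x05\x01\x00\x03" + b"\x0drelay.example" + b"\x20\xfb",
     bytes(i * 37 % 256 for i in range(64))),
]


def findings() -> list:
    return [review_session(req, payload) for req, payload in SAMPLES]


if __name__ == "__main__":
    for f in findings():
        print(f)
```

    Only the SSH session and the high-entropy session come back flagged; the plain HTTP flood traffic is what these proxies are advertised for and passes as expected.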

    As far as I could find, the first compelling revelation that pro-Russian national cyber-partisan militias were engaging in information warfare campaigns with DDoS tools against targets was by legendary security researcher Dancho Danchev on ZDNet (https://www.zdnet.com/article/georgia-presidents-web-site-under-ddos-attack-from-russian-hackers/). This was during the Russo-Georgia War of 2008. These DDoS attacks were carried out with proxies cultivated by Russian botherders. The same TTP seems to be ongoing, precipitated by the same motivations. Danchev’s is also the earliest instance I could find of the hypothesis that Russia had incubated a cybercriminal ecosystem in order to direct it for geopolitical purposes based on nationalist saber-rattling.

    As a policy solution, these cyber-partisan groups should be classified as APTs and monitored closely. Researchers should look for evidence that these groups are actually being handled by security service operatives.

  • S&L CTI-Current Events 3: Samizdata on Cyber-Partisan Ideology?

    I’ve found an interesting article on the Substack of Russian propagandists and digital samizdat spreaders RWA (likely a front for pro-Russian IO). It is by a blogger who is popular with the cyber boffins of the Russian new right. It is likely to have been an influence on some of the pro-Russian cyber-partisans who are now information war combatants. In this brutal ideology, Ukraine belongs to Russia regardless of the perceptions of anyone else, including the Ukrainians themselves. It is part of the Russian fatherland. Thus, they don’t wish to destroy it, only control it. Furthermore, the real enemy is not the post-Maidan Ukrainian government, America, or even Atlanticist institutions like NATO. The real enemy is Europe, of which Russia cannot be considered historically, culturally, or intellectually a part. Perhaps the goal of many cyber-partisan operatives is not to have effects on Ukraine. Rather, the objective is to move laterally and spread into the nodes of the systems of Brussels bureaucrats or other European decision-makers (who pull strings behind the scenes in this conspiratorial worldview). The real mission is to damage Europe. This explains a lot of the Russian behavior. The deepest animus is reserved for European institutions (https://rwasamizdat.substack.com/p/bohemicus-on-the-ukraine?s=r). Supporting this hypothesis, JAGS seems to indicate that the AcidRain malware had its most devastating effect on European systems (https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/).

  • S&L CTI-Current Events 2: Bellingcat Doxx on FSB-Run Paramilitaries in Ukraine

    Absolute bombshell by Bellingcat: https://www.bellingcat.com/news/2022/06/17/meet-the-irregular-troops-backing-up-russias-army-in-the-donbas/. They track the Telegram and VK activity of 88er NazBols and Cossacks in the SDD paramilitary and use IMINT to geolocate their training facility. In tracking former DNR PM Borodai’s movements, they “geolocated the range to Russia’s Belgorod Region, at a location which is listed as an FSB border service shooting range.” It was Putin who pulled the Border Guard Service into the FSB. Putinism is the intelligentization of every relevant institution. There was an obscure story back in 2014 in which the Ukrainian security service accused Vladimir Kulishov of the Russian Border Guard Service, among others, of managing terrorist organizations in the separatist regions through financing and other material assistance (https://web.archive.org/web/20140728224641/http://rupaper.com/post/30752).

    It looks like Russia uses the FSB to train and run these Ukrainian separatist paramilitary units. For organizational reasons, it would make sense to use them for those purposes. They are located close to these regions in the Donbas and have both intelligence and counterintelligence activity within their umbrella, giving them the capacity to manage ops with an obscured fingerprint. I’m assuming Bellingcat published these as a target package for Ukrainian-sympathetic saboteurs because they have likely been operating and planning missions in Belgorod, despite public denials (see: https://www.rferl.org/a/russia-belgorod-fuel-depot-fire-ukraine/31780891.html and https://tass.com/society/1443891).

  • S&L CTI-Great Papers in Security 8: Conducting Cybersecurity Research Legally and Ethically & Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests

    The first paper is a bit of a think piece. It advances the complex argument that, while on the one hand cybersecurity researchers may tend to be overly circumspect in their research projects based on false beliefs about what the letter of the law prohibits, they do need to think carefully about how their research programs fit into the broader institutional framework and agenda of the organizations of which they are a part. It’s actually quite a good technical ethics paper because it fuses an attorney’s thinking on hard legal constraints with an ethicist’s calibrated reasoning on the ethical problems of such technical issues as intentionally running malicious scripts in a quasi-controlled environment.

    Burstein doesn’t really do much of a lit review. From the scant lit review and insinuations elsewhere in the paper, it looks like previous efforts to tackle the legality and ethics of cybersecurity research were centered on concerns related to privacy, and insufficiently on other potential criminal harms that trigger the dreaded prosecutorial discretion. That inference is a bit of a stretch, however, as the author neither specifies where his present contribution is situated in the professional literature nor explains what, as a broad thread, the previous research in this issue area stands for and what the anxieties were that motivated him to reassure security researchers that the law gives them a larger operating space than they utilize.

    Presumably, the author has training in technical philosophy since he is delving into technical ethics. It would have been nice to see some sharper reasoning and more productive insights into the problem of legal–particularly statutory–vagueness. The language of the law is rarely tidily coextensive with the intent of policy design. It appears Ohm et al. had made some noises about this yet did not go far in advocating change. It seems to be a very real problem, though. To further complicate the matter, the spirit of the law is even harder to grapple with. The intent of privacy protections related to interception of electronic communications seems to be to protect the nature and semantic content of the messages as well as, to some extent, the sources (i.e. pseudonymity). Although, collect enough packet headers and metadata about a source and a set of messages, and the awesome power of inferential data analysis can lead to real risks about the core content of packet payloads, who is sending them, and why. How can we approach scribbling rules, rights, and duties in such a way that operators can provide security researchers enough access to get an accurate clinical picture of the pathologies of the contemporary Internet without being hamstrung by vagaries and ambiguities? Are there sharp distinctions and hard boundaries where we can plant our flags?

    Returning to the issue of metadata, I found an interesting paper on the privacy profile of cellphone metadata. This issue became topical in the wake of revelations that the NSA was engaged in subpoena-less bulk collection of metadata. In the paper, the authors solicited volunteers to download an app that extracted metadata from their mobile device, and it was trivial to demonstrate that this kind of metadata could be used to draw intrusive conclusions using inferential analysis (https://www.pnas.org/content/pnas/113/20/5536.full.pdf). Research of this sort introduces its own ethical concerns, but in conducting crowdsourced research the authors were able to obtain informed consent.

    Admittedly, Burstein does not proffer a comprehensive ethical framework for reasoning through all the edge cases that can come up. He’s writing a discussion piece and sprinkling in some practical tidbits (though decidedly not legal advice) from a lawyer to a security researcher on how to contend with the legal risks of real-world research. That’s all to the good. As far as work-ready principles, I could tease out a few. One is that, for all the privacy protections that cover the conduct of network operators and service providers, there are limited to no meaningful research exceptions for actions such as running network traces, and such research exceptions ought to be in place.

    It seems like what Burnett and Feamster set out to contribute was to develop tools to longitudinally measure the scale and scope of invidious Web censorship. That toolkit is Encore, which uses a task scheduler to unspool tasks to a Web client for execution and then analyzes how much filtering takes place. I’m guessing it’s to be aggregated by domain (which they did) but ultimately by AS (so we know what governance power system is behind it). Now, this tool is designed to be run by the Web hosts (it collects and reports information about their traffic patterns in order to infer allowable behavior), but if the researchers were to run this over some URL without the Webmaster’s permission, without a research exception they could run afoul of a variety of criminal statutes, including the CFAA, because it delivers executable tasks to someone else’s machine.