Entries Tagged "Russia"

Page 1 of 13

Ukraine Intercepting Russian Soldiers’ Cell Phone Calls

They’re using commercial phones, which go through the Ukrainian telecom network:

“You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

[…]

“Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

“But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.

Posted on December 21, 2022 at 7:09 AMView Comments

Trojaned Windows Installer Targets Ukraine

Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system:

Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

One obvious solution would be for Microsoft to give the Ukrainians Windows licenses, so they don’t have to get their software from sketchy torrent sites.

Posted on December 20, 2022 at 7:30 AMView Comments

How to Surrender to a Drone

The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone:

“Seeing the drone in the field of view, make eye contact with it,” the video instructs. Soldiers should then raise their arms and signal they’re ready to follow.

After that the drone will move up and down a few meters, before heading off at walking pace in the direction of the nearest representatives of Ukraine’s army, it says.

The video also warns that the drone’s battery may run low, in which case it will head back to base and the soldiers should stay put and await a fresh one.

That one, too, should be met with eye contact and arms raised, it says.

Incredible.

Posted on December 19, 2022 at 7:09 AMView Comments

CryWiper Data Wiper Targeting Russian Sites

Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

Nothing leading to an attribution.

News article.

Slashdot thread.

Posted on December 6, 2022 at 7:04 AMView Comments

Russian Software Company Pretending to Be American

Computer code developed by a company called Pushwoosh is in about 8,000 Apple and Google smartphone apps. The company pretends to be American when it is actually Russian.

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in US regulatory filings, however, it presents itself as a US company, based at various times in California, Maryland, and Washington, DC, Reuters found.

What does the code do? Spy on people:

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

I have called supply chain security “an insurmountably hard problem,” and this is just another example of that.

EDITED TO ADD (12/12): Here is a list of apps that use the Pushwoosh SDK.

Posted on November 16, 2022 at 6:03 AMView Comments

Cold War Bugging of Soviet Facilities

Found documents in Poland detail US spying operations against the former Soviet Union.

The file details a number of bugs found at Soviet diplomatic facilities in Washington, D.C., New York, and San Francisco, as well as in a Russian government-owned vacation compound, apartments used by Russia personnel, and even Russian diplomats’ cars. And the bugs were everywhere: encased in plaster in an apartment closet; behind electrical and television outlets; bored into concrete bricks and threaded into window frames; inside wooden beams and baseboards and stashed within a building’s foundation itself; surreptitiously attached to security cameras; wired into ceiling panels and walls; and secretly implanted into the backseat of cars and in their window panels, instrument panels, and dashboards. It’s an impressive—­ and impressively thorough—­ effort by U.S. counterspies.

We have long read about sophisticated Russian spying operations—bugging the Moscow embassy, bugging Selectric typewriters in the Moscow embassy, bugging the new Moscow embassy. These are the first details I’ve read about the US bugging the Russians’ embassy.

EDITED TO ADD (10/12): How the CIA bugged Xerox copiers.

Posted on September 28, 2022 at 6:19 AMView Comments

Russia Creates Malware False-Flag App

The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It’s actually malware, and provides information back to the Russians:

The hackers pretended to be a “community of free people around the world who are fighting russia’s aggression”—much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard. To add more credibility to the ruse they hosted the app on a domain “spoofing” the Azov Regiment: cyberazov[.]com.

[…]

The app actually didn’t DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely.

[…]

Google said the fake app wasn’t hosted on the Play Store, and that the number of installs “was miniscule.”

Details from Google’s Threat Analysis Group here.

Posted on July 20, 2022 at 10:32 AMView Comments

The Limits of Cyber Operations in Wartime

Interesting paper by Lennart Maschmeyer: “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations“:

Abstract: Although cyber conflict has existed for thirty years, the strategic utility of cyber operations remains unclear. Many expect cyber operations to provide independent utility in both warfare and low-intensity competition. Underlying these expectations are broadly shared assumptions that information technology increases operational effectiveness. But a growing body of research shows how cyber operations tend to fall short of their promise. The reason for this shortfall is their subversive mechanism of action. In theory, subversion provides a way to exert influence at lower risks than force because it is secret and indirect, exploiting systems to use them against adversaries. The mismatch between promise and practice is the consequence of the subversive trilemma of cyber operations, whereby speed, intensity, and control are negatively correlated. These constraints pose a trilemma for actors because a gain in one variable tends to produce losses across the other two variables. A case study of the Russo-Ukrainian conflict provides empirical support for the argument. Qualitative analysis leverages original data from field interviews, leaked documents, forensic evidence, and local media. Findings show that the subversive trilemma limited the strategic utility of all five major disruptive cyber operations in this conflict.

Posted on May 31, 2022 at 6:06 AMView Comments

Microsoft Issues Report of Russian Cyberattacks against Ukraine

Microsoft has a comprehensive report on the dozens of cyberattacks—and even more espionage operations—Russia has conducted against Ukraine as part of this war:

At least six Russian Advanced Persistent Threat (APT) actors and other unattributed threats, have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea. It is unclear whether computer network operators and physical forces are just independently pursuing a common set of priorities or actively coordinating. However, collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.

[…]

Threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion. From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.

Posted on April 28, 2022 at 9:15 AMView Comments

Russian Cyberattack against Ukrainian Power Grid Prevented

A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used.

Key points:

  • ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
  • The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
  • The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
  • We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
  • We assess with high confidence that the APT group Sandworm is responsible for this new attack

News article.

EDITED TO ADD: Better news coverage from Wired.

Posted on April 13, 2022 at 6:32 AMView Comments

1 2 3 13

Sidebar photo of Bruce Schneier by Joe MacInnis.