How Russia’s Invasion Triggered a US Crackdown on Its Hackers

Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.

Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency, to unsealing two indictments against members of notorious Russian state hacker groups, to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, General Paul Nakasone, director of the NSA and Cyber Command, also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit, both in Ukraine and in the networks of other allies.

Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”

Daniel says that compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift both to years of US government experience dealing with Vladimir Putin’s regime and to the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also to networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniel. “We’ve learned that we need to be more aggressive.”

The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.

Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed coconspirators at the same organization.

At the same time, the Cybersecurity and Infrastructure Security Agency, Justice Department, and FBI were taking on a third Russian state hacker group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm—with a track record that includes everything from triggering blackouts in Ukraine to the release of the NotPetya malware that inflicted $10 billion in damage worldwide—had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink. When that advisory led to only a 39 percent drop in the number of devices the botnet hijacked, the FBI took the rare step of actually impersonating the hackers’ communications to its command-and-control machines, sending commands to remove the hackers’ malware from those devices, and thus cutting off Sandworm’s access to at least part of its botnet.

The specific targeting of those three hacker groups—the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and the GRU-linked Sandworm group—shows how the US government is intentionally taking actions to deter and disable the Russian hackers who present the greatest threat of not mere espionage or cybercrime, but targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the US is bracing for potential cyberattacks from Russia, the Department of Justice has specifically indicted two of these actors and carried out an operation against the third,” says Hultquist. “Those are the actors that have the history and proven capability for disruptive and destructive attacks. That’s why operations have been and should be focused on those actors.”

A Sinister Way to Beat Multifactor Authentication Is on the Rise

Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA is anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator, and push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or tap a button displayed on the screen of their phone.

It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”
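The prompt-bombing pattern described above is visible on the identity provider’s side as a burst of push requests for one account, which is where a defender can catch it. The following Python is an added example written for this page, not code from Mandiant, Microsoft or any MFA vendor; it assumes a simplified, constructed log format (timestamp, user, factor, result), flags any user who receives many push prompts inside a sliding window, and ranks a burst that ends in an approval highest, since that is the case where the account has most likely been taken over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA log (not real data).
# Format per line: <ISO-8601 UTC timestamp> <user> <factor> <result>
SAMPLE_LOG = """\
2022-03-22T01:02:11Z alice push denied
2022-03-22T01:02:40Z alice push timeout
2022-03-22T01:03:15Z alice push denied
2022-03-22T01:04:02Z alice push timeout
2022-03-22T01:05:30Z alice push denied
2022-03-22T01:06:48Z alice push timeout
2022-03-22T01:08:05Z alice push approved
2022-03-22T09:14:20Z bob push approved
2022-03-22T13:47:02Z bob totp approved
2022-03-22T17:30:00Z bob push denied
"""


def parse_line(line):
    """Split one log line into (timestamp, user, factor, result)."""
    ts, user, factor, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, factor, result


def detect_prompt_bombing(log_text, window_minutes=10, threshold=5):
    """Flag users who got >= threshold push prompts inside any sliding window.

    Returns {user: {"prompts": n, "first": ts, "last": ts, "approved": bool}},
    keeping the largest burst seen per user. "approved" means the user accepted
    a prompt inside the burst, which warrants an immediate session review.
    """
    pushes = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, factor, result = parse_line(line)
        if factor == "push":  # typed OTP codes cannot be "bombed" this way
            pushes[user].append((ts, result))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, events in pushes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_minutes.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold and len(burst) > alerts.get(user, {}).get("prompts", 0):
                alerts[user] = {
                    "prompts": len(burst),
                    "first": burst[0][0],
                    "last": burst[-1][0],
                    "approved": any(r == "approved" for _, r in burst),
                }
    return alerts


def severity(alert):
    """An approval at the end of a burst likely means account takeover."""
    return "critical" if alert["approved"] else "high"


if __name__ == "__main__":
    for user, alert in detect_prompt_bombing(SAMPLE_LOG).items():
        print(f"{severity(alert)}: {user} received {alert['prompts']} push prompts "
              f"between {alert['first']:%H:%M} and {alert['last']:%H:%M} UTC")
```

In the constructed sample, alice receives seven prompts in six minutes and finally approves one, while bob’s two push prompts hours apart never trip the threshold; the same rate logic, applied inline by the provider, is the basis for capping or throttling repeated pushes.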

New Lapsus$ Hack Documents Make Okta’s Response Look More Bizarre

In the week since the digital extortion group Lapsus$ first revealed that it had breached the identity management platform Okta through one of the company’s subprocessors, customers and organizations across the tech industry have been scrambling to understand the true impact of the incident. The subprocessor, Sykes Enterprises, which is owned by the business services outsourcing company Sitel Group, confirmed publicly last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel’s initial breach notification to customers, which would include Okta, on January 25, as well as a detailed “Intrusion Timeline” dated March 17.

The documents raise serious questions about the state of Sitel/Sykes’ security defenses prior to the breach, and they highlight apparent gaps in Okta’s response to the incident. Okta and Sitel both declined to comment about the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.

When the Lapsus$ group published screenshots claiming it had breached Okta on March 21, the company says that it had already received Sitel’s breach report on March 17. But after sitting with the report for four days, Okta seemed to be caught flat-footed when the hackers took the information public. The company even initially said, “The Okta service has not been breached.” WIRED has not seen the complete report, but the “Intrusion Timeline” alone would presumably be deeply alarming to a company like Okta, which essentially holds the keys to the kingdom for thousands of major organizations. Okta said last week that the “maximum potential impact” of the breach reaches 366 customers.

The timeline, which was seemingly produced by security investigators at Mandiant or based on data gathered by the firm, shows that the Lapsus$ group was able to use extremely well-known and widely available hacking tools, like the password-grabbing tool Mimikatz, to rampage through Sitel’s systems. At the outset, the attackers were also able to gain enough system privileges to disable security scanning tools that might have flagged the intrusion sooner. The timeline shows that attackers initially compromised Sykes on January 16 and then ramped up their attack throughout the 19th and 20th until their last login on the afternoon of the 21st, which the timeline calls “Complete Mission.”

“The attack timeline is embarrassingly worrisome for Sitel group,” Demirkapi says. “The attackers did not attempt to maintain operational security much at all. They quite literally searched the internet on their compromised machines for known malicious tooling, downloading them from official sources.”

Even with only the information that Sitel and Okta have described having at the end of January, though, it is unclear why the two companies do not seem to have mounted a more expansive and urgent response while Mandiant’s investigation was ongoing. Mandiant also declined to comment for this story.

Okta has said publicly that it detected suspicious activity on a Sykes employee’s Okta account on January 20 and 21 and shared information with Sitel at that time. Sitel’s “Customer Communication” on January 25 would have seemingly been an indication that even more was awry than Okta previously knew. The Sitel document describes “a security incident … within our VPN gateways, Thin Kiosks, and SRW servers.”

The Lapsus$ Hacking Group Is Off to a Chaotic Start

Ransomware gangs have become well-oiled moneymaking machines in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, cavorting about with a strong social media presence on Telegram, a string of high-profile victims—including Samsung, Nvidia, and Ubisoft—calamitous leaks, and dramatic accusations that add up to a reckless escalation in an already unlawful industry.

What makes Lapsus$ noteworthy, too, is that the group isn’t really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then threatening to leak the stolen information unless the victim pays up, Lapsus$ seems to exclusively focus on the data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.

“It’s all been quite erratic and unusual,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “My sense is that they are a talented but inexperienced operation. Whether they will seek to expand and bring on affiliates or keep it small and lean remains to be seen.”

Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for a period of time. 

Even in those early campaigns, Lapsus$ got creative; it set Localiza’s website to redirect to an adult media site for a couple of hours until the company could revert it. 

As the attackers have ramped up and gained confidence, they’ve expanded their reach. In recent weeks, the group has hit Argentine ecommerce platforms MercadoLibre and MercadoPago, claims to have breached the British telecom Vodafone, and has begun leaking sensitive and valuable source code from Samsung and Nvidia. 

“Remember: The only goal is money, our reasons are not political,” Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, “Please note: We are not state sponsored and we are not in politics AT ALL.”

Researchers say, though, that the truth about the gang’s intentions is murkier. Unlike many of the most prolific ransomware groups, Lapsus$ seems to be more of a loose collective than a disciplined, corporatized operation. “At this point it’s difficult to say with certainty what the group’s motivations are,” says Xue Yin Peh, a senior cyber-threat intelligence analyst at the security firm Digital Shadows. “There are no indications yet that the group uses ransomware to extort victims, so we can’t confirm that they’re financially motivated.”

Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn’t meet a series of unusual demands. At first the gang told the chipmaker to remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Then Lapsus$ demanded that the company release certain drivers for its chips.

“The focus on cryptocurrency mining suggests that the group may ultimately be financially driven, however they are certainly taking a different approach than other groups in soliciting financial rewards,” Digital Shadows’ Peh says.

An Insidious Mac Malware Is Growing More Sophisticated

Mac malware known as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary.

Person-in-the-Middle attack

Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends “heartbeats” that let attackers know if the malware is still running. It also installs adware known as Adload.

Microsoft researchers wrote:

Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.

Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.

Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures users receive a warning that new software comes from the internet, and it also ensures the software doesn’t match known malware strains.) While this malicious capability isn’t novel—Mac malware from 2017 did the same thing—its incorporation into UpdateAgent indicates the malware is under regular development.

UpdateAgent’s reconnaissance has been expanded to collect system profile and SPHardwareDataType data, which, among other things, reveals a Mac’s serial number. The malware also started modifying the LaunchDaemon folder instead of the LaunchAgent folder as before. While the change requires UpdateAgent to run as administrator, it allows the trojan to inject persistent code that runs as root.

The following timeline illustrates the evolution.

(Figure: illustrated timeline of UpdateAgent’s evolution. Courtesy of Microsoft.)