Select Page
Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine

Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine

More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station’s circuit breakers and turn off the lights to a fraction of Ukraine’s capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia’s GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that power had been temporarily switched off to nine electrical substations.

Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine’s deputy minister of energy.

“The hack attempt did not affect the provision of electricity at the power company. It was promptly detected and mitigated,” says Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, known as the State Services for Special Communication and Information Protection (SSSCIP). “But the intended disruption was huge.” Asked about the earlier report that seemed to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stood by his and CERT-UA’s most recent public statements.

According to CERT-UA, hackers penetrated the target electric utility in February, or possibly earlier—exactly how isn’t yet clear—but only sought to deploy the new version of Industroyer on Friday. The hackers also deployed multiple forms of “wiper” malware designed to destroy data on computers within the utility, including wiper software that targets Linux and Solaris-based systems, as well as more common Windows wipers, and also a piece of code known as CaddyWiper that had been found inside of Ukrainian banks in recent weeks. CERT-UA claimed Tuesday that it was also able to catch this wiper malware before it could be used. “We were very lucky to be able to respond in a timely manner to this cyberattack,” Zhora told reporters in a press briefing Tuesday.

How Russia’s Invasion Triggered a US Crackdown on Its Hackers

How Russia’s Invasion Triggered a US Crackdown on Its Hackers

Since Russia launched its full-blown invasion of Ukraine in late February, a wave of predictable cyberattacks has accompanied that offensive, striking everything from Ukrainian government agencies to satellite networks, with mixed results. Less expected, however, was the cyber counteroffensive from the US government—not in the form of retaliatory hacking, but in a broad collection of aggressive legal and policy moves designed to call out the Kremlin’s most brazen cyberattack groups, box them in, and even directly disrupt their hacking capabilities.

Over the past two months, President Joe Biden’s executive branch has taken more actions to deter and even temporarily disarm Russia’s most dangerous hackers than perhaps any previous administration in such a short space of time. US countermeasures have ranged from publicly pinning the blame for distributed denial of service attacks targeting Ukrainian banks on Russia’s GRU military intelligence agency to unsealing two indictments against the members of notorious Russian state hacker groups to undertaking a rare FBI operation to remove malware from network devices that GRU hackers had used to control a global botnet of hacked machines. Earlier this week, NSA and Cyber Command director general Paul Nakasone also told Congress that Cyber Command had sent “hunt forward” teams of US cybersecurity personnel to Eastern Europe to seek out and eliminate network vulnerabilities that hackers could exploit in both Ukraine and the networks of other allies.

Together, it adds up to “a concerted, coordinated campaign to use all of the levers of national power against an adversary,” says J. Michael Daniel, who served as the cybersecurity coordinator in the Obama White House, advising the president on policy responses to all manner of state-sponsored hacking threats. “They’re trying to both disrupt what the adversary is doing currently, and to also potentially deter them from taking further, more expansive actions in cyberspace as a result of the war in Ukraine.”

Daniel says compared to the Obama administration he served in, it’s clear the Biden White House has decided to take a far faster and harder-hitting approach to countering the Kremlin’s hackers. He attributes that shift to both years of US government experience dealing with Vladimir Putin’s regime and the urgency of the Ukrainian crisis, in which Russian state hackers pose an ongoing threat to Ukrainian critical infrastructure and also networks in the West, where Kremlin hackers may lash out in retaliation for sanctions against Russia and military support for Ukraine. “The Russians have made it pretty clear that signaling and small steps are not going to deter them,” says Daniels. “We’ve learned that we need to be more aggressive.”

The Biden administration’s ratcheted-up responses to Russian cyberattacks began in mid-February, before Russia had even launched its full-scale invasion. In a White House press conference, Deputy National Security Advisor Anne Neuberger called out Russia’s GRU for a series of denial of service attacks that had pummeled Ukrainian banks over the prior week. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity,” Neuberger told reporters. Coming just days after the GRU’s attacks, that rebuke represented one of the shortest-ever windows of time between a cyber operation and a US government statement attributing it to a particular agency—a process that has often taken months or even years.

Last month, the Department of Justice unsealed indictments against four individual Russians in two state-linked hacker groups. One indictment named three alleged agents of Russia’s FSB intelligence agency who are accused of belonging to an infamous hacker group, known as Berserk Bear or Dragonfly 2.0, that engaged in a years-long hacking spree that repeatedly targeted critical US infrastructure, including multiple breaches of power grid networks. A second indictment put a name to another highly dangerous hacking campaign, one that used a piece of malware known as Triton or Trisis to target the safety systems of the Saudi oil refinery Petro Rabigh, potentially endangering lives and leading to two shutdowns of the refinery’s operations. The Justice Department pinned that attack on a staffer at the Kremlin-linked Central Scientific Research Institute of Chemistry and Mechanics (known as TsNIIKhM) in Moscow, along with other unnamed coconspirators at the same organization.

At the same time, the Cybersecurity and Infrastructure Security Agency, Justice Department, and FBI were taking on a third Russian state hacker group even more directly. In February, CISA first issued a warning that a GRU hacking group known as Sandworm—with a track record that includes everything from triggering blackouts in Ukraine to the release of the NotPetya malware that inflicted $10 billion in damage worldwide—had assembled a botnet of hacked network devices, along with guidance on how to detect and remove the malware, known as Cyclops Blink. When that advisory led to only a 39 percent drop in the number of devices the botnet hijacked, the FBI took the rare step of actually impersonating the hackers’ communications to its command-and-control machines, sending commands to remove the hackers’ malware from those devices, and thus cutting off Sandworm’s access to at least part of its botnet.

The specific targeting of those three hacker groups—the FSB-linked Berserk Bear hackers, the TsNIIKhM hackers allegedly behind Triton, and GRU-linked Sandworm group—shows how the US government is intentionally taking actions to deter and disable the Russian hackers who present the greatest threat of not mere espionage or cybercrime, but targeted, disruptive cyberwarfare, says John Hultquist, who leads threat intelligence at the cybersecurity firm Mandiant and has tracked all three groups for years. “At a time when the US is bracing for potential cyberattacks from Russia, the Department of Justice has specifically indicted two of these actors and carried out an operation against the third,” says Hultquist. “Those are the actors that have the history and proven capability for disruptive and destructive attacks. That’s why operations have been and should be focused on those actors.”

Shutdown of Russia’s Hydra Market Disrupts a Crypto-Crime ATM

Shutdown of Russia’s Hydra Market Disrupts a Crypto-Crime ATM

On the dark web, the takedown of yet another cryptocurrency-based black market for drugs has become almost a semiannual routine, with plenty of competitors ready to fill the shoes of any market law enforcement manages to bust. But the seizure of the Russian-language dark-web site Hydra may have ripple effects that go further than most: It represents a disruption of not just the post-Soviet world’s biggest hub of online narcotics sales, but also of a cybercriminal money-laundering and cash-out service that had been used in crimes with victims across the globe.

German law enforcement agencies announced early Tuesday morning that German federal police known as the BKA—in a joint operation with the FBI, DEA, IRS Criminal Investigations, and Homeland Security Investigations in the US—seized Hydra’s Germany-based servers, shutting down the site and confiscating $25 million in bitcoins stored there. In doing so, they’ve put an end to, by some measures, the longest-running and most crowded black market in the history of the dark web, with 19,000 seller accounts and more than 17 million customer accounts, according to BKA. The US treasury simultaneously imposed new sanctions on the market and more than a hundred of its cryptocurrency addresses.

In total, Hydra facilitated more than $5 billion dollars in illicit cryptocurrency transactions since it launched in 2015, according to blockchain analysis firm Elliptic. The majority of those transactions, Elliptic says, were sales of illegal drugs, which were strictly limited to Hydra’s target market of former Soviet states. But Hydra also played a significant and more global role for cybercriminals: It offered “mixing” services designed to launder crypto and make it more difficult to trace, alongside exchange services that allowed clients to trade in the crypto proceeds from all manner of crime for Russian rubles—in some cases, even for cash bundles buried in the ground for customers to dig up later.

“It has this dual function of being a drugs market and a service for cybercriminals—and particularly Russian cybercriminals,” says Jess Symington, Elliptic’s research lead. “So it does impact more than just the drugs community, and it forces these individuals to now potentially reconsider how they’re going to launch their funds or cash out.”

Around half of the roughly $2 billion in transactions going into Hydra’s cryptocurrency addresses in 2021 and early 2022 were from illicit or “risky” sources, such as stolen funds, dark-web markets, ransomware, online gambling, scams, and individuals and organizations facing sanctions, according to cryptocurrency tracing firm Chainalysis. In other words, close to a billion dollars’ worth of the money entering Hydra over that time wasn’t clean money used to buy drugs or other contraband available for sale on the site, but rather dirty money that Hydra was helping to launder and exchange for rubles.

Chainalysis has so far tracked just over $200 million in stolen cryptocurrency going into the site’s coffers in 2021 and 2022. It has also tracked much smaller amounts linked to other crimes, with roughly $4 million from sanctioned sources, $5 million from fraud, and $4 million from ransomware. (Chainalysis saw close to $9 million in total ransomware payments funneled into Hydra over the market’s lifetime but says that relatively small number is a conservative estimate.) Another major chunk of the site’s incoming payments during that time, close to $310 million, were from dark-web markets—including some funds from Hydra recycled back into the site—as users sought to launder the proceeds from the sales of drugs and other illegal products and services and cash out.

You Need a Password Manager. Here Are the Best Ones

You Need a Password Manager. Here Are the Best Ones

Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

After signing up, download the app for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for Firefox, Chrome, Safari, Edge, Vivaldi, and Brave.

Best Full-Featured Manager

Dashlane app
Courtesy of Dashlane

I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company did discontinue its desktop app earlier this year, moving to a web-based user interface, which is a little different than 1Password and Bitwarden. (The desktop apps will officially shut down on January 10, 2022.) I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.

Best DIY Option (Self-Hosted)

KeePassXC app displayed on Microsoft Windows
Courtesy of KeePassXC

Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended service, SpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

Why do it yourself? In a word: Transparency. Like Bitwarden, KeepassXC is open source, which means its code can be and has been inspected for critical flaws.

Download the desktop app for Windows, MacOS, or Linux and create your vault. There are also extensions for Firefox, Edge, and Chrome. It does not have official apps for your phone. Instead, the project recommends KeePass2Android or Strongbox for iPhone.

Another Option

NordPass app shown on Mac laptop
Courtesy of NordPass

NordPass is a relatively new kid on the password manager block, but it comes from a company with significant pedigree. NordVPN is a well-known VPN provider, and the company brings to its password manager much of the ease of use and simplicity that made its VPN offering popular. The installation and setup process is a breeze. There are apps for every major platform (including Linux), browser, and device.

The free version of NordPass is limited to one device, and there’s no syncing available. There is a seven-day free trial of the premium version, which lets you test device syncing. But to get that for good, you’ll have to upgrade to the $36-a-year plan. (Like its VPN service, NordPass accepts payment in cryptocurrencies.)

A Sinister Way to Beat Multifactor Authentication Is on the Rise

A Sinister Way to Beat Multifactor Authentication Is on the Rise

Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.

It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”