This blog was supposed to be written and posted weeks ago and was originally about the indictment of named Russian GRU officers by the FBI, but we have been crazily busy winning business here at Tiberium Towers, so we humbly apologise for the delay.
Now back in the swing of things and having come up with such a natty title (see what we did there?), we decided to still discuss the now ancient GRU news, together with more up to date issues. Although 20 odd days is a long time in the IT world, it seems that the themes of way back then are still current, so we will press on.
So, way back in the day, four weeks ago, the FBI indicted six named GRU officers, even posting their mugshots and their place of work (22 Kirova Street, Moscow. Nicknamed The Tower both in the indictment and by friends and foes of this so-called ‘Fancy Bear’ group). The naming and mug shotting of alleged Nation-State operatives appear to be the new FBI MO, which they also used against Chinese state hackers, presumably in order to show off the mighty power of The Bureau.
The indictments were for the following:
- The Petya ransomware attacks targeting Ukraine in 2015 (with much collateral damage)
- Attacks against Georgia (Surprise!)
- Meddling and influencing the French elections
- Attempting to mess up the 2018 Winter Olympics
- Attempts to de-rail the UK investigations into the poisoning of Sergei Skripal (by two cathedral buffs who also happened to be GRU assassins)
These are clearly serious charges and look to have been meticulously and thoroughly investigated. We can only thank and praise the diligence to the FBI.
Two standouts from the indictments for us were:
The primary vector for these attacks was, wait for it, Phishing and Spear Phishing. To our mind, this remains the number one mechanism to breach your defences and deploy Ransomware (see below), steal credentials or Intellectual property, disrupt infrastructure or utility equipment etc. etc.
At Tiberium, we advise staff training and testing together with automated tooling to detect and protect against these sorts of attacks and subsequent infections. We would love to show you our tooling should you so desire, contact details below.
Secondly, interference in the French election was explicitly called out. Unusual then that there is no mention of interference in The American or UK Brexit voices. Does another indictment wait in the wings until after the US Election, or has a deal been done in the corridors of power? Time will tell.
More recently, and it (unsurprisingly) turns out that those pesky Russians (formerly known as APT28, yes our old pals Fancy Bear ), have been modifying the ‘Zebrocy’ backdoor to improve the capabilities of a remote attacker to exfiltrate data etc. There is an excellent piece by our friends at The Register here. Once again the attack vector for this attack is Phishing, Spear or otherwise (see above).
Last week saw the publishing of the UK’s NCSC annual review. It makes fascinating reading, and we recommend everyone to have at least a skim of the content. If you can’t be bothered a decent summary is here.
Something that did stand out to us was that the NCSC appear have been allowing the animals to roam, at least in the NHS, where it turns out they have been actively detecting, hunting and implementing protection for The NHS, testing of 1.4 million endpoints and implementing web, email and DNS protection.
This is reportedly after a significant rise in the number of attacks using the cover of the current Covid crisis to dupe users into, once again, opening infected emails. (We do recommend you sign up for NCSC Active Defence Programme).
With all this healthcare kerfuffle, it comes as little surprise to us that departments of the US government (including the incredibly busy FBI once more) announced ‘New Ransomware activity targeting the Healthcare and Public Health Sectors’ Nattily named Alert (AA20-302A), this excellent piece of work dismantles the new attacks and describes them accurately. If nothing else, this advisory is worth a read because to describes the mechanics of pretty much any Ransomware attack at a readable level of detail. It is well worth a read.
Having seen a death reported in a German hospital as a result of Ransomware back in September, we can only imagine to what levels these low lives will stoop and look forward to the day when they too are brought to justice.
Of course, this week saw the passing of the one man who did more for the image of spies (well handsome, suave Scottish ones at least) than any of these Russians. RIP Sean Connery.
We would love the opportunity to show you our platform and tooling, which is designed to detect and automatically protect against attacks to your infrastructure. Simply, swiftly and automatically delivered with no fun, we are confident that we can improve your security posture and outcome. Contact us here.