Ukraine-Russia cyber war

Ukraine and Russia are at the moment fighting both a traditional war and a cyber war; we could call that hybrid warfare. We are in a cyber war. Countless examples exist of damage to infrastructure from hostile acts via computer attacks. Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyber war. On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. Russia started to conduct attacks on Ukraine on February 24. Before the physical attacks, Russia carried out several cyber attacks on IT systems in Ukraine.

Here are links to some material on the cyber side of this war:

How the Eastern Europe Conflict Has Polarized Cyberspace
https://blog.checkpoint.com/2022/02/27/how-the-eastern-europe-conflict-polarized-cyberspace/
The war between Russia and Ukraine is advancing. People everywhere are deciding who they will support. The same dynamic happens in the cyberspace. Hacktivists, cybercriminals, white hat researchers or even technology companies are picking a clear side, emboldened to act on behalf of their choices. Historically, Russia has had superiority over Ukraine in the cyberspace. And last week, Ukraine was attacked by destructive wiping malware. However, the situation is starting to change, as most of the non-nation cyber state actors are taking the side of Ukraine. To defend itself, the Ukrainian government has created an international IT army of hacktivists.

As war escalates in Europe, it’s ‘shields up’ for the cybersecurity industry
https://techcrunch.com/2022/03/02/as-war-escalates-in-europe-its-shields-up-for-the-cybersecurity-industry/
In unprecedented times, even government bureaucracy moves quickly. As a result of the heightened likelihood of cyberthreat from Russian malactor groups, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — part of the Department of Homeland Security — issued an unprecedented warning recommending that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”

Digital technology and the war in Ukraine
https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/
All of us who work at Microsoft are following closely the tragic, unlawful and unjustified invasion of Ukraine. This has become both a kinetic and digital war, with horrifying images from across Ukraine as well as less visible cyberattacks on computer networks and internet-based disinformation campaigns. We are fielding a growing number of inquiries about these aspects and our work, and therefore we are putting in one place a short summary about them in this blog. This includes four areas: protecting Ukraine from cyberattacks; protection from state-sponsored disinformation campaigns; support for humanitarian assistance; and the protection of our employees. Also:
https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/

Ukraine: Cyberwar creates chaos, ‘it won’t win the war’
https://www.dw.com/en/ukraine-cyberwar-creates-chaos-it-wont-win-the-war/a-60999197
There have been at least 150 cyberattacks in Ukraine since Russia’s invasion. Their effect is mainly psychological, and experts say they won’t decide the war.
Russia’s invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional “boots on the ground” — and a slightly more unconventional, digital or cyberwar.
The global technology company Microsoft has said its Threat Intelligence Center (MSTIC) detected “destructive cyberattacks directed against Ukraine’s digital infrastructure” hours before the first launch of missiles or movement of tanks on February 24.
Those attacks, which Microsoft dubbed FoxBlade, included so-called wipers — malicious software or malware — that make their way inside computer networks and literally wipe the data from all connected devices.
Cybersecurity experts in Germany have said there have been over a hundred cyberattacks, in various forms, since then. But their effect has mainly been psychological.

Why Russia Hasn’t Launched Major Cyber Attacks Since the Invasion of Ukraine
https://time.com/6153902/russia-major-cyber-attacks-invasion-ukraine/
In the relatively short and rapidly evolving history of cyber conflict, perhaps nothing has been established with greater certainty and more widely accepted than the idea that Russia has significant cyber capabilities and isn’t afraid to use them—especially on Ukraine. In 2015, Russian government hackers breached the Ukrainian power grid, leading to widespread outages. In 2017, Russia deployed the notorious NotPetya malware via Ukrainian accounting software and the virus quickly spread across the globe costing businesses billions of dollars in damage and disruption.
As tensions escalated between Russia and Ukraine, many people were expecting the conflict to have significant cyber components.
But as the invasion continues with few signs of any sophisticated cyber conflict, it seems less and less likely that Russia has significant cyber capabilities in reserve, ready to deploy if needed. Instead, it begins to look like Russia’s much vaunted cyber capabilities have been neglected in recent years, in favor of developing less expensive, less effective cyber weapons that cause less widespread damage and are considerably easier to contain and defend against. For instance, many of the cyberattacks directed at Ukraine in the past month have been relatively basic distributed denial-of-service attacks.
Given Russia’s past willingness to deploy cyberattacks with far-reaching, devastating consequences, it would be a mistake to count out their cyber capabilities just because they have so far proven unimpressive. And it’s all but impossible to prove the absence of cyber weapons in a nation’s arsenal. But the longer the conflict goes on without any signs of sophisticated cyber sabotage, the more plausible it becomes that the once formidable Russian hackers are no longer playing a central role in the country’s military operations.

Crowd-sourced attacks present new risk of crisis escalation
https://blog.talosintelligence.com/2022/03/ukraine-update.html
An unpredictable and largely unknown set of actors present a threat to organizations, despite their sometimes unsophisticated techniques.
Customers who are typically focused on top-tier, state-sponsored attacks should remain aware of these highly motivated threat actors, as well. Misattribution of these actors carries the risk of nations escalating an already dangerous conflict in Ukraine. Based on data from our fellow researchers at Cisco Kenna, customers should be most concerned about threat actors exploiting several recently disclosed vulnerabilities, highlighting the importance of consistently updating software and related systems.

Russia, Ukraine and the Danger of a Global Cyberwar
https://www.securityweek.com/russia-ukraine-and-danger-global-cyberwar
On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladimir Putin.
Russia has been waging its own cyberwar against Ukraine for many years.
Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.
The purpose of such cyber activity is to weaken critical infrastructure, damage government’s ability to respond to any aggression, and to demoralize the population.
The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened.
“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do.
This raises the whole question of ‘attribution’. The received belief is that it is impossible to do accurate cyber attribution. “That is absolutely wrong,” said Willett. “It would be a mistake for any one nation to think it could attack another without being known.”
But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both malwares escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could lead to wider implications during a period of global geopolitical tension.
On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.

Ukraine Digital Army Brews Cyberattacks, Intel and Infowar
https://www.securityweek.com/ukraine-digital-army-brews-cyberattacks-intel-and-infowar
Formed in a fury to counter Russia’s blitzkrieg attack, Ukraine’s hundreds-strong volunteer “hacker” corps is much more than a paramilitary cyberattack force in Europe’s first major war of the internet age. It is crucial to information combat and to crowdsourcing intelligence.
Inventions of the volunteer hackers range from software tools that let smartphone and computer owners anywhere participate in distributed denial-of-service attacks on official Russian websites to bots on the Telegram messaging platform that block disinformation, let people report Russian troop locations and offer instructions on assembling Molotov cocktails and basic first aid.
The movement is global, drawing on IT professionals in the Ukrainian diaspora whose handiwork includes web defacements with antiwar messaging and graphic images of death and destruction in the hopes of mobilizing Russians against the invasion.
The cyber volunteers’ effectiveness is difficult to gauge. Russian government websites have been repeatedly knocked offline, if briefly, by the DDoS attacks, but generally weather them with countermeasures.
It’s impossible to say how much of the disruption — including more damaging hacks — is caused by freelancers working independently of but in solidarity with Ukrainian hackers.
A tool called “Liberator” lets anyone in the world with a digital device become part of a DDoS attack network, or botnet. The tool’s programmers code in new targets as priorities change.

Ukraine Cyber Official: We Only Attack Military Targets
https://www.securityweek.com/ukraine-cyber-official-we-only-attack-military-targets
A top Ukrainian cybersecurity official said Friday a volunteer army of hundreds of hackers enlisted to fight Russia in cyberspace is attacking only what it deems military targets, prioritizing government services including the financial sector, Kremlin-controlled media and railways.
Victor Zhora, deputy chair of the state special communications service, also said that there had been about 10 hostile hijackings of local government websites in Ukraine to spread false text propaganda saying his government had capitulated. He said most of Ukraine’s telecommunications and internet were fully operational.
Zhora told reporters in a teleconference that presumed Russian hackers continued to try to spread destructive malware in targeted email attacks on Ukrainian officials and — in what he considers a new tactic — trying to infect the devices of individual citizens.

Army of Cyber Hackers Rise Up to Back Ukraine
https://www.securityweek.com/army-cyber-hackers-rise-back-ukraine
An army of volunteer hackers is rising up in cyberspace to defend Ukraine, though internet specialists are calling on geeks and other “hacktivists” to stay out of a potentially very dangerous computer war.
According to Livia Tibirna, an analyst at cyber security firm Sekoia, nearly 260,000 people have joined the “IT Army” of volunteer hackers, which was set up at the initiative of Ukraine’s digital minister Mykhailo Fedorov.
The group, which can be accessed via the encrypted messaging service Telegram, has a list of potential targets in Russia, companies and institutions, for the hackers to target.
It’s difficult to judge the effect the cyber-army is having.

Russia Releases List of IPs, Domains Attacking Its Infrastructure with DDoS Attacks
https://thehackernews.com/2022/03/russia-releases-list-of-ips-domains.html
Russia Blocks Access to Facebook Over War
https://www.securityweek.com/russia-blocks-access-facebook-over-war
Russia’s state communications watchdog has ordered a complete block on access to Facebook in Russia amid the tensions over the war in Ukraine.
The agency, Roskomnadzor, said Friday it decided to cut access to Facebook over its alleged “discrimination” against Russian media and state information resources. It said the restrictions introduced by Facebook owner Meta on RT and other state-controlled media violate Russian law.

Cyberattack Knocks Thousands Offline in Europe
https://www.securityweek.com/cyberattack-knocks-thousands-offline-europe
Thousands of internet users across Europe have been thrown offline after what sources said Friday was a likely cyberattack at the beginning of Russia’s offensive in Ukraine.
According to Orange, “nearly 9,000 subscribers” of a satellite internet service provided by its subsidiary Nordnet in France are without internet following a “cyber event” on February 24 at Viasat, a US satellite operator of which it is a client.
Eutelsat, the parent company of the bigblu satellite internet service, also confirmed to AFP on Friday that around one-third of bigblu’s 40,000 subscribers in Europe, in Germany, France, Hungary, Greece, Italy and Poland, were affected by the outage on Viasat.
In the US, Viasat said on Wednesday that a “cyber event” had caused a “partial network outage” for customers “in Ukraine and elsewhere” in Europe who rely on its KA-SAT satellite.
Viasat gave no further details, saying only that “police and state partners” had been notified and were “assisting” with investigations.
General Michel Friedling, head of France’s Space Command said there had been a cyberattack.

Cybercriminals Seek to Profit From Russia-Ukraine Conflict
https://www.securityweek.com/cybercriminals-seek-profit-russia-ukraine-conflict
Dark web threat actors are looking to take advantage of the tensions between Russia and Ukraine, offering network access and databases that could be relevant to those involved in the conflict, according to a new report from Accenture.
Since mid-January, cybercriminals have started to advertise compromised assets relevant to the Russia-Ukraine conflict, and they are expected to increase their offering of databases and network access, with potentially crippling effects for the targeted organizations.
Just over a month ago, soon after the destructive WhisperGate attacks on multiple government, IT, and non-profit organizations in Ukraine, threat actors started to advertise on the dark web access to both breached networks and databases that allegedly contained personally identifiable information (PII).
Amid Russian invasion, Ukraine granted formal role with NATO cyber hub
https://therecord.media/amid-russian-invasion-ukraine-granted-formal-role-with-nato-cyber-hub/
Ukraine was granted the formal role of “contributing participant” to the hub, known as the Cooperative Cyber Defence Centre of Excellence (CCDCOE), by its 27-member steering committee, the organization announced. “Ukraine’s presence in the Centre will enhance the exchange of cyber expertise between Ukraine and CCDCOE member nations,” Col. Jaak Tarien, the institution’s director, said in a statement.

This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites
https://therecord.media/this-ukrainian-cyber-firm-is-offering-hackers-bounties-for-taking-down-russian-sites/
In the days following Russia’s invasion of Ukraine, dozens of hacking groups have taken sides in the conflict, launching attacks on various organizations and government institutions. Cyber Unit Technologies, a Kyiv-based cybersecurity startup, has been particularly outspoken: on Tuesday, the company started a campaign to reward hackers for taking down Russian websites and pledged an initial $100,000 to the program.

High Above Ukraine, Satellites Get Embroiled in the War
https://www.wired.com/story/ukraine-russia-satellites/
While the Russian invasion rages on the ground, companies that operate data-collecting satellites find themselves in an awkward position.
Some researchers are worried that the reliance on satellite imagery has given too much power to the companies that control this technology. “There’s companies like Maxar and Planet that are privately owned and they have the final say on whether or not they want to share the information,” says Anuradha Damale. The role of private companies in conflicts such as Ukraine means commercial satellites could become targets. In the days before Russia invaded, US space officials warned satellite companies that the conflict could extend into space.

CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine
https://www.cisa.gov/uscert/ncas/current-activity/2022/02/26/cisa-releases-advisory-destructive-malware-targeting-organizations
CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.
Alert: https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

US firms should be wary of destructive malware unleashed on Ukraine, FBI and CISA warn – CNNPolitics
https://www.cnn.com/2022/02/26/politics/ukraine-malware-warning-cybersecurity-fbi-cisa/index.html
EU Activates Cyber Rapid Response Team Amid Ukraine Crisis
https://www.bankinfosecurity.com/eu-activates-cyber-rapid-response-team-amid-ukraine-crisis-a-18584
Amid rapid escalation in the Russia-Ukraine conflict derived from historical grievances and qualms with Ukraine’s plan to join the military alliance NATO, the world’s network defenders remain on high alert. And on Tuesday, the European Union confirmed that it will activate its elite cybersecurity team to assist Ukrainians if Russian cyberattacks occur.

UK alludes to retaliatory cyber-attacks on Russia
https://therecord.media/uk-alludes-to-retaliatory-cyber-attacks-on-russia/
The UK government alluded yesterday that it might launch offensive cyber operations against Russia if the Kremlin attacks UK computer systems after an invasion of Ukraine.

Amazon: Charities, aid orgs in Ukraine attacked with malware
https://www.bleepingcomputer.com/news/security/amazon-charities-aid-orgs-in-ukraine-attacked-with-malware/
Charities and non-governmental organizations (NGOs) providing critical support in Ukraine are targeted in malware attacks aiming to disrupt their operations and relief efforts seeking to assist those affected by Russia’s war. Amazon has detected these attacks while working with the employees of NGOs, charities, and aid organizations, including UNICEF, UNHCR, World Food Program, Red Cross, Polska Akcja Humanitarna, and Save the Children.

Ransomware Used as Decoy in Destructive Cyberattacks on Ukraine
https://www.securityweek.com/ransomware-used-decoy-destructive-cyberattacks-ukraine
Destructive ‘HermeticWiper’ Malware Targets Computers in Ukraine
https://www.securityweek.com/destructive-hermeticwiper-malware-targets-computers-ukraine
Just as Russia was preparing to launch an invasion of Ukraine, Ukrainian government websites were disrupted by DDoS attacks and cybersecurity firms reported seeing what appeared to be a new piece of malware on hundreds of devices in the country.
The new malware, dubbed “HermeticWiper” by the cybersecurity community, is designed to erase infected Windows devices. The name references a digital certificate used to sign a malware sample — the certificate was issued to a Cyprus-based company called Hermetica Digital.
“At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” explained endpoint security firm SentinelOne, whose researchers have been analyzing the new malware.
The malware has also been analyzed by researchers at ESET and Symantec. Each of the companies has shared indicators of compromise (IoCs) associated with HermeticWiper.
ESET first spotted HermeticWiper on Wednesday afternoon (Ukraine time) and the company said hundreds of computers in Ukraine had been compromised.

HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure. This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack. This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available. Also:
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/

HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/
The day before the invasion of Ukraine by Russian forces on February 24, a new data wiper was unleashed against a number of Ukrainian entities. This malware was given the name “HermeticWiper” based on a stolen digital certificate from a company called Hermetica Digital Ltd. This wiper is remarkable for its ability to bypass Windows security features and gain write access to many low-level data-structures on the disk. In addition, the attackers wanted to fragment files on disk and overwrite them to make recovery almost impossible.

In Ukraine, Online Gig Workers Keep Coding Through the War
https://www.wired.com/story/gig-work-in-ukraine/
Freelancers or gig workers who piece together work on online platforms are a hidden engine of the Ukrainian economy, and the world’s. They work as software engineers, project managers, IT technicians, graphic designers, editors, and copywriters. And they work for everyone.
Invading Russian forces have plunged freelancers’ home offices into chaos and uncertainty. Vlad, a video editor in southern Ukraine, says he’s grown accustomed to the air alarm signal, and hiding until it has passed. Now there are battles 30 miles from his home. “But as long as there is water, electricity, and internet, I can work,” he says.
“Because we all need to live for something, eat

Leaving Russia? Experts Say Wipe Your Phone Before You Go
https://www.forbes.com/sites/thomasbrewster/2022/03/04/russians-escaping-putins-repression-urged-to-wipe-their-phones/
Russians fleeing President Vladimir Putin’s regime as it cracks down on anti-war sentiment, and as rumors of martial law grow louder, are being advised to wipe their phones, especially of any traces of support for Ukraine. If they don’t, experts say they may face detention. They’re starting by deleting messages on Signal, Telegram or any app that promises security. For those leaving the country, they’re deleting the apps themselves, and urging others to do the same. Russian media has first-hand accounts of lengthy interrogations at the border, along with phone and laptop searches, though Forbes could not corroborate those claims.

Why ICANN Won’t Revoke Russian Internet Domains
The organization says cutting the country off would have “devastating” effects on the global internet system.
https://www.wired.com/story/why-icann-wont-revoke-russian-internet-domains/#intcid=_wired-bottom-recirc_8e802014-a05f-48c5-89e8-9dad931361ad_text2vec1-reranked-by-vidi
Ukraine on Monday asked ICANN to revoke Russian top-level domains such as .ru, .рф, and .su; to “contribute to the revoking for SSL certificates” of those domains; and to shut down DNS root servers in Russia. Fedorov argued that the requested “measures will help users seek for reliable information in alternative domain zones, preventing propaganda and disinformation.”
Ukraine’s request to cut Russia off from core parts of the internet has been rejected by the nonprofit group that oversees the Internet’s Domain Name System (DNS). CEO Göran Marby of the Internet Corporation for Assigned Names and Numbers (ICANN) said the group must “maintain neutrality and act in support of the global internet.”
“Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the internet—regardless of the provocations,” Marby wrote in his response to Ukraine Vice Prime Minister Mykhailo Fedorov.
https://www.icann.org/en/system/files/correspondence/marby-to-fedorov-02mar22-en.pdf

TikTok Was Designed for War
As Russia’s invasion of Ukraine plays out online, the platform’s design and algorithm prove ideal for the messiness of war—but a nightmare for the truth.
https://www.wired.com/story/ukraine-russia-war-tiktok/#intcid=_wired-bottom-recirc_8e802014-a05f-48c5-89e8-9dad931361ad_text2vec1-reranked-by-vidi


  1. Tomi Engdahl says:

    Report: Russia has struck civilian targets with weapons containing Western-made parts
    https://www.hs.fi/ulkomaat/art-2000009424724.html

    According to the report, weapons containing Western-manufactured parts were used in every suspected war crime it examined.

    PARTS made by Western companies have been used in war crimes that Russian forces are suspected of committing in Ukraine. This is stated in a report by the international human rights organisation IPHR and the independent anti-corruption commission NAKO.

    The report examined several war crimes that Russian forces are suspected of committing in Ukraine. According to the report, weapons containing Western-manufactured parts were used in every suspected war crime it examined, as the Kyiv Independent, which reported on the matter, interprets it. The report focused particularly on strikes against civilians.

    Report: Western-made parts are used in Russian weapons involved in war crimes
    https://kyivindependent.com/news-feed/report-western-made-parts-are-used-in-russian-weapons-involved-in-war-crimes

    Western technology companies continued to export dual-use and specific military components to Russia as late as November 2022, according to a new report released by International Partnership for Human Rights and the Independent Anti-Corruption Commission.

    The report examined multiple war crimes allegedly committed by Russian troops in Ukraine, suggesting that Western-made parts were used in weapons involved in each crime.

  2. Tomi Engdahl says:

    New Report Links Western-Made Components to the Weapons Used in Russia’s Suspected Ukraine War Crimes
    https://www.iphronline.org/western-made-components-in-russia-war-against-ukraine.html

    A new report, released by International Partnership for Human Rights and the Independent Anti-Corruption Commission, has found that western-made dual-use components have continued to reach Russia long after its full-scale invasion of Ukraine, and that western-made components have been and continue to be used within weapons involved in Russian suspected war crimes. The report explores multiple suspected war crimes that have been committed by Russian forces since the start of the full-scale invasion, with each of them believed to have been carried out using a weapon or weapons containing western-made components.

    The revelation that western-made components continue to reach Russia long after the invasion raises moral and ethical concerns for the companies involved as well as questions about their due diligence and risk assessment processes. Trade data revealed that three western technology companies

    Trade data shows that components manufactured by Harting, Trimble, and TE Connectivity continue to be imported by Russia, either through official distributors for the companies, or third countries such as Hong Kong and Turkey.

    Among the suspected war crimes examined are Russian strikes on residential buildings, civilian infrastructure, and power plants, leaving hundreds of civilians killed and wounded and millions of people without heat and water.

    The report concludes that four key Russian weapons and weapon systems used to carry out suspected war crimes are, to varying degrees, reliant upon western-made components. It also concludes that existing regulations and enforcements aiming to cut Russia’s access to western dual-use technology are not sufficient, evidenced by the fact that exports to Russia from companies making components sought by the Kremlin continue.

    https://www.iphronline.org/wp-content/uploads/2023/02/Enabling-War-Crimes-report-final.pdf

  3. Tomi Engdahl says:

    Russia squandered its chance at a major offensive, Russian researcher tells Yle – now a new factor is holding back escalation of the war
    A Russian and a Finnish expert interviewed by Yle assess the current situation of the war in Ukraine.
    https://yle.fi/a/74-20020193

    – The weather is now the most important determining factor in the war, says researcher Nikolai Mitrohin.

    Already last year he held the view that carrying out a winter offensive after mid-February is impossible because of the spring thaw. In March and April the black-earth country is already impassable.

    Surprises are still possible.

    – One should not underestimate the idiocy of Russian generals. They are capable of doing fantastical things, Mitrohin adds.

    The sides are digging into trenches
    Ilmari Käihkö, docent of military sciences and visiting researcher at the Aleksanteri Institute, tells Yle in an interview that Russia’s ongoing operation is a major offensive only in quotation marks.

    – It has not looked very big. The front line has shortened and both sides have concentrated more troops near it, says Käihkö.

    At the same time they have begun digging into trenches. Both are also plagued by a shortage of equipment.

    According to Mitrohin, Russia was preparing an offensive but found that there was not enough winter equipment for the soldiers, nor even enough armoured vehicles. In addition, a shortage of artillery ammunition is restraining military operations.

    – The sides are now consuming so much ammunition that they cannot continue operations at the current intensity, Mitrohin estimates.

    The ammunition shortage is already visible on the battlefield
    Käihkö points out that Russia used enormous quantities of ammunition last year, which has now forced it to reduce its use of artillery fire.

    Both researchers point out that Russia as well as Ukraine’s Western supporters are seeking to increase ammunition production. However, the quantity of ammunition consumed in artillery barrages has been such that, according to Käihkö, a month’s production in Europe and the United States covers only a few days of Ukraine’s needs.

    – If both sides run short of ammunition, the intensity of the war will decrease and the front lines will become more permanent

    Käihkö points out that the situation taking shape this way benefits Russia more than Ukraine, which must mount a counteroffensive to achieve its goals.

    – The map shows that Russia occupies just under a fifth of Ukraine. Of the territory Russia has captured since February of last year, Ukraine has liberated about half, says Käihkö.

    – It is possible that Ukraine can return to the February 2022 borders, says Käihkö.

    He adds, however, that it is not an easy task, and there is no certainty that the Ukrainian army is capable of it.

    This depends both on Western support for Ukraine and on what Russia does.

    – If the United States is prepared to write a two-billion-dollar cheque for ammunition and equipment every week, Ukraine can continue fighting at the current scale, Mitrohin says.

    What happens next depends on the permanence of Western support and on Ukraine’s success on the battlefield.

  4. Tomi Engdahl says:

    How Ukraine is staying connected to the internet — for now
    https://www.youtube.com/watch?v=3zM_4VAxifs

    Even as Russia targets Ukraine’s infrastructure, the country has managed to stay connected to the internet with help from Elon Musk’s company Starlink and a small Montreal cybersecurity firm.

  5. Tomi Engdahl says:

    https://deepstatemap.live/en#6/49.438/32.053

    Interactive Map: Russia’s Invasion of Ukraine
    https://storymaps.arcgis.com/stories/36a7f6a6f5a9448496de641cf64bd375

    https://www.google.com/maps/d/viewer?mid=1lscRK6ehG0l2V-XvJ16nsyblMsQ&hl=en_US&ll=49.13769808196173%2C35.04776001289064&z=5

    Interactive Map: Russia’s Invasion of Ukraine
    https://www.understandingwar.org/interactive-map-russias-invasion-ukraine

    This interactive map complements the static control-of-terrain maps that ISW daily produces with high-fidelity and, where possible, street-level assessments of the war in Ukraine.

  6. Tomi Engdahl says:

    Russia banned Telegram, Teams, WhatsApp and Skype
    https://fin.afterdawn.com/uutiset/2023/03/04/venaja-kielsi-telegramin-teamsin-whatsappin-ja-skypen

    The list of banned applications is precisely this:

    Viber
    Discord
    WeChat
    Snapchat
    Telegram
    Threema
    WhatsApp
    Microsoft Teams
    Skype for Business

    A couple of things make the list confusing. Firstly, the list includes the Chinese WeChat, which is unlikely to leak data to the West – to China, all the more so. Another noteworthy addition is Telegram, which is hugely popular in Russia and also in Ukraine. The app is originally Russian, but nobody really seems to know anything about the level of its security. The company itself says its security is high-grade, but the security community is not at all convinced of Telegram’s security.

    Roskomnadzor, which supervises Russia’s telecommunications, says in its announcement (in Russian, the link leads to a Russian server) that the ban applies to Russian organisations and the people working in them.

    Russia has already previously censored the internet heavily, banned the operation of a free press in the country and has actively sought to block the use of VPN connections. The country’s blocking measures are, however, nowhere near the level of China’s.

  7. Tomi Engdahl says:

    A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war https://therecord.media/a-year-of-wipers-how-the-kremlin-backed-sandworm-has-attacked-ukraine-during-the-war/
    “While Sandworm is not the Kremlin’s most important hacking group, it has perhaps become the most visible one, with an emphasis on disruptive cyberattacks. Since the start of the war, Sandworm has been relentlessly targeting Ukraine with various malware strains. Some were highly sophisticated, while others contained bugs that made them easier to detect and prevent from spreading.” — a write-up on wipers, Sandworm and Ukraine.

  8. Tomi Engdahl says:

    Russia’s attack on Ukraine began differently than you thought – This is what the still-ongoing ”secret war” looks like
    https://www.iltalehti.fi/ulkomaat/a/f585a37f-2470-4d40-b350-7fb8dac3bf72

    Russia’s attack on Ukraine actually began already on 23 February 2022 with an effective cyberattack. Russia, however, underestimated Ukraine’s capability on the cyber front as well.

    While the world’s attention is focused on the bloody battle between the Ukrainian and Russian armies on the Donbas front, a different kind of ferocious struggle is under way in cyberspace. Although hardly any blood is shed on this battlefield, the scale of the destruction and its consequences is just as enormous.

  9. Tomi Engdahl says:

    Russian Cyberwar in Ukraine Stumbles Just Like Conventional One
    https://www.bloomberg.com/news/articles/2023-03-09/russian-cyberwar-in-ukraine-stumbles-just-like-conventional-one?srnd=premium-europe&leadSource=uverify%20wall

    The Russian cyber threat, like President Vladimir Putin’s army, was expected to overwhelm Ukraine’s capacities quickly.

    Even before Russia invaded Ukraine, its hacking offensive was well under way.

    Suspected Russian hackers targeted Ukrainian government and financial websites with so-called distributed denial-of-service attacks aimed at creating chaos; they bombarded government, nonprofit and IT organizations with malicious software designed to render computers inoperable; and, in a broadside widely blamed on Russia, they zeroed in on Viasat Inc.’s commercial satellite network, causing major disruptions in Ukrainian communications, including for military units, at a crucial

  10. Tomi Engdahl says:

    ”Seek shelter immediately” – hackers put a nuclear attack warning on Russian television
    Russia’s emergencies ministry issued a statement on the hacker attacks that caused the alert
    https://www.is.fi/digitoday/tietoturva/art-2000009444934.html

    HACKERS caused a widespread air raid alert in Russia yesterday, Thursday.

    – An air raid alert was declared in the Moscow region as a result of hacking of radio and television channels, Russia’s emergencies ministry said according to Ria Novosti.

    In addition, air raid alerts were issued in the Sverdlovsk and Tula regions. According to the emergencies ministry these were also caused by a hacker attack. According to The Moscow Times, alerts were also issued in the Belgorod and Voronezh regions, in occupied Crimea and in St. Petersburg.

    The emergencies ministry said the alerts were false. The targets were reportedly private radio and television channels.

    Last week a similar attack set off air raid sirens in various parts of Russia.

  11. Tomi Engdahl says:

    Microsoft fixes Outlook zero-day used by Russian hackers since April 2022
    https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
    Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia’s military intelligence service GRU to target European organizations.
    The security vulnerability was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022. The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. The stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox folder permissions, a tactic allowing for email exfiltration for specific accounts.

  12. Tomi Engdahl says:

    Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
    This new threat actor we are naming YoroTrooper has been targeting governments across Eastern Europe since at least June 2022, and Cisco Talos has found three different activity clusters with overlapping infrastructure that are all linked to the same threat actor. Cisco Talos does not have a full overview of this threat actor, as we were able to collect varying amounts of detail in each campaign. In some cases, for instance, we were able to fully profile a campaign, while in other cases, we only identified the infrastructure or compromised data. Our assessment is that the operators of this threat actor are Russian language speakers, but not necessarily living in Russia or Russian nationals since their victimology consists mostly of countries in the Commonwealth of Independent States (CIS). There are also snippets of Cyrillic in some of their implants, indicating that the actor is familiar with the language. Also, in some cases, the attackers are targeting Russian language endpoints (with Code Page 866), indicating a targeting of individuals speaking that specific language

  13. Tomi Engdahl says:

    This Is the New Leader of Russia’s Infamous Sandworm Hacking Unit https://www.wired.com/story/russia-gru-sandworm-serebriakov/
    Evgenii Serebriakov now runs the most aggressive hacking team of Russia’s GRU military spy agency. To Western intelligence, he’s a familiar face. For years, the hacking unit within Russia’s GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history: blackouts, fake ransomware, data-destroying worms, from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency’s botched operations, blown cover stories, and international indictments, perhaps it’s no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.
    The commander of Sandworm, the notorious division of the agency’s hacking forces responsible for many of the GRU’s most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

  14. Tomi Engdahl says:

    Critical Microsoft Outlook bug PoC shows how easy it is to exploit
    https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/
    Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email.

    Microsoft yesterday released a patch for the security flaw but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since at least mid-April 2022.
    The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows.
    An attacker can use it to steal NTLM credentials by simply sending the target a malicious email. No user interaction is needed as exploitation occurs when Outlook is open and the reminder is triggered on the system.
    Easy exploitation
    Windows New Technology LAN Manager (NTLM) is an authentication method used to log in to Windows domains using hashed login credentials.
    Although NTLM authentication comes with known risks, it is still used on new systems for compatibility with older systems.
    Microsoft explained that an attacker can use CVE-2023-23397 to obtain NTLM hashes by sending “a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server.”
    Apart from calendar appointments, an attacker could also use Microsoft Outlook Tasks, Notes, or email messages to steal the hashes.
    Chell notes that CVE-2023-23397 can be used to trigger authentication to an IP address that is outside the Trusted Intranet Zone or Trusted Sites.
    The vulnerability was found and reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT-UA), likely after seeing it used in attacks targeting its services.
    According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors.
    Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
    https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
    CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.
    The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages.

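The mechanism the two CVE-2023-23397 comments above describe (a reminder property carrying a UNC path, which Outlook opens over SMB on TCP 445 when the reminder fires, handing the user's NTLM negotiation to whatever host the path names) is straightforward to hunt for once the reminder-sound property of calendar items, tasks and notes has been exported from the mailboxes. The Python below is an added example written for this page; it is not Microsoft's detection script and not code from any of the articles linked here. It assumes the values of the PidLidReminderFileParameter property (that property name comes from Microsoft's guidance, not from this page) have already been pulled out of the mailboxes, uses a hypothetical internal DNS suffix `corp.example`, and runs over constructed sample messages rather than real mail:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# UNC path such as \\host\share\file.wav; group 1 is the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")

# Address ranges a Windows client reaches without leaving the intranet:
# RFC 1918, loopback and link-local, for IPv4 and IPv6.
INTRANET_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


@dataclass
class MessageReminder:
    """One Outlook item and the value of its reminder-sound property
    (PidLidReminderFileParameter, the property Microsoft's guidance names)."""
    message_id: str
    sender: str
    reminder_file: Optional[str]


def parse_unc_host(path: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None if the value is not UNC."""
    match = UNC_RE.match(path.strip())
    return match.group(1).lower() if match else None


def host_is_intranet(host: str, internal_suffixes: Tuple[str, ...]) -> bool:
    """Approximate the Windows Intranet Zone decision for a UNC host name.

    Dotless names are intranet by default; dotted names count only when they
    fall under an operator-supplied internal DNS suffix (an assumption here).
    IP literals count only when they sit in a private/loopback/link-local range.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:
            return True
        return any(host == s or host.endswith("." + s) for s in internal_suffixes)
    return any(addr in net for net in INTRANET_NETS)


def flag_suspicious_reminders(
    messages: Iterable[MessageReminder],
    internal_suffixes: Tuple[str, ...] = ("corp.example",),
) -> List[Tuple[str, str]]:
    """Return (message_id, host) for each reminder whose UNC path leaves the intranet.

    Outlook would open such a path over SMB (TCP 445) when the reminder fires and
    send the user's NTLM negotiation to that host, which is what CVE-2023-23397
    abuses; no user interaction is involved.
    """
    flagged = []
    for msg in messages:
        if not msg.reminder_file:
            continue
        host = parse_unc_host(msg.reminder_file)
        if host is not None and not host_is_intranet(host, internal_suffixes):
            flagged.append((msg.message_id, host))
    return flagged


# Constructed sample data, not real mail: a local sound file, internal shares,
# and two reminders pointing at hosts outside the intranet.
SAMPLE_MESSAGES = [
    MessageReminder("m1", "hr@corp.example", r"\\fileserver\sounds\alarm.wav"),
    MessageReminder("m2", "invoice@example.net", r"\\203.0.113.5\share\reminder.wav"),
    MessageReminder("m3", "it@corp.example", None),
    MessageReminder("m4", "ops@corp.example", r"\\10.0.0.8\tools\ping.wav"),
    MessageReminder("m5", "news@example.org", r"\\cdn.example.org\audio\chime.wav"),
    MessageReminder("m6", "cal@corp.example", r"\\nas.corp.example\music\beep.wav"),
    MessageReminder("m7", "x@example.com", r"C:\Windows\Media\chimes.wav"),
]

if __name__ == "__main__":
    for message_id, host in flag_suspicious_reminders(SAMPLE_MESSAGES):
        print(f"{message_id}: reminder sound points at non-intranet host {host}")
```

Anything this flags deserves a look at the sender and at outbound TCP 445 connection logs for the same host. Independently of detection, Microsoft's mitigation advice for this bug was to block outbound SMB (TCP 445) at the perimeter and to put high-value accounts in the Protected Users group; both remove the NTLM-to-arbitrary-host primitive even on unpatched clients.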
  15. Tomi Engdahl says:

    Winter Vivern | Uncovering a Wave of Global Espionage https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
    The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string wintervivern, which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern. The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details

  16. Tomi Engdahl says:

    Is Russia regrouping for renewed cyberwar?
    https://blogs.microsoft.com/on-the-issues/2023/03/15/russia-ukraine-cyberwarfare-threat-intelligence-center/
    As the second year of the Russian war in Ukraine commences, a detailed survey of the cyberattacks used during the first year of the war, and especially new developments we have observed in recent months, provide hints of what the future of this hybrid war may hold. The Russian hybrid offensive has also included sophisticated influence operations.
    For example, Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.

  17. Tomi Engdahl says:

    Russia is concealing its cyber capability – it does not want the world to know how it is faring against Ukraine
    Tivi, 17.3.2023 09:21 | Cyberwar | Ukraine crisis
    Russia has so far not used the full force of its network attacks and electronic warfare in Ukraine, says doctoral researcher and security professional Kimberly Lukin.
    https://www.tivi.fi/uutiset/venaja-peittelee-kyberkykyaan-ei-halua-maailman-tietavan-miten-se-parjaa-ukrainaa-vastaan/ef476313-954a-418d-8d01-c81d45066234

    Kimberly Lukin is responsible for, among other things, offensive testing and audits in the EMEA region at a company supplying industrial automation, and is also writing a doctoral dissertation at the University of Turku on Russia’s cyber warfare capability.

    ”Russia knows it is the object of strategic assessment in Ukraine, and it does not want to reveal all of its strengths,” Lukin says. ”Wrong assessments of Russia’s capabilities in, for example, electronic warfare and network warfare can be harmful to European preparedness.”

    ”In Russia, logic and mathematics were present in all studies. Later, on testing and audit assignments, I noticed that modifying and developing malware was considered a normal part of testing work there. That is hardly done in the West in customer environments.”

    In connection with her dissertation work, Lukin wrote in dark tones about Russia’s cyber capabilities and intentions, among other places in Helsingin Sanomat, already years ago. The years since have confirmed for her everything that was predicted then. ”Experiences from the time of work and study have come true.”

  18. Tomi Engdahl says:

    Russia’s chilling plan in Moldova confirmed: a wave of cyberattacks and bomb threats as weapons
    Joakim Kullas, 13.2.2023 20:02 | Security | Ukraine crisis | Russian economy
    The country’s intelligence service confirms the statement by Ukrainian President Zelensky, according to which Russia has planned the toppling of Moldova’s democracy.
    https://www.tivi.fi/uutiset/venajan-kylmaava-suunnitelma-moldovassa-vahvistettiin-aseena-kyberiskujen-aalto-ja-pommiuhkia/a7a12e05-7eb9-4a92-8ea9-99e06ec262d7

    Moldova’s intelligence service says it suspects that Russia is seeking to destabilise the country’s situation. The statement confirms the information given by Ukrainian President Volodymyr Zelensky at the EU summit, according to which Ukraine has uncovered a plan by the Russian intelligence service for ”the destruction of Moldova”.

  19. Tomi Engdahl says:

    Russia tried to destroy the operations of Ukraine’s news agency – the attack failed miserably
    Joakim Kullas, 19.1.2023 12:00 | updated 19.1.2023 12:00 | Malware | Security | Ukraine crisis
    According to cybersecurity authorities, a hacker group linked to Russian military intelligence was behind the attack.
    https://www.tivi.fi/uutiset/venaja-yritti-tuhota-ukrainan-uutistoimiston-toiminnan-isku-epaonnistui-surkeasti/ac6b840a-5927-46f1-8d80-812188e1df08

    Ukraine’s cybersecurity authorities accuse Russian army hackers of attacking the country’s state news agency Ukrinform. The news agency was attacked with data-destroying malware, but its spread was contained.

  20. Tomi Engdahl says:

    Microsoft: Finland is a target of Russian cyberattacks
    Russia has also used destructive cyber weapons outside Ukraine.
    https://www.is.fi/digitoday/tietoturva/art-2000009457862.html

    Microsoft has published a report, A year of Russian hybrid warfare in Ukraine (pdf), that makes Russia’s cyber operations visible. The report shows that Russia is directing cyber operations at Finland.

    The report deals mainly with Ukraine, but it shows that during the year Russia also operated online against 74 other countries. The report separately mentions 14 countries, which in addition to Finland are the USA, Poland, Britain, Lithuania, Latvia, Turkey, Peru, Norway, Romania, Denmark, France, Canada and Sweden.

    Microsoft does not name the targets, but most are connected to state and government organisations and to communications and IT companies. The activity is expected to increase especially with respect to companies involved in arms deliveries to Ukraine and to military targets.

    Three Russian intelligence organisations, i.e. military intelligence GRU, the security service FSB and foreign intelligence SVR, may have gained a foothold in critical infrastructure systems in the Americas and Europe. According to Microsoft, the GRU’s cyber units in particular have shown a willingness to use destructive cyber weapons outside Ukraine as well, if necessary.

    A year of Russian hybrid warfare in Ukraine
    https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf

    What we have learned about nation state tactics so far and what may be on the horizon

  21. Tomi Engdahl says:

    NATO boss tells what would happen if Russia struck the power grid
    https://www.is.fi/digitoday/tietoturva/art-2000009262726.html

    Russia could, if it wished, escalate the war with strikes on the power grids of other countries – such as Finland. According to NATO’s cyber chief, a cyberattack against a NATO country could trigger Article 5.

    If Russia suffers more significant setbacks on the battlefield, Microsoft considers it possible that cyber weapons would also be used outside Poland and Russia. In addition to cyber espionage, hack-and-leak attacks, in which stolen data is published online, may also be seen. The targets would be especially people central to supporting Ukraine.

    Microsoft separately mentions the elections in Finland, Sweden and Poland, which Russia may seek to influence with the aim of reducing support for Ukraine.

    Russia also continues its active cyberattacks against Ukraine. During the war, Russia has attacked Ukrainian networks with wipers, i.e. data-destroying cyber weapons, belonging to at least nine different software families. The targets have included more than 100 organisations in both the public and private sectors.

    – We have seen situations where a few people carry out operations at the keyboard surrounded by a crowd of lawyers. This is done to ensure that the activity complies with international law, Lifländer says.

    Most states interpret network attacks as just as real forms of warfare as physical strikes. Therefore countries reserve the right to counterstrikes and to the possibility of activating Article 5 of NATO’s collective defence.

  22. Tomi Engdahl says:

    Google: Here are Russia’s 3 objectives online right now
    https://www.is.fi/digitoday/tietoturva/art-2000009400273.html

    Google and the security company are surprised that the critical infrastructure of Ukraine’s supporters has not been attacked.

  23. Tomi Engdahl says:

    Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks
    https://www.securityweek.com/russian-cyberspies-abuse-eu-information-exchange-systems-in-government-attacks/

    Russia-linked APT29 was seen abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

    Russia-linked cyberespionage group APT29 has been observed abusing two legitimate information exchange systems used by European countries, BlackBerry reports.

    APT29 is a Russian advanced persistent threat (APT) actor mainly focused on cyberespionage. The group, believed to be sponsored by the Russian Foreign Intelligence Service (SVR), is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium.

    As part of a recently observed campaign aimed at EU governments, the group was seen sending phishing emails with a malicious document attached, using the Polish Foreign Minister’s recent visit to the US as a lure.

    Another lure, BlackBerry says, abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among the governments of European countries.

    NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
    https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine

  24. Tomi Engdahl says:

    Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
    https://www.securityweek.com/microsoft-pins-outlook-zero-day-attacks-on-russian-actor-offers-detection-script/
    Microsoft blames a “Russian-based threat actor” for in-the-wild attacks hitting its flagship Microsoft Outlook and has released a detection script to help defenders.

  25. Tomi Engdahl says:

    Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
    https://www.securityweek.com/microsoft-17-european-nations-targeted-by-russia-in-2023-as-espionage-ramping-up/

    Microsoft says Russia targeted at least 17 European nations in 2023 — mostly governments — and 74 countries since the start of the Ukraine wa

  26. Tomi Engdahl says:

    Poland Breaks up Russian Spy Ring

    Polish counter-intelligence has dismantled a Russian spy ring that gathered information on military equipment deliveries to Ukraine.

    https://www.securityweek.com/poland-breaks-up-russian-spy-ring/

  28. Tomi Engdahl says:

    Russian hackers hit a Ukrainian game studio – made a cruel demand
    https://www.tivi.fi/uutiset/venalaiset-hakkerit-iskivat-ukrainalaiseen-pelistudioon-esittivat-julman-vaatimuksen/583aaf66-625b-4ba4-a163-fa995840a78d

    Joakim Kullas, 14.3.2023 20:59 | Data breaches | Hackers | Cybercrime | PC games
    The game company says it has been the target of cyberattacks for more than a year.

    GSC Game World, the Ukrainian development studio of the long-awaited game Stalker 2: Heart of Chornobyl, has warned that the company’s systems have been breached. The company says a Russian group is behind the attack.

  29. Tomi Engdahl says:

    Remcos trojan involved in cyber espionage aimed at the Ukrainian government – The most common malware in Finland and worldwide https://www.epressi.com/tiedotteet/tietotekniikka/remcos-troijalainen-osallisena-ukrainan-hallintoon-suunnatussa-kybervakoilussa-yleisimmat-haittaohjelmat-suomessa-ja-maailmalla.html
    Cybercriminals used the Remcos trojan in phishing targeted at Ukrainian government units as part of wider cyber espionage operations, according to Check Point Research’s malware review. The most common malware in Finnish and global corporate networks was still Qbot.

    Russia is concealing its cyber capability – it does not want the world to know how it is faring against Ukraine
    https://www.tivi.fi/uutiset/tv/ef476313-954a-418d-8d01-c81d45066234
    Russia has so far not used the full force of its network attacks and electronic warfare in Ukraine, says doctoral researcher and security professional Kimberly Lukin.

  30. Tomi Engdahl says:

    NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
    NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.

  31. Tomi Engdahl says:

    Order of the day in the Kremlin: ”Throw away the iPhones” – Finnish technology to replace them
    One of the recommended replacements is Aurora OS, which has a Finnish background.
    https://www.is.fi/digitoday/mobiili/art-2000009465102.html

    In the Russian presidential administration, employees have been ordered to get rid of Apple iPhones during March. The order is based on security concerns and was given in early March at a seminar in Moscow for officials of Putin’s domestic administration, writes the Russian Kommersant. It is quoted in English by Ukrainska Pravda.

    – No more iPhones. Everyone throw them away or give them to your children. Everyone must do this in March, read the order, confirmed to Kommersant by several sources.

    The Kremlin believes Western intelligence services can easily access the American Apple’s phones. As replacements for iPhones, Android phones, their Chinese equivalents or phones based on the Aurora OS operating system are recommended.

    Two points about the replacement recommendations are worth noting. The first is that Android is the operating system of the American Google. It is likely that Western intelligence services would find it no harder to access than iOS.

    The second observation is that Aurora OS, recommended as an alternative, is based on the Sailfish operating system licensed from the Finnish Jolla. Sailfish, launched in 2013, was developed on the basis of the MeeGo operating system that Nokia once abandoned.

  32. Tomi Engdahl says:

    Bad magic: new APT found in the area of Russo-Ukrainian conflict https://securelist.com/bad-magic-apt/109087/
    Administrative organizations were attacked with the PowerMagic backdoor and the CommonMagic framework. When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that leads to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.

    Reply
  33. Tomi Engdahl says:

    Exclusive: Meet Russia's Cambridge Analytica, Run By A Former KGB Agent Turned YouTube Influencer https://www.forbes.com/sites/thomasbrewster/2023/03/21/andrei-masalovich-avalanche-russia-cambridge-analytica/
    Russia's "Cyber Grandpa" has been sanctioned by the U.S. government for selling a big data surveillance tool to Kremlin spies, Russian energy giants and repressive regimes.
  34. Tomi Engdahl says:

    New loader on the bloc – AresLoader
    https://intel471.com/blog/new-loader-on-the-bloc-aresloader
    AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a binder tool that allows users to masquerade their malware as legitimate software.
  35. Tomi Engdahl says:

    Fighting the Good Fight: Life inside the Talos Ukraine Task Unit https://blog.talosintelligence.com/fighting-the-good-fight-life-inside-the-talos-ukraine-task-unit/
    In the months leading up to Russia's invasion of Ukraine, Cisco and Talos did everything we could to support our friends, partners and colleagues, who were facing a reality unlike anything that can be found in any technical training manual, SOP or SLA. Once the invasion began, there was an influx of people across Cisco and Talos who wanted to help. That led to the development of an internal Ukraine task unit, which has become a prototype for how we can respond to future global events that are likely to have significant, ongoing cyber implications.
  36. Tomi Engdahl says:

    Russian Sanctions Evasion Puts Merchants and Banks at Risk https://www.recordedfuture.com/russian-sanctions-evasion-puts-merchants-banks-risk
    Cybercriminals devise and execute various workarounds to legalize their illicit income. After international sanctions were leveled against Russia in the wake of Russia's full-scale invasion of Ukraine, ordinary Russian consumers have likely resorted to similar workarounds to obtain goods produced abroad. Recorded Future has identified prepaid cryptocurrency virtual credit cards and mail forwarding services, also known as reshippers, as methods that can potentially be exploited to illegally bypass sanctions. International financial institutions and merchants that are indirect participants in these workarounds may be at risk of falling under secondary sanctions.
  37. Tomi Engdahl says:

    The Latest Intel on Wipers
    https://www.fortinet.com/blog/threat-research/intel-on-wiper-malware
    The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks. Does the evidence corroborate the theory that the ongoing conflict in Europe is to blame for the rise in wipers? Indeed. Furthermore, given that Russia is the main source of wiper activity, one can anticipate an increase in the use of wipers against countries and organizations that provide aid, weapons, or other logistical support to Ukraine. While both ransomware and wipers increased in the second half of 2022, FortiGuard Labs research found it was wipers that really took off. And this trend shows no sign of slowing, which means defenders must take action and prepare now as if they will be targeted.
  38. Tomi Engdahl says:

    The West underestimated Ukraine's air defence: "We were wrong", says Ilmari Käihkö – see in the animation how Ukraine intercepts missiles
    Intelligence gathered by Western countries helps Ukraine's air defence significantly, estimate senior researcher Juha Honkonen and researcher Ilmari Käihkö.
    https://yle.fi/a/74-20022294
  39. Tomi Engdahl says:

    Russia cannot deliver the equipment India bought from it
    https://www.verkkouutiset.fi/a/venaja-ei-pysty-toimittamaan-intialle-se-ostamaa-kalustoa/#f105d9e9

    Failure to honour its commitments may strain India's relations with its largest defence supplier as Moscow seeks to increase arms production, CNN reports.

    A representative of the Indian Air Force (IAF) told a committee of the country's parliament that because of the war in Ukraine, a "major delivery" from Moscow "will not take place".

    The admission, published in a report prepared on Tuesday by the lower house of India's parliament, is the first official confirmation from Indian authorities of the rumours circulating in local media about shortfalls in Russia's capacity.

    – They have informed us in writing that they cannot deliver it, the representative said, according to the report.
  40. Tomi Engdahl says:

    Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
    https://www.securityweek.com/microsoft-no-interaction-outlook-zero-day-exploited-since-last-april/
    Microsoft says it has evidence that Russian APT actors were exploiting a nasty Outlook zero-day as far back as April 2022, a disclosure that ups the stakes on organizations to start hunting for signs of compromise.
    The vulnerability, tracked as CVE-2023-23397, was flagged in the ‘already exploited’ category when Redmond shipped a fix earlier this month and Microsoft’s incident responders have pinned the attacks on Russian government-level hackers targeting organizations in Europe.
    “Microsoft has traced evidence of potential exploitation of this vulnerability as early as April 2022,” the company said in fresh documentation that provides guidance for investigating attacks linked to the Outlook flaw.
    Microsoft also shipped a CVE-2023-23397 detection script and urged organizations to review the output of this script to determine whether an exploit was successful.
    https://www.securityweek.com/microsoft-patch-tuesday-zero-day-attacks/
    Guidance for investigating attacks using CVE-2023-23397
    https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
    CVE-2023-23397 script
    https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

  41. Tomi Engdahl says:

    Loudmouth DJI Drones Tell Everyone Where You Are
    https://hackaday.com/2023/03/26/loudmouth-dji-drones-tell-everyone-where-you-are/

    Back when commercial quadcopters started appearing in the news on the regular, public safety was a talking point. How, for example, do we keep them away from airports? Well, large drone companies didn’t want the negative PR, so some voluntarily added geofencing and tracking mechanisms to their own drones.

    When it comes to DJI, one such mechanism is DroneID: a beacon on the drone itself, sending out a trove of data, including its operator’s GPS location. DJI also, of course, sells the Aeroscope device that receives and decodes DroneID data, declared to be for government use. As it often is with privacy-compromising technology, turns out it’s been a bigger compromise than we expected.

    Questions started popping up last year, as off-the-shelf quadcopters (including those made by DJI) started to play a part in the Russo-Ukrainian War. It didn’t take long for Ukrainian forces to notice that launching a DJI drone led to its operators being swiftly attacked, and intel was that Russia got some Aeroscopes from Syria. DJI’s response was that their products were not meant to be used this way, and shortly thereafter cut sales to both Russia and Ukraine.

    But security researchers have recently discovered the situation was actually worse than we expected. Back in 2022, DJI claimed that the DroneID data was encrypted, but [Kevin Finisterre]'s research proved that to be a lie.
  42. Tomi Engdahl says:

    Russian hackers have changed their strategy – cyberattacks have increased in Europe, says a new report

    https://f7td5.app.goo.gl/esZ32t

    Channel @updayFI

    At the start of the war, most cyberattacks concerned only Ukraine. At the beginning of 2023 the overwhelming majority of incidents occurred in EU countries.

    AT THE END of last year, cyberattacks increased significantly in Poland, the Baltic countries and the Nordic countries, the high-technology and digital-security company Thales says in its new report.

    In Sweden, a particularly large number of cyberattacks were carried out compared with the other Nordic countries.

    So far the attacks have been fairly harmless denial-of-service attacks, but more broadly their aim is to increase concern among decision-makers and citizens, says Jukka Nokso-Koivisto, a cybersecurity expert working at Thales.
  43. Tomi Engdahl says:

    Ground Control to Major Tom: Ransomware Groups & Hacktivists Targeting Satellite and Space Industry https://blog.cyble.com/2023/03/27/ghostsec-targeting-satellite-receivers/
    Threats towards Satellite Communication Networks have been increasing gradually since previous years. The cyber-attack against Viasat's KA-SAT network partially interrupted KA-SAT's consumer-oriented satellite broadband service and rendered 5,800 Enercon wind turbines in Germany. This highlights that cyber attacks on components within the SATCOM industry can have a disastrous effect and weaken National Critical Infrastructure operations.
  44. Tomi Engdahl says:

    Russia's ambassador to Sweden threatens Sweden over joining NATO – also mentioned Finland
    https://www.is.fi/ulkomaat/art-2000009484693.html

    According to the ambassador, the new members of the "enemy bloc" will become a legitimate target of Russian countermeasures.

    On Tuesday evening, a threatening text concerning Sweden's NATO membership was published on the Facebook page of the Russian embassy in Sweden. The text was written by Russia's ambassador to Sweden, Viktor Tatarintsev.

    Tatarintsev began his piece by describing how Sweden "officially renounced its faith and its truth in more than 200 years of non-alignment" after the Swedish Riksdag approved NATO membership last week.

    According to the ambassador, the Swedish people have been deceived, and no referendum on NATO was held in the country because its result was "feared to fall short of the expectations of overseas 'partners'".

    – The only thing that Finland's and Sweden's membership in the military alliance strengthens is Finland's and Sweden's dependence on orders from Washington, Tatarintsev said.

    – With the accession of Finland and Sweden, the length of the borders between Russia and NATO nearly doubles. If anyone still believes that this somehow improves Europe's security – it is certain that the new members of the enemy bloc will become a legitimate target of Russian countermeasures, including military ones.

    Sweden's NATO membership is still awaiting approval from Turkey and Hungary.

    Russia caught out by a clumsy propaganda video – even its own side criticises it
    https://www.is.fi/digitoday/art-2000009484596.html
    A video circulating widely on Russian social media has been geolocated as having been filmed in Russian-occupied territory.
  45. Tomi Engdahl says:

    A clear change in cyberattacks because of the war – in these countries
    https://www.uusiteknologia.fi/2023/03/29/kyberhyokkayksissa-sodan-takia-selkea-muutos-naissa-maissa/

    In addition to the conventional war, according to a security report by the IT company Thales, the cyber warfare between Russia and Ukraine has clearly shifted into a Europe-wide, high-intensity hybrid cyber war. Increasingly, the attacks focus on critical national infrastructure, for example aviation, the energy sector, healthcare, banks and public services. Finland was the target of eight incidents last year.

    Last year's cyberattacks are examined in a new report by Thales's Cyber Threat Intelligence unit, according to which a significant turning point in cyberattacks related to the Ukraine conflict also occurred in the third quarter of 2022.

    Apart from Ukraine and Russia, the most activity has been directed at Poland, Latvia and Sweden. In EU countries, conflict-related incidents have increased sharply over the past six months. Finland saw only eight security incidents last year.

    At the same time, according to the Thales report, the geography of cyberattacks has changed over the past 12 months. At the start of the conflict most attacks concerned only Ukraine (50.4% in the first quarter of 2022, 28.6% in the third quarter).

    In EU countries, conflict-related incidents have increased sharply over the past six months (from 9.8 percent to 46.5 percent of global attacks). In summer 2022 there were almost as many security incidents in EU countries as in Ukraine (85 vs. 86). In the first quarter of 2023, the overwhelming majority (80.9%) of incidents have occurred in EU countries.

    In Ukraine the cyber war still continues, but in Western Europe's eyes individual attacks are drowned in the flood of continuous cyber harassment. One example is ATK256 (UAC-0056), an attack directed against several Ukrainian public organisations and carried out on the anniversary of the conflict on 23 February.
  46. Tomi Engdahl says:

    A clear change in cyberattacks because of the war – also in Finland
    https://www.uusiteknologia.fi/2023/03/29/kyberhyokkayksissa-sodan-takia-selkea-muutos-naissa-maissa/

    In addition to the conventional war, according to a security report by the IT company Thales, the cyber warfare between Russia and Ukraine has clearly shifted into a Europe-wide, high-intensity hybrid cyber war. Increasingly, the attacks focus on critical national infrastructure, for example aviation, the energy sector, healthcare, banks and public services. Finland was the target of eight incidents last year.
