By Kevin Townsend on February 24, 2022
A conversation with Marcus Willett, former director of cyber at GCHQ
On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladimir Putin.
Just before this maneuver, SecurityWeek spoke to Marcus Willett to get insight into the role of cyber in aggressive geopolitics. Willett is senior advisor for cyber at the International Institute for Strategic Studies where he researches the use of cyber and related technologies as levers of national power. Before then, he had worked at the UK’s GCHQ for 33 years, including roles such as the agency’s first director of cyber.
Strategically, Ukraine is the soft underbelly of Russia. As an ally, Ukraine is a bulwark against NATO. As a member of NATO, it would be a Russian weakness. Preventing this weakness and keeping NATO at least an arm’s length from the heart of Russia is one purpose of Russian behavior.
But it shouldn’t be ignored that Russia has been increasingly bellicose over the last two decades – including, for example, the invasion of Georgia in 2008 and the almost uncontested annexation of Crimea in 2014. The extent of Putin’s desire to return Russia to the height of its global influence as the USSR should not be ignored.
The big difference between the Russia of the USSR and the Russia of today has been the emergence of cyber as an accepted theater of war. It is this role of cyber that SecurityWeek discussed with Marcus Willett.
Russia has been waging its own cyberwar against Ukraine for many years. For example, on December 23, 2015, Russian attackers accessed SCADA systems in three Ukrainian electricity distribution companies, opened breakers in about 30 substations in Kiev and western Ivano-Frankivsk, and caused a loss of power to more than 200,000 customers. On December 17, 2016, a single transmission substation in northern Kiev lost power.
In June 2017, Russian actors hijacked the updater process of Ukrainian accounting software firm MEDoc and delivered a wiper malware named NotPetya to MEDoc customers. Its worm capabilities subsequently led to the wiper spreading very rapidly around the world. There are many other examples of disruptive Russian cyber operations against Ukraine between 2014 and the present.
Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.
The purpose of such cyber activity is to weaken critical infrastructure, damage the government’s ability to respond to any aggression, and demoralize the population. The advantage of conducting the initial stages of hostilities in cyberspace is the widespread perception that such actions cannot be accurately attributed to any specific aggressor. Notably, Putin has consistently denied any Russian (government) involvement in any of this activity.
“What is unknown,” Willett told SecurityWeek, “is the extent to which Russian actors are now embedded undetected within the Ukrainian critical infrastructure – and particularly the electricity grid. This would be the classic use of cyber operations to prepare the battlefield for physical invasion. In the past, cyber activity preceded the physical action in Georgia and Crimea by around two weeks – but Russia may be able to move faster this time.”
There is, however, a major difference between the Crimea and Ukraine incidents. The West seemed largely unprepared for how to respond over Crimea. This time, America has learned the lesson and has been controlling the narrative from the beginning. The U.S. and NATO have signaled very clearly that they know what Russia is doing and how the allies will respond. The U.S. has liaised closely with its European allies, and sanctions have already begun. Blocking Russian gas exports to Europe will hurt Russia’s economy, while withholding tech exports could also hurt Russian industry. The message is very clear: a physical war with Ukraine could lead to a sanctions war with America and Europe – and that is one war that the relative economic minnow cannot win.
Widespread cyberwar and attribution
The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened.
“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do.
“I suspect,” he continued, “the Russians will be bending over backwards to make sure that they don’t let their cyber operations against Ukraine spread like NotPetya and cause damage more widely, including in the U.S. and its NATO allies. But we may see an increase in Russian criminal gangs using ransomware against the U.S. and its allies. If any of the Russian government agencies got attributed for causing major damage in the U.S. and NATO, the consequences for Russia would be very serious. Nevertheless, we might well see an increase in Russian cybercriminal activity, including the use of ransomware against the U.S. and its allies.”
This raises the whole question of ‘attribution’. The received belief is that accurate cyber attribution is impossible. “That is absolutely wrong,” said Willett. “The problem with attributing in the past has not been a lack of confidence in knowledge, it’s been an inability to release the information in a way that doesn’t jeopardize sources. But over the years, states have become more confident in what they are able to reveal safely, have acknowledged there are thresholds where the risk is acceptable, and the private sector has become more capable in putting together the cyber jigsaw to come up with an accurate conclusion.”
This has allowed the U.S. to be sufficiently confident to indict not just countries but named individuals in both China and Russia. The attacking governments can deny this and claim the U.S. justice system is corrupt, but the effect of being attributed collectively by multiple allied states who say, ‘we know it was you’ is damaging to international reputation. “It would be a mistake for any one nation to think it could attack another without being known,” said Willett.
The danger of accidental global cyberwar
But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both pieces of malware escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could have wider implications during a period of global geopolitical tension.
“The U.S., UK and other like-minded states have declared their intent to use their cyber power responsibly, without giving many indications as to what precisely this means. Comparing Stuxnet and NotPetya is one way of illustrating the difference,” said Willett.
NotPetya was an uncontrolled worm released through a global IT vulnerability that – surprise, surprise – spread beyond the intended target and affected the operating system of any system it landed on. “Stuxnet,” continued Willett, “was very targeted. Yes, it spread beyond the intended target, but it could only cause damage if the specific software that made a centrifuge spin was present (with lots of other conditions). The controlled Stuxnet and the uncontrolled NotPetya illustrate the difference between responsible and irresponsible use of cyber power.”
Willett believes that the U.S. will do its utmost to maintain the principle of a responsible use of cyber power. “If not,” he said, “they end up playing the same game as the Russians, the Chinese, Iran and North Korea. This would leave much of the rest of the world thinking that what the Russians and others have been demanding – new international treaties and conventions to increase the control by governments of their sovereign piece of cyberspace – is the only solution.” The problem is that this is code, in authoritarian states, for mass internal censorship and surveillance, and is the opposite of the ‘free internet’ that we would like to see endure. “So, there are strategic reasons for any U.S. or NATO cyber operations to be very carefully judged to maintain cyber responsibility rather than simply to respond like-for-like.”
In the other direction, Willett doesn’t believe the Russian state will be tempted to run destructive cyber operations against the U.S. and its allies. “They might,” he added, “if subsequent sanctions are particularly brutal; but that would be a mistake – it would be another ‘internationally wrongful act’ under international law, and would invite even more stringent countermeasures and even more international opprobrium.”
In the end, you can’t help feeling that there’s a longer game here: both sides are struggling to understand the potential of cyber in war. Can cyber capabilities be used to have a deterrent effect, can they prepare the battlefield, could they be used for countermeasures against an aggressor? “These have largely been intellectual and doctrinal discussions to this point, but might now be tested in reality with unpredictable results. We are at a very dangerous moment. We should perhaps remember that, before the current Ukraine crisis, Biden said that it would most likely be as the consequence of a cyber breach that the U.S. would find itself in a real shooting war with a major power.”
Nevertheless, the overriding impression given by Marcus Willett is that both sides (this excludes any action or opportunity taken by China, Iran or North Korea) will do everything possible to avoid the actuality of a Russia/Ukraine cyberwar spreading to the wider world. But ‘unintended consequences’ is a risk in all IT and security – and unintended consequences are hard to predict or control.
As this article was completed, the physical invasion of Ukraine began. On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.
Associated Press reported another wave of DDoS attacks against Ukraine’s parliament and other government and banking websites, while ESET has detected new wiper malware on “hundreds of machines in the country”.
Although ESET did not name the targets beyond saying they were ‘large organizations’, Symantec has described three: a financial institution in Ukraine, and government contractors in Latvia and Lithuania. This adds a further geopolitical complication — although Ukraine itself is not a member of NATO, both Latvia and Lithuania are members.
One thing is clear: the marriage of cyber and kinetic warfare has been consummated.
Note: Anything not quoted from Marcus Willett is the opinion of the author.
Russia vs Ukraine – The War in Cyberspace
Russian troops have launched a major assault on Ukraine and while their forces battle in the physical world for control over various cities and regions, a battle is also taking place in cyberspace.
Just before Russia launched an invasion of Ukraine on February 24, Ukrainian government websites were disrupted by distributed denial-of-service (DDoS) attacks, and cybersecurity firms reported seeing a new piece of destructive malware on hundreds of devices in the country.
The malware used in this attack has been named HermeticWiper and it has been described by experts as a wiper malware disguised as ransomware. This attack wave came just weeks after Ukrainian government websites were disrupted as part of a campaign that involved WhisperGate, a completely different wiper malware that was also disguised as ransomware.
Due to the timing of the attacks, the main suspects are Russian state-sponsored threat actors. Russian hackers have often been accused of targeting Ukraine over the past decade, including in attacks that caused significant disruption to critical infrastructure.
However, the BBC reported that at least some of the latest DDoS attacks against Ukrainian government websites were launched by “patriotic” Russian hackers, including some who work at a “respectable Russian cyber-security company.” One of the individuals claiming to work at the unnamed firm admitted that they would be terminated if their employer found out about their after-hours activities.
These patriotic hackers also claim to have obtained access to Ukrainian government email accounts — which they plan on using for phishing attacks — and they claim to have stolen data.
The Conti ransomware gang, which has thrived in recent months amid crackdowns on other ransomware groups, has pledged its support for the Russian government, warning that it will use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” The cybercrime group has threatened to “strike back at the critical infrastructures of any enemy.”
Russia-linked ransomware groups demonstrated in the past that they are capable of causing significant disruption to critical infrastructure organizations.
The Ukrainian government has issued a warning to the population regarding an email attack campaign whose goal appears to be the delivery of malware.
The country’s Computer Emergency Response Team (CERT) has also reported seeing email attacks that have been linked to UNC1151, a threat actor previously tied to Belarus and possibly Russia, and which specializes in disinformation campaigns.
Several cybersecurity companies and industry professionals have offered free tools and services to organizations and individuals in Ukraine after Russia launched its invasion. Curated Intelligence has compiled a list of threat reports, access brokers, data brokers, and other resources that could be useful to Ukraine.
Ukraine’s activities in cyberspace have not been purely defensive. Mykhailo Fedorov, the country’s minister of digital transformation, over the weekend announced the creation of an “IT Army” and urged cyber specialists to join the new unit. A Telegram channel created for the IT Army urged members — instructions have been provided in both English and Ukrainian — to target major Russian businesses and government websites, with DDoS and other types of attacks.
The IT Army was created shortly after the Ukrainian government called for cyber volunteers to help defend the country’s critical infrastructure.
Several major Russian government and media websites have been intermittently offline since the conflict started, with many attributing the outages to DDoS attacks.
Some of these attacks were conducted by members of the Anonymous hacktivist movement, which has declared cyberwar against Russia. Hackers operating under the Anonymous banner have defaced Russian websites and leaked data allegedly stolen from high-profile organizations, including the Russian Ministry of Defense. However, these data leak claims have not been verified and hacktivists have been known to publish data that later turned out to be fake or obtained in older breaches.
Anonymous hackers have also claimed responsibility for disrupting the websites of pro-Kremlin Russian media, and posted messages appealing to Russians to try to stop the war and not participate as fighters.
There have also been reports of Russian TV channels getting hacked to play Ukrainian songs.
Russia’s National Coordination Center for Computer Incidents warned last week that cyberattacks on Russian critical information infrastructure and other information resources could increase. The agency also said there could be misinformation operations whose goal was to damage Russia’s image.
The Russian government has also issued an alert to the media regarding the circulation of false information, and the country’s Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) has lashed out at Facebook and YouTube after they suspended the accounts of several Russian media organizations.
NATO Secretary General Jens Stoltenberg warned that cyberattacks could trigger NATO’s Article 5, which considers an attack on any NATO ally an attack on all.
NBC reported last week that U.S. President Joe Biden had been presented with options for “massive cyberattacks” against Russia, but the White House called NBC’s report “off base” and claimed it did “not reflect what is actually being discussed in any shape or form.”
Users around the world have also been warned about scams exploiting the war in Ukraine. ESET has spotted several cyber fraud operations whose goal is to steal money and information from people using fake charity campaigns as a lure.
Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions
By Brian Krebs
Costa Rica’s national health service was hacked sometime earlier this morning by a Russian ransomware group known as Hive. The intrusion comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in response to a data ransom attack from a different Russian ransomware gang — Conti. Ransomware experts say there is good reason to believe the same cybercriminals are behind both attacks, and that Hive has been helping Conti rebrand and evade international sanctions targeting extortion payouts to cybercriminals operating in Russia.
The Costa Rican publication CRprensa.com reports that affected systems at the Costa Rican Social Security Fund (CCSS) were taken offline on the morning of May 31, but that the extent of the breach was still unclear. The CCSS is responsible for Costa Rica’s public health sector, and worker and employer contributions are mandated by law.
A hand-written sign posted outside a public health center in Costa Rica today explained that all systems are down until further notice (thanks to @Xyb3rb3nd3r for sharing this photo).
Esteban Jimenez, founder of the Costa Rican cybersecurity consultancy ATTI Cyber, told KrebsOnSecurity the CCSS suffered a cyber attack that compromised the Unique Digital Medical File (EDUS) and the National Prescriptions System for the public pharmacies, and as a result medical centers have turned to paper forms and manual contingencies.
“Many smaller health centers located in rural areas have been forced to close due to not having the required equipment or communication with their respective central health areas and the National Retirement Fund (IVM) was completely blocked,” Jimenez said. “Taking into account that salaries of around fifty thousand employees and deposits for retired citizens were due today, so now the payments are in danger.”
Jimenez said the head of the CCSS has addressed the local media, confirming that the Hive ransomware was deployed on at least 30 out of 1,500 government servers, and that any estimation of time to recovery remains unknown. He added that many printers within the government agency this morning began churning out copies of the Hive ransom note.
“HIVE has not yet released their ransom fee but attacks are expected to follow, other organizations are trying to get a hold on the emergency declaration to obtain additional funds to purchase new pieces of infrastructure, improve their backup structure amongst others,” Jimenez said.
A copy of the ransom note left behind by the intruders and subsequently uploaded to Virustotal.com indicates the CCSS intrusion was the work of Hive, which typically demands payment for a digital key needed to unlock files and servers compromised by the group’s ransomware.
On May 8, President Chaves used his first day in office to declare a national state of emergency after the Conti ransomware group threatened to publish gigabytes of sensitive data stolen from Costa Rica’s Ministry of Finance and other government agencies. Conti initially demanded $10 million, and later doubled the amount when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data taken from Costa Rican government servers.
As CyberScoop reported on May 17, Chaves told local media he believed that collaborators within Costa Rica were helping Conti extort the government. Chaves offered no information to support this claim, but the timeline of Conti’s descent on Costa Rica is worth examining.
Most of Conti’s public communications about the Costa Rica attack have very clearly assigned credit for the intrusion to an individual or group calling itself “unc1756.” In March 2022, a new user by the same name registered on the Russian language crime forum Exploit.
On the evening of April 18, Costa Rica’s Ministry of Finance disclosed the Conti intrusion via Twitter. Earlier that same day, the user unc1756 posted a help wanted ad on Exploit saying they were looking to buy access to “special networks” in Costa Rica.
“By special networks I mean something like Haciendas,” unc1756 wrote on Exploit. Costa Rica’s Ministry of Finance is known in Spanish as the “Ministerio Hacienda de Costa Rica.” Unc1756 said they would pay USD 500 or more for such access, and would work only with Russian-speaking people.
THE NAME GAME DISTRACTION
Experts say there are clues to suggest Conti and Hive are working together in their attacks on Costa Rica, and that the intrusions are tied to a rebranding effort by Conti. Shortly after Russia invaded Ukraine at the end of February, Conti declared its full support, aligning itself directly with Russia and against anyone who would stand against the motherland.
Conti quickly deleted the declaration from its website, but the damage had already been done, and any favor or esteem that Conti had earned among the Ukrainian cybercriminal underground effectively evaporated overnight.
Shortly thereafter, a Ukrainian security expert leaked many months’ worth of internal chat records between Conti personnel as they plotted and executed attacks against hundreds of victim organizations. Those candid messages exposed what it’s like to work for Conti, how they undermined the security of their targets, as well as how the group’s leaders strategized for the upper hand in ransom negotiations.
But Conti’s declaration of solidarity with the Kremlin also made it increasingly ineffective as an instrument of financial extortion. According to cyber intelligence firm ADVIntel, Conti’s alliance with the Russian state soon left it largely unable to receive ransom payments because victim companies were being advised that paying a Conti ransom demand could mean violating U.S. economic sanctions on Russia.
“Conti as a brand became associated with the Russian state — a state that is currently undergoing extreme sanctions,” ADVIntel wrote in a lengthy analysis (PDF). “In the eyes of the state, each ransom payment going to Conti may have potentially gone to an individual under sanction, turning simple data extortion into a violation of OFAC regulation and sanction policies against Russia.”
ADVIntel says it first learned of Conti’s intrusion into Costa Rican government systems on April 14, and that it has seen internal Conti communications indicating that getting paid in the Costa Rica attack was not the goal.
Rather, ADVIntel argues, Conti was simply using it as a way to appear publicly that it was still operating as the world’s most lucrative ransomware collective, when in reality the core Conti leadership was busy dismantling the crime group and folding themselves and top affiliates into other ransomware groups that are already on friendly terms with Conti.
“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” ADVIntel concluded.
ADVIntel says Conti’s leaders and core affiliates are dispersing to several Conti-loyal crime collectives that use either ransomware lockers or strictly engage in data theft for ransom, including AlphV/BlackCat, AvosLocker, BlackByte, HelloKitty, Hive, and Karakurt.
Still, Hive appears to be perhaps the biggest beneficiary of any attrition from Conti: twice over the past week, both Conti and Hive claimed responsibility for hacking the same companies. When the discrepancy was called out on Twitter, Hive updated its website to claim it was not affiliated with Conti.
Conti and Hive’s Costa Rican exploits mark the latest in a string of recent cyberattacks against government targets across Latin America. Around the same time it hacked Costa Rica in April, Conti announced it had hacked Peru’s National Directorate of Intelligence, threatening to publish sensitive stolen data if the government did not pay a ransom.
But Conti and Hive are not alone in targeting Latin American victims of late. According to data gathered from the victim shaming blogs maintained by multiple ransomware groups, over the past 90 days ransom actors have hacked and sought to extort 15 government agencies in Brazil, nine in Argentina, six in Colombia, four in Ecuador and three in Chile.
A recent report (PDF) by the Inter-American Development Bank suggests many Latin American countries lack the technical expertise or cybercrime laws to deal with today’s threats and threat actors.
“This study shows that the Latin American and Caribbean (LAC) region is not sufficiently prepared to handle cyberattacks,” the IADB document explains. “Only 7 of the 32 countries studied have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs. This limits their ability to identify and respond to attacks.”