A survey of cybercrime experts assessing the top cybercrime-producing nations results in some expected leaders — Russia, Ukraine, and China — but also some surprises.

Source: Wavebreakmedia Ltd IFE-221116 via Alamy Stock Photo

An academic research project to gain insight into which nations produce the most cybercrime has ranked the usual suspects of Russia, Ukraine, China, and the United States at the very top but also found some relative surprises with Nigeria at No. 5, Romania at No. 6, and Brazil at No. 9.

Nations with high technology levels typically scored fairly high on the World Cybercrime Index (WCI), especially if those countries also have state-sponsored threat actors that overlap with cybercriminal groups. Yet other nations dominated in one of the five areas, such as Nigeria taking the top score for scams and Romania scoring highly in data and identity theft, according to the university research effort by academic institutions in the United Kingdom, Australia, and France.

While cybersecurity experts have long associated different countries with different types of cybercrime — Russia with banking and ransomware and China with intellectual-property theft and financial crimes, for example — this is the first time that researchers have been able to compare various countries based on specific attributes and cybercriminal approaches, says Miranda Bruce, a postdoctoral fellow in sociology at the University of Oxford.

"If you look closely at these five indices, you'll get more insight into the character of each country as a cybercrime hotspot," she says. "Nigeria is No. 1 in the Scams index, but comes between 5th and 10th in the other four cybercrime types. Clearly they're a significant producer of all types of cybercrime, but it's also clear that, as a country, they specialize."

The researchers collected survey data from 92 cybercrime experts, asking them to pick the top five cybercrime-producing nations in five different categories of crime: technical products and services; attacks and extortion; data and identity theft; scams; and cashing out or money laundering. For each nation, participants were asked to rate the nation on the impact of the crimes, the actors' professionalism, and their technical skill.

The top 15 nations as ranked by their overall World Cybercrime Index. Source: PLOS One

In all, the cybercrime experts nominated 97 different countries, according to a paper the group published in the journal PLOS One.

The WCI scores may not, however, discern between true cybercriminals residing in a nation and those mercenary groups that also conduct operations on behalf of their state sponsors, says Sean McNee, vice president of research and data at DomainTools, a domain security services firm.

"When evaluating cybercrime groups in locales such as Russia, China, Iran, or North Korea, it is always challenging to determine if groups are operating purely on their own accord or operating on behalf of a nation-state sponsor," McNee says. "This makes cybercrime actors in other countries more interesting to look into, such as Nigeria, India, and Brazil."

**Low Technical Score, High Threat**

Nigeria's top marks in the scams category — in which the researchers lumped together advance-fee fraud, business email compromise, and online auction fraud — underscore that a highly developed cybercrime ecosystem does not necessarily require significant depth of technical skills and infrastructure. While Nigeria has prioritized its cybersecurity capabilities, the country remains a bastion for email fraud, as demonstrated by the case of a Nigerian-based group conducting romance scams with a US-based national, who was sentenced earlier this year.

Romania, which ranked No. 6 on the list, has a long history of hosting a cybercriminal ecosystem, so its ranking is a bit of a surprise, says Chester Wisniewski, director and field CTO at cybersecurity firm Sophos.

"Romania has always had elevated cybercrime activity ... likely due to its well-educated population and proximity and relationships with neighboring cybercrime states like Ukraine, Russia, and Moldova," he says. "Romania has been cooperative with cybercrime takedowns, but I am not sure they are very proactive in nature."

The researchers plan to investigate how the World Cybercrime Index correlates with other characteristics of each nation — such as gross domestic product (GDP), income inequality, Internet penetration, and corruption — and how cybercrime policies can impact their scores, the University of Oxford's Bruce says.

"There's still much to learn about how and why countries like Russia, China, and the USA have become major cybercrime hotspots, but the countries that appear lower in the Index will tell us more about the nuances of cyber criminality," she says. "That is, the specific combination of factors that enable a region to become a thriving economic hub of cybercriminal activity. It's important that we pay attention to these countries and regions in the coming years."

**Room for Improvement**

Unfortunately, the data gives little actionable information to defenders, although it could be useful to policymakers and diplomats interested in influencing countries and gaining cooperation, says Sophos' Wisniewski.

"If these stats are accurate, only the countries listed are in a position to address the problem of them being a source country for cybercrime," he says. "Many of those listed might not only be uninterested in reducing their rank, but they may also be proud of it."

The researchers conducted the survey in 2021, so unfortunately, that means that the rankings have aged, and do not include major changes to the cyberthreat landscape, such as Russia's invasion of Ukraine, the most recent rise in romance scams, and an increase in cryptocurrency scams from North Korea, says DomainTools' McNee.

"This suggests that encouraging policies to promote technology sectors in these countries — turn cybercriminals to entrepreneurs — could have a net positive impact on the economy," he says. "It may be more beneficial to track these trends in countries further down the WCI to help encourage such policies before a notable cybercrime industry takes hold."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria &amp; Romania Ranked Among Top Cybercrime Havens

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity.
That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024.
OpenMetadata is an open-source platform that operates as a

Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes

Caller ID spoofing and AI voice deepfakes are supercharging phone scams. Fortunately, we have tools that help organizations and people protect themselves against the devious combination.

Source: Ian Allenden via Alamy Stock Photo

COMMENTARY  
Three seconds of audio is all it takes to clone a voice. Vishing, or voice fraud, has rapidly become a problem many of us know only too well, impacting 15% of the population. Over three-quarters of victims end up losing money, making this the most lucrative type of imposter scam on a per-person basis, according to the US Federal Trade Commission (FTC).

When caller ID spoofing is combined with AI-based deepfake technology, fraudsters can, at very little cost and huge scale, disguise their real numbers and locations and highly convincingly impersonate trusted organizations, such as a bank or local council, or even friends and family.

While artificial intelligence (AI) is presenting all manner of new threats, the ability to falsify caller IDs is still the primary point of entry for sophisticated fraud. This has also posed serious challenges for authenticating genuine calls. Let's delve into the criminal world of caller ID spoofing.

**What's Behind the Rise in Voice Fraud?**

The democratization of spoofing technology, such as spoofing apps, has made it easier for malicious actors to impersonate legitimate caller IDs, leading to an increase in fraudulent activities conducted via voice calls. One journalist, who said she's known for her rational and meticulous nature, fell victim to a sophisticated scam that exploited her fear and concern for her family's safety. Initially contacted through a spoof call that appeared to be from Amazon, she was transferred to someone posing as an FTC investigator, who convincingly presented her with a fabricated story involving identity theft, money laundering, and threats to her safety.

These stories are becoming increasingly common. Individuals are primed to be skeptical of a withheld, international, or unknown number, but if they see the name of a legitimate company flash up on their phones, they are more likely to answer the call in an accommodating manner.

In addition to spoofing, we are also seeing a rise in AI-generated audio deepfakes. Last year in Canada, criminals scammed senior citizens out of more than $200,000 by using AI to mimic the voices of loved ones in trouble. A mother in the US state of Arizona also received a desperate call from her 15-year-old daughter claiming she'd been kidnapped; the call turned out to be AI-generated. When combined with caller ID spoofing, these deepfakes would be almost impossible for the average person to catch.

As generative AI and AI-based tools become more accessible, this kind of fraud is becoming more common. Cybercriminals don't necessarily need to make direct contact to replicate a voice because over half of people willingly share their voice in some form at least once a week on social media, according to McAfee. Nor do they need exceptional digital skills, since apps do the hard work of cloning the voice based on a short audio clip, as highlighted recently by high-profile deepfakes of US President Joe Biden and singer Taylor Swift.

Entire organizations can fall prey to voice fraud, not just individuals. All it takes is one threat actor to convince one employee to share some seemingly insignificant detail about their business over the phone, which is then used to join the dots and enable a cybercriminal to gain access to sensitive data. It's a particularly worrisome trend in industries where voice communication is a key component of customer interaction, such as banking, healthcare, and government services. Many businesses rely on voice calls for verifying identities and authorizing transactions. As such, they are particularly vulnerable to AI-generated voice fraud.

**What We Can Do About It**

Regulators, industry bodies, and businesses increasingly recognize the need for collective action against voice fraud. This could include intelligence to better understand scam patterns across regions and industries, the development of industrywide standards to improve voice call security, and tighter regulations governing reporting for network operators.

Regulators around the world are now tightening the rules around AI-based voice fraud. For instance, the US Federal Communications Commission (FCC) has made it illegal for robocalls to use either AI-generated or prerecorded voices. In Finland, the government has imposed new obligations on telecommunications operators to guard against caller ID spoofing and the transfer of scam calls to recipients. The EU is investigating similar measures, primarily driven by banks and other financial institutions that want to keep their customers safe. In all instances, efforts are underway to close the door on caller ID spoofing and smishing (fake text messages), which often serve as the entry point for more sophisticated, AI-based tactics.

Many promising detection tools in development could, in theory, drastically reduce voice fraud. They include voice biometrics, deepfake detectors, AI anomaly detection analysis, blockchain, signaling firewalls, and so on. However, cybercriminals are adept at outpacing and outwitting technological leaps, so only time will tell what will work best.

For businesses of all sizes and sectors, cybersecurity capabilities will become increasingly important for telecom services. Aside from the communications network level, businesses should establish clear policies and processes, such as multifactor authentication that uses a variety of verification methods.

Companies should also raise awareness of the most common fraud tactics. Regular training for employees should focus on recognizing and responding to scams, while customers should be encouraged to report suspicious calls.

On a consumer level, the UK's communications regulator, Ofcom, revealed that more than 41 million people were targeted by suspicious calls or texts over a three-month period in 2022. In other words, although brands and governments have been reiterating the message that legitimate businesses will never ask for money or sensitive information over the phone, continued vigilance is necessary.

The easy availability of cloning tools and spiraling crime levels have experts like the Electronic Frontier Foundation suggesting that people should agree on a family password to combat AI-based fraud attempts. It's a surprisingly low-fi solution to a high-tech challenge.

**About the Author(s)**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

Countering Voice Fraud in the Age of AI

Once attackers have control over a workload in the cluster, they can leverage access for lateral movement both inside the cluster and to external resources.

Source: Sergey Novikov via Alamy Stock Photo

Known vulnerabilities in OpenMetadata's open source metadata repository have been under active exploit since the beginning of April, allowing threat actors to launch remote code execution cyberattacks against unpatched Kubernetes clusters, according to research from Microsoft Threat Intelligence.

OpenMetadata is an open source platform that operates as a management tool as well as a central repository for metadata. In mid-March, researchers published information on five new vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) that affected versions preceding v1.3.1, according to Microsoft's report.

And while many cybersecurity teams might have missed the advisory, adversaries picked up on the opportunity to break into vulnerable Kubernetes environments and leverage them for cryptocurrency mining, the vendor said.

"In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited," Microsoft researcher Yossi Weizman explains. While the cybercriminals were engaged in crypto mining, he warns there's a wide range of nefarious activity an adversary can engage in once they're inside a Kubernetes cluster.

"In general (not specifically in this case), once attackers have control over a workload in the cluster, they can try to leverage this access also for lateral movement, both inside the cluster and also to external resources," Weizman adds.

OpenMetadata administrators are advised to update, use strong authentication, and reset any default credentials in use.

Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Big Tech Says Spy Bill Turns Its Workers Into Informants

Having a solid disaster recovery plan is the glue that keeps your essential functions together when all hell breaks loose.

Source: Aleksei Gorodenkov via Alamy Stock Photo

COMMENTARY

As the conflict in Ukraine enters its third year, the global community is confronted with the grim reality of modern warfare, where cyber operations have emerged as a pivotal battleground. Reflecting on past events and the ongoing crisis, it's evident that cyberattacks have become a constant threat, leaving no sector untouched and rendering the Ukrainian people and their systems vulnerable to relentless aggression.

In January 2022, as tensions loomed, I was tasked with outlining the potential consequences of a Russian attack on Ukraine to a private equity client with operations in the region. Little did we know that the scenarios we discussed would soon transition from hypothetical to harrowing realities.

Fast forward to 2024, and the dire situation persists. Recent cyberattacks targeting Ukrainian state agencies, including the state-owned energy company, and financial institutions such as Monobank, Ukraine's largest mobile-only bank, underscore the severity of the ongoing digital onslaught. The infiltration of Ukrainian telecommunications giant Kyivstar by Russian hackers further highlights the magnitude of the threat, leaving millions without vital services for days.

**How to Prepare for Cyber Warfare**

Amidst this turmoil, organizations must prioritize disaster recovery preparedness to mitigate risks and enhance resilience. Here are essential steps to consider:

1.  Safety of personnel: Beyond technical aspects, acknowledging the human impact of cyber warfare is paramount. With millions of Ukrainian people displaced and seeking refuge, ensuring the safety and well-being of your teams and their vulnerable families should be a top priority.
    
2.  Comprehensive backup strategies: Implementing robust backup solutions for critical data, systems, and networks is essential to restore operations swiftly in the event of a cyberattack. A multisite strategy ensures data survivability even in the face of unforeseen disasters.
    
3.  Cybersecurity training and awareness: Educating employees about cybersecurity best practices significantly reduces the likelihood of successful attacks, making every individual a frontline defender against cyber threats.
    
4.  Multilayered defense mechanisms: Adopting a multilayered approach to cybersecurity, including firewalls, intrusion detection systems, and endpoint protection, strengthens defenses and minimizes vulnerabilities.
    
5.  Incident response planning: Developing a comprehensive incident response plan enables organizations to react swiftly and effectively to cyber breaches, ensuring minimal disruption and damage.
    
6.  Collaboration and information sharing: Collaborating within the cybersecurity community and sharing threat intelligence and best practices bolsters defenses and adaptability against evolving threats.
    

When I reflect on the pre-war briefing on that cold January day in 2022, I recall how dark and macabre my presentation was. Nobody thought that what I was outlining could become reality. But it did. And even worse.

As we continue to witness the devastating impact of cyber warfare in Ukraine, it serves as a poignant reminder of the imperative for preparedness and resilience in the face of modern threats. By implementing proactive cybersecurity measures, prioritizing human safety, and fostering collaboration, organizations can defend against cyberattacks and uphold principles of sovereignty and stability in the digital age. It is essential for organizations to have a solid disaster recovery plan, as it is the glue that keeps your essential functions together when all hell breaks loose. Together, we can navigate the complexities of cyber warfare and work towards a future where technology protects and empowers all, even amidst conflict and adversity.

**About the Author(s)**

Independent Cybersecurity Consultant

Hadi Shavarini an independent cybersecurity consultant is a seasoned CISSP, with over 20 years of extensive Cloud Security experience across Data, Application, IAM, and Infrastructure domains, along with strategic cybersecurity expertise. As a Cybersecurity Consultant and virtual Chief Information Security Officer (vCISO), he specializes in delivering unparalleled advisory and cybersecurity services fortifying organizations' governance, risk, and compliance strategies. Hadi has demonstrated proficiency in steering cybersecurity initiatives across diverse industries, including financial services, healthcare, energy, manufacturing, tech, and retail. As a vCISO and trusted advisor, he excels in fostering strong client relationships, conducting cybersecurity evaluations, and guiding clients in implementing security frameworks and regulatory compliance. Hadi's leadership extends to his roles as CEO & Cofounder at Blue Robin Inc., and CEO & Cofounder at WebMedicPro. His expertise encompasses a wide range of IT solutions, project management, and strategic consultancy in cybersecurity and technology integration.

Preparing for Cyber Warfare: 6 Key Lessons From Ukraine

A native-first approach delivers better protections and a more efficient use of resources than best-of-breed solutions, benefiting cloud service providers and end-user customers alike.

Source: Rasi Bhadramani via Alamy Stock Photo

As companies increasingly migrate to public cloud platforms like Microsoft Azure, Amazon Web Services (AWS), and Google Cloud, many are opting to lift and shift their existing security toolsets in the process. Today, the average company deploys as many as 76 disparate security tools. This is commonly known as a best-of-breed approach.

However, the problem with a best-of-breed model is that it creates security and efficiency gaps for cloud workloads. Because third-party cloud security solutions rely on the visibility provided by the cloud service provider's (CSP) application programming interface (API), each one comes with its own unique set of limitations and blind spots. This makes it difficult for security engineers and analysts to accurately and efficiently triage and remediate threats.

By contrast, a native-first cloud security approach deploys seamlessly integrated first-party security solutions to drive greater cost and resource efficiencies, as well as increase overall security resiliency. Here are three reasons to prioritize a native-first approach over best-of-breed.

**Reduce Your Attack Surface**

One key argument for implementing a native-first cloud security approach over best-of-breed is that relying on multiple third-party security solutions can inadvertently expand an organization's attack surface. Each new tool introduces its own set of configurations, APIs, and potential vulnerabilities. If not properly managed, third-party tools can create additional opportunities for attackers to exploit weaknesses in the security infrastructure. In fact, cloud misconfigurations were responsible for 80% of data security breaches in 2023.

On the other hand, a native-first cloud security approach relies on first-party solutions and doesn't require any changes to the customer's cloud environment. That minimizes the risk of introducing additional weaknesses.

**Eliminate Security Blind Spots**

Another core benefit of a native-first cloud security model is that it eliminates the blind spots often seen with best-of-breed solutions. Third-party solutions often struggle to integrate with one another or with the specific cloud platform being used, which can lead to gaps in visibility and coordination — making it difficult to have a unified view of the security landscape. And because public cloud environments often rely on a variety of interconnected services and APIs, organizations run the risk of missing potential threats or vulnerabilities if their best-of-breed security tools are not designed to work seamlessly with these cloud-native services.

A native-first approach eliminates this issue because all of the CSP solutions are already designed to work together seamlessly. For example, a cloud container workload protection plan that natively integrates with Azure Kubernetes Services (AKS) and Azure Container Repository (ACR) would not require any changes to the protection plan when changes are made to the container-based solution. Similarly, a cloud-native application protection platform (CNAPP) integrating with Microsoft threat intelligence can ensure security teams can respond to security incidents in real time.

**Drive Greater Team Efficiencies**

Finally, taking a best-of-breed approach means that security teams are responsible for managing multiple security solutions from different vendors. This is complex and resource-intensive, requiring teams to understand the various interfaces, policies, and update schedules, while also managing crucial security configurations and responding promptly to emerging threats. Running multiple security tools concurrently can also lead to redundant system resources. This redundancy affects the overall performance of the cloud environment and increases operational costs without necessarily improving security effectiveness.

Under a native-first model, security teams only need to understand their CSP's services — thus cutting down on the initial learning curve required since the native solutions leverage other native services, such as dashboards and responses. Many CSPs are also designed to ensure the efficient use of customers' cloud resources, with much of the heavy lifting done within the CSP's control plane. 

Ultimately, a native-first cloud security approach delivers better protections and a more efficient use of resources than best-of-breed third-party solutions. And because CSPs are used to serving a wide range of customers and use cases, they can often offer more flexibility, innovation, and specialized security expertise than third-party vendors. By exploring available native-first security solutions to see what makes the most sense for their environments, organizations can take the first step toward a more secure and more efficient cloud-based future.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Why a Native-First Approach Is Key to Cloud Security

The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

*   During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
*   The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. 
*   The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. 
*   We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. 
*   The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

As a part of a regular threat hunting exercise, Cisco Talos monitors files uploaded to open-source repositories for potential lures that may target government and military organizations. Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors. 

For example, malicious document lures with externally referenced templates written in Ukrainian language are used by the Gamaredon group as an initial infection vector. Talos has previously discovered military theme lures in Ukrainian and Polish, mimicking the official PowerPoint and Excel files, to launch the so-called “Picasso loader,” which installs remote access trojans (RATs) onto victims' systems. 

In July 2023, threat actors attempted to use lures related to the NATO summit in Vilnius to install the Romcom remote access trojan. These are just some of the reasons why hunting for document lures is vital to any threat intelligence operation.  

In February 2024, Talos discovered several documents with content that seems to originate from Ukrainian local government organizations and the Ukrainian National Police uploaded to VirusTotal. The documents contained VBA code to drop and run an executable with the name \`ctrlpanel.exe\`, which raised our suspicion and prompted us to investigate further.   

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.   

**Attribution **

Although the virus is active in Ukraine, there are no indications that it was created by an author from that region. Even the debugging database string used to name the virus “E:\\Projects\\OfflRouter2\\OfflRouter2\\obj\\Release\\ctrlpanel.pdb” present in the ctrlpanel.exe does not point to a non-English speaker. 

From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer.  

The choices made during the development limited the virus to a specific geographic location and allowed it to remain active for almost 10 years. 

**OfflRouter has been confined to Ukraine **

According to earlier research by the Slovakian government CSIRT (Computer Security Incident Response Team) team, some infected documents were already publicly available on the Ukrainian National Police website in 2018.  

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine. Since the malware has no capabilities to spread by email, it can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine.  

One of the documents was recently uploaded to VirusTotal from Ukraine. 

The virus targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .docx, so few documents will be infected as a result.  

This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents.  

Other issues prevented the virus from spreading more successfully and most of them are found in the executable module, ctrlpanel.exe, dropped and executed by the VBA part of the code.  

When the virus is run, it attempts to set the value Ctrlpanel of the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run so that it runs on the Windows boot. An internal global string \_RootDir is used as the value, however, the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.  

One interesting concept in the .NET module is the entire process of infecting documents. As a part of the infection process, the VBA code is generated by combining the code taken from the hard-coded strings in the module with the encoded bytes of the ctrlpanel.exe binary. This makes the generated code the same for every infection cycle and rather easy to detect. Having a VBA code generator in the .NET code has more potential to make the infected documents more difficult to detect.  

Once launched, the executable module stays active in memory and uses threading timers to execute two background worker objects, the first one tasked with the infection of documents and the second one with checking for the existence of the potential plugin modules for the .NET module.  

The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “\*.doc” as a parameter.  

One of the parameters of the function is the SearchOption parameter which specifies the option to search in subdirectories or only the in the root folder. For fixed drives, the module chooses to search only the root folder, which is an unusual choice, as it is quite unlikely that the root folder will hold any documents to infect.  

For removable drives, the module also searches all subfolders, which likely makes it more successful. Finally, it checks the list of recent documents in Word and attempts to infect them, which contributes to the success of the virus spreading to other documents on fixed drives.  

__The choice of document filename extensions is limited to .doc.__

**OfflRouter VBA code drops and executes the main executable module **

The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.

__The VBA part creates and executes the executable module of the virus.__

 The beginning of the macro code defines a function that checks if the file already exists and if it does not, it opens it for writing and calls functions CheckHashX, which at first glance looks like containing junk code to reset the value of the variable \`Y\`. However, the variable Y is defined as a private property with an overridden setter function, which converts the variable value assignment into appending the supplied value to the end of the opened executable module C:\\Users\\Public\\ctrlpanel.exe. Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.  

This technique is likely implemented to make the detection of the embedded module a bit more difficult, as the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.  

To a more experienced analyst, this code looks like garbage code generated by polymorphic engines, and it raises the question of why the author has not extended the code generation to pseudo-randomize the code.  

__Infected Word documents drop the .NET component that infects other documents__. 

The virus is unique, as it consists of VBA and executable modules with the infection logic contained in the PE executable .NET module.  

__The property Y has an overridden setter function to write into a file.__

**Ctrlpanel.exe .NET module **

The unique infection method used by ctrlpanel.exe is through the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.  

The Interop.Word class is used to instantiate a Document class which allows access to the VBA macro code and the addition of the code to the target document file using the standard Word VBA functions.  

When the .NET module ctrlpanel.exe is launched, it attempts to open a mutex ctrlpanelapppppp to check if another module instance is already running on the system. If the mutex already exists, the process will terminate.  

Suppose no other module instances are running. In that case, ctrlpanel.exe creates the mutex named “ctrlpanelapppppp”, attempts to set the registry run key so the module runs on system startup, and finally initializes two timers to run associated background timer callbacks – VBAClass\_Timer\_Callback and PluginClass\_TimerCallback, implemented to start the Run function of the classes VBAClass and PluginClass, respectively. 

__Ctrlpanel.exe has two threads of execution.__

The VBAClass\_Timer\_Callback will be called one second after the creation of VBAClass\_Timer timer and the PluginClass\_Timer\_Callback three seconds after the creation of the PluginClass\_Timer.  

The full functionality of the executable module is implemented by two classes, VBAClass and PluginClass, specifically within their respective functions Backgroundworker\_DoWork. 

**_VBAClass is tasked with generating VBA code and infecting other Word documents_ **

 The background worker function runs in an infinite loop and contains two major parts, the first is tasked with the document infection and the second with finding the documents to infect, the logic we already described above.  

The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum. If the sum is zero, the document is considered already infected.  

__The file system time of creation is used as an infection marker.__

If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).  

The infection uses the traditional VBA class infection routine. It accesses the Visual Basic code module of the first VBComponent and then adds the code generated by the function MyScript to the document’s code module. After that, the infected document is saved.  

__The target document is converted to .docx and then infected.__

The code generation function MyScript contains static strings and instructions to dynamically generate code that will be added to infected documents. It opens its own executable ctrlpanel.exe for reading and reads the file 32-bit by 32-bit value which gets converted to decimal strings that can be saved as VBA code. For every repeating 32-bit value, most commonly for zero, the function creates a for loop to write the repeating value to the dropped file. The purpose is unclear, but it is likely to achieve a small saving in the size of the code and compress it.  

__Repeating 32-bit values are “compressed.”__

For every 4,096 bytes, the code generates a new CheckHashX subroutine to break the code into chunks. The purpose of this is not clear.  

__The VBA code infecting files is dynamically created.__

 After the file is infected, the background worker adds the infection marker file by setting the values of hour, minute, second, and millisecond creation times to zero.

__The infection market is set after the infected file has been copied to its original location.__

**_PluginClass is tasked with discovering and loading plugins_ **

Ctrlpanel.exe can also search for potential plugins present on removable media, which is very unusual for simple viruses that infect documents. This may indicate that the author’s aims were a bit more ambitious than the simple VBA infection. 

Searching for the plugins in removable drives is unusual as it requires the plugins to be delivered to the system on a physical media, such as a USB drive or a CD-ROM. The plugin loader searches for any files with the filename extension .orp, decodes its name using Base64 decoding function, decodes the file content using Base64 decoding, copies the file into the c:\\users\\public\\tools folder with the previously decoded name and the extension .exe and finally executes the plugin. 

__Any plugins found on a removable drive are decoded, copied to drive C: and launched.__

If the plugins are already present on an infected machine, ctrlpanel.exe will try to encode them using Base64 encoding, copy them to the root of the attached removable media with the filename extension “.orp” and set the newly created file attributes to the values system and hidden so that they are not displayed by default by Windows File Explorer. 

**It is unclear if the initial vector is a document or the executable module ctrlpanel.exe **

The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document. It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to doc before infecting documents. That way, the infection may be a bit stealthier.  

The following registry keys are set: 
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\AccessVBOM (to allow access to Visual Basic Object Model by the external applications) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings (to disable warnings about potential Macro code in the infected documents) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Options\\DefaultFormat (to set the default format to DOC) 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are  

The following ClamAV signatures detect malware artifacts related to this threat: 

Doc.Malware.Valyria-6714124-0 

Win.Virus.OfflRouter-10025942-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 - .NET module ctrlpanel.exe  

**Infected documents  **

2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c 

2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912 

802342de0448d5c3b3aa6256e1650240ea53c77f8f762968c1abd8c967f9efd0 

016d90f337bd55dfcfbba8465a50e2261f0369cd448b4f020215f952a2a06bce 

**Mutex **

ctrlpanelapppppp

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google's Mandiant.

Source: Militarist via Shutterstock

The formidable Sandworm hacker group has played a central role supporting Russian military objectives in Ukraine over the past two years even as it has stepped up cyberthreat operations in other regions of strategic political, economic, and military interest to Russia.

That's the upshot of the analysis of the threat actor's activities undertaken by Google Cloud's Mandiant security group. They found that Sandworm — or APT44, as Mandiant has been tracking it — to be responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022.

In the process, the threat actor established itself as the primary cyberattack unit within Russia's Main Intelligence Directorate (GRU) and among all Russian state-backed cybergroups, Mandiant assessed. No other cyber outfit appears as totally integrated with Russia's military operators as Sandworm is presently, the security vendor noted in a report this week that offers a detailed look at the group's tools, techniques, and practices.

"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions," Mandiant warned. "Even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America."

One manifestation of Sandworm's broadening global mandate was a series of attacks on three water and hydroelectric facilities in the US and France earlier this year by a hacking outfit called CyberArmyofRussia\_Reborn, which Mandiant believes is controlled by Sandworm.

The attacks — which appear to have been more a demonstration of capabilities than anything else — caused a system malfunction at one of the attacked US water facilities. In October 2022, a group that Mandiant believes was APT44 deployed ransomware against logistics providers in Poland in a rare instance of deploying a disruptive capability against a NATO country.

**Global Mandate**

Sandworm is a threat actor that has been active for more than a decade. It's well known for numerous high-profile attacks such as the one in 2022 that took down sections of Ukraine's power grid just prior to a Russian missile strike; the 2017 NotPetya ransomware outbreak, and an attack at the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation, and energy sectors. The US government and others have attributed the operation to a cyber unit within Russia's GRU. In 2020, the US Justice Department indicted several Russian military officers for their alleged role in various Sandworm campaigns.

"APT44 has an extremely broad targeting remit," says Dan Black, principal analyst at Mandiant. "Organizations who develop software or other technologies for industrial control systems and other critical infrastructure components should have APT44 front and center in their threat models."

Gabby Roncone, a senior analyst with Mandiant's Advanced Practices team, includes media organizations among APT44/Sandworm's targets, especially during elections. "Many key elections of high interest to Russia are taking place this year, and APT44 may attempt to be a key player" in them, Roncone says.

Mandiant itself has been tracking APT44 as a unit within Russia's military intelligence. "We track a complex external ecosystem that enables their operations, including state-owned research entities and private companies," Roncone adds.

Within Ukraine, Sandworm's attacks have increasingly focused on espionage activity with a view to gathering information for Russian military forces' battlefield advantage, Mandiant said. In many cases, the threat actor's favorite tactic for gaining initial access to target networks has been through exploitation of routers, VPNs, and other edge infrastructure. It's a tactic that the threat actor has been increasingly using since Russia's Ukraine invasion. While the group has accumulated a vast collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

**An Elusive Enemy**

"APT44 is adept at flying under the detection radar. Building detections for commonly abused open source tools and living-off-the-land methods is critical," Black says.

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible because of Sandworm's penchant for targeting vulnerable edge infrastructure for initial entry and re-entry into environments. "Organizations should additionally be wary of APT44 pivoting between espionage and disruptive goals after gaining access to networks," Roncone notes. "For folks working in media and media organizations in particular, digital safety training for individual journalists is key."

Black and Roncone perceive APT44/Sandworm's use of hacking fronts like CyberArmyofRussia\_Reborn as an attempt to draw attention to its campaigns and for deniability purposes.

"We have seen APT44 repeatedly use the CyberArmyofRussia\_Reborn Telegram to post evidence from and draw attention to its sabotage activity," Black says. "We cannot conclusively determine if this is an exclusive relationship but judge that APT44 has the ability to direct and influence what the persona posts on Telegram."

Black says APT44 could be using personas such as CyberArmyofRussia\_Reborn as a way to avoid direct attribution in case they cross a line or provoke a response. "But the second \[motive\] is that they create a fake sense of popular support for Russia's war — a false impression that average Russians are self-assembling to join the cyber fight against Ukraine."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Sandworm' Group Is Russia's Primary Cyberattack Unit in Ukraine

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Tag

#intel