
      LitterDrifter USB Worm / Schneier · Wednesday, 22 November - 21:47

    A new worm that spreads via USB sticks is infecting computers in Ukraine and beyond.

    The group—known by many names, including Gamaredon, Primitive Bear, ACTINIUM, Armageddon, and Shuckworm—has been active since at least 2014 and has been attributed to Russia’s Federal Security Service by the Security Service of Ukraine. Most Kremlin-backed groups take pains to fly under the radar; Gamaredon doesn’t care to. Its espionage-motivated campaigns targeting large numbers of Ukrainian organizations are easy to detect and tie back to the Russian government. The campaigns typically revolve around malware that aims to obtain as much information from targets as possible.

    One of those tools is a computer worm designed to spread from computer to computer through USB drives. Tracked by researchers from Check Point Research as LitterDrifter, the malware is written in the Visual Basic Scripting language. LitterDrifter serves two purposes: to promiscuously spread from USB drive to USB drive and to permanently infect the devices that connect to such drives with malware that permanently communicates with Gamaredon-operated command-and-control servers.


      Acer said it halted business in Russia but kept selling monitors & reportedly PCs / ArsTechnica · Friday, 9 June, 2023 - 22:56

    (Image: Acer continued selling laptops, like these Chromebooks, in Russia after saying it suspended business there, Reuters reports.)

    Per a report by Reuters on Thursday, Acer said it sold monitors in Russia after publicly declaring that it would suspend business there due to the Russia-Ukraine war. In Reuters' report, Acer claimed it only sold a "limited number of displays and accessories" for "civilian daily use." Additionally, Reuters reported that Acer sold laptops in Russia after saying it wouldn't.

    On April 8, 2022, Acer, like many tech companies (see: HP, Dell, Microsoft, Intel, Nvidia, etc.), said it would no longer do business in Russia for the foreseeable future.

    "Acer strictly adheres to applicable international trade laws and regulations and is closely monitoring the conflict between Russia and Ukraine. Due to recent developments, Acer has decided to suspend its business in Russia," the company's statement said at the time.


      FBI Disables Russian Malware / Schneier · Wednesday, 10 May, 2023 - 15:26

    Reuters is reporting that the FBI “had identified and disabled malware wielded by Russia’s FSB security service against an undisclosed number of American computers, a move they hoped would deal a death blow to one of Russia’s leading cyber spying programs.”

    The headline says that the FBI “sabotaged” the malware, which seems to be wrong.

    Presumably we will learn more soon.


      PIPEDREAM Malware against Industrial Control Systems / Schneier · Tuesday, 9 May, 2023 - 15:24

    Another nation-state malware , Russian in origin:

    In the early stages of the war in Ukraine in 2022, PIPEDREAM, a known malware, was quietly on the brink of wiping out a handful of critical U.S. electric and liquid natural gas sites. PIPEDREAM is an attack toolkit with unmatched and unprecedented capabilities developed for use against industrial control systems (ICSs).

    The malware was built to manipulate the network communication protocols used by programmable logic controllers (PLCs) leveraged by two critical producers of PLCs for ICSs within the critical infrastructure sector, Schneider Electric and OMRON.

    CISA advisory. Wired article.


      Pro-Russian hackers target elected US officials supporting Ukraine / ArsTechnica · Thursday, 30 March, 2023 - 12:19

    (Image: Locked out. Credit: Sean Gladwell / Getty Images)

    Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

    The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

    Tenacious targeting

    “This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”


      Kazakhstan’s seizure of Russian space assets threatens the Soyuz-5 rocket / ArsTechnica · Tuesday, 21 March, 2023 - 13:02

    (Image: A Russian Proton-M rocket carrying Spain's satellite Amazonas-5 blasts off from the launch pad at the Russian-leased Baikonur cosmodrome in Kazakhstan in 2017. Credit: KIRILL KUDRYAVTSEV/AFP via Getty Images)

    The Soviet Union created the Baikonur Cosmodrome in 1955 to serve as a test site for intercontinental ballistic missiles. A few years later it became the world's first spaceport with the launch of the historic Sputnik 1 and Vostok 1 missions. The sprawling cosmodrome was a mainstay of the Soviet space program.

    After the breakup of the Soviet Union, Russia began to lease the spaceport from the government of Kazakhstan and currently has an agreement to use the facilities through the year 2050. Russia pays an annual lease fee of about $100 million. Neither country is particularly happy with the relationship; the Kazakh government feels like it is under-compensated, and the Russian government would like it to be in its own country, which is why it has moved in recent years to build a new launch site for most of its rockets in the Far East of Russia, at Vostochny.

    Despite some of this uneasiness, however, the two governments have been working together on future space projects. For example, the main Russian space corporation, Roscosmos, has been developing a new medium-lift rocket that it anticipates launching from Baikonur. This is the Soyuz-5 vehicle, a three-stage rocket powered by RD-171 engines that will burn kerosene fuel. Russia is counting on this vehicle to replace its aging Proton-M rocket and be more cost-competitive with commercial rockets such as SpaceX's Falcon 9 booster.


      Fighting VPN criminalization should be Big Tech’s top priority, activists say / ArsTechnica · Monday, 20 March, 2023 - 11:00

    (Image credit: Aurich Lawson | Getty Images)

    “Women, life, freedom” became the protest chant of a revolution still raging in Iran months after a 22-year-old Kurdish woman, Mahsa Amini, died while in custody of morality police. Amini was arrested last September for “improperly” wearing a hijab and violating the Islamic Republic's mandatory dress code laws. Since then, her name has become a viral hashtag invoked by millions of online activists protesting authoritarian regimes around the globe.

    In response to Iran's ongoing protests—mostly led by women and young people—Iranian authorities have increasingly restricted Internet access. First, they temporarily blocked popular app stores and indefinitely blocked social media apps like WhatsApp and Instagram. They then implemented sporadic mobile shutdowns wherever protests flared up. Perhaps most extreme, authorities responded to protests in southeast Iran in February by blocking the Internet outright, Al Arabiya reported. Digital and human rights experts say motivations include controlling information, keeping protestors offline, and forcing protestors to use state services where their online activities can be more easily tracked—and sometimes trigger arrests.

    As getting online has become increasingly challenging for everyone in Iran—not just protestors—millions have learned to rely on virtual private networks (VPNs) to hide Internet activity, circumvent blocks, and access accurate information beyond state propaganda. Simply put, VPNs work by masking a user's IP address so that governments have a much more difficult time monitoring activity or detecting a user's location. They do this by routing the user's data to the VPN provider's remote servers, making it much harder for an ISP (or a government) to correlate the Internet activity of the VPN provider's servers with the individual users actually engaging in that activity.


      Ukraine Intercepting Russian Soldiers’ Cell Phone Calls / Schneier · Tuesday, 20 December, 2022 - 23:04

    They’re using commercial phones, which go through the Ukrainian telecom network:

    “You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

    “Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

    “But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

    This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.


      CryWiper Data Wiper Targeting Russian Sites / Schneier · Monday, 5 December, 2022 - 22:38

    Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

    The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

    So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

    Nothing leading to an attribution.

    News article.

    Slashdot thread.