Russia's GRU Thugs Double Down on Recruiting Cybercrooks

Tom Uren
Friday, October 18, 2024, 9:30 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Image: Bear says hack (Stable Diffusion)

Published by The Lawfare Institute in cooperation with Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Russia's GRU Thugs Double Down on Recruiting Cybercrooks

Several strands of evidence suggest Russia's use of cybercriminals to support its war effort in Ukraine is now planned and deliberate rather than ad hoc and opportunistic. Russia's strategy for harnessing cybercriminal resources has evolved over the course of the war. Prior to the conflict, connections between the Russian state and cybercriminals appeared to be opportunistic and based on personal relationships between individuals.

However, a Mandiant report from April this year suggested that Sandworm (aka Unit 74455 of the GRU) was acquiring tools and bulletproof hosting services from criminal marketplaces. Now Russian intelligence services are taking the next logical step and are directly acquiring people from the criminal talent pool.

In its 2024 Digital Defense Report, released this week, Microsoft writes:

…Russian threat actors have integrated ever more commodity malware in their operations and appear to have outsourced some cyberespionage operations to criminal groups.
In June 2024, Storm-2049 (UAC-0184) used Xworm and Remcos RAT — commodity malware associated with criminal activity — to compromise at least 50 Ukrainian military devices. There was no obvious cybercriminal use for this compromise, suggesting the group was operating in support of Russian government objectives.
Between June and July 2023, Microsoft observed Federal Security Service (FSB)-attributed Aqua Blizzard appear to "hand-off" access to 34 compromised Ukrainian devices to the cybercriminal group Storm-0593 (also known as Invisimole). The hand-off occurred when Aqua Blizzard invoked a PowerShell script that downloaded software from a Storm-0593-controlled server. Storm-0593 then established command and control infrastructure and deployed Cobalt Strike beacons on most of the devices for follow-on activity. This beacon was configured with the domain dashcloudew.uk, which Microsoft assesses Storm-0593 registered and used in a previous spear-phishing campaign against Ukrainian military machines last year, suggesting a pattern by Storm-0593 of supporting state intelligence collection objectives.

In early September, the U.S. government issued an advisory warning that, since 2020, Unit 29155, a Russian military intelligence (GRU) sabotage and assassination unit, had "expanded their tradecraft to include offensive cyber operations." This appears to be partly on-the-job training and partly the recruitment of cybercriminals. Per the advisory:

FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.

GRU thugs do not strike us as natural keyboard maestros but probably are well suited for coercing weedy cybercrooks into hacking for the state.

Ukraine's cybersecurity organization, the SSSCIP, has also reported on a group directed by personnel from law enforcement agencies in occupied Luhansk. There is no firm evidence here, but again we wonder whether law enforcement officers from regional Ukraine have hands-on-keyboard skills or simply have leverage over local cybercriminals.

Taken together, these strands of evidence suggest a much more deliberate and structured recruitment of criminals into Russia's war effort. Recruiting or training skilled cybersecurity talent into intelligence agencies takes time, whereas telling crims to do some patriotic hacking or else … is quick.

AI Is No Gift to Malicious Actors

Malicious cyber actors are experimenting with AI but have not found a way to use the technology to scale and accelerate their activities, according to prominent AI organization OpenAI.

Last week, OpenAI released an Influence and Cyber Operations update report that analyzed the activities of malicious actors using its tools, and included a range of case studies. The report provides insights into how some actors are experimenting with AI. The case studies describe how actors try to use ChatGPT to assist with reconnaissance, vulnerability research, scripting or software development, or social engineering. In all of these case studies, OpenAI's conclusion is that "use of our models did not appear to provide them with novel capabilities or directions that they could not otherwise have obtained from multiple publicly available resources."

Happily, OpenAI found that ChatGPT was very useful for its security work:

Throughout this investigation, our security teams leveraged ChatGPT to analyze, categorize, translate, and summarize interactions from adversary accounts. This enabled us to rapidly derive insights from large datasets while minimizing the resources required for this work. As our models become more advanced, we expect we will also be able to use ChatGPT to reverse engineer and analyze the malicious attachments sent to employees.

OpenAI describes half a dozen covert influence operations targeting elections around the world. These operations used AI for content creation and the management of fake personas on social media sites. OpenAI found that these operations all had limited impact with "the majority of social media posts that we identified as being generated from our models received few or no likes, shares, or comments."

Ironically, the ChatGPT-related operation that did go viral was a hoax on X that purported to be the output of a Russian troll account whose credits for using OpenAI's GPT-4o model had expired.

Image from X, https://x.com/bookazoid_/status/1802974326943015087

OpenAI said that this response appeared to be manually generated as it was not valid JSON and incorrectly referenced the model's name. Even though this post was a hoax, the same X account had been using OpenAI models to be argumentative "apparently in an attempt to bait controversy."

So far at least, it appears the apparent malicious use of AI is more interesting than the actual malicious use of AI. Despite the absence of significant impact so far, we think these kinds of reports into the adversarial or malicious use of AI technologies should be applauded, and other companies should be encouraged to publish them.

Australia's Actually Quite Sensible Cybersecurity Bill

New Australian cybersecurity legislation will introduce world-first reporting obligations for companies regarding ransomware incidents and payments. Beyond mandatory ransomware reporting, the Cyber Security Bill 2024 imposes security standards on smart devices and establishes an Australian Cyber Incident Review Board. These initiatives all make sense. What is surprising is that it has taken until 2024 to reach this stage.

Cybersecurity authorities regularly bemoan the absence of authoritative data on incidents. Ransomware, and payments in particular, are notoriously underreported, and it is difficult to know if anti-ransomware initiatives are working when it is not possible to assess the state of play.

The reporting obligation applies to companies that meet a minimum revenue threshold, and the information in these reports can be used only for cybersecurity purposes. It can't be forwarded to government regulators and used to fine companies, for example. At the same time, reporting incidents to cybersecurity authorities isn't a "get out of jail free" card. If companies have been behaving improperly, they can still be subject to regulatory action (although regulators need to build a case using information derived from other sources).

The bill also establishes the Cyber Incident Review Board (CIRB), Australia's version of the U.S. Cyber Safety Review Board (CSRB). We are big fans of the U.S. CSRB, which has produced a number of impactful reports. These can sting companies into taking action—the most notable case being the report that lashed Microsoft for its "cascade of security failures."

However, the U.S. is home to several of the world's most influential technology companies and is central to the internet, whereas Australia … is not. The CIRB aims to learn from the whole arc of an incident, from the circumstances that led up to it through to industry and government responses. There have been several high-impact breaches in recent years where this kind of comprehensive review would have been tremendously valuable.

The Australian review board goes a step further than the U.S. CSRB with the ability to compel information from entities involved in an incident under review. To balance that power, the board is not to apportion blame, and the legislation says that its final report cannot "provide the means to determine the liability of any entity in relation to a cyber security incident."

Finally, the Cyber Security Bill will strengthen security standards for smart internet-connected devices. Rather than defining standards in legislation, the minister sets standards by issuing rules, which can be changed over time. This is not uncommon in Australian legislation; social media safety standards, for example, are set by ministerial decree in the Basic Online Safety Expectations. The intent here is to adjust standards upward over time to the extent that the market will bear.

These are all good moves, but it is amazing they took so long.

Three Reasons to Be Cheerful This Week:

  1. U.K. doing more to protect schools from ransomware: The U.K.'s National Cyber Security Centre has announced that it is rolling out its Protective Domain Name System (PDNS) to schools nationally. The PDNS protects organizations by preventing them from connecting to known malicious domains and is already used across the U.K. government, including the Ministry of Defence.
  2. Hardened hardware for the Trump campaign: Key members of the Trump campaign are reportedly using hardened devices, including phones preinstalled with a stripped-down version of the Android operating system. It is good news that the campaign is investing in security, but we wonder how useful the devices will actually be—they are so locked down that they only communicate within closed networks of like devices.
  3. Smarter theft detection on Android: Google has published an interesting post on tightening Android to make it harder for thieves to get anything useful out of stolen phones. Some of these techniques are fairly simple, such as locking a phone if it is taken offline for a prolonged period (for data extraction or to avoid a remote wipe, for example) and making it easier to remotely lock or wipe a device from a trusted phone number. The interesting part of the post describes using machine learning to analyze multiple on-device signals to detect theft attempts and lock the device in response. You know if your phone is stolen, so given the array of sensors it has, why shouldn't your phone?

Shorts

Circling the Wagons Against Chinese Telco Hack

The Washington Post reports the Biden administration has formed a multiagency "unified coordination group" to manage the government's response to the hack of multiple U.S. telecommunications companies. The hack is now believed to affect 10 or 12 companies, up from three known victims last week. The report also states that responders are finding it difficult to evict the intruders because they don't know how they got in in the first place. It sounds like this is going to take a long time to unwind.

The FBI Gets Into Cryptocurrency

The Verge reports the FBI created an Ethereum-based cryptocurrency, NexFundAI, to investigate manipulation of cryptocurrency markets. Last week, 18 individuals were charged with "widespread fraud and manipulation in the cryptocurrency markets" after they tried to manipulate the currency's price. Just like An0m, but for crypto!

Risky Biz Talks

In the latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about how criminals are using deepfakes, but it is not the end of the world.

From Risky Biz News:

China says the U.S. is framing other countries for espionage operations: The Chinese government has put out another report of questionable quality this week, claiming that the U.S. is trying to smear poor li'l China as a bad cyber actor. Beijing officials say that the U.S. is actually the country behind most cyber espionage operations today, and they possess a "cyber weapon" that can mislead investigators and frame other states for its intrusions.

The report [English PDF] is the third in a series of reports that China's National Computer Virus Emergency Response Center (CVERC) has published on the topic this year, after previous reports in April and July. The reports typically come out after the U.S. government and U.S. media expose new Chinese cyber-espionage operations in the U.S. This one came out days after U.S. officials claimed that Chinese hackers breached sensitive systems at U.S. telecommunication companies used for law enforcement wiretaps—basically, China wiretapped the U.S. wiretapping system.

Pro-Kremlin disinfo cluster disrupted ahead of Moldova's election: Meta has taken down a network of fake accounts engaged in a disinformation campaign targeting Moldova a week before the small Eastern European country is set to hold presidential elections and a referendum to join the EU. The network used fake accounts to manage pages that posed as "independent" news entities. They posted content primarily in Russian that criticized the country's current president, Maia Sandu, Moldova's pro-EU politicians, and the country's ever-increasing closer ties to neighboring Romania.

Dutch government to physically replace tens of thousands of hackable traffic lights: Dutch authorities will have to replace tens of thousands of insecure road traffic lights by 2030. Officials are taking this extreme and very expensive step after a security researcher found a vulnerability that could allow threat actors to change traffic lights on demand. The issue was discovered earlier this year by Alwin Peppels, a security engineer for Dutch security firm Cyber Seals. Peppels says threat actors can use a software-defined radio to send commands to the control boxes that sit next to traffic lights.
Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.