
Russian Attacks on Europe Double in Lead-Up to Elections, Olympics

Tom Uren
Friday, June 7, 2024, 10:00 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Russian Attacks on Europe Double in Lead-Up to Elections, Olympics

Russian espionage, disruption, disinformation, and real-world interference in Europe are ramping up in the lead-up to the European Union elections and the Paris Olympics. Juhan Lepassaar, the head of the EU’s cybersecurity agency ENISA, last week told the Associated Press that disruptive attacks against European infrastructure had doubled in recent months.

“This is part of the Russian war of aggression, which they fight physically in Ukraine, but digitally also across Europe,” Lepassaar said.

Many of these attacks have been linked to Russia-backed groups and some targeted election-related services, Lepassaar said. He said Russia often first attempted new techniques in Ukraine before rolling them out across the EU.

Over the weekend, Germany’s Christian Democratic Union (CDU), the country’s leading opposition party, was hit by what the Interior Ministry described as a “serious cyber attack.” The ministry did not disclose details but said the attack looked like it was carried out by a “very professional actor.” The intrusion may have been aimed at intelligence collection rather than disruption, but the CDU shut down parts of its network as a precaution. The incident has not been attributed to Russia, but in May the German government attributed a breach of the Social Democratic Party last year to APT28 (aka Fancy Bear), part of the GRU, Russia’s military intelligence agency. On that occasion, the German government’s statement was backed by both the Czech government and Poland’s CERT, which each said that entities in their countries had been targeted by the same group.

Russia is also going hard on cyber campaigns that enable disinformation and propaganda.

Last week, for example, Poland’s state news agency, PAP, was hacked to publish a fake news article claiming Prime Minister Donald Tusk was ordering the mobilization of 200,000 people to join Ukraine’s fight against Russia. Both Tusk and Poland’s digital affairs minister blamed Russia, with Tusk saying on X that the incident “illustrates Russia’s destabilization strategy on the eve of the European elections.” The incident is noteworthy because it hijacked a legitimate media source outside Ukraine.

The idea itself isn’t new. There’s been a back-and-forth series of television station hacks to replace legitimate programming with propaganda in Russia and Ukraine. These incidents have often taken place during important political events such as Russia’s Victory Day, which commemorates the Soviet Union’s victory over Nazi Germany.

A Microsoft Threat Analysis Center (MTAC) report from April said the company had tracked 70 Russian actors engaged in Ukraine-focused disinformation. In its most recent report, MTAC says that Russian efforts targeting the 2024 Paris Olympics have ramped up. It says these operations’ principal aims are to “denigrate the reputation of the International Olympic Committee (IOC)” and to “create the expectation of violence breaking out in Paris at the Games.”

One disinformation actor, which Microsoft calls Storm-1679, has been working on Olympics-focused activity since June 2023, when it released a feature-length film called “Olympics Has Fallen.” There’s no Rotten Tomatoes or IMDB rating for it yet, but reliable sources tell us it sucks. MTAC, for its part, says:

Using a fake AI-generated audio impersonating the actor Tom Cruise to imply his participation, the film disparaged the IOC leadership. The use of slick computer-generated special effects and a broad marketing campaign, including faked endorsements from Western media outlets and celebrities, indicates a significant increase in skill and effort compared to most Influence Operations (IO) campaigns.

Other efforts from Storm-1679 include a collection of deceptive videos aiming to fuel expectations of violence at the games.

In the past couple of months, another group known as Doppelganger (Storm-1099 in Microsoft parlance) has also targeted the Olympics with similar themes, and MTAC expects Russian Olympics-focused activity to intensify.

This has happened before: in 2018, the Russian GRU group known as Sandworm disrupted the opening ceremony of the Pyeongchang Winter Olympics with a cyberattack.

Russia’s efforts aren’t limited to the digital domain, either.

In the Daily Beast this week:

Authorities in France suspect Russia may be responsible for the appearance of five coffins at the Eiffel Tower over the weekend that were covered with French flags bearing the words: “French soldiers in Ukraine.”

In early May, NATO issued a statement denouncing Russian “hybrid activities” across Europe, including “sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations.”

Russia’s disruptive cyber and real-world covert actions are cohesive and coordinated, and the West’s response is piecemeal and siloed. It’ll be a wild few months.

Measuring Disinformation Impact Is More About Vibes Than Science

With everything that’s happening with Russia, it’s worth thinking about the actual impact of disinformation campaigns. Unfortunately, measuring these effects is extremely difficult. The companies best placed to detect disinformation operations are also best placed to stop them, so what they report describes a platform where countermeasures are already being applied. Their reports are therefore not representative of the impact of disinformation across the broader internet.

For example, in Meta’s latest Adversarial Threat Report, released last week, the company described the tradecraft of a group called Doppelganger as “crude and largely ineffective in building authentic audiences on social media.” Over time, Meta has used a range of countermeasures to blunt the group’s effectiveness.

Doppelganger aims to undermine support for Ukraine and sow division within countries supporting the nation. Doppelganger targets France, Germany, Ukraine, Latvia, Italy, the U.S., the U.K., and Poland. The actor is known by that name because they often use clones of media or government websites to seed fabricated stories. Doppelganger continues to develop new techniques to evade Meta’s countermeasures, but Mike Dvilyanski, Meta’s head of threat investigations, told CyberScoop that “forcing them to adapt as we keep on improving our defenses degrades the quality of the operation overall.” However, although Meta may be winning the contest against Doppelganger, the actor targets many other services and the company concedes it has only a “limited view into these malicious efforts across the internet.”

Meta says Doppelganger is having success elsewhere on the internet and implies that other companies aren’t using appropriate countermeasures. Put differently, companies that don’t invest in detection and response are poorly equipped to measure what is happening on their platforms.

And successful disinformation may not even require authentic social media audiences. The Microsoft Threat Analysis Center’s April report described the three-stage process one particular Russian disinformation actor was using to successfully launder anti-Ukraine narratives for U.S. audiences:

  1. An individual presents as a whistleblower or citizen journalist, seeding a narrative on a purpose-built video channel.
  2. The video is then covered by a seemingly unaffiliated global network of covertly managed websites.
  3. Russian expats, officials, and fellow travelers then amplify this coverage.

Talking to the Associated Press about the potential for election interference, Senate Intelligence Committee chair Mark Warner (D-Va.) noted domestic political candidates and groups are now willing to spread disinformation. It’s hard to say quite how much Russia’s disinformation campaigns have altered the course of U.S. political debate, but we’re sure some Russian intelligence staffer is claiming credit for it in a slide deck in Moscow. Grim.

Three Reasons to Be Cheerful This Week:

  1. Call center scammers’ comms gear seized: Thai officials have seized 102 SIM boxes, 134 Starlink receivers, and nearly 50,000 SIM cards, among other telecommunications equipment. Thai police believe the country has become a hub for the ordering and transportation of equipment for call center gangs, and that the seized equipment was destined for scam operations in neighboring countries. Seven suspects were arrested. More coverage can be found in Khaosod English.
  2. NTLM deprecated: Microsoft announced it has deprecated the NTLM authentication protocol, which has been around since 1993 and is insecure compared to modern alternatives such as Kerberos. Deprecated does not mean removed: NTLM hasn’t been pulled from Microsoft’s operating systems and will still work in upcoming releases of Windows and Windows Server, so the practical next step for defenders is to audit which systems and applications still depend on it before restricting it.
  3. Former data brokers guilty: Two former employees of data broker Epsilon Data Management were found guilty of charges relating to knowingly selling targeted lists of consumers to fraudsters. The defendants used Epsilon’s algorithms to pick out lists of consumers most likely to respond to the frauds, including targeting elderly and vulnerable people.

Shorts

Snowflake Burned

A series of breaches at cloud data platform Snowflake illustrates that multi-factor authentication (MFA) for sensitive data is a must-have rather than a nice-to-have. The incident is covered in depth at Risky Business News, but in summary it appears that a group purchased credentials for various Snowflake demo accounts and scraped data belonging to the affected companies from the platform. None of the affected accounts were protected by MFA.

This is discussed in this week’s Risky Business podcast.
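The check a Snowflake customer would want after reading this is a list of accounts that can still be reached with nothing but a password. The following is an added example, not code from the newsletter or from Snowflake: it assumes a CSV export of the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (its FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, USER_NAME, CLIENT_IP and REPORTED_CLIENT_TYPE columns), and the rows below are constructed for the example. It ranks users by how many distinct source addresses have driven password-only logins, which is the pattern a stuffed credential produces.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
# The column names match the view; every row is invented for this example.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20T08:12:03Z,ANALYST_JANE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20T09:30:44Z,SVC_ETL,198.51.100.7,PYTHON_DRIVER,RSA_KEYPAIR,,YES
2024-05-21T02:05:19Z,DEMO_USER,192.0.2.44,JDBC_DRIVER,PASSWORD,,YES
2024-05-21T02:06:01Z,DEMO_USER,192.0.2.45,JDBC_DRIVER,PASSWORD,,YES
2024-05-21T02:09:57Z,DEMO_USER,192.0.2.46,JDBC_DRIVER,PASSWORD,,YES
2024-05-21T14:40:12Z,ANALYST_JANE,203.0.113.10,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-22T11:00:00Z,OLD_CONTRACTOR,192.0.2.99,JDBC_DRIVER,PASSWORD,,NO
2024-05-22T11:00:30Z,OLD_CONTRACTOR,192.0.2.99,JDBC_DRIVER,PASSWORD,,YES
"""


def parse_login_history(csv_text):
    """Parse a CSV export of LOGIN_HISTORY into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_password_only(row):
    """True for a successful login that used a password and no second factor.

    Key-pair and OAuth logins are deliberately not flagged: a leaked password
    cannot be replayed against them, which is the failure mode at issue here.
    """
    return (
        row["IS_SUCCESS"] == "YES"
        and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not row["SECOND_AUTHENTICATION_FACTOR"]
    )


def password_only_exposure(csv_text):
    """Summarise password-only successful logins per user.

    Returns {user: {"logins": n, "ips": [...], "clients": [...]}} ordered so
    that the account seen from the most distinct source IPs comes first, then
    by login count, then by name. Users with no password-only logins are
    absent from the result.
    """
    per_user = defaultdict(lambda: {"logins": 0, "ips": set(), "clients": set()})
    for row in parse_login_history(csv_text):
        if is_password_only(row):
            entry = per_user[row["USER_NAME"]]
            entry["logins"] += 1
            entry["ips"].add(row["CLIENT_IP"])
            entry["clients"].add(row["REPORTED_CLIENT_TYPE"])

    ranked = sorted(
        per_user.items(),
        key=lambda kv: (-len(kv[1]["ips"]), -kv[1]["logins"], kv[0]),
    )
    return {
        user: {
            "logins": entry["logins"],
            "ips": sorted(entry["ips"]),
            "clients": sorted(entry["clients"]),
        }
        for user, entry in ranked
    }


if __name__ == "__main__":
    for user, info in password_only_exposure(SAMPLE_LOGIN_HISTORY).items():
        print(
            f"{user}: {info['logins']} password-only login(s) "
            f"from {len(info['ips'])} IP(s) via {', '.join(info['clients'])}"
        )
```

On the constructed data this surfaces DEMO_USER (three password-only logins from three addresses within minutes, through a JDBC client) ahead of OLD_CONTRACTOR, while ANALYST_JANE (password plus Duo push) and SVC_ETL (key-pair) do not appear at all. Any user that does appear is a candidate for MFA enrolment or, for service accounts, a move to key-pair authentication.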

Inside the An0m Crimephone Sting

Wired has a long excerpt from Joseph Cox’s new book about how the FBI marketed the An0m encrypted phone network successfully to criminals. The FBI controlled An0m and was able to intercept and read the encrypted messages. Criminals used An0m to organize crimes such as drug trafficking and assassinations.

This week’s Risky Business podcast talks to Cox about the book.

Over 600,000 U.S. Routers Bricked, but Why?

Black Lotus Labs, Lumen Technologies’ research team, has reported an incident from October last year in which 600,000 small office/home office routers from a single internet service provider (ISP) were permanently disabled. The routers had to be replaced. The attack was confined to a single ISP, even though a variety of different devices were affected at the same time. While the motivation for the attack is unknown, Black Lotus Labs believes it was a “deliberate act intended to cause an outage.”

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about law enforcement agencies trolling cyber criminals when they carry out disruption operations, and why it might be counterproductive.

From Risky Biz News:

The Linux CNA mess you didn’t know about: The Linux Kernel project was made an official CVE Numbering Authority (CNA) with exclusive rights to issue CVE (common vulnerabilities and exposures) identifiers for the Linux kernel in February this year. While initially this looked like good news, almost three months later, this has turned into a complete and utter disaster.

Over the past few months, the Linux Kernel team has issued thousands of CVE identifiers, the vast majority of them for ordinary bug fixes rather than confirmed security flaws. In May alone, the Linux team issued over 1,100 CVEs, according to Cisco’s Jerry Gamblin, a number that easily beat out professional bug bounty programs and platforms run by the likes of Trend Micro ZDI, Wordfence, and Patchstack.

[much more on Risky Business News, including the Linux team’s stated logic and criticisms of its approach]

Law enforcement disrupts six malware botnets: A coalition of law enforcement agencies orchestrated the largest cybercrime takedown to date and seized servers and domains used by six of the world’s largest malware botnets. Named Operation Endgame, the takedown specifically targeted the botnets of “malware loaders,” a type of malware that infects systems and then rents access to other cybercrime groups. Europol says the coalition specifically targeted these botnets because of their role in helping deploy ransomware as part of their “host rental” business model.

The list of disrupted botnets includes some of the biggest players on the cybercrime scene:

  • Bumblebee
  • IcedID
  • Pikabot
  • SmokeLoader
  • SystemBC
  • TrickBot

[more on Risky Business News including details of arrest warrants issued and participating organizations]

Threat/trend reports: Abnormal Security, Akamai, AU10TIX, Cato Networks, Google Cloud (Mandiant), Kaspersky, Kaspersky (again), and Veracode [PDF] have recently published reports covering information security industry threats and trends. The most interesting of these is the Google Cloud (Mandiant) one, summarized below.

  • In 2023, Mandiant observed an increase in ransomware activity as compared to 2022, based on a significant rise in posts on data leak sites and a moderate increase in Mandiant-led ransomware investigations.
  • Mandiant observed an increase in the proportion of new ransomware variants compared to new families, with around one-third of new families observed in 2023 being variants of previously identified ransomware families.
  • Actors engaged in the post-compromise deployment of ransomware continue to rely predominantly on commercially available and legitimate tools to facilitate their intrusion operations. Notably, we continue to observe a decline in the use of Cobalt Strike Beacon and a corresponding increase in the use of legitimate remote access tools.
  • In almost one-third of incidents, ransomware was deployed within 48 hours of initial attacker access. Seventy-six percent of ransomware deployments took place outside of work hours, with the majority occurring in the early morning.

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
