Ukraine continues hacking back, Conti capsizes and a big cyber bill advances

Welcome to Changelog for 3/6/22, published by Synack! Blake Sobczak here, checking in from a new, FBI-friendly D.C. neighborhood. Russia’s latest war of aggression took a turn for the worse last week as Moscow seized control of its first major Ukrainian city, Kherson, and took over Ukraine’s largest power plant. Meanwhile, CISA added a whopping 95 known exploited vulnerabilities to its running list for government and industry defenders. Here’s what was on my radar:

The payload 

It’s natural to want to hack Russia.

Seeing the atrocities playing out in Ukraine makes it tempting to do something, anything to strike back at Moscow. An attack on Europe’s biggest nuclear power plant Thursday had me seething, too: How dare Russian forces shell the Zaporizhzhia facility, overrunning Ukrainians who were rushing to put out flames and avoid a radiological disaster?

Zaporizhzhia NPP/YouTube

Telegram and Twitter have offered front-row seats to the ugliness of Russia’s invasion as Ukrainian families are torn apart, and civilian casualties climb.

Against that backdrop, joining a DDoS attack on Russian targets or plumbing deep into Russian websites for vulnerabilities seems noble. But in most cases, such moves would also be illegal, as Nathaniel Mott reports for README. Worse, they risk escalating a conflict that already has a chance of starting World War III.

“Ostensibly you have now Western patriotic hackers and Russian patriotic hackers having a free for all,” cybersecurity executive Pablo Breuer said on a recent Twitch stream. “And it really only takes one group to take out what one country or another deems national critical infrastructure, and now we get a kinetic escalation.”

Ukraine’s government, besieged by Russian tanks and troops, has no reservations about pulling anonymous hackers into the fray. It recruited an “IT Army” of grassroots hackers to go after Russian networks even as private IT executives offer bounties for finding holes in Russian defenses.

“Any infrastructure that we ask them to, they destroy it,” Oleksandr Bornyakov, Ukraine’s deputy minister for digital transformation, told TechCrunch in an interview last week.

Causing that much digital mayhem is bound to backfire for many IT Army recruits. Kali Linux downloads don’t come with get-out-of-jail-free cards.

Illustration: Si Weon Kim

But how else can hackers outside Ukraine pitch in?

Ethical hacker Alessandra Perotti had the right idea in their latest newsletter: Raising awareness about digital security, as humdrum as it sounds compared to destroying Russian targets, is bound to be more helpful than throwing your weight behind a shadowy army half a world away.

The week, compiled

Ukrainian cybersecurity official Viktor Zhora warned in a press conference Friday that the country is caught in the throes of an unprecedented “hybrid war” featuring physical and digital fronts, as BBC News’ Joe Tidy reported.

“This is happening for the first time in history and I believe that cyber-war can only be ended with the end of conventional war, and we will do everything we can to bring this moment closer,” said Zhora, deputy chairman of Ukraine’s State Service of Special Communications.

While cybersecurity threats have taken a backseat so far in Russia’s invasion of Ukraine, there is ample reason to stay on high alert.

“Even though cyber operations have featured to an unexpectedly small extent in the conflict so far, the West still remains at higher risk of serious disruption — as distinct from catastrophic attack — via the cyber domain than it was before the invasion,” noted Ciaran Martin, formerly CEO of the U.K.’s National Cyber Security Centre, in a Lawfare article.

Former NSA general counsel Glenn Gerstell put the vulnerability more bluntly in an op-ed Friday: “American businesses aren’t ready for a war in cyberspace.”

On that cheery note, here’s your cybersecurity news roundup:

The Washington Post: Senate lawmakers passed a measure to impose mandatory reporting requirements for “substantial cyber incidents” despite opposition from critical infrastructure industry groups.

PC Mag: Chipmaking giant Nvidia has confirmed that hackers stole data from its networks. The company became aware of the breach on Feb. 23, the day before Russia invaded Ukraine, but both Nvidia and the “LAPSUS$” group behind the hack have denied a Russian connection.

**Don’t forget to get your free tickets to join me later this month at the Jack Rose whiskey bar in Washington, D.C. We’re teaming up with the R Street Institute’s Making Space Initiative to throw a networking event you won’t want to miss!**

Reuters: Satellite communications provider Viasat said last week that it was investigating a suspicious outage on its KA-SAT network in European and Mediterranean markets. The company is treating it as a cyberattack.

A message from Synack

Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.

Flash Memory

On March 18, 2021, a “Patient Zero” workstation in Ireland’s public health system was compromised by the Conti ransomware group, teeing up one of the most disruptive cyberattacks in that country’s history.

Ambulances parked in Ireland. Greg Clarke/Flickr

In mid-May, attackers executed the Conti ransomware across hundreds of infected machines, encrypting critical healthcare information at dozens of hospitals run by the Health Service Executive. Cybercriminals then twisted the knife by threatening to publish stolen data unless they were paid a nearly $20 million ransom.

But the tables have now turned on the Conti ransomware group, which saw one of its decryptors leaked last week alongside chat histories and other secrets. The leaks began a few days after the group declared its support for Russia.

Cybersecurity analysts and journalists like Brian Krebs dove into the data dumps, exposing the very dirty laundry of a feared cyber criminal group that’s now been forced to play defense.

Local Files

Axios: Toyota halted production at 14 manufacturing plants in Japan after a cyberattack on a third-party supplier.

CyberScoop: ICANN, which oversees top-level domains that form the backbone of the modern internet, denied Ukraine’s request to disconnect Russia. “Our mission does not extend to taking punitive actions, issuing sanctions, or restricting access against segments of the Internet — regardless of the provocations,” ICANN president and CEO Göran Marby said in a letter explaining the decision.

The New York Times: David Boggs, who helped invent Ethernet networking in the 1970s, died last month in Palo Alto, Calif., at 71. You’re using his technology as you read this.

Off-script

McDonald’s has been served with a $900 million lawsuit alleging the fast-food giant conspired to throttle business for ice cream machine maintenance company Kytch.

The soft-serve startup offers a Raspberry Pi-powered device that attaches to McDonald’s notoriously buggy ice cream machines, keeping franchisees up to date on system status and helping them troubleshoot common glitches.

But McDonald’s claimed Kytch’s technology posed a safety threat and ordered restaurant owners to ditch it, a move Kytch is now questioning in court, as Wired reported Wednesday.

“We’re going to continue to get discovery. And it’s going to keep on tunneling into this heart of darkness,” Kytch cofounder Jeremy O’Sullivan said in perhaps the most intense ice cream-related quote I’ve ever read.

Alpha/Flickr

That’s it for this week! Please send tips, feedback and bad cyber puns to bsobczak@synack.com. See you next Sunday!