Iranian cyberespionage (and a possible APT side-hustle).
Fortinet describes a spearphishing effort against Jordanian diplomatic targets that was evidently conducted by Iran. The lure is a familiar "please acknowledge receipt of this document" come-on, but the payload is more sophisticated than the usual run of criminal phishing. The Excel macro in the phish hook may have been accompanied by anti-analysis features. The malware itself would sleep for six-to-eight hours, and the attackers used DNS tunneling for command and control. Their three command-and-control servers were also used unusually intelligently: two of them were "tightly controlled" and were brought up only at specific times. The third server has apparently been used for misdirection, to make attribution more difficult. Fortinet thinks the campaign was run by APT34 (also known as Helix Kitten) an Iranian government-directed threat group.
Another Iranian threat group, APT35 (or Charming Kitten) has been, Hacker News reports, actively conducting ransomware attacks. The activity cluster is tracked, by Secureworks, as Cobalt Mirage. Two series of attacks are reported, One uses BitLocker and DiskCryptor "for financial gain;" the other, while it also deployed ransomware opportunistically, is directed principally toward gaining access to, and collecting intelligence from, espionage targets.
Roblox vulnerabilities undergoing active exploitation.
Avanan reports that a Trojan file "hidden within a legitimate scripting engine that’s used for cheat code" is affecting users of the popular gaming platform Roblox. "The tool," Synapse X," installs an executable file that installs library files into the Windows system folder, giving the program the potential to break applications, corrupt or remove data, or send information back to the hacker." Synapse X has legitimate uses, but in this case it's serving as a dropper, and one of the files it's dropping is a backdoor. The evident goal is to use Roblox as a way into networks of interest; it's not simply a hack designed to annoy gamers.
CIA gets a CISO.
Rick Baich, CISO at AIG, has agreed to return to Government service. He'll be assuming duties as the Central Intelligence Agency's Chief Information Security Officer and Director of the Office of Cyber Security.
CISA issues ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued an unusually large number of industrial control system (ICS) advisories:
The following sections pertain directly to the cyber phases of Russia's hybrid war against Ukraine. CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
War crimes, in physical space and cyberspace.
A captured Russian soldier has been placed on trial by Ukrainian authorities for the shooting of a civilian in the early days of the war. Deutsche Welle identifies the defendant as Vadim Shishimarin. His unit was fleeing Ukrainian forces east of Kyiv. His tank disabled, Shishimarin is said to have fired at, stopped, and stolen a civilian car. As they were driving away seeking safety, Shishimarin is said to have shot and killed a sixty-two-year-old man to prevent him from revealing their position. Shishimarin is said to have acknowledged the killing, but has yet to enter a plea. “I was ordered to shoot,” the AP quotes Shyshimarin as saying. “I shot one (round) at him. He falls. And we kept on going.” It's not known who ordered him to shoot, or how the order was received.
The casual murder of civilians is obviously a war crime, and waging aggressive war is a recognized crime against peace. What about cyberattacks? Under what conditions might a cyber operation constitute a war crime?
Wired reports that the the Human Rights Center at UC Berkeley's School of Law has formally requested that the Office of the Prosecutor for the International Criminal Court (ICC) in the Hague consider prosecuting the GRU's Sandworm group for war crimes. Those crimes weren't committed during the present war, however. The alleged crimes were the December 2015 targeting of electric utilities in Western Ukraine and the 2016 takedown of portions of the grid around Kyiv. affecting hundreds of thousands of civilians.
The Human Rights Center is interested in bringing cyberspace under the scope of international law, and in securing recognition of cyberspace as a fifth domain of warfare. The GRU's two cyberattacks are attractive cases for such purposes because they're well-attested and unambiguously attributed. They also had a clear kinetic effect: they disrupted power distribution in portions of Ukraine. And, finally, and this is most important for the laws of armed conflict, the attacks were indiscriminate, not directed against a military target, but instead directed against an essentially civilian population.
The extension of international law to cyberspace, and the deterrent effect this might have on other state actors, are the goals of the Human Rights Center's request. Given that the Sandworm hackers have already been indicted under domestic law (including US law) and have a price on their heads, as far as the individual operators are concerned an ICC action would amount to making the legal rubble bounce, but the Human Rights Center is seeking to establish a principle.
