
Sitting Ducks DNS Attack Hijacks 35,000 Domains

 

Cybersecurity researchers have uncovered a significant threat affecting the internet's Domain Name System (DNS) infrastructure, known as the "Sitting Ducks" attack. This sophisticated method allows cybercriminals to hijack domains without needing access to the owner's account at the DNS provider or registrar. 

Researchers from DNS security firm Infoblox and hardware protection company Eclypsium revealed that more than one million domains are vulnerable to this attack daily. This has resulted in over 35,000 confirmed domain hijackings, primarily due to poor domain verification practices by DNS providers. The Sitting Ducks attack exploits misconfigurations at the registrar level and insufficient ownership verification. Attackers leverage these vulnerabilities to take control of domains through "lame" delegations, making the hijacking process more effective and harder to detect. 

Once in control, these hijacked domains are used for malware distribution, phishing, brand impersonation, and data theft. Russian threat actors have been particularly active, with twelve known cyber-gangs using this method since 2018 to seize at least 35,000 domains. These attackers often view weak DNS providers as "domain lending libraries," rotating control of compromised domains every 30-60 days to avoid detection. 

The Sitting Ducks attack has been exploited by several cybercriminal groups. "Spammy Bear" hijacked GoDaddy domains in late 2018 for spam campaigns. "Vacant Viper" began using Sitting Ducks in December 2019, hijacking 2,500 domains yearly for the 404TDS system to distribute the IcedID malware and set up command and control (C2) domains. "VexTrio Viper" started using the attack in early 2020, employing the hijacked domains in a massive traffic distribution system (TDS) that supports the SocGholish and ClearFake operations. 

Additionally, several smaller and unknown actors have used Sitting Ducks to create TDS, spam distribution, and phishing networks. Despite the Sitting Ducks attack being reported in 2016, the vulnerability remains largely unresolved. This highlights the critical yet often neglected aspect of DNS security within broader cybersecurity efforts. 

To effectively combat this pressing cybersecurity threat, a collaborative effort is essential involving domain holders, DNS providers, registrars, regulatory bodies, and the broader cybersecurity community. Infoblox and Eclypsium are playing a crucial role by partnering with law enforcement agencies and national Computer Emergency Response Teams (CERTs) to mitigate and diminish the impact of this critical security issue.

Ukraine Hacks ATMs Across Russia in Massive Cyberattack



On July 23, 2024, a massive cyberattack launched by Ukrainian hackers targeted Russian financial institutions, disrupting ATM services across the country. According to a source within Ukrainian intelligence, the attack is “gaining momentum” as it continues to cripple banking services. By July 27, the fifth day of the cyberattack, customers of several prominent Russian banks found themselves unable to withdraw cash. When attempting to use ATMs, their debit and credit cards were immediately blocked, leaving them stranded without access to their funds. 

The intelligence source, who provided written comments to the Kyiv Post, indicated that the attack had affected numerous banks, including Dom.RF, VTB Bank, Alfa-Bank, Sberbank, Raiffeisen Bank, RSHB Bank, Rosbank, Gazprombank, Tinkoff Bank, and iBank. The widespread disruption has caused significant inconvenience for customers and highlighted vulnerabilities within Russia’s financial infrastructure. The source in Ukrainian intelligence mocked the situation, suggesting that the Kremlin’s long-desired “import substitution” might now include reverting to wooden abacuses, paper savings books, and cave paintings for accounting. 

This remark underscores the scale of the disruption and the potential for outdated methods to replace modern financial technologies temporarily. The cyberattack represents a significant escalation in the ongoing cyber conflict between Ukraine and Russia. While cyberattacks have been frequent on both sides, the targeting of ATM services and the subsequent blocking of debit and credit cards mark a notable shift towards directly impacting ordinary citizens’ daily lives. This attack not only disrupts financial transactions but also instills a sense of insecurity and distrust in the reliability of banking systems. 

The list of affected banks reads like a who’s who of Russia’s financial sector, including both state-owned and private institutions. The inability to withdraw cash from ATMs during the attack has put pressure on these banks to quickly resolve the issues and restore normal services to their customers. However, the continued nature of the cyberattack suggests that solutions may not be forthcoming in the immediate future. The Ukrainian hackers’ ability to sustain such a large-scale cyberattack over several days indicates a high level of coordination and technical expertise. It also raises questions about the preparedness and resilience of Russian banks’ cybersecurity measures. 

As the attack progresses, it is likely that both sides will escalate their cyber capabilities, leading to further disruptions and countermeasures. The broader implications of this cyberattack are significant. It highlights the increasingly blurred lines between cyber warfare and traditional warfare, where digital attacks can cause real-world consequences. The disruption of banking services serves as a stark reminder of how dependent modern societies are on digital infrastructure and the potential vulnerabilities that come with it. 

In response to the ongoing cyberattack, Russian banks will need to bolster their cybersecurity defenses and develop contingency plans to mitigate the impact of such attacks in the future. Additionally, international cooperation and dialogue on cybersecurity norms and regulations will be crucial in preventing and responding to similar incidents on a global scale. As the situation develops, the cyber conflict between Ukraine and Russia will likely continue to evolve, with both sides seeking to leverage their technological capabilities to gain an advantage. The ongoing cyberattack on Russian ATMs is a clear demonstration of the disruptive potential of cyber warfare and the need for robust cybersecurity measures to protect critical infrastructure.

Hamilton City's Network is the Latest Casualty of the Global Cyberwar.

 

The attack that took down a large portion of the City of Hamilton's digital network is only the latest episode in a global cybersecurity conflict, says one of Canada's leading cybersecurity experts.

City officials have said little about the unprecedented attack on the municipality's network, which affected emergency services operations, the public library website, and the phone lines of council members. Although the specifics of the Sunday incident are not yet known, Charles Finlay, executive director of Rogers Cybersecure Catalyst, believes that the attack is part of a larger conflict with shadowy organisations determined to steal money and data.

“I don't think that the average citizen of Hamilton or any other city, fully understands what's at play here,” Finlay stated. “Our security services certainly are, but I don't think the average citizen is aware of the fact that institutions in Canada, including Hamilton, are at the front lines of what amounts to a global cybersecurity conflict.” 

On Sunday, city hall revealed service delays caused by what it later described as a "cybersecurity incident" that had far-reaching consequences for the city's network and related services. 

The specifics of what took place, however, remain unknown as local officials maintain a cloak of secrecy. So far, the city has refused to divulge the extent of the damage or how affected departments are operating. Emergency services are described as "operational," with some activities now being completed "manually," but officials refuse to disclose specifics.

The city also refuses to reveal whether sensitive data was stolen or is being held ransom.

According to Vanessa Iafolla of Halifax-based Anti-Fraud Intelligence Consulting, a municipality may prefer to delay reporting the extent of the harm in order to preserve an impression of security and control. 

Finlay and Iafolla said they can only speculate about what transpired because city hall hasn't provided any information. However, given the available details and the consequences of other institutions' attacks, a ransomware attack is a realistic possibility. 

A ransomware attack is one in which malicious software is installed on a network, allowing attackers to scan for and grab sensitive data. In the city's case, Iafolla said, that could mean personal information on employees and citizens, such as social insurance numbers and other identifying information.

“It's a safe bet that whatever they took is likely of real financial value,” concluded Iafolla. “It's difficult to speculate exactly what may have been taken, but I would be pretty confident in thinking whatever it is, is going to be a hot commodity.”

Pro-Palestinian Hacktivists Reportedly Employ Crucio Ransomware

 

In a recent development, a newly emerged pro-Palestine hacking collective identifying itself as the 'Soldiers of Solomon' has claimed responsibility for infiltrating more than 50 servers, security cameras, and smart city management systems located within the Nevatim Military area.

According to the group's statement, they employed a ransomware strain dubbed 'Crucio,' hinting at the possible use of Ransomware-as-a-Service. Additionally, they claim to have gained access to an extensive cache of data amounting to a staggering 25 terabytes.

In an unconventional public relations move, the Soldiers of Solomon disseminated this information via email to multiple threat intelligence firms, including Falconfeeds, alongside other influential entities actively engaged on Twitter.

To substantiate their claims, the group supplied visual evidence obtained from the breached CCTV systems, as well as images showcasing altered desktop wallpapers bearing their statement, as per Falconfeeds.

The year 2023 has witnessed a resurgence of hostilities between Israel and Palestine, culminating in a full-scale armed conflict. The longstanding discord between the two nations, which traces back to the early 20th century, has witnessed significant escalations since 2008. 

Reports indicate that while the 2014 conflict was marked by unprecedented devastation, the 2023 altercation raises concerns about an even higher casualty count.

The conflict zone in Gaza has become a focal point for retaliatory strikes from both hacktivist groups and Threat Actors (TAs), a trend anticipated given similar patterns observed since 2012. 

Cyberattacks have increasingly become complementary strategies within the context of contemporary warfare, a phenomenon noted even prior to the onset of the Russia-Ukraine conflict in early 2022.

Additionally, Cyble Research & Intelligence Labs (CRIL) has been meticulously curating intelligence amidst the fog of cyber-attacks, monitoring the activities of hacktivists and various threat actors to discern noteworthy developments in the cyber theatre. They have observed a diverse array of malicious techniques being employed by hacktivists and threat actors to exploit vulnerabilities in critical infrastructures and disrupt their operations.

Deepfakes: A Rising Threat to Cybersecurity and Society

 

The late NBA player Kobe Bryant appeared in the music video for Kendrick Lamar's song "The Heart Part 5", which stunned the audience. Deepfake technology was employed in the video to pay tribute to the late legend. 

Deepfakes are images and videos that have been altered with advanced deep learning technologies such as autoencoders or generative adversarial networks.

With the support of deepfake technology, realistic yet manipulated media assets can be easily generated. However, deepfake technology is deceptive. The technology is utilised in virtual reality, video games, and filmmaking, but it might also be used as a weapon in cyberwarfare, the fifth dimension of warfare. Additionally, it can be used to share false information to influence public opinion along with political agendas.

Cybercrime is on the rise as the internet's global penetration grows. According to the National Crime Records Bureau, there were around 50,000 incidents of cybercrime in 2020. The national capital witnessed a 111% increase in cybercrime in 2021 compared to 2020 as reported by NCRB.

The majority of these incidents involved online fraud, online sexual harassment, and the release of private content, among other things. Deepfake technology may lead to an increase in such incidents that are weaponized for financial gain. 

Notably, the technology is not only a threat to the right to privacy protected by Article 21 of the Constitution, but it also plays a key role in cases of humiliation, misinformation, and defamation. Whaling attacks, deepfake voice phishing, and other frauds that target individuals and companies are thus likely to rise. 

Mitigation Tips

The difficulties caused by deepfakes can be addressed using ChatGPT, the generative AI that has recently gained attention. To offer viable options, ChatGPT can be integrated into search engines. In order to combat the dissemination of misinformation, the AI-enabled ChatGPT, based on Natural Language Processing, is trained to reject inappropriate requests. It can also process complicated algorithms to carry out complex reasoning operations. 

In order to swiftly purge such information from the internet after deployment, the dataset needs to be fine-tuned using supervised learning. It can be further tweaked due to its accessibility to offer a quicker, more practical solution that is also affordable. However, to stop AI from scooping up new deepfakes from the test set, the train set must be constantly monitored. 

Additionally, a greater influx of cyber security specialists is required to achieve this. India currently spends only 0.7% of its GDP on research and development, compared to 3.3% in affluent nations like the United States of America. The National Cyber Security Policy of 2013 must be improved in order to adapt to new technologies and stop the spread of cybercrimes as these manipulations become more complex over time.

Microsoft Warns of Rise in Global Cyberespionage Operations

 

Government-sponsored cyberespionage campaigns and data operations are on the rise, and not just as a result of hacker spies deployed by typical suspects Russia and China.

So warns Microsoft in its annual Digital Defence Report, which evaluates nation-state and criminal behaviour recorded from July 2022 to June 2023. 

Ransomware attacks naturally draw attention due to their visible and immediate impact, but governments are doubling down on stealthy cyberespionage operations behind the scenes. 

"Nation states are becoming increasingly sophisticated and aggressive in their cyberespionage efforts, led by highly capable Chinese actors focused on the Asia-Pacific region in particular," Tom Burt, Microsoft's corporate vice president for customer security and trust, stated in an introduction to the report. 

Based on Microsoft's report, the US was the subject of the most cyberattacks last year, followed by Israel and Ukraine. The report notes an increase in activity last spring that targeted Western organisations, of which 46% were based in NATO states, particularly the U.S., the United Kingdom, and Poland.

The United States' intelligence agencies have frequently warned that Russia, China, Iran, and North Korea pose the greatest internet risks to national security and allies. According to Microsoft, the scale and sophistication of activities linked to each of those countries continue to grow, and their efforts to steal information and alter narratives target both adversaries and allies.

"Russian intelligence agencies have refocused their cyberattacks on espionage activity in support of their war against Ukraine, while continuing destructive cyberattacks in Ukraine and broader espionage efforts," Burt wrote in a blog post. 

China is still a significant player, concentrating particularly on gathering intelligence - particularly from U.S. defence and vital sectors, as well as Taiwan and even its own partners - and conducting influence operations, Microsoft reported.

Beijing additionally "deploys a vast network of coordinated accounts across dozens of platforms to spread covert propaganda" that targets Chinese speakers worldwide and occasionally spreads anti-American narratives, the report further reads. The nation's influence operations also emphasise "promoting a positive image of China through hundreds of multilingual lifestyle influencers."

There is ample evidence that Russia is using cyberespionage more frequently. Western intelligence authorities continue to issue warnings that the real scope of such operations is still unknown because they are intended to be stealthy and at times highly targeted. Long-term attacks might not be seen right away. 

The White House blamed the Russian Foreign Intelligence Service, or SVR, for the SolarWinds supply chain attack, which involved the injection of a Trojan into the Orion software updater. It's possible that the effort started in September 2019, but it wasn't discovered until December 2020, giving the SVR months to secure covert access to a number of extremely sensitive systems. 

Microsoft reports that nominal allies attack one another while conducting cyber operations and acquiring intelligence. Despite the meeting between Russian President Vladimir Putin and North Korean hereditary dictator Kim Jong Un last month, Pyongyang continues to carry out Moscow-centered espionage activities, with a particular emphasis on "nuclear energy, defence, and government policy intelligence collection." 

The threat from criminal groups continues to rise in addition to the risk from nation-state organisations. "Ransomware-as-a-service and phishing-as-a-service are key threats to businesses, and cybercriminals have conducted business email compromise and other cybercrimes, largely undeterred by the increasing commitment of global law enforcement resources," Burt added.

This Threat Actor Targeted NATO Summit Attendees

 

A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit is taking place in Vilnius, Lithuania, and will discuss the war in Ukraine and new memberships in NATO, including Sweden and Ukraine itself.

RomCom has created malicious documents that are likely to be distributed to supporters of Ukraine. The threat actor appears to have dry-tested the delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.

The malicious documents are likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that initialize an infection chain that garners system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).

BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of these were accessed from a single server that has been observed connecting to known RomCom infrastructure.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry says.

BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.

Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

Chinese-Sponsored Hacking Group Targeting Critical U.S. Infrastructure, Microsoft Claims

 

The employment of hackers to gather intelligence data is prevalent in practically every nation on earth. Intelligence organisations like the Fancy Bear and Equation Group are used by both the US and Russia. 

Microsoft Corp. stated last week that Volt Typhoon was "pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." Concern over the relationship between China and the US on Taiwan immediately arose after this statement. Pacific-wide cyberattacks may result from disputes between the US and China.

What precisely is a Volt Typhoon? 

A suspected hacker organisation goes by the name of "Volt Typhoon." The gang is thought to have China's support. The Volt Typhoon is reported to be capable of both digital sabotage and intelligence gathering. 

Is the Volt Typhoon a genuine threat to the infrastructure of the United States, or is it merely a new network of digital spies? 

Potential threats 

American infrastructure is thought to be seriously threatened by Volt Typhoon. The following are potential risks posed by the group:

Espionage concerns: Spying is a concern for experts. In the midst of tensions over Taiwan, experts believe Volt Typhoon is a group of hackers ready to attack the American infrastructure. 

The assessment of Microsoft is given a "moderate confidence" rating, which denotes that the idea is plausible and backed by reliable sources but is not yet fully supported. Few experts believe there is any proof of sabotage planning, despite the fact that many researchers have discovered and evaluated the group's many elements.

According to Marc Burnard and Secureworks, the Volt Typhoon currently appears to be designed to steal data from organisations that hold information about the U.S. government or military.

Volt Typhoon is known as the "Bronze Silhouette" by Secureworks, and according to Marc Burnard, its primary function is espionage. 

Sneaky storm: Almost all cyber spies try to hide their tracks; Microsoft and other analysts believe Volt Typhoon was a quiet operator that camouflaged its activity by passing it through hijacked network equipment such as residential routers. The group also carefully wiped evidence of intrusion from victims' logs.

China, on the other hand, has consistently denied any involvement in the Volt Typhoon cyberattack. However, Chinese cyberespionage efforts have been documented for more than two decades. Spying has become a major emphasis in the recent decade, since Western experts have linked breaches to specific units of the People's Liberation Army. US law enforcement has indicted a slew of Chinese operatives for eavesdropping on US secrets.

According to Secureworks in a blog post, Volt Typhoon's interest in operational security may stem from the US claims, as well as increased pressure from Chinese leaders to avoid scrutiny of its cyberespionage activities.

Mitigation tips

According to Microsoft's research on Volt Typhoon, spotting activity that exploits standard sign-in channels and system binaries requires behavioural monitoring, and remediation requires closing compromised accounts or resetting their credentials. In these circumstances, Microsoft recommends that security operations teams investigate the activities of compromised accounts for any malicious actions or exposed data.

Hospitals Cautioned Against Cybercrime, Following Medibank and Optus Wake-Up-Calls


Hospital facilities in Australia have been cautioned that they are likely to be forced to pay ransoms to threat actors in order to protect patients, as the threat to cyber security grows in the wake of "wake-up call" attacks. 

In the aftermath of massive hacks that affected millions of Medibank and Optus customers, the alarming alert is at the top of the list of predictions made by cyber security experts as 2023 approaches.

According to the cybersecurity firm Palo Alto Networks, it is high time that hospitals, government agencies and businesses start considering whether they would pay a ransom and how much they would pay.

It’s Just the Beginning

Mohiuddin Ahmed, a senior computing and security lecturer at Edith Cowan University, echoes the sentiment. He predicts not only increasing threats over the upcoming year, but also an increase in attacks on Australia's vital infrastructure, with "highly digitized" hospital systems among the prospective targets.

He warns that it is “just the beginning” for cyber attempts and attacks.

The recent breaches at Medibank and Optus would prompt criminals to wonder if Australia has other vulnerabilities.

"We use lots of internet-connected healthcare devices and if those devices are hacked and remotely compromised by these cyber criminals, we'll be left in a situation where we have to pay ransom, otherwise people's lives will be at stake," Dr. Ahmed says. 

"Imagine that for senior citizens using pacemakers or any other embedded or implanted devices […] Who knows, if we do not pay attention, if we do not follow cyber hygiene, things [may] go catastrophic,” he adds. 

According to Dr. Ahmed, international threat actors are apparently targeting Australia, partly due to its affluence and partly because the COVID pandemic has increased the cost of living.

Cybercrime: a Battlefield

Cyber security researcher Mamoun Alazab, on the other hand, equates cybercrime to a battlefield, saying it is a matter of when, not if, Australia will witness data leaks that eventually affect more people than the Medibank and Optus data breaches.

The associate professor of information technology at Charles Darwin University anticipates that the government will now be better organized in terms of cyber warfare, since it has become a part of national security.

Cyber Security Minister Clare O’Neil announced last month a 100-strong standing cybercrime operation, to be put into action by the federal police and Australian Signals Directorate, but Dr. Alazab warns that publicly announcing the operation could entice criminals into attempting more cyberattacks.

"We focus so much on [Australia's] offensive operation — we need to focus on the defensive operation […] We are encouraging other … criminal groups to get together to prove us wrong, to cause more embarrassment," Dr. Alazab said.  

FBI Cyber Experts to Examine Attacks on Montenegro Government Infrastructure

 

The U.S. Federal Bureau of Investigation (FBI) will deploy a team of cyber experts to Montenegro to examine a massive, coordinated attack on the Balkan nation's digital infrastructure, the interior ministry announced on Wednesday.

The rapid deployment of the FBI cyber team suggests "the excellent cooperation between the United States of America and Montenegro and proof that we can count on their support in any situation," said Montenegro's Ministry of Internal Affairs. 

Last week, a combination of ransomware and DDoS attacks disrupted government services and prompted the nation's electrical utility to switch to manual control. Montenegro's Agency for National Security accused Russia of being responsible for them and has said that up to €2.5mn were invested to launch cyber-attacks. 

“Coordinated Russian services are behind the cyber attack,” the ANB stated. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.” 

According to Dusan Polovic, the Director of the Directorate for Information Security, twelve state entities had 150 computers laced with malware following the assault, and while there was no permanent damage to Ministry of Public Administration data, certain retail tax collection was affected. 

The infected stations have been removed from the network and hard drives have been removed from them for further forensics, he said, adding that the priority is to put the tax system into operation, but this will be done only when it is completely secure. 

Government officials have confirmed that the National Security Agency (ANB) suspected that the Kremlin was behind the attacks, saying they could be retaliation after Montenegro joined NATO in 2017 despite strong opposition from Russia. It also joined Western sanctions against Moscow because of its invasion of Ukraine in February.
 
On Friday, the U.S. Embassy in Podgorica recommended U.S. citizens restrict movement and travel in the country to the necessities and have travel documents up to date and easily accessible, fearing that the attack could disrupt transportation (including border crossings and airport), and telecommunication sectors. 

Recently, Russia has also targeted multiple Eastern European nations including Moldova, Slovenia, and Bulgaria, via denial-of-service campaigns, which render websites unreachable by flooding them with junk data packets but don't damage data. But the assault against Montenegro's infrastructure seemed more coordinated, with targets including water supply systems, transportation services, and online government services, among many others.

Ukraine Hosts Massive Scale Simulation of Cyber-attack Against Energy Grid

 

Cybersecurity experts from throughout Ukraine took part in a large-scale cyber-attack simulation that echoed the destructive real-world strike on Ukraine's power infrastructure in 2015. 

With 250 participants, 49 teams battled – either digitally or in person at a Kiev venue – to earn points by resolving an attack against an imaginary energy provider after it had multiple unexpected system failures. Security experts from Ukraine's governmental and private sectors, as well as higher education institutions, worked for five and a half hours to determine the nature of a hostile network penetration before dismissing the intruder and recovering systems to normal operation. 

The winning team was Berezha Security Group from Kiev, and cybersecurity engineer Dmitry Korzhevin was the best-performing individual participant. The competition, which took place on December 2, was the latest Grid NetWars event hosted by SANS Institute, a US information security training organisation, with previous tournaments held in Singapore, India, Japan, and Australia. 

The event was also coordinated by Ukraine's National Security and Defense Council, State Service of Special Communication and Information Protection, and the Cybersecurity Critical Infrastructure project for the US Agency for International Development (USAID). 

Ihor Malchenyuk, head of cybersecurity regulatory assistance and institutional development at the USAID Cybersecurity for Critical Infrastructure in Ukraine project stated, “Every day 560,000 new malicious programs are detected in the world, therefore it is necessary to constantly improve qualifications and ‘pump’ the skills of cybersecurity specialists.” 

“Such competitions as Grid NetWars provide an opportunity to practice not only the knowledge and skills of each specialist separately but also train joint interaction. After all, the training conditions are as close to reality as possible.” 

Tim Conway, technical director of the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) programs at SANS, assisted event participants with the help of two other US-based infosec experts. 

“Grid NetWars is a product that has existed for a number of years and has been used in country-level exercises since its creation,” Conway told The Daily Swig. 

“It has also been leveraged by practitioners around the world who attend critical infrastructure or industrial control system-specific events like the SANS ICS Summit where Grid NetWars competitions are conducted in the evenings after courses.” 

The latest Ukraine-based event successfully enabled “participants to face real-world challenges, develop skillsets, gain exposure to technical tools, and most importantly ‘practice the way they play’ through collaboration, and provided the opportunity to work together in teams just like they would in a real-world incident response”, he added.

Conway assisted in the investigation of the 2015 attack on three Ukrainian power distribution centres, which knocked out power for up to six hours and left 225,000 people without power. A year later, the country's electrical grid was hit again, and Ukraine's then-president, Petro Poroshenko, said that thousands of recent cyberattacks on state institutions were proof that Russian secret agencies were waging a cyberwar against the country.