Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Sandworm. Show all posts

ICC Investigates Russian Cyberattacks on Ukraine as War Crimes

 



The International Criminal Court (ICC) is conducting an unprecedented investigation into alleged Russian cyberattacks on Ukrainian civilian infrastructure, considering them possible war crimes. This marks the first time international prosecutors have delved into cyber warfare, potentially leading to arrest warrants if sufficient evidence is gathered.

Prosecutors are examining cyberattacks on infrastructure that jeopardised lives by disrupting power and water supplies, cutting connections to emergency responders, or knocking out mobile data services that transmit air raid warnings. An official familiar with the case, who requested anonymity, confirmed the ICC's focus on cyberattacks since the onset of Russia’s full-scale invasion in February 2022. Additionally, sources close to the ICC prosecutor's office indicated that the investigation might extend back to 2015, following Russia's annexation of Crimea.

Ukraine is actively collaborating with ICC prosecutors, collecting evidence to support the investigation. While the ICC prosecutor's office has declined to comment on ongoing investigations, it has previously stated its jurisdiction to probe cybercrimes. The investigation could set a significant legal precedent, clarifying the application of international humanitarian law to cyber warfare.

Among the cyberattacks being investigated, at least four major attacks on energy infrastructure stand out. Sources identified the hacker group "Sandworm," believed to be linked to Russian military intelligence, as a primary suspect. Sandworm has been implicated in several high-profile cyberattacks, including a 2015 attack on Ukraine's power grid. Additionally, the activist hacker group "Solntsepyok," allegedly a front for Sandworm, claimed responsibility for a December 2022 attack on the Ukrainian mobile provider Kyivstar.

The investigation raises questions about whether cyberattacks can constitute war crimes under international law. The Geneva Conventions prohibit attacks on civilian objects, but there is no universally accepted definition of cyber war crimes. Legal scholars, through the Tallinn Manual, have attempted to outline the application of international law to cyber operations. Experts argue that the foreseeable consequences of cyberattacks, such as endangering civilian lives, could meet the criteria for war crimes.

If the ICC prosecutes these cyberattacks as war crimes, it would provide much-needed clarity on the legal status of cyber warfare. Professor Michael Schmitt of the University of Reading, a key figure in the Tallinn Manual process, believes that attacks like the one on Kyivstar meet the criteria for war crimes due to their foreseeable impact on human lives. Ukraine’s intelligence agency, the SBU, has provided detailed information about the incident to ICC investigators.

Russia, which is not an ICC member, has dismissed accusations of cyberattacks as attempts to incite anti-Russian sentiment. Despite this, the ICC has issued four arrest warrants against senior Russian figures since the invasion began, including President Vladimir Putin. Ukraine, while not an ICC member, has granted the court jurisdiction to prosecute crimes on its territory.

The ICC's probe into Russian cyberattacks on Ukrainian infrastructure could redefine the boundaries of international law in cyberspace. As the investigation unfolds, it may establish a precedent for holding perpetrators of cyber warfare accountable under international humanitarian law.


APT44: Unearthing Sandworm - A Cyber Threat Beyond Borders


APT44: Operations Against Ukraine

A hacking group responsible for cyberattacks on water systems in the United States, Poland, and France is linked to the Russian military, according to a cybersecurity firm, indicating that Moscow may escalate its efforts to target opponents' infrastructure.

Sandworm has long been known as Unit 74455 of Russia's GRU military intelligence organization, and it has been linked to attacks on Ukrainian telecom providers as well as the NotPetya malware campaign, which damaged companies worldwide.

Global Scope

Researchers at Mandiant, a security business owned by Google Cloud, discovered that Sandworm appears to have a direct link to multiple pro-Russia hacktivist organizations. Mandiant believes Sandworm can "direct and influence" the activities of Russia's Cyber Army.

One of them is the Cyber Army of Russia Reborn (CARR), also known as the Cyber Army of Russia, which has claimed responsibility for cyberattacks against water infrastructure this year.

One attack occurred in Muleshoe, Texas, causing a water tower to overflow and spilling tens of thousands of gallons of water down the street.

Ramon Sanchez, the city's manager, told The Washington Post that the password for the system's control system interface had been compromised, adding, "You don't think that's going to happen to you." Around the same time, two additional north Texas communities, Abernathy and Hale Center, discovered hostile activity on their networks.

Mapping APT44

1. The Rise of APT44

APT44 is not your run-of-the-mill hacking group. It operates with surgical precision, blending espionage, sabotage, and influence operations into a seamless playbook. Unlike specialized units, APT44 is a jack-of-all-trades, capable of infiltrating networks, manipulating information, and disrupting critical infrastructure.

2. Sabotage in Ukraine

Ukraine has borne the brunt of APT44’s wrath. The group’s aggressive cyber sabotage tactics have targeted critical sectors, including energy and transportation. Their weapon of choice? Wiper malware that erases data and cripples systems. These attacks often coincide with conventional military offensives, amplifying their impact.

3. A Global Threat

But APT44’s reach extends far beyond Ukraine’s borders. It operates in geopolitical hotspots, aligning its actions with Russia’s strategic interests. As the world gears up for national elections, APT44’s interference attempts pose a grave threat. Imagine a digital hand tampering with the scales of democracy.

4. Graduation to APT44

Mandiant has officially christened Sandworm as APT44. This isn’t just a name change; it’s a recognition of the group’s maturity and menace. The report provides insights into APT44’s new operations, retrospective analysis, and context. Organizations must heed the warning signs and fortify their defenses.

AWS Employs MadPot Decoy System to Thwart APTs and Botnets

 

Amazon Web Services (AWS), a prominent player in cloud computing, has unveiled its internal defense system, MadPot, which has proven effective in luring and trapping malicious activities, including those orchestrated by nation-state-backed Advanced Persistent Threats (APTs) such as Volt Typhoon and Sandworm.

Conceived by AWS software engineer Nima Sharifi Mehr, MadPot is described as an advanced network of monitoring sensors equipped with automated response capabilities. This system ensnares malicious actors, monitors their actions, and generates protective data for various AWS security products.

MadPot is ingeniously designed to mimic numerous plausible targets, thwarting Distributed Denial of Service (DDoS) botnets, and preemptively blocking formidable threat actors like Sandworm from compromising AWS customers.

According to AWS, the sensors are vigilant over a staggering 100 million potential threat interactions and probes daily worldwide. Out of these, about 500,000 are identified as malicious activities, and this colossal trove of threat intelligence is meticulously analyzed to provide actionable insights on potentially harmful online activities. 

The response capabilities automatically shield the AWS network from identified threats, and they also reach out to other companies whose infrastructure is being exploited for malicious purposes.

In the case of Sandworm, the honeypot effectively intercepted the actor's attempt to exploit a security vulnerability in WatchGuard network security appliances. AWS not only identified IP addresses but also other distinct attributes linked to the Sandworm threat involved in the attempted breach of an AWS customer.

MadPot's remarkable capability to simulate a range of services and engage in extensive interactions enabled AWS to gather additional insights about Sandworm campaigns. This included specific services targeted by the actor and post-exploitation commands initiated by them. Armed with this intelligence, AWS promptly informed the affected customer, who took swift action to rectify the vulnerability.

Furthermore, AWS highlighted that the data and insights gathered by MadPot are harnessed to enhance the efficacy of their security tools, including AWS WAF, AWS Shield, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. These are complemented by detective and reactive services like Amazon GuardDuty, AWS Security Hub, and Amazon Inspector.

Russia- Linked Sandworm Enacted Ukrainian Telecoms for Injecting Malicious Code


It was discovered that a Russian-based hacker known as Sandworm, impersonating Ukrainian telecommunications, targeted its entities and injected malware into them, leading to software infections throughout the country. 
 
The Sandworm is a group of hackers that are closely connected with the foreign military intelligence service of the Russian government called the GRU as a military unit 7445. It is an Advanced Persistent Threat (APT) group, which was responsible for several cyberattacks including on Ukrainian energy infrastructure. 
 
The recorded future was spying over the operations of government as well as private sectors. As per the report of “recorded future”, the rise in activities of Sandworm has been noticed since August 2022, tracked by the Computer emergency response team of Ukraine (CERT-UA). It is obvious from the frequency with which the Sandworm has been observed employing DNS domains for control and command infrastructure that it is a ruse to attack Ukrainian computers. 
 
Recorded Future further added in the report that, the APT group found a new infrastructure of UAC-0113, which imitates the operators such as Datagroup, and EuroTrans Telecom, which were responsible for placing DarkCrystal RAT, previously. 
 
The Recorded Future’s report entails “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.” 
 
This new infrastructure of Advanced persistent threat group UAC-0113 distributed the commodity malicious ISO Colibri Loader and Warzone RAT by using HTML smuggling. This smuggling technique uses legalized features of HTML and JavaScript to inject malicious codes under security controls. 
 
The super-hacker team of Russia, Sandworm, is popularly known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. In further research, it was also found responsible for the dropping of a botnet known as “Cyclops Blink”, which subjugated internet-connected firewall devices, etc from WatchGuard and ASUS. 
 
This APT group had also captured U.S. software under its cyberattacks, due to which the U.S government announced a reward of $10 million for providing the information of the hackers behind this Russian threat actor group. 
 
There are several examples of domains being used as masquerade such as the domain “datagroup[.]ddns[.]net”, tracked by CERT-UA, in June. It impersonated the data group as its online portal. Another example of deception is Kyivstar, in which the domain “kyiv-star[.]ddns[.net” was used by Sandworm against Ukrainian telecom services.

Russian Hackers Sabotaging Critical U.S Infrastructure

Among every state-sponsored hacking group that has attacked the U.S power grid, and went beyond to compromise American Electric Utilities, only Sandworm, a Russian Espionage group, has been bold enough to activate real blackouts, compelling lights shutdown in Ukraine in 2015 and 2016. A firm that emphasizes grid security has issued a warning that a criminal group that has links to Sandworm's highly sophisticated hackers has been successfully attacking US energy systems and it's been years.

Wired reports, "Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany's electric sector in 2017." Recently, Dragos, an industrial cybersecurity firm issued its yearly report on the current state of industrial controls systems security. The report has identified four new foreign criminal groups which target these critical infrastructure systems. Three of these four groups have attacked US industrial control systems. 

However, the most notorious group is Kamacite, according to Dragos. The group, says Dragos, may have worked with Gru's Sandworm. In the past, Kamacite has worked as Sandworm's access team. Experts believe it emphasized getting a stronghold in the victim network before giving access to other Sandworm hacking groups. These groups, in turn, have performed the cyberattacks. As per cybersecurity agencies, Kamacite has targeted US electric utilities, gas and oil, and other organizations on various occasions. These attacks date back to 2017.  Experts believe that the group is continuously attacking the US electric utility sector to maintain a presence of a threat. 

In few incidents over the years, the group has successfully managed to breach US target networks, which allowed them to gain access to the utilities. Sergio Caltagirone, Dragos vice president of threat intelligence and former NSA analyst says that "if you see Kamacite in an industrial network or targeting industrial entities, you clearly can't be confident they're just gathering information. You have to assume something else follows. Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations."