Anna Delaney: Cyber operations keep impacting civilians as Russia's war continues, and a cardiologist stands accused of being a ransomware kingpin. But is he the victim? These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. More than 165 days after Russia invaded Ukraine, the conflict continues. Many might not think that cyberattacks have been a major feature of the war. But experts who've been tracking the conflict have counted more than 300 such cyber operations. Joining me to discuss is Mathew Schwartz, executive editor at ISMG. Matt, there's a sense that there never was a cyber war component to Russia's invasion. But you've reported on there being a substantial number of attacks.
Mathew Schwartz: Yes, more than 300 cyberattacks and cyber operations tied to the conflict have been tracked so far. That count comes from the CyberPeace Institute. It's an independent and neutral non-governmental organization based in Geneva, whose mission is to reduce the harm from cyberattacks on people's lives and promote responsible behavior, not least by governments. It's been monitoring how such online attacks, including against critical infrastructure, have been affecting civilians since Russian Federation forces first invaded Ukraine. I spoke with Emma Raffray, a senior analyst at the Institute.
Emma Raffray: At the core of our work are our data-centric projects, in which we document cyberattacks and the harm that's generated as a result of these attacks. We launched a platform called Cyber Attacks in Times of Conflict, in which we're tracking attacks on organizations in Ukraine, the Russian Federation and other countries, which have been attacked as a result of spillover effects of the conflict itself. So to date, we've documented attacks on 27 countries beyond Ukraine and the Russian Federation. We've got in excess of 300 cyberattacks documented as of July 29. The part that is most worrying in the context of the incidents that we've tracked to date is that 19 different sectors have been targeted as part of these campaigns. And of these, we've seen particularly worrisome attacks against public administrations, media organizations, the financial sector, the energy sector, telecommunications and ICT, as well as transportation networks. These are some sort of high-level figures, and so far we've also documented attribution by third parties to 36 different threat actors, ranging from nation states to hacking collectives and cybercriminal groups.
Schwartz: CyberPeace Institute tracks these attacks against four core categories: destruction, disruption, data weaponization, and disinformation and propaganda. It's important to note that the cyberattacks during the armed conflict in Ukraine have destroyed data and systems, disrupted critical infrastructure and services, controlled the information space and exfiltrated significant volumes of data.
Delaney: CyberPeace Institute has been tracking a high number of attacks. But do you think there's a lack of awareness of the true cyberattack impact being felt as a result of this conflict?
Schwartz: Definitely. There's a feeling that cyber war never happened. That's why the work being done by groups, such as CyberPeace Institute, is so important. Cataloging these attacks helps hold attackers, including governments, to account not least for the unacceptable impact their operations are having on civilians. I asked the Institute's Emma Raffray to describe that impact for me in more detail.
Raffray: This is the bread and butter of our work here at the Institute. Because of the appalling loss of life due to attacks using traditional weapons in Ukraine, the impact of cyberattacks and operations has been masked, in a way by the reporting of what are very distressing scenes in the country. The volume and scope of cyberattacks in Ukraine have been very high and would have normally drawn much higher attention if the kinetic attacks hadn't been so severe. In this situation, attacks against Ukraine by the Russians are not new. But what we're seeing in the context of war and what is causing us a significant amount of alarm and concern is attacks on critical infrastructure and essential services that are not military targets.
Delaney: What are some examples of this impact, Matt?
Schwartz: Unfortunately, there are so many. One of the biggest ones that a lot of people have heard of is access to the Viasat satellite communications network, which was knocked out on the day of the invasion. Another example is from April 8, when Ukraine successfully blocked an attack which, if it had succeeded, would have knocked out electricity for two million people. Another one comes from Emma Raffray. She told me that wiper malware has had an impact during the war, and sometimes in unexpected ways.
Raffray: When we look at destructive attacks, we've documented several of these, and how far they've caused harm to the civilian population. One of them was on February 25: a wiper attack that targeted the border control station. This slowed the processing of refugees crossing the border by train into Romania. This is one very real example of how cyberattacks have a concrete impact in real life and on the civilian population.
Schwartz: Unfortunately, one of the big takeaways here is that as the work continues, so do the online attacks and their unacceptable impact on civilians.
Delaney: Well, Matt, thank you very much for updating us on the conflict.
Schwartz: Thank you, Anna.
Delaney: You may recall a few months back the astonishing story of a Venezuelan doctor being charged by the U.S. for using and selling Thanos ransomware. It was not a story that ISMG's Jeremy Kirk was going to miss out on investigating in The Ransomware Files. In fact, the story is so intriguing that he has dedicated not one but two episodes to it. Here's the taster:
Jeremy Kirk: He is a practicing cardiologist living in Venezuela and also a cybercriminal mastermind. If U.S. prosecutors are to be believed, Moises Luis Zagala Gonzalez is a polymath who not only treats heart patients but also allegedly sells malicious software on the dark web. He was charged by the U.S. government in May with creating ransomware programs called Jigsaw and Thanos. The government alleges he's an old-school hacker from the late 1990s, who got into ransomware as a side hustle alongside his career as a cardiologist in Ciudad Bolivar. That's a city in southeastern Venezuela. Here's Alexander Mindlin, an assistant U.S. attorney with the Eastern District of New York, who will prosecute the case.
Alexander Mindlin: He's accused essentially of conspiring with users of his ransomware to carry out ransomware attacks on victim networks.
Kirk: Moises is now 55 years old, which is pretty far out of the typical age range of someone in the ransomware business. By all appearances, he comes from a really high-achieving family. There's a brother who is a dental specialist, another brother is a lawyer and yet another is in a high-ranking job in the national police. People who know him and his family are dumbfounded and say the accusations could absolutely not be true.
Amalia Guevara: I know Moises and his family and they are a beautiful family, very united. I have never known them to be involved in anything out of the ordinary.
Kirk: But Moises' wife says there's a reason for her husband's predicament and that he will defend himself.
Rosanny Zagala: Moises is a man of integrity, a family man with values and principles who would never lend himself to such acts. God willing, we'll get the right legal team to clear his name.
Kirk: The U.S. government accessed what it alleges are Moises' online accounts, including one that held cryptocurrency, as well as Gmail and PayPal accounts. There's a wealth of digital evidence that's cited in the criminal complaint, including digital accounts that are under the name Moises Zagala. But how does it all add up? And would it be a slam-dunk case against him if he went to trial?
Tony Martino: It seems too difficult for this to be exactly true. Could anyone this smart be that sloppy?
Kirk: The voice you're hearing is from a digital forensics expert who has worked on complicated cases involving digital evidence.
Martino: My name is Tony Martino. I'm the director of the Northeast Cyber Forensics Center at Utica University in Utica, New York.
Kirk: Tony reviewed the government's complaint against Moises. Tony says with digital evidence, you still have to have a strong link between the cyber world and someone's body. He's not convinced that the government has necessarily shown that in this case. But Tony cautions that the government doesn't have to show all its cards in a criminal complaint. It may have more compelling evidence that we haven't seen.
Martino: That's always the key in cyber investigation: who actually did it? Not what user account did it, or even what IP address did it - who was at the keyboard and the mouse when it happened? That's been a problem since the dawn of cybercrime.
Kirk: There's much more in this episode of The Ransomware Files. It's called Dr. Ransomware, Part 2, and is part of a two-part series on this fascinating case. The second episode looks at Moises, and whether perhaps we're all just missing something. You can find it on ISMG's websites or wherever you get your podcasts. For Information Security Media Group, I'm Jeremy Kirk.
Delaney: I spoke recently with Sandy Carielli, principal analyst at Forrester, who shared the latest bot management trends she has detailed in the Forrester Wave: Bot Management, Q2 2022 report. I asked her for her advice on effective bot management strategies that online businesses should consider. Here she is:
Sandy Carielli: One of the things, Anna, that I think people didn't realize early on with bots is they thought it was just another application attack. They thought that, "Okay, it's a huge influx of automated traffic trying to take advantage of our application. So, of course, our web application firewall or our data service is going to protect us from that." One of the trends that I think people have realized is that you do need a bot management solution. You do need something that looks at business logic types of attacks, because that's what bots are going after. They're not usually going after failures in web applications. There is this notion of web recon, where bots will look for flaws in web apps in order to mount a more sophisticated attack later, but that is less common than bots that are trying to do credential stuffing or bots that are trying to do inventory hoarding. That's where a lot of the news is. PS5 a couple of years ago, graphics cards, now even hoarding of vaccines, hoarding of other types of things that are in low supply: anything that people want that is hard to get, you're starting to see bots come to the fore. I was talking to one vendor several months ago, and I made a joke, and I said, "Alright, we're going to see formula bots soon, because there was that whole run on baby formula." And he turned to me and said, "Sandy, already seeing them." I think the important thing to know is that while you have all of your traditional web application protections, you do need that bot-specific element that's going to speak to the business logic.
Delaney: That's it from the ISMG Security Report. I'm Anna Delaney. Until next time!