This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack.
Russia’s Cyberwar Gets Smarter … and Dumber
Russia’s cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can’t resist destructive operations that are flashy but ultimately counterproductive.
In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On Jan. 2, Ukraine’s security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes and for damage assessment.
At first glance, this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report mentions only two cameras.
It turns out, however, that many of the video surveillance cameras sold in Ukraine prior to the war were managed with a system known as Trassir, which was developed by a Russian company. Trassir software was used by individuals and enterprises and was even installed at critical infrastructure facilities such as the Chernobyl nuclear power plant. Worse yet, the video feeds from these cameras were routed via Russian servers.
So although the SBU mentioned just two cameras in this case, Russian efforts to compromise cameras could be widespread. Early in 2022, the SBU blocked a large number of Russian IP addresses, including those of Trassir servers. Presumably, this explains why the hacked devices the SBU reported on were altered to stream video via YouTube rather than directly to a Russia-based IP address. In this month’s announcement, the SBU said it had stopped the operation of 10,000 IP cameras since the start of the invasion and appealed for Ukrainian citizens to report online camera streams to its official chatbot.
Hijacking surveillance cameras to provide targeting support is also a fairly sensible use of cyber operations, because it complements conventional military capabilities with the intent of making them more effective. It’s quiet, but potentially deadly.
By contrast, a Dec. 12, 2023, attack on Kyivstar, Ukraine’s largest mobile operator, is the stuff of cyberwar fantasies. However, the attack feels like a squandered opportunity as Russia does not appear to have taken significant advantage of it.
The Kyivstar attack left over half of Ukraine’s population without mobile and home internet services for two days. It also disrupted some banks and ATM services, point-of-sale terminals, and air-raid sirens.
Illia Vitiuk, the SBU’s cyber security chief, told Reuters this was a long-term operation and that the hackers had been in Kyivstar’s networks since at least May 2023. Vitiuk said they had probably had “full access” since at least November.
He described the attack as wiping “almost everything,” including thousands of virtual servers, and said it “completely destroyed the core of a telecoms operator.”
Despite what sounds like pretty comprehensive destruction, the disruption was relatively short-lived. Kyivstar services were back up within a matter of days, and the company’s CEO said services were fully restored just eight days after the attack.
The attack was not combined with any other significant Russian military action, such as a major drone or missile attack. And, according to Ukrainian government sources, there was relatively little impact on Ukrainian military communications.
When it comes to assessing the impact of this attack, timing is everything. If this type of attack had been executed in February 2022, at the beginning of Russia’s invasion and combined with Russia’s attack on Viasat’s KA-SAT satellite service, it could have measurably improved the chances of Russian military success.
Since the attack took place in December 2023, however, we think it is actually a net negative for Russia’s military prospects, because maintaining enduring access into Kyivstar would have been tremendously valuable. Vitiuk told Reuters the SBU assessed:
the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS-messages and perhaps steal Telegram accounts with the level of access they gained.
These capabilities would have been an intelligence gold mine that could have enabled many more impactful military actions over the longer term.
Destroying Kyivstar delivered a short-term sugar rush but pretty much guaranteed that the Russians lost access. This cuts against the trend in Russian operations toward intelligence gathering that we wrote about in September 2023, so we are left wondering what the motivation for this particular operation was.
The SBU’s Vitiuk attributed the attack to Russia’s Sandworm group (the GRU, Russian military intelligence) and said, regarding the timing of the operation, “[M]aybe some colonel wanted to become a general.” We don’t have a better explanation.
Predatory Sparrow Won’t Move the Needle in the Middle East
Israel is trying to use cyber operations to warn off regional foes, but the current conflict is just too hot for this strategy to work.
In mid-December, Predatory Sparrow, a purported hacktivist group believed to be a persona of the Israeli military, disrupted petrol supply systems in Iran. In a statement on Telegram, the group claimed to have disrupted “a majority of the gas pumps throughout Iran … in response to the aggression of the Islamic Republic and its proxies in the region.”
Although we don’t know yet if the technical details are the same, this appears to be a repeat of an October 2021 attack that Predatory Sparrow launched against Iran’s fuel subsidy system. In that attack, petrol stations shut down because they were unable to charge customers for fuel.
As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services.
We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation.
In this case, the operation is all about sending a message to Iranian leadership. In its Telegram posts, Predatory Sparrow directly warned Iran’s supreme leader, saying, “Khamenei, playing with fire has a price” and, a few days later, “Khamenei! Playing with proxies a girl can get burned.”
Previous Predatory Sparrow attacks took place in the context of a series of tit-for-tat destructive operations between Iran and Israel that appear to have been kick-started by an Iranian cyberattack on Israeli water infrastructure. At the time, we wrote:
Following reports of cyber attacks against Israeli water infrastructure in 2020, a suspiciously large number of things have caught fire or gone boom in Iran since, including the Natanz uranium enrichment facility, a missile production facility, an oil pipeline, a shipyard in the Iranian port of Bushehr, Iran’s largest warship, and an oil refinery.
Other less physically destructive incidents have involved cyber attacks on the port of Bandar Abbas and a wiper attack on Iran’s national rail system. Some of these incidents could be the result of deliberate state-backed actions; others may simply be accidents.
This one wasn’t an accident, though: In November last year, Iran’s top nuclear scientist was assassinated with a self-destructing remotely-controlled machine-gun.
At one level, using precisely executed cyber operations to send a warning is clearly better than using operations that cause a lot of collateral damage and therefore escalate conflict.
Having said that, however, we are not sure that signaling via cyber operations has actually worked for Predatory Sparrow. Its previous petrol station hack occurred in October 2021, and by June 2022 it was carrying out spectacular destructive attacks on three Iranian steel mills. If its signaling had worked, would it have needed to carry out further operations?
The geopolitical situation is also vastly different today. Israel is involved in a war against Hamas, Israel and Hezbollah are exchanging strikes back and forth across Lebanon, and Iran-backed Houthi rebels are attacking cargo ships in the Red Sea. There’s genuine diplomatic concern that the Israel-Hamas war could expand to encompass Hezbollah in Lebanon.
Given the situation, will the repeat of a two-year-old fuel supply disruption operation move the needle at all? We don’t think so.
Three Reasons to Be Cheerful This Week:
- ALPHV Disruption: In mid-December, the U.S. Department of Justice announced that it had disrupted the ALPHV (aka BlackCat) ransomware gang, which it described as the second most prolific ransomware-as-a-service brand. The Justice Department also revealed the FBI had developed a decryption tool that it had offered to 500 affected victims. That’s the good news, but the weird addendum is that, although the FBI was able to get credentials for the site, it wasn’t able to prevent ALPHV from “unseizing” it. This “tug of tor” is well described at Ars Technica.
- Scam city seized by Myanmar rebels: A city that is a hub for online scams known as “pig butchering” has been ceded by Myanmar’s military government to rebel forces that claim to be focused on cleaning up scam centers. The change in control ultimately seems to be driven by the People’s Republic of China’s (PRC’s) frustration with the pig butchering epidemic that has affected thousands of Chinese nationals. This ABC report has good coverage of the broader issues.
- More cyber-focused FBI agents overseas: The FBI told CyberScoop that it is increasing the number of cyber-focused FBI assistant legal attaches at American embassies overseas by six people to 22. Given the international nature of cybercrime, we are actually surprised there are so few.