Welcome to The Cybersecurity 202. I’m guest-hosting today’s edition, enjoy! There won’t be a Cybersecurity 202 tomorrow or Monday, but we’ll will be back Tuesday.

Below: Apple announces a new security feature to protect high-risk users from spyware, and U.S. agencies warn that North Korean hackers are trying to infect health-care networks with ransomware. 

A top ransomware distributor has targeted Ukraine six times since Russia’s invasion

We have a potentially major development in the murky world of ransomware gangs, a world made even murkier by ongoing questions about which of them are motivated strictly by money, which of them are simply disguised government operations, and which fall somewhere in between. 

In a report out this morning, IBM security researchers say that Trickbot, one of the most active ransomware distributors of the past several years, has hit targets inside Ukraine in six separate campaigns since Russia invaded in February. 

While the first two of those efforts were scattershot, looking to infect anyone, some in May and June were carefully selected elements of critical infrastructure, where the group installed Cobalt Strike, a common exploitation tool that typically needs hands-on governance. That suggests that the longtime money-chasers were doing work on behalf of the Russian government, or at a minimum in enthusiastic support of it. 

IBM based its analysis on malware samples uploaded by victims to VirusTotal, senior researcher Ole Villadsen told me. Those provided links between various campaigns, in part when the same encryption scheme was used. 

The encryption deployed in the recent Ukraine waves isn’t necessarily limited to use by Trickbot alone, but Villadsen said IBM believes it circulates only among those with strong ties to the group, what he termed “friends and family.”  

Trickbot means different things to different people, especially to experts. 

It began life as a banking credential-stealer in 2016, even then overlapped with a crime group some believed was close to Russian authorities, known as Dyre. (That speculation increased when authorities conducted a raid on the gang and then never announced charges.)  

It then began offering services to other gangs, who paid it to install their own malware. When the crime of the moment became ransomware, that’s where the Trickbot network went as well, putting Ryuk and other nastiness on machines worldwide. 

Trickbot as a whole has perhaps up to 200 people, mostly in the services-for-others wing, or did before U.S. Cyber Command and Microsoft tried hard to disrupt its operations nearly two years ago. 

But it has a core leadership that directs some of the outfit’s own operations. Many analysts say that now includes the nice people behind Conti, the ransomware that has picked its targets carefully and raked in millions of dollars in multiple scores. 

It is this same core group that Villadsen said is now running the latest Ukrainian operations. 

If that checks out — Caveat 2: A competitor said he didn’t agree with some of IBM’s assumptions — it would fit with Conti’s post-invasion declaration of loyalty to the Russian government. That same declaration backfired when a Ukrainian member of the group quit and posted reams of internal chats, including one in which two other members discussed setting up a separate office solely for government business. 

The leaks included names and addresses of some Conti leaders but mysteriously led to no known arrests; in retrospect, that could have given Russian national authorities more leverage over the gang. 

That leak also cost Conti credibility with its outside affiliates who installed its ransomware in exchange for a cut of the profits, and the group appeared to splinter after one last hurrah, the ransoming of the entire government of Costa Rica. 

Some researchers said Conti was slimming down just to Russian employees. Others said it was giving up the Conti brand and using a grab bag of new names. A senior federal official told me the jury is still out. 

  • “They seemed to have launched a number of brands,” said Emsisoft analyst Brett Callow. “It’s hard to say who is what. There is considerable crossover between the groups.”

As I said, this world was already murky, which is a problem not just for analysts and reporters but for law enforcement trying to beat the odds and hold someone accountable, at least when they travel somewhere with extradition. 

Part of the murk is that many crime groups use multiple services for distribution, including Trickbot.

Caveat 3: When one group moves too close to the Russian government and gets sanctioned, it changes names and often infrastructure and partners. 

  • “It’s invulnerable because it’s a marketplace,” Mandiant Vice President John Hultquist told me. “Any single actor can be replaced by a dozen high-value alternatives.”

That said, a major group carrying water for a government’s war objectives is major new territory, Callow and others said. 

  • As Villadsen put it: “We have a shift in their targeting, it coincides with the invasion of Ukraine, and we are seeing both indiscriminate and targeted attacks — all of which signal a fairly big change in the criminal ecosystem.”

Apple unveiled a new security measure to block spyware

Apple software’s new “Lockdown Mode” will block many attachments on messages and prevent links from previewing on devices belonging to potential victims of government spyware, I reported yesterday. Apple is releasing the feature on test versions of its operating system and plans to roll out the feature more broadly in the fall.

“The vast majority of users” won’t need to use the feature, said Apple head of security engineering Ivan Krstić. Users will be able to easily toggle the feature on and off.

“Apple’s lockdown tactic resolves a long-standing tension in its design approach between security concerns and the pursuit of easy-to-use, highly functional capabilities,” I wrote. “The extra usability made the phones more vulnerable to attack through iMessage, FaceTime and other software. Lockdown Mode gives users the choice of whether to maintain those features. When activated, it limits what the phone can do.”

Apple sued the Israeli firm NSO Group and notified potential victims of its Pegasus spyware after The Post and 16 media partners reported last year that Pegasus was used to target activists, journalists and executives. The Biden administration also put NSO on a blacklist last year, restricting its ability to receive American technologies.

Parker Higgins, with Freedom of the Press Foundation:

North Korea targeting U.S. health-care sector with ransomware, officials warn

U.S. agencies warned that hackers have deployed “Maui” ransomware to lock health-care servers, with some disruptions lasting for “prolonged periods,” CyberScoop’s Tim Starks reports. Cybersecurity firm Stairwell said it first saw the ransomware strain this April, but the FBI has been responding to the type of ransomware in the health-care sector since May 2021, a U.S. government alert said. 

“The Wednesday alert came with a reminder of September guidance from the Treasury Department that paying ransomware operators potentially puts victims at risk of violating Office of Foreign Assets Control regulations,” though the memo noted that “cooperating with law enforcement and improving cybersecurity practices lessens that risk,” Starks writes. “Treasury has designated the North Korean government-backed hacking outfit known as the Lazarus Group and two subgroups under its sanctions program.”

FBI and MI5 directors warn about Chinese hacking

FBI Director Christopher A. Wray warned that the threat China poses to Western businesses is “getting worse,” Devlin Barrett reports. Wray’s speech, which was delivered alongside Ken McCallum, the director general of U.K. domestic security service MI5, marked the first such event featuring the leaders of the two agencies, officials said.

“Wray’s remarks represent the latest in a series of public warnings he has given about the dangers posed by China to U.S. and European economic interests,” Devlin writes. “But Wednesday’s speech seemed designed to try to rally Britain’s business community to help fight Chinese hacking, theft of trade secrets and surreptitious lobbying on efforts ranging from human rights to the possibility — however slim — of a Chinese invasion of Taiwan.”

Last year, the U.S. government, European Union, NATO and other allies accused China of hacking Microsoft’s widely used email server software. At the time, officials said it amounted to the largest condemnation of Chinese hacking to that point, my colleagues reported.

  • China-backed hackers are ramping up their hacks of Russian organizations, SentinelLabs says in a new report on a hacking campaign. “The attacker continues their long history of Russian targeting; however, the rate of Russian and Russia-relevant targets in recent weeks may indicate increased prioritization,” SentinelLabs said. They added that it appears to have been carried out for espionage purposes.
  • Russia is trying to divide Ukraine’s Western allies and carry out other influence campaigns centered on food security, economic and other issues amid the Ukraine war, Recorded Future said.

Cyber firm Group-IB to split Russian, international businesses (Reuters)

Most countries lack crypto information-sharing laws, watchdog says (The Wall Street Journal)

Security advisory accidentally exposes vulnerable systems (Bleeping Computer)

Breaking down the cyber amendments to the House defense policy bill (The Record)

Axie Infinity’s blockchain was reportedly hacked via a fake LinkedIn job offer (The Verge)

  • Col. Candice E. Frost, the commander of U.S. Cyber Command’s Joint Intelligence Operations Center, speaks at a NightDragon event today at 4:30 p.m.
  • The Atlantic Council hosts an event on new U.K. data protection rules Tuesday at 9 a.m.

Thanks for reading. See you next week.