A chilling Russian cyber aim in Ukraine: Digital dossiers

By FRANK BAJAK
April 28, 2022

BOSTON (AP) — Russia’s relentless digital assaults on Ukraine may have caused less damage than many anticipated. But most of its hacking is focused on a different goal that gets less attention but has chilling potential consequences: data collection.

Ukrainian agencies breached on the eve of the Feb. 24 invasion include the Ministry of Internal Affairs, which oversees the police, national guard and border patrol. A month earlier, a national database of automobile insurance policies was raided during a diversionary cyberattack that defaced Ukrainian websites.

The hacks, paired with prewar data theft, likely armed Russia with extensive details on much of Ukraine’s population, cybersecurity and military intelligence analysts say. It’s information Russia can use to identify and locate Ukrainians most likely to resist an occupation, and potentially target them for internment or worse.

“Fantastically useful information if you’re planning an occupation,” Jack Watling, a military analyst at the U.K. think tank Royal United Services Institute, said of the auto insurance data, “knowing exactly which car everyone drives and where they live and all that.”

As the digital age evolves, information dominance is increasingly wielded for social control, as China has shown in its repression of the Uyghur minority. It was no surprise to Ukrainian officials that a prewar priority for Russia would be compiling information on committed patriots.

“The idea was to kill or imprison these people at the early stages of occupation,” Victor Zhora, a senior Ukrainian cyber defense official, alleged.

Aggressive data collection accelerated just ahead of the invasion, with hackers serving Russia’s military increasingly targeting individual Ukrainians, according to Zhora’s agency, the State Service for Special Communications and Information Protection.

Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, said via email that personal data continues to be a priority for Russian hackers as they attempt more government network breaches: “Cyberwarfare is really in the hot phase nowadays.”

There is little doubt political targeting is a goal. Ukraine says Russian forces have killed and kidnapped local leaders where they grab territory.

Demediuk was stingy with specifics but said Russian cyberattacks in mid-January and as the invasion commenced sought primarily to “destroy the information systems of government agencies and critical infrastructure” and included data theft.


Tripwire for real war? Cyber’s fuzzy rules of engagement

By FRANK BAJAK

February 14, 2022

BOSTON (AP) — President Joe Biden couldn’t have been more blunt about the risks of cyberattacks spinning out of control. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” he told his intelligence brain trust in July.

Now tensions are soaring over Ukraine with Western officials warning about the danger of Russia launching damaging cyberattacks against Ukraine’s NATO allies. While no one is suggesting that could lead to a full-blown war between nuclear-armed rivals, the risk of escalation is serious.

The danger is in the uncertainty about what crosses a digital red line. Cyberattacks, including those that cripple critical infrastructure with ransomware, have been on the rise for years and often go unpunished. It’s unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war.

“The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative. “It’s not clear what is allowed, what isn’t allowed.”


War censorship exposes Putin’s leaky internet controls

By FRANK BAJAK and BARBARA ORTUTAY
March 13, 2022

BOSTON (AP) — Long before waging war on Ukraine, President Vladimir Putin was working to make Russia’s internet a powerful tool of surveillance and social control akin to China’s so-called Great Firewall.

So when Western tech companies began cutting ties with Russia following its invasion, Russian investigative journalist Andrei Soldatov was alarmed. He’d spent years exposing Russian censorship and feared that well-intentioned efforts to aid Ukraine would instead help Putin isolate Russians from the free flow of information, aiding the Kremlin’s propaganda war.

“Look, guys, the only space the Russians have to talk about Ukraine, and what is going on in Russia, is Facebook,” Soldatov, now exiled in London, wrote on Facebook in the war’s first week. “You cannot just, like, kill our access.”

Facebook didn’t, although the Kremlin soon picked up that baton, throttling both Facebook and Twitter so badly they are effectively unreachable on the Russian internet. Putin has also blocked access to both Western media and independent news sites in the country, and a new law criminalizes spreading information that contradicts the government’s line. On Friday, the Kremlin said it would also restrict access to Instagram. By early Monday, the network monitor NetBlocks found network data showing the social network restricted in Russia across multiple users.

Yet the Kremlin’s latest censorship efforts have revealed serious shortcomings in the government’s bigger plans to straightjacket the internet. Any Russian with a modicum of tech smarts can circumvent Kremlin efforts to starve Russians of fact.

For instance, the government has so far had only limited success blocking the use of software known as virtual private networks, or VPNs, that allows users to evade content restrictions. The same goes for Putin’s attempts to restrict the use of other censorship-evading software.

That puts providers of internet bandwidth and associated services sympathetic to Ukraine’s plight in a tough spot. On one side, they face public pressure to punish the Russian state and economic reasons to limit services at a time when bills might well go unpaid. On the other, they’re wary of helping stifle a free flow of information that can counter Kremlin disinformation — for instance, the state’s claim that Russia’s military is heroically “liberating” Ukraine from fascists.

Amazon Web Services, a major provider of cloud computing services, continues to operate in Russia, although it says it’s not taking on any new customers. Both Cloudflare, which helps shield websites from denial-of-service attacks and malware, and Akamai, which boosts site performance by putting internet content closer to its audience, also continue to serve their Russian customers, with exceptions including cutting off state-owned companies and firms under sanctions.

Microsoft, by contrast, hasn’t said whether it will halt its cloud services in the country, although it has suspended all new sales of products and services.

U.S.-based Cogent, which provides a major “backbone” for internet traffic, has cut direct connections inside Russia but left open the pipes through subsidiaries of Russian network providers at exchanges physically outside the country. Another major U.S. backbone provider, Lumen, has done the same.


AP Exclusive: Polish opposition senator hacked with spyware

By VANESSA GERA and FRANK BAJAK

December 23, 2021

Polish Senator Krzysztof Brejza on the night of parliamentary elections on Oct. 13, 2019. An investigation by The Associated Press and Citizen Lab, a watchdog at the University of Toronto, has found that Brejza's mobile phone was hacked with military-grade Pegasus spyware nearly three dozen times in 2019 as he ran an opposition campaign to unseat the right-wing populist government in parliamentary elections. The ruling party won a slim majority and Brejza is convinced that the hacking of his phone gave it an unfair advantage. (AP Photo)

WARSAW, Poland (AP) — Polish Sen. Krzysztof Brejza’s mobile phone was hacked with sophisticated spyware nearly three dozen times in 2019 when he was running the opposition’s campaign against the right-wing populist government in parliamentary elections, an internet watchdog found.

Text messages stolen from Brejza’s phone — then doctored in a smear campaign — were aired by state-controlled TV in the heat of that race, which the ruling party narrowly won. With the hacking revelation, Brejza now questions whether the election was fair.

It’s the third finding by the University of Toronto’s nonprofit Citizen Lab that a Polish opposition figure was hacked with Pegasus spyware from the Israeli hacking tools firm NSO Group. Brejza’s phone was digitally broken into 33 times from April 26, 2019, to Oct. 23, 2019, said Citizen Lab researchers, who have been tracking government abuses of NSO malware for years.

The other two hacks were identified earlier this week after a joint Citizen Lab-Associated Press investigation. All three victims blame Poland’s government, which has refused to confirm or deny whether it ordered the hacks or is a client of NSO Group. State security services spokesman Stanislaw Zaryn insisted Thursday that the government does not wiretap illegally and obtains court orders in “justified cases.” He said any suggestions the Polish government surveils for political ends were false.


African internet riches threatened by lawsuit and corruption

Two young boys use a computer at an internet cafe in the low-income Kibera neighborhood of Nairobi, Kenya Wednesday, Sept. 29, 2021. Instead of serving Africa's internet development, millions of internet addresses reserved for Africa have been waylaid, some fraudulently, including in insider machinations linked to a former top employee of the nonprofit that assigns the continent's addresses. (AP Photo/Brian Inganga)

By ALAN SUDERMAN, FRANK BAJAK and RODNEY MUHUMUZA

November 23, 2021

KAMPALA, Uganda (AP) — Outsiders have long profited from Africa’s riches of gold, diamonds, and even people. Digital resources have proven no different.

Millions of internet addresses assigned to Africa have been waylaid, some fraudulently, including through insider machinations linked to a former top employee of the nonprofit that assigns the continent’s addresses. Instead of serving Africa’s internet development, many have benefited spammers and scammers, while others satiate Chinese appetites for pornography and gambling.

New leadership at the nonprofit, AFRINIC, is working to reclaim the lost addresses. But a legal challenge by a deep-pocketed Chinese businessman is threatening the body’s very existence.

The businessman is Lu Heng, a Hong Kong-based arbitrage specialist. Under contested circumstances, he obtained 6.2 million African addresses from 2013 to 2016. That’s about 5% of the continent’s total — more than Kenya has.

AFRINIC made no claim of graft when it revoked Lu’s addresses, now worth about $150 million, saying his company was not adequately serving Africa’s interests. Lu fought back. His lawyers in late July persuaded a judge in Mauritius, where AFRINIC is based, to freeze its bank accounts. His company also filed an $80 million defamation claim against AFRINIC and its new CEO.

It’s a shock to the global networking community, which has long considered the internet as technological scaffolding for advancing society. Some worry it could undermine the entire numerical address system that makes the internet work.


Big Pentagon internet mystery partially solved

By FRANK BAJAK

April 25, 2021

BOSTON (AP) — A very strange thing happened on the internet the day President Joe Biden was sworn in. A shadowy company residing at a shared workspace above a Florida bank announced to the world’s computer networks that it was now managing a colossal, previously idle chunk of the internet owned by the U.S. Department of Defense.

That real estate has since more than quadrupled to 175 million addresses — about 1/25th the size of the current internet.

“It is massive. That is the biggest thing in the history of the internet,” said Doug Madory, director of internet analysis at Kentik, a network operating company. It’s also more than twice the size of the internet space actually used by the Pentagon.

After weeks of wonder by the networking community, the Pentagon has now provided a very terse explanation for what it’s doing. But it has not answered many basic questions, beginning with why it chose to entrust management of the address space to a company that seems not to have existed until September.


In crosshairs of ransomware crooks, cyber insurers struggle

By FRANK BAJAK

July 5, 2021

BOSTON (AP) — In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.

Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.

FILE - In this Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to the company's 2018 annual results presentation, in Paris. The cyber insurance industry, once a profitable niche, is now in the crosshairs of ransomware criminals. Pressure is building on the industry to stop reimbursing for ransoms, but so far only one major cyber insurer, AXA, is doing so — and only with new policies in France. To try to absorb the growing onslaught and stay profitable, insurers are retooling coverage, demanding clients up their security. (AP Photo/Thibault Camus, File)

Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.

Now, the sector isn’t just in the criminals’ crosshairs. It’s teetering on the edge of profitability, upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70%, the break-even point.


EXPLAINER: No ransomware silver bullet, crooks out of reach

By FRANK BAJAK

April 29, 2021

BOSTON (AP) — Political hand-wringing in Washington over Russia’s hacking of federal agencies and interference in U.S. politics has mostly overshadowed a worsening digital scourge with a far broader wallop: crippling and dispiriting extortionary ransomware attacks by cybercriminal mafias that mostly operate in foreign safe havens out of the reach of Western law enforcement.

Stricken in the United States alone last year were more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions. Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.

All the while, ransomware gangsters have become more brazen and cocky as they put more and more lives and livelihoods at risk. This week, one syndicate threatened to make available to local criminal gangs data they say they stole from the Washington, D.C., metro police on informants. Another recently offered to share data purloined from corporate victims with Wall Street inside traders. Cybercriminals have even reached out directly to people whose personal info was harvested from third parties to pressure victims to pay up.

“In general, the ransomware actors have gotten more bold and more ruthless,” said Allan Liska, an analyst with the cybersecurity firm Recorded Future.

On Thursday, a public-private task force including Microsoft, Amazon, the National Governors Association, the FBI, Secret Service and Britain and Canada’s elite crime agencies delivered to the White House an 81-page urgent action plan for an aggressive and comprehensive whole-of-government assault on ransomware.


Tech audit of Colonial Pipeline found ‘glaring’ problems

By FRANK BAJAK

May 12, 2021

BOSTON (AP) — An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.


How the Kremlin provides a safe harbor for ransomware

By FRANK BAJAK
April 16, 2021

BOSTON (AP) — A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.

One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded — and sometimes employed — by Russian intelligence agencies, according to security researchers, U.S. law enforcement, and now the Biden administration.

On Thursday, as the U.S. slapped sanctions on Russia for malign activities including state-backed hacking, the Treasury Department said Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them safe harbor. With ransomware damages now well into the tens of billions of dollars, former British intelligence cyber chief Marcus Willett recently deemed the scourge “arguably more strategically damaging than state cyber-spying.”

Convicted money-launderer Aleksander Vinnik

The value of Kremlin protection isn’t lost on the cybercriminals themselves. Earlier this year, a Russian-language dark-web forum lit up with criticism of a ransomware purveyor known only as “Bugatti,” whose gang had been caught in a rare U.S.-Europol sting. The assembled posters accused him of inviting the crackdown with technical sloppiness and by recruiting non-Russian affiliates who might be snitches or undercover cops.
