Cyber Week in Review: April 15, 2022
from Net Politics and Digital and Cyberspace Policy Program
from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: April 15, 2022

General Paul Nakasone, director of the National Security Agency, testifies before the Senate Intelligence Committee on March 15, 2018.
General Paul Nakasone, director of the National Security Agency, testifies before the Senate Intelligence Committee on March 15, 2018. Reuters/Aaron P. Bernstein

Russia targets Ukrainian power grid; India foils Chinese cyberattack; EU officials targeted with spyware; Hackers use Conti ransomware in Russia; New industrial control system malware discovered.

April 15, 2022 12:24 pm (EST)

General Paul Nakasone, director of the National Security Agency, testifies before the Senate Intelligence Committee on March 15, 2018.
General Paul Nakasone, director of the National Security Agency, testifies before the Senate Intelligence Committee on March 15, 2018. Reuters/Aaron P. Bernstein
Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Russia targets Ukrainian power grid 

The Ukrainian Computer Emergency Response Team (CERT-UA) and the cybersecurity firm ESET revealed that Russian-linked Sandworm hackers targeted high-voltage electrical substations in Ukraine with malware. The attackers targeted the substations with a novel variant of the Industroyer malware, dubbed Industroyer2, which interacts with industrial control systems that manage the flow of power. This mirrors 2015 and 2016 campaigns conducted by Sandworm in which attackers used Industroyer malware to cause blackouts in Kyiv. While Ukrainian authorities claimed there was no damage to the power grid in this case, there were some reports of damage in electrical substations. There is evidence that the hackers may have infiltrated the target systems as early as February, lying in wait until the scheduled attack on April 8. The hackers also deployed multiple strains of wiper malware to other systems, including CaddyWiper, which was recently found inside the systems of Ukrainian banks. 

 

India claims it foiled Chinese cyberattack 

Cybersecurity analysts uncovered an ongoing Chinese campaign targeting components of the Indian power grid. A likely state-sponsored actor used ShadowPad malware to gain access to the networks of Indian State Load Despatch Centers, which are in charge of operations for grid control and electricity dispatch. The targeted centers were mostly located in Northern India, near the disputed Ladakh border. Chinese threat actor RedEcho has targeted Indian power sector organizations in the past, but it is unclear if the group is behind the most recent campaign. One day after details of the campaign were published, India claimed that it had foiled at least two of the attacks. Chinese foreign affairs ministry spokesman Zhao Lijian denied the allegations that the Chinese government was behind the attacks. 

 

EU officials targeted with Israeli spyware 

More on:

Cybersecurity

Russia

India

European Union

NSO Group tools were allegedly used to target at least five senior officials and staffers at the European Commission between February and September 2021. The officials were alerted when Apple warned iPhone users in November that they may be the victim of a state-sponsored hacking campaign. The officials’ devices were infected with ForcedEntry malware, which has been tied to multiple Israeli spyware vendors such as NSO Group and QuaDream in the past, although NSO Group denied any involvement in the incident. It remains unclear who was behind the campaign. This disclosure comes a week before the European Parliament’s April 19 launch of a committee of inquiry tasked with investigating the use of surveillance software in member states. 

 

Hackers use Conti ransomware code to attack targets in Russia 

A hacking group, known as NB65, began using source code created by the Conti ransomware group to launch ransomware attacks against Russian companies. The Conti source code was leaked in March by a security researcher upset with the group’s stance on the war in Ukraine. NB65 has attacked several prominent targets in Russia, including state television and radio stations before, but the shift to using Conti ransomware is a new development. NB65 say their attacks are motivated by Russian aggression in Ukraine and claim that any ransom paid will be donated to aid organizations in Ukraine. While Russia has not been a traditional target for ransomware, the war in Ukraine has apparently shifted the calculus of some groups. 

 

New industrial control system malware detected in United States 

The Cybersecurity and Infrastructure Security Agency (CISA) announced that it had detected an advanced persistent threat (APT) targeting industrial control systems with a new malware toolkit, dubbed PIPEDREAM and INCONTROLLER by different cybersecurity companies. The malware could be used to cause physical damages to industrial processes, including those used by liquid natural gas facilities, which officials believe were the target of the malware. Hackers have manipulated industrial control systems to cause physical damage before, most famously through the Stuxnet malware launched against the Natanz nuclear facility in Iran. The Biden administration has issued several warnings about the potential for destructive Russian cyberattacks against U.S. critical infrastructure since the Russian invasion of Ukraine. 

More on:

Cybersecurity

Russia

India

European Union

Creative Commons
Creative Commons: Some rights reserved.
Close
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.
View License Detail
Close