back to article Crims shut off Ukraine power in wide-ranging anniversary hacks

Hackers of unknown origin cut power supplies in Ukraine for a second time in 12 months as part of wide-ranging attacks that hit the country in December. The attacks were revealed at the S4x17 conference in Miami in which Honeywell security researcher Marina Krotofil offered reporters some detail into the exploitation that …

  1. Mark 85 Silver badge

    Maybe I'm being simplistic here and I realize the problems it would create but unplug those critical infrastructure systems from the Internet. Yes, you'll have to have techs available 24/7 but presumably that would be a private LAN without an Internet connection.

    Banks and the like are a problem as they need an Internet connection. But if a system can be disconnected from the Internet, it should be. Emails and attachments are headache I'm not sure can ever be solved except not allowing any email system to ever be attached/connected to a control system.

    1. Anonymous Coward
      Anonymous Coward

      "unplug critical infrastructure from the Internet."

      The fact that little has changed in a year speaks volumes. So what's wrong? At a guess there are executives in HQ who want access to real-time data from all the generation plants. But they refuse to pay for a dedicated closed lines system as it would endanger bonuses. Everything is about short-termism and cost control now, so someone else gets to inherit the problems down the line.


    How sure this is not hype

    We are in a context where major pressure is beeing used to distant Trump from Russia. Earlier reports from Ukraine had significant walk back. While malaware was found when investigating earlier outagates, it was less clear the malware actually caused the outages.

    1. Voland's right hand Silver badge
      Thumb Down

      Re: How sure this is not hype

      Well, shall I shed tears or what?

      Ukraine pretended to investigate and in reality did f*** all (if not assisted) in more than 8 cases of blowing up the grid pylons between mainland and Crimea with dynamite. They got whacked in return.

      Let's say you are making a living off software and you cannot work for days because the Ukrainian police are standing around smoking and giggling while "freedom fighters" attach dynamite to a grid pylon. Let's say you do some of the gray (if not black) hat stuff to make a living. Are you going to be pissed. I would.

      There are plenty of people entirely unrelated to Putin and the Russian state living in Crimea (quite a few of them way towards the black part of the hat color). Some of them are even on the FBI most wanted list (you can check last well known locations for them - at least 2 were in Crimea last time I looked). So the Ukraine grid being knocked out as a retaliation does not surprise me. In the slightest.

      1. Pen-y-gors

        Re: How sure this is not hype

        Out of idle curiousity, given that Crimea has been invaded and occupied by a foreign government, what use are grid pylons between Crimea and the rest of Ukraine? Surely a sensible approach would be to cut the power anyway, so whether the pylons are up or down is irrelevant.

        1. frobnicate

          Re: How sure this is not hype

          Once you learn that diesel fuel that runs the Ukrainian army is mostly supplied by the very same foreign power, which that army is purportedly fighting, you will start understanding how things work there.

  3. Anonymous Coward

    Attack of the Siberian Cyber bogeyman :)

    'Marina Krotofil said .. that this testbed-type approach against Ukraine is considered by experts as a "standard practice" by Russian hackers for testing out their tools and attacks.'

    If I wanted to hear anti-Russian BS I would go and watch Faux News.

  4. DanceMan

    If I wanted to hear Putin's BS I'd watch RT. It's interesting to note that unlike NHK, DW, or France24, almost nothing on RT is about Russia.

    1. Destroy All Monsters Silver badge

      Yeah, but quite a lot of is about things you don't hear about on DW and France24, whereas the latter dish the daily Soma about how we are Good In Syria, Ukraine is on the freedom train, our Politictactoeicians are glorious (especially Merkel), Trump is 100% pig disgusting and Putin is in every router and underneath children's bed.


      Further attacks against the State Administration of Railway Transport left Ukrainians unable to purchase rail tickets and delayed payments when the Treasury and Pension Fund was compromised

      Railways down and the Pension Fund empty? A daily occurrence in France.

  5. Destroy All Monsters Silver badge


    Sounds like someone was playing "Alien Isolation: Corporate Lockdown" for real.

  6. Pen-y-gors

    On the bright side

    Putin doesn't need to write a new statement denying it. He can just recycle the Drumpf ones.

    1. Destroy All Monsters Silver badge

      Re: On the bright side

      You seem to be alluding to this bullshit

      1. druck Silver badge

        Re: On the bright side

        Bullshit? It's all true, Trump is just pissed that stories of a video showing him with a room full of Russian prostitutes has come out now. Vlad was supposed to leak it in 4 years time, as given how much the groping tape actually helped him in the polls, it would have undoubtedly won him a second term.

  7. Mike 137 Silver badge

    "the variance in security controls"

    'variance' does not mean 'variability'.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • EnemyBot malware adds enterprise flaws to exploit arsenal
    Fast-evolving botnet targets critical VMware, F5 BIG-IP bugs, we're told

    The botnet malware EnemyBot has added exploits to its arsenal, allowing it to infect and spread from enterprise-grade gear.

    What's worse, EnemyBot's core source code, minus its exploits, can be found on GitHub, so any miscreant can use the malware to start crafting their own outbreaks of this software nasty.

    The group behind EnemyBot is Keksec, a collection of experienced developers, also known as Nero and Freakout, that have been around since 2016 and have launched a number of Linux- and Windows-based bots capable of launching distributed denial-of-service (DDoS) attacks and possibly mining cryptocurrency. Securonix first wrote about EnemyBot in March.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Clipminer rakes in $1.7m in crypto hijacking scam
    Crooks divert transactions to own wallets while running mining on the side

    A crew using malware that performs cryptomining and clipboard-hacking operations have made off with at least $1.7 million in stolen cryptocurrency.

    The malware, dubbed Trojan.Clipminer, leverages the compute power of compromised systems to mine for cryptocurrency as well as identify crypto-wallet addresses in clipboard text and replace it to redirect transactions, according to researchers with Symantec's Threat Intelligence Team.

    The first samples of the Windows malware appeared in January 2021 and began to accelerate in their spread the following month, the Symantec researchers wrote in a blog post this week. They also observed that there are several design similarities between Clipminer and KryptoCibule – another cryptomining trojan that, a few months before Clipminer hit the scene, was detected and written about by ESET analysts.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Russia, China warn US its cyber support of Ukraine has consequences
    Countries that accept US infosec help told they could pay a price too

    Russia and China have each warned the United States that the offensive cyber-ops it ran to support Ukraine were acts of aggression that invite reprisal.

    The US has acknowledged it assisted Ukraine to shore up its cyber defences, conducted information operations, and took offensive actions during Russia's illegal invasion.

    While many nations occasionally mention they possess offensive cyber-weapons and won't be afraid to use them, admissions they've been used are rare. US Cyber Command chief General Paul Nakasone's public remarks to that effect were therefore unusual.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Super-spreader FluBot squashed by Europol
    Your package is delayed. Click this innocent-looking link to reschedule

    FluBot, the super-spreader Android malware that infected tens of thousands of phones globally, has been reportedly squashed by an international law enforcement operation.

    In May, Dutch police disrupted the mobile malware's infrastructure, disconnecting thousands of victims' devices from the FluBot network and preventing more than 6.5 million spam text messages propagating the bot from reaching potential victims, according to Finland's National Bureau of Investigation on Wednesday.

    The takedown followed a Europol-led investigation that involved law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the US. 

    Continue reading
  • Watch out for phishing emails that inject spyware trio
    You wait for one infection and then three come along at once

    An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information.

    Researchers with Fortinet's FortiGuard Labs threat intelligence unit have been tracking this mailspam campaign since May, outlining how three remote access trojans (RATs) are fired into the system once the attached file is opened in Excel. From there, the malicious code will not only steal information, but can also remotely control aspects of the PC.

    The first of the three pieces of malware is AveMariaRAT (also known as Warzone RAT), followed by Pandora hVCN RAT and BitRAT.

    Continue reading

Biting the hand that feeds IT © 1998–2022