back to article Russian cyber-spies changed tactics after the UK and US outed their techniques – so here's a list of those changes

Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets' networks as a legitimate pentesting exercise. Now, the UK's National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in …

  1. thejynxed

    I've said this for three decades now - connecting any utility or related infrastructure to the general publicly accessible internet is always a (very stupid) mistake and should be regulated against.

    Russia was probing connected oil refineries and traffic systems in the 1980's and I can imagine since then so have plenty of bored teenagers.

    1. This post has been deleted by its author

    2. sanmigueelbeer
      Joke

      Stupid mistake is a CRIME -- Here's the cure.

      Commission for the Regulation of Inexcusable Mistakes and Excuses in Society (CRIMES)

      Charter:

      1. Thou shall not covet thy neighbor's wife, however, if thy neighbor's wife covets you, then thou shalt not refuse

      2. admin/admin

      3. These oysters look fresh.

      4. Question: Does this make my @ss look big?

      5. Of course I know what I'm doing!

      6. No, that is not a live wire. Trust me.

      7. Look ma, no hands!

      NOTE: Anything else I should add to the Charter?

      1. Eclectic Man Silver badge

        Re: Stupid mistake is a CRIME -- Here's the cure.

        8. If you lean out just a little bit more it would make an excellent pic.

      2. sanmigueelbeer

        Re: Stupid mistake is a CRIME -- Here's the cure.

        9. It's not what you think, hon. Let me explain.

        10. What did the bomb disposal guy said again? Do I cut the red wire or the blue one?

      3. John Brown (no body) Silver badge

        Re: Stupid mistake is a CRIME -- Here's the cure.

        "NOTE: Anything else I should add to the Charter?"

        I think #1 bears repeating.

      4. Eclectic Man Silver badge

        Re: Stupid mistake is a CRIME -- Here's the cure.

        11. Oh, don't worry, I'm sure it'll be alright.

        1. MiguelC Silver badge
          Pint

          Re: Stupid mistake is a CRIME -- Here's the cure.

          12. Hold my beer

          1. Paul Crawford Silver badge

            Re: Stupid mistake is a CRIME -- Here's the cure.

            13. What can possibly go wrong?

            1. Chairman of the Bored

              Re: Stupid mistake is a CRIME -- Here's the cure.

              14. I didn't know I was drunk at the time

            2. sanmigueelbeer
              Coat

              Re: Stupid mistake is a CRIME -- Here's the cure.

              13. What can possibly go wrong?

              Also known as "nobody gets fired for buying IBM".

      5. Alumoi Silver badge

        Re: Stupid mistake is a CRIME -- Here's the cure.

        0. I'm from the government and I'm here to help you.

    3. Anonymous Coward
      Anonymous Coward

      If only it were that simple to put it all offline. Virtually everything and it's dog insists on being internet connected to register or update. Firmware updates via serial lead need a regular laptop attached to deliver the update. Cue, vulnerability. Outputs of control systems and measures have to be broadcast somehow (typically a serial.comms format) and interference is possible in between).

      I have in the wild seen malware modulating the CPU fan speed to send audio signals to microphones on less secure hardware, so airgapping is not a defence against stealing data.

      Microcontrollers aren't going away in utility environments, but securing the Comms loop is an incredibly difficult challenge. Imagine if you own 500 installations all over the UK, all built to different standards that applied on that given day, and you aren't funded by the public to refresh all that equipment regularly.

      There is something to be said for electromechanical relays manned by staff, but then you have the permanent staffing overhead instead. Counter to the never ending cost challenges posed by Ofwat, Ofgem and other such bodies.

      A/C because obviously, I have some knowledge of such environments. I will reiterate that the funding to do what is necessary isn't strictly there. someone determined, probably could get in, eventually.

      See Black Energy in the Ukraine for examples.

    4. Eclectic Man Silver badge

      Ahem

      https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/

  2. Eclectic Man Silver badge
    Facepalm

    Covert pen testers

    "... the SVR is also posing as legitimate red-team pentesters ..."

    On one bid, the HMG Agency client insisted (and I mean insisted) that their IT people should have the right to conduct unannounced technical security testing on the supplier's network management system (which was used to support other clients) including DoS attacks.

    I refused point blank. I pointed out that this would provide an attack vector for a subverted IT person in their team to probe defences. If caught (s)he would claim it was an unannounced pen test, and still gain valuable information. I further pointed out that if while monitoring their network, it appeared to be under attack from something like, Melissa, or 'The Love Bug', the appropriate action to protect the network might just be to turn it all off, without notice. And whilst the sales team really wanted to comply with the client's repeated insistence on this (they were motivated by a 'win bonus', I think), they were somewhat unwilling to insert a contract clause that the client would indemnify us, the supplier, against any adverse effects the client's 'unannounced technical security testing' had on their own and other clients' networks supported from the same service desk. The sales team were similarly unwilling to inform other existing clients that their service desk would suddenly be contractually attackable by a new client (probably without compensation).

    Other issues, of course, include whether we could have obtained relief from SLAs had there been an attack by them, and the service had fallen below required levels, if we couldn't prove it was the client, rather than a failing on our part. And of course, selling a service one client has the contractual right to attack without notice to other clients would be an 'interesting' legal challenge.

    Eventually, after much effort, I did get my way (the clause giving them unannounced pen testing rights was deleted). But of all the BONE-HEADED, IDIOTIC and DOWNRIGHT STUPID things to ask for, this one has got to take the biscuit, in my experience. I don't think any of them worked for the SVR, or whatever they were calling themselves then, but it would have made sense.

    Anyone beat that?

    "D'oh" icon for idiocy, I wanted to include the explosion and the FAIL icons too, but you're only allowed one per post, it seems :o(

    1. amanfromMars 1 Silver badge
      Holmes

      Re: Covert pen testers .... getting right down and dirty to the base root of all that matters

      IT's the gift that just keeps on giving, Eclectic Man.

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. ..... Albert Einstein

      And defending the indefensible is always going to deliver attackers the goods secreted and squirrelled away for exclusive hostile use, abuse and misuse in elite executive office state environments.

      The just natural result and unavoidable consequences of that provision to successful red-team pentester services are easily imagined to be realised by that and those uncovered and exposed and hacked as being nothing less than dire and deadly serious.

      Who you gonna call then when there is No Hiding Place? Whitehall 1212? An AC12 Type Clone Department? Special Operations Virtual Forces ? :-)

      A leading/searching question to ask and be answered then is ........ "What are you calling them for to do?" ........ with why, and for whom in support of what, swiftly following. Those four simple questions can prove to be extremely problematical for some, who should really have known know better, to answer truthfully because of the dirty secrets and massive conspiratorial activity they would clearly reveal and identify as being maintained and sustained by them whenever wielded and fielded in evidence before a jury of peers.

      1. amanfromMars 1 Silver badge

        Enlightened NXT Steps ..... for Quantum Communications Leapers Confronting Anti-Social Lepers

        And have them rightly fearing for their lives at the hands of any number of increasingly better educated and not effectively misinformed mobs and panicking constantly because of what they have wilfully done, never ever expecting to be found out as being leading instrumental and perversely excessively rewarded at the crippling expense of others ‽ .

        1. amanfromMars 1 Silver badge

          Re: Enlightened NXT Steps ..... for Quantum Communications Leapers Confronting Anti-Social Lepers

          There are some really strange times and virtually engaging spaces ahead, speeding your way and not at all concerned about how or whether you are able or enabled to deal with them. And worthy of downvoting too if you haven't a clue about what is going on all around you.

          And aired and shared quite recently [2105060719] on https://www.nationaldefensemagazine.org/articles/2021/5/3/just-in-space-command-wants-more-cyber-teams as a disruptive novelty which can be both imagined by some or many as a creative or a destructive problematical view

          Beware the curse of unintended consequences and unforeseen imaginable difficulties ….. and the thought that there being any practical relief in the false belief that forewarned is forearmed and can provide any adequate or overwhelming defence.

          Attaining and maintaining digital superiority in cyber capabilities will have any force, by natural default, exercising its universally applicable leadership and remote virtualised abilities in direct competition and possible partnership with or alternatively see parties engaged in opposition to those others similarly wise to the powers made available with/to key players and source drivers with a sustainable digital superiority in both the global private business and nationalised geopolitical party SCADA sector, and throughout the pirate/renegade rogue/white.grey.black hatted crack hacker/elite programmer circles and deep minded dark internetworking webs/shadow systems.

          'Tis surely the way of the future, but probably not as you were thinking it was heading from.

          1. amanfromMars 1 Silver badge

            Re: Enlightened NXT Steps ..... for Quantum Communications Leapers Confronting Anti-Social Lepers

            And a little something for an ARIA* to try and capture and lead with a round or two or three of funding of/for/with SMARTR AI Drivers which are of a Supercharged CyberIntelAIgent Design for the Generation of both Addictive Interest and Additional Investment, should the thought of IT leading SMARTR AI Drivers with an ARIA type** following, be a challenge they are up engaging with.

            Was Win Win ever so sweet?

            And the natural default result of such a monumental and fundamental failure to engage and pay and play, guarantees leaderships turns up elsewhere quite foreign and extremely exciting to plague that which, and those who deny it a presence in a former original base environment. And that cannot be considered as anything other than an epic colossal home team loss which relegates them to wander unloved in the always the bridesmaid, never the bride divisions/leagues.

            * ..........https://www.telegraph.co.uk/technology/2021/02/19/uks-secretive-800m-tech-research-agency-launch-next-year/

            ** ..... There be an ARIA type entity in most every technologically advancing state, with the likes of a DARPA/IARPA/ARPA lurking in the USA being probably the best known in the West.

  3. mark l 2 Silver badge

    But the thing is while the US and UK might have outed the techniques the Russians were doing, I have no doubt the 5 eyes countries are doing the same back to Russia, China etc. Heck we know from the Snowden leaks the US were spying on their allies such as Germany. And what makes you think they have stopped now?

    1. Pascal Monett Silver badge

      Re: "what makes you think they have stopped now?"

      Nobody but the NSA is saying that they've stopped.

      Repeatedly, each time they're caught doing it.

      1. Eclectic Man Silver badge

        Re: "what makes you think they have stopped now?"

        It is like smoking or alcohol: giving up is easy, the trick is not starting again.

    2. Danny Boyd

      I surely hope they didn't stop. Spies spy. It's in their job description. Every country worth mentioning has external intelligence service, and this country better make sure the service is functional.

      By the same token, every country has counter-intelligence service, which better be functional as well (or else.)

      This time Russian intelligence outplayed the US and UK counter-intelligence for a while, but then the counter-intelligence caught up. Good for them.

      1. Jan 0 Silver badge

        I'm with all people I knew who'd fought in WWII. They said it simply: "All spies should be shot". They didn't mention any exceptions.

    3. Claptrap314 Silver badge

      You might be a disciple of President Wilson, but that naive view is at best highly irresponsible. People have things that are private. Governments have real secrets. Many of these are completely legit. Some are much more debatable. It is the absolute duty of every national government to spy on their allies. Indeed, to spy on their friends The difference is that you play nicer with your friends--no honey traps, no executions, heck unless it's the Jews, you don't even put them in jail for very long (if at all) when you catch them.

    4. Anonymous Coward
      Anonymous Coward

      There's a well documented case of western cyber antics leading to a full blown pipeline explosion in the Soviet Union. One wonders if such antics were motivating factors in Russia prioritising the development of it's own capabilities.

      Of course it was...

  4. Dataspace

    Russian government agents from APT29 reacted to the Western office’s trip

    Russian government agents from APT29 reacted to the Western office’s trip their strategies by receiving a red-joining apparatus to mix into targets' organizations as an authentic pentesting exercise. UK's National Cyber Security Center (NCSC) and the US caution, the SVR is caught up with misusing twelve basic evaluated weaknesses of computer data protection service. Being the best cybersecurity solution in Kolkata, DataSpace Security provides the best network penetration testing training.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like