Start your day with intelligence. Get The OODA Daily Pulse.

Today, Putin Sends Cybercrime Crackdown Signal to U.S.; Unattributed Cyber Attack on Ukrainian Government Sites

More than any of the mixed signals of the high-level meetings between the U.S. and Russia, two cyberwar developments today are far more clear indicators of the direction of the Ukrainian conflict playing out between NATO, Putin, and the U.S.

One event – a major cyberattack on Ukrainian government websites – does not, as of yet, have direct nation-state attribution to Russia (which is possibly how they want the attack to “play’ in the media.  Cyberattack as misinformation).  The other  – the Russian Federal Security Service (FSB) takedown of the REvil Ransomware Gang – is very specific, positive signaling from the Kremlin to the White House that they understand the seriousness with which the U.S. military and intelligence apparatus are taking the strategic cyber threats posed by Russia to the U.S. political and economic systems and the U.S. homeland.

The concurrent elements of appeasement and aggression are troubling.  Both events have false flag elements relative to the other, which makes for both a tactical and strategic quandary for the U.S. and Ukraine (as the governments and military sort out the true impact and implications of these cyber maneuvers by Russian state and non-state actors). Are both incidents integrated active measures and only part of a larger geopolitical operation by the Russians?

FSB Shuts Down REvil Ransomware Gang

Moments ago (and just days after talks on Ukraine, where the U.S. and Russia Deadlocked Over NATO Expansion),  The Record just reported that “The Russian Federal Security Service (FSB) said today that it has raided and shut down the operations of the REvil ransomware gang.” (1)

Below, we include the full text of the press release sent out by the FSB today to highlight the specificity of the language about cooperation with U.S. law enforcement, consistent with a direct request by the U.S. in July that Russia must crack down on cybercriminals.

This raid signals cooperation with the U.S. requests made by phone directly by President Biden to President Putin and reinforced during negotiations a few days ago.  What is unclear is, while this raid is a positive development in U.S/Russia relations, how does the raid impact the conditions on the ground in Ukraine?  The raid appeases the U.S. but does not directly address Ukraine’s interests and the military threat posed by Russia to the region.

The full text of the FSB Press Release [CAPS theirs]:

UNLAWFUL ACTIVITIES OF MEMBERS OF AN ORGANIZED CRIMINAL COMMUNITY WERE SUPPRESSED

14.01.2022

The Federal Security Service of the Russian Federation, in cooperation with the Investigation Department of the Ministry of Internal Affairs of the Russian Federation, has suppressed the illegal activities of members of an organized criminal community in the cities of Moscow, St. Petersburg, Moscow, Leningrad and Lipetsk regions.

The basis for the search was the appeal of the competent US authorities, who reported on the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies through the introduction of malicious software, encryption of information and extortion of funds for its decryption.

The FSB of Russia established the full composition of the criminal community “REvil” and the involvement of its members in the illegal circulation of means of payment, documentation of illegal activities was carried out.

In order to implement the criminal plan, these persons developed malicious software, organized the theft of funds from the bank accounts of foreign citizens and their cashing, including through the purchase of expensive goods on the Internet.

As a result of a complex of coordinated investigative and operational-search measures in 25 addresses at the places of stay of 14 members of the organized criminal community, funds were seized: over 426 million rubles, including in cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, 20 premium cars purchased with money obtained by criminal means.

The detained members of the OPS were charged with committing crimes under Part 2 of Article 187 “Illegal circulation of means of payment” of the Criminal Code of Russia.

As a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized.

Representatives of the competent US authorities have been informed of the results of the operation.

Ukraine Government Websites Hit by Unattributed Cyberattack

According to CNN:  “A threatening message of “be afraid and wait for the worst” was shone on a number of Ukrainian government websites after they were targeted in a cyberattack.”  Source: CNN.com

Source: https://archive.fo/VIDeS/image

Today’s OODA Loop Daily Pulse included the following report:  Cyberattack hits Ukraine government websites: Here is what you should do.  Please take a look for OODA-informed next steps if your organization is a possible target for Russian state and non-state actors in this current climate.

What we Know (from CNN and The Record):

  • The attack took place on the night between January 13 and January 14 and impacted the websites of the Ukrainian Ministry of Foreign Affairs, Ministry of Education and Science, Ministry of Defense, the State Emergency Service, the website for the Cabinet of Ministers, and others.
  • The Record provided the following translation of the message sent by the hackers:  “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.”
  • Officials say they are investigating the attacks, but all signs post to an attack carried out by Russian hackers.
  • Ukrainian officials have not yet formally attributed the attack to any threat actor or nation-state.
  • “As a result of a massive cyberattack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down,” Foreign Ministry spokesman Oleg Nikolenko said on his official Twitter account on Friday.

What’s Next: Expect more attacks like this, not just on Ukraine, but on NATO governments and on commercial entities. Some malicious code can escape like in the June 2017 NotPetya attacks.

Your Action: Read the latest on the cyber threat and defensive strategies on the OODA Cyber Sensemaking pageBecome an OODA Network member to discuss this topic with peers. For tips on establishing a more detailed action plan see: The OODA C-Suite Guide To Improving Your Cybersecurity Posture Before Russia Invades Ukraine

https://oodaloop.com/archive/2021/12/22/c-suite-guide-to-improving-your-cybersecurity-posture-before-russia-invades-ukraine/

 

Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Further Resources

Security Researcher Gary Warner turned around this quick, prescient analysis earlier this AM.  Find it here.

A related story in the last few days on the ground in Ukraine:  Ransomware gang behind attacks on 50 companies arrested in Ukraine

Previous OODA Loop coverage of REvil

Kaseya Obtains Universal Decryptor for REvil Ransomware

Kaseya Patches Zero-Days Used in REvil Attacks

REvil Group Demands $70 Million for ‘Universal Decryptor’

REvil Claims Responsibility for Invenergy Hack

REvil Hits US Nuclear Weapons Contractor

JBS Paid $11M to REvil Gang Even After Restoring Operations

Cyberwar and Cybercrime Analyses:

 Will Cyber Breaches Start a Shooting War?

The Next Evolution of Ransomware Gangs: Collaboration

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

 

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.