US charges Sandworm hackers who mounted NotPetya, other high-profile attacks

The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) said on Monday as it unsealed an indictment against six alleged members of the unit.


Sandworm Team attacks

“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort,” the DoJ alleges.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.”

At the same time, the UK National Cyber Security Centre (NCSC) says it assesses “with high confidence” that the group had been actively targeting organizations involved in the 2020 Olympic and Paralympic Games before the Games were postponed.

“In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games. The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter,” the UK NCSC said.

“The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.”

The UK government also reaffirmed its earlier assessments that many of the attacks listed above were the work of the Russian GRU.

Sandworm Team hackers

Sandworm Team (aka “Telebots,” “Voodoo Bear,” “Iron Viking,” and “BlackEnergy”) is the group behind many of the most conspicuous attacks of the last half-decade, the DoJ claims, all allegedly carried out on behalf of the Russian government.

According to the indictment, each of the six alleged Sandworm Team hackers charged was responsible for a different set of tasks within the operations.


One of them, Anatoliy Kovalev, has been previously charged by a US court “with conspiring to gain unauthorized access into the computers of US persons and entities involved in the administration of the 2016 US elections,” the DoJ noted.

The US investigation into the group lasted several years and was assisted by Ukrainian and Georgian authorities, the governments of the Republic of Korea and New Zealand, the United Kingdom’s intelligence services, victims of the attacks, and several IT and IT security companies.

Political and other ramifications

Arrest warrants have been issued for the six alleged Sandworm Team members, but the chances that any of them will be arrested, now or later, are slim to nonexistent as long as they remain in Russia.

The Russian government’s official position is that the accusations are baseless and part of an “information war against Russia”.

It is unusual for the US to bring criminal charges against foreign intelligence officers for cyber-espionage operations conducted outside the US. The rationale here is that many of these attacks went beyond espionage: they had real-world consequences, were aimed at undermining the targeted governments and destabilizing the countries themselves, and harmed individuals, civilian critical infrastructure (including organizations in the US), and private sector companies.

“The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims,” commented US Attorney Scott W. Brady for the Western District of Pennsylvania.

There is currently no binding international agreement regulating cyber attacks and cyber espionage in peacetime. Earlier this year, however, Russian Federation president Vladimir Putin called for an agreement between Russia and the US under which the two nations would commit not to meddle in each other’s elections and internal affairs through “cyber” means.

This latest round of indictments by the US is unlikely to act as a deterrent but, as Dr. Panayotis Yannakogeorgos recently told Help Net Security, indictments and public attribution of attacks serve several other purposes.

Another consequence of this indictment may be felt by insurance companies and their customers that have suffered disruption from nation-state cyber attacks. Some insurance policies exclude losses from incidents that can be considered an “act of war”, and a formal government attribution of an attack such as NotPetya to the GRU gives insurers a stronger basis for invoking that exclusion.

How to gather cyber threat intelligence from dark markets without breaking US law

The U.S. Department of Justice’s Cybersecurity Unit has released guidelines for organizations that want to gather cyber threat intelligence from dark web forums/markets but, at the same time, want to stay on the right side of the (U.S. federal criminal) law.


The document focuses on “information security practitioners’ cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold. It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets.”

It was compiled based on input from the US DOJ’s various divisions, the FBI, the U.S. Secret Service and the U.S. Treasury Department’s Office of Foreign Assets Control. In it, the DOJ’s Cybersecurity Unit advises organizations on how to avoid becoming a perpetrator (consult legal counsel, and ask the FBI’s opinion before engaging in legally murky activities) and how to avoid becoming a victim (institute security safeguards and follow cybersecurity practices that minimize the risk of being victimized).

DOs and DON’Ts

Organizations can:

  • Gather cyber threat intelligence passively
  • Access forums lawfully (by obtaining login credentials legitimately, for entirely fake personas)
  • Ask questions and solicit advice on the forum (but document that they are doing that just for the purpose of gathering info, not committing a crime)

They shouldn’t:

  • Access forums unlawfully (by using stolen credentials, impersonating the identity of an actual person, including a government official, or using an exploit)
  • Surreptitiously intercept communications occurring on a forum
  • Provide the forum operator with malware or stolen personal info in order to gain access to the forum or provide other forum participants with useful information, services, or tools that can be used to commit crimes in order to get their trust
  • Solicit or induce the commission of a computer crime
  • Assist others engaged in criminal conduct (through advice or action)

They should:

  • Involve their legal department in operational planning
  • Share information about an ongoing or impending computer crime uncovered during intelligence gathering activities with law enforcement

Cybersecurity companies that monitor dark markets for specific types of information as a service to their customers – whether that’s stolen customer records offered for sale, or malware or security vulnerabilities that target their customers’ networks or products – have additional legal constraints to consider before attempting to purchase it. For example, buying data from a designated foreign terrorist organization is unlawful, and so is buying malware designed to surreptitiously intercept electronic communications.

Mobile industry has stifled eSIM—and the DOJ is demanding change


The US Department of Justice has given its tentative approval to a wireless-industry plan to revise eSIM standards, saying that new safeguards should prevent carriers from colluding against competitors in the standards-setting process. But the DOJ warned the industry that it must eliminate anti-competitive provisions from the current eSIM standard or face possible antitrust enforcement.

The DOJ last year began investigating AT&T, Verizon, and the GSMA, a trade group that represents mobile carriers worldwide. The antitrust enforcer found that incumbent carriers stacked the deck against competitors while developing an industry standard for eSIM, the embedded SIM technology that is used instead of removable SIM cards in new smartphones and other devices.

In theory, eSIM technology should make it easier to switch carriers or use multiple carriers because the technology doesn’t require swapping between physical SIM cards. But how it works in practice depends heavily on whether big carriers dominate the standard-setting process.

The DOJ investigation found that “the GSMA and its mobile network operator members used an unbalanced standard-setting process, with procedures that stacked the deck in their favor, to enact an RSP (Remote SIM Provisioning) Specification that included provisions designed to limit competition among networks,” the agency said last week.

That flawed process resulted in RSPv2, which makes it easy for a carrier to lock eSIM-equipped smartphones to its network, the DOJ said. The standard has so-called “profile policy rules” that require smartphones to “contain the capability for operator-controlled locking in order to be considered compliant with the RSP Specification,” the DOJ said. These provisions “may restrict the pro-competitive potential of eSIMs without being necessary to achieve remote provisioning or to solve an interoperability problem,” the DOJ said.

The current standard also has provisions that make it harder for phones to automatically switch between networks when the phone “detects stronger network coverage or a lower-cost network,” the DOJ said. The standard also “prevents an eSIM from actively using profiles from multiple carriers simultaneously.”

DOJ will watch and wait

Despite that, the DOJ said it won’t file an antitrust lawsuit. That’s because the GSMA agreed to a new standard-setting process that addressed DOJ concerns and will use that process to develop a new standard that will replace RSPv2. The DOJ said it is satisfied by the GSMA’s process changes but that it will monitor the implementation of the new standard and may take action if the GSMA doesn’t remove anti-competitive provisions in the next version of RSP.

The GSMA described its new process—called AA.35—in a letter to the DOJ in July, and DOJ antitrust chief Makan Delrahim provided an update on the agency’s “present enforcement intentions regarding GSMA’s proposal” in a letter to the GSMA last week. The DOJ said it “presently has no intention to challenge AA.35, if it goes into effect,” because the new process “includes sufficient protections to minimize the chances of anticompetitive self-dealing inside the GSMA if it is applied as contemplated.”

However, the DOJ said it “will closely observe how AA.35 is applied and whether it succeeds in promoting interoperability.” The DOJ also warned the GSMA that if carriers form separate agreements to limit competition, “such agreements are always subject to independent antitrust scrutiny.”

What the industry agreed to

Originally, the GSMA let non-carriers such as smartphone manufacturers participate in the standard-development process but made sure that all final decisions were controlled by mobile carriers. The DOJ said it was “concerned that the GSMA’s operator-dominated process was used with the purpose and effect of altering what would otherwise have been competitive negotiations between the operators and smartphone manufacturers (‘OEMs’) over the design and implementation of eSIMs.”

But after the DOJ began investigating, the GSMA came up with the alternative AA.35 process. As the DOJ noted, “AA.35 creates a two-stage process, with an Industry Specification Issuing Group (‘ISIG’) that creates the standards and an Industry Specification Approving Group (‘ISAG’) that approves the standards.”

ISIG membership is open “to all members, ensuring that there will not be operator-exclusive committees driving the process,” the DOJ continued. Non-carriers can become members of the ISAG, which “eliminates the complete control that operators previously had and instead gives all parts of the industry an opportunity to be represented,” the DOJ said.

Another safeguard prevents standards from being approved without the consent of smartphone makers. “At the ISAG level, [AA.35] requires approval of standards by separate majorities of the ISAG operator- and non-operator members,” the DOJ said. “Both bodies require an explanation of negative votes, another improvement that increases transparency and indicates meaningful attempts to reach consensus.”

Another new provision allows for appeals to be heard by an independent panel. Finally, operators can’t bypass or change this process “without the support of non-operator members” because the dual-majority voting structure requires consent of both groups, the DOJ said.

Getting rid of anti-competitive provisions

The current version of the eSIM standard, which was passed under the old, flawed process, has “several key features that have restricted the disruptive potential of eSIMs to date,” the DOJ said. That’s a reference to the phone-locking provision described earlier in this article and “provisions that restrict the number of active profiles on an eSIM or impede the user’s ability to consent to dynamic profile switching,” the DOJ said.

For example, RSPv2 requires consumers to give their approval each time an eSIM “toggles between profiles or networks,” preventing the scenario where a phone automatically switches between networks “if it detects stronger network coverage or a lower-cost network,” the DOJ said.

An RSPv2 prohibition on using profiles from multiple carriers simultaneously could prevent scenarios where users have their phone divided into work-related and personal profiles or multiple “profiles optimized for different coverage areas or for international travel,” the DOJ said. Incumbent carriers apparently wanted that restriction to undercut “a potential competitive threat [that] would allow a user to divide usage across operators,” the DOJ said.
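The three RSPv2 provisions discussed above (and in the earlier section on the DOJ’s findings) combine into a simple state machine on the eUICC: only one profile may be enabled at a time, every switch needs explicit user consent, and a policy rule on the currently enabled profile can forbid disabling it. The model below is an added illustration written for this article, not GSMA, DOJ or carrier code. It assumes, as a simplification, a single “disabling not allowed” policy flag per profile (modelled on the profile policy rule the DOJ describes as operator-controlled locking) and ignores the real remote-provisioning protocol entirely.

```python
"""Toy model of an RSPv2-style eUICC profile state machine.

Constructed example for illustration only; not the GSMA specification,
not carrier code. The ICCIDs and operator names below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    iccid: str
    operator: str
    enabled: bool = False
    # Assumption: one operator-settable policy flag meaning "this profile
    # may not be disabled". With only one active profile allowed, setting it
    # on the enabled profile locks the device to that operator.
    disable_not_allowed: bool = False


class EuiccV2:
    """eUICC with the RSPv2 constraints the article describes."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}

    def install(self, profile: Profile) -> None:
        self.profiles[profile.iccid] = profile

    def enabled_profile(self) -> Optional[Profile]:
        return next((p for p in self.profiles.values() if p.enabled), None)

    def active_iccids(self) -> List[str]:
        return sorted(p.iccid for p in self.profiles.values() if p.enabled)

    def enable(self, iccid: str, user_consent: bool) -> str:
        """Try to make `iccid` the active profile; return the outcome."""
        target = self.profiles[iccid]
        if target.enabled:
            return "already enabled"
        # RSPv2: the user must approve each toggle, so an automatic switch
        # (e.g. to a stronger or cheaper network) cannot happen unattended.
        if not user_consent:
            return "refused: user consent required for every profile switch"
        current = self.enabled_profile()
        if current is not None:
            # Operator lock: the enabled profile refuses to be disabled, and
            # since only one profile may be active, nothing else can come up.
            if current.disable_not_allowed:
                return f"refused: enabled profile {current.iccid} is locked"
            current.enabled = False  # single active profile rule
        target.enabled = True
        return "enabled"


def demo() -> Dict[str, object]:
    """Walk a locked handset through the cases the article describes."""
    e = EuiccV2()
    incumbent = Profile("8901000000000000001", "Incumbent", enabled=True,
                        disable_not_allowed=True)
    challenger = Profile("8901000000000000002", "Challenger")
    e.install(incumbent)
    e.install(challenger)

    results: Dict[str, object] = {}
    # An automatic switch with no user interaction is refused outright.
    results["auto_switch"] = e.enable(challenger.iccid, user_consent=False)
    # Even with consent, the lock on the incumbent's profile blocks it.
    results["locked"] = e.enable(challenger.iccid, user_consent=True)
    # Once the operator clears the lock, the switch succeeds...
    incumbent.disable_not_allowed = False
    results["after_unlock"] = e.enable(challenger.iccid, user_consent=True)
    # ...and exactly one profile is active afterwards.
    results["active"] = e.active_iccids()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is that the lock needs no special mechanism of its own: the “disabling not allowed” rule on the active profile, combined with the one-active-profile rule, is sufficient to keep a competitor’s profile from ever being enabled, and the per-switch consent requirement rules out the automatic network selection the DOJ mentions.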

When the GSMA uses its new AA.35 process to create a new standard, the DOJ said it expects the group to reconsider those anti-competitive rules.

“The Department will take a special interest in whether RSPv3 includes provisions that are motivated only by the incumbent operators’ interest in gaining a competitive advantage or stifling new sources of competition,” Delrahim warned the GSMA. The DOJ “reserves the right to bring an enforcement action in the future” if the GSMA’s implementation of AA.35 “proves to be anticompetitive in purpose or effect,” he wrote.