The ongoing war in Ukraine caused by the Russian invasion is having interesting effects on Czech cyberspace. Last year, the Security Information Service (BIS) saw a slight decrease in activity by Russian state or state-backed actors against Czech targets, as part of their capacity appears to be occupied with Ukraine and other entities. China, on the contrary, has increased its activities on Czech territory precisely because of the situation in Ukraine.
“Ukraine is now the main target of attacks by Russian groups. But actions continue to take place also against the countries of the European Union and NATO, including the Czech Republic,” Robert Lipovský, a researcher at the Slovak company ESET, confirmed to Lupa. ESET tracks Russian activity in detail, and thanks to this it became part of the American federal organization CISA, a breakthrough for a company from our region.
Russian state cyber actors have slowed down in the Czech Republic, but the actions of hacktivists have intensified, most visibly through the group NoName057(16), which launches DDoS attacks against local targets of all kinds. The group was last heard from a few days ago.
The activity of an old familiar formation
In any case, Russia is still very active in the Czech Republic, and BIS considers it to be the biggest security threat, including in cyberspace. “The permanent interest of the Russian Federation is the collection of information from the field of international relations, which is also manifested in permanent or repeated cyberespionage campaigns. Their targets are primarily ministries of foreign affairs, embassies, think-tanks or multinational institutions,” the security service summarized.
In the Czech Republic, shortly after Russia’s invasion of Ukraine, a Russian state cyber unit whose activity BIS had recorded in the past resumed its operations. The unnamed actor is believed to have abused Czech information infrastructure for war-related phishing attacks. The attacks also targeted organizations involved in helping refugees from Ukraine.
“Last year also stood out for a long-term cyberespionage campaign targeting international relations and diplomacy targets with a near-global scope. The intensity of the campaign can be assessed as exceptionally high. Among other things, the cyber actor succeeded in briefly compromising several individual e-mail boxes on the official domain of a Czech state institution, which it then misused to send other malicious messages,” BIS wrote further.
Military Intelligence devotes a large portion of its latest annual report to Russian cyber activities linked to the war in Ukraine. According to the military service, cyber attacks by Russian actors did not reach the expected level of sophistication and targeting. Russia mainly deploys so-called wipers, whose aim is to delete data and prevent computers from booting their operating systems.
Already at the beginning of 2022, HermeticWiper appeared, overwriting the Master Boot Record. The Slovak company ESET, which described HermeticWiper, has since detected a number of other Russian-made wipers. These are, for example, IsaacWiper, CaddyWiper, NikoWiper and others. The Slovaks also confirmed that these and other Russian tools are often not very sophisticated and are intended to help military operations.
Wipers are relatively simple to create, and once they are detected and analysed, their effectiveness drops significantly. For attackers, however, this is a far smaller loss than losing sophisticated tools that cost a lot of time and money to build. At the same time, wipers can delete data, block access to systems and significantly complicate life for the victim. According to Military Intelligence, these factors favour the deployment of wipers.
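The kind of check a defender can run against the MBR overwrite the article attributes to HermeticWiper: an added example, not code from the article, BIS or ESET, that verifies a boot sector's signature and partition table and compares the sector with a known-good baseline hash. The 512-byte image below is constructed for the example; on a real host the sector would be read from the raw disk device by a privileged tool and the baseline hash stored out of band.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr() -> bytes:
    """Constructed, minimal but valid MBR image (not taken from any real disk)."""
    boot_code = b"\xEB\xFE" + b"\x00" * (PARTITION_TABLE_OFFSET - 2)  # 'jmp $' + padding
    # One active NTFS-type (0x07) partition starting at LBA 2048, 1 GiB long.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 2097152)
    table = entry + b"\x00" * 16 * 3
    return boot_code + table + b"\x55\xAA"


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of a known-good sector, recorded once at baseline time."""
    return hashlib.sha256(mbr).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return (status, type, start_lba, sectors) for each non-empty partition entry."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append((status, ptype, start, count))
    return parts


def check_mbr(mbr: bytes, expected_hash: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector size"]
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing (sector overwritten or zeroed)")
    if not parse_partitions(mbr):
        findings.append("no partition entries present")
    if baseline_hash(mbr) != expected_hash:
        findings.append("MBR hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    ref = baseline_hash(good)
    print("intact :", check_mbr(good, ref))
    print("zeroed :", check_mbr(b"\x00" * MBR_SIZE, ref))  # what a wiper typically leaves behind
```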
Base in Crimea
Research by the FBI, the NCSC, Ukrainian security forces, Microsoft and ESET has led to Russian cyber actors being divided into three groups corresponding to the state agencies they fall under. Specifically, these are the FSB security service (the Energetic Bear, Turla and Gamaredon groups), the SVR foreign intelligence service (The Dukes / Cozy Bear, InvisiMole and Buhtrap) and the GRU military intelligence service (Sandworm and Sednit / Fancy Bear). At the same time, there is not much cooperation and coordination between the FSB, SVR and GRU.
The most aggressive group is Sandworm, also known as Voodoo Bear, associated with the GRU. It is behind infamous attacks such as NotPetya, BlackEnergy and Industroyer, aimed at causing energy blackouts. “Sandworm has twenty different families of wipers available. They have completely different code bases, they are not just variations of one code. Such a scale is unprecedented,” described Lipovský from ESET.
The oldest known group, operating since 2004, is Sednit, also known as Fancy Bear or APT28. It was responsible, for example, for the hack of the Democratic Party before the US elections. Today, Sednit is mostly focused on targeted phishing campaigns, including in the Czech Republic. GRU/Sednit activity was last seen in our country recently; for example, the group has exploited disclosed vulnerabilities in WinRAR.
A very interesting group is Gamaredon, also known as Pterodo, operating from Russian-occupied Crimea. Currently, these are clearly the most active actors in Ukraine. Pterodo goes for volume, does not worry about detection, takes control of more than two devices a day and is moving westward from Ukraine into Europe. Pterodo can steal cookies from Opera, Firefox, Chrome and Edge and extract data from the Signal and Telegram desktop applications.
According to Lipovský, Russian state groups have teams with a double-digit number of people specialized in various sectors. From indications such as timestamps, it can be estimated in some cases that these actors essentially go to work and operate during normal working hours, which again points to state involvement.
Key commercial entities
According to Military Intelligence, an important lesson in cyber defense is the privatization of security and the use of services from commercial entities. These “fundamentally supported and increased the defense potential of Ukrainian public institutions”.
In particular, Western technology companies provided Ukraine with their technologies and capacities; Lupa has, for example, reported on Ukraine’s move to Amazon Web Services. Microsoft is also very active. In Ukraine, for the first time, we could see on a large scale how the private sector chooses a side.
Daniel Bagge, the former Czech cyber attaché in Washington who recently left Military Intelligence, also mentioned the growing role of the private sector, into which he has moved. “Technological developments in recent years, combined with the growing power of private corporations and the subsequent weakening of government mandates, lead me to reassess where we stand in the coming decade of global strategic competition,” he said.
An increasingly invasive China
And then there is China. According to BIS, Russia’s invasion of Ukraine has prompted the Asian power to increase its interest in the situation in Europe and intensify cyber espionage activities in the region.
“In the Czech Republic, this effort was manifested, for example, in spearphishing attacks, in which Czech state institutions were targeted in several cases. In some cases, the names of these institutions were misused by the attackers trying to impersonate their employees or representatives,” BIS reported.
The Chinese attackers advanced in waves and most often tried to exploit political themes. Over time, it has been possible to observe increasing sophistication of the attacks and the targeting of individuals, including the use of social engineering and impersonation of persons known to the victim.
Increased cyberespionage risk also appeared during the Czech presidency of the Council of the European Union, which made the Czech Republic more attractive to China. BIS noted the escalating activities of Chinese actors. “Some of these activities have been at least partially successful,” the report added.
An unprecedented threat
China focuses mainly on cyber espionage, influencing public opinion, data collection, targeting dissidents and stealing the intellectual property of Western companies. The Five Eyes intelligence alliance (the US, Britain and others) recently said that China’s intellectual property theft and its cyber actions against the West are an unprecedented threat.
Andy Garth, the former British ambassador to Slovakia and today ESET’s head of government relations, told Lupa that China’s resources in cyberspace are many times greater than, for example, the capabilities of the FBI. “Cyber tools are very accessible and useful for governments. They can be subtle and quiet, manipulative and lucrative. At the same time, they’re a tool you can deny you’re using,” Garth continued.
According to Garth, the current geopolitical situation is the worst since the Vietnam War. At the same time, the struggle for the shape of the rest of the twenty-first century between the United States and China has begun, which can be seen, for example, in the ongoing sanctions associated with the trade-technology war.
“China is trying to ensure the dominance of its technology companies and define standards. It is very active in the International Telecommunication Union, trying to set international rules in such a way that it plays into its cards, while at the same time deprioritizing those groups where it does not have such a strong voice,” the former ambassador further described.
A confused goblin and a panda friend
Chinese hacker groups operating in the European Union and the Czech Republic try to operate as covertly as possible. They mainly engage in espionage and theft, often against EU organizations and local companies, and more and more emphasis is placed on the old continent. For example, the BackdoorDiplomacy group was previously active mainly in Africa, where China has major interests (mining, ports, etc.), but is now moving to Europe.
PerplexedGoblin is a very active young group that has managed to attack several European countries in its first year of existence. According to ESET, it uses DLL side-loading. Another new player is MustangPanda, which also tried to operate during the parliamentary elections in Slovakia using phishing.
The Gallium group, also known from Operation Soft Cell, is still active as well. It started attacking telecom operators several years ago, including stealing data from their CRM systems, and the attacks continue. Gallium remains focused on operators and, in the European Union, also on suppliers to the defense industry and non-profit organizations.
“To sum it up, Russia and North Korea remain significant threats at about the same level. China and Iran will grow (among other things because of the situation in Israel and the role of Iran in the Middle East – editor’s note). Turkish and other groups targeting organizations in the EU are also gaining strength,” added Garth.