Whatever Happened to Russia's Cyber War Against Ukraine?
Also: The Doctor Accused of Building Ransomware; Coalition's $5 Billion Valuation
Mathew J. Schwartz (euroinfosec) • July 21, 2022 • 17 Minutes
The latest edition of the ISMG Security Report asks: Whatever happened to Russia's cyberwar against Ukraine? It also looks at the curious case of a cardiologist who's been accused of moonlighting as a ransomware developer.
In this report, you'll hear:
- Experts note that while the massive online onslaught many expected has not materialized so far in the Russia-Ukraine war, numerous cyber operations are being launched in support of the Russian government's military objectives;
- ISMG's Jeremy Kirk, as part of "The Ransomware Files" series, details U.S. charges against Moises Gonzalez, a doctor in Venezuela whom the U.S. has charged with building and selling the notorious Jigsaw and Thanos ransomware;
- ISMG's Michael Novinson on how cyber insurance upstart Coalition secured $250 million in funding on a $5 billion valuation, despite stock market turbulence and the value of many cybersecurity firms having plummeted.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the July 7 and July 14 editions, which respectively discuss how to respond to the new "fraud universe" and why ransomware attacks have been intensifying.
Mathew Schwartz: Whatever happened to Russia's cyber war against Ukraine? And the curious case of a cardiologist who's been accused of moonlighting as a ransomware developer. Those stories and more, coming up on the ISMG Security Report.
Hi, I'm Mathew Schwartz. Whatever happened to the cyber war that Russia was meant to unleash on Ukraine? Few thought to disagree that in the event of an invasion, Moscow was sure to order a furious online assault, taking power plants offline, scrambling defenders' communications, and sowing mass chaos. But as Russia's invasion of Ukraine nears its half-year mark, experts find themselves reevaluating long-held assumptions and grappling with surprising developments that few saw coming. Russia's constant probing of Ukrainian networks, leading to some government sites getting knocked offline, has yet to cause massive disruptions.
Jeremy Fleming: Perhaps the concept of a cyberwar was overhyped. But there's plenty of cyber events, including a range of activity we and partners have already attributed to Russia.
Schwartz: That's Jeremy Fleming, the head of the U.K.'s security, intelligence and cyber agency, GCHQ. Make no mistake, Russia has been trying to disrupt Ukrainian systems. Wiper malware has been a feature of the conflict. Cybersecurity firm Trellix counts more than a dozen wipers that it traces to Russia or Russian-allied forces. Mikko Hyppönen, chief research officer at WithSecure, says wiper malware has caused chaos, not least for civilians.
Mikko Hyppönen: When people ask what Russia has accomplished with their cyberattacks, I think the best example we saw, on the very first day of the war, was that there were 36- to 40-hour queues on the Ukraine-Poland border, where women and children were trying to flee the war and they couldn't leave, and people were stumped. Why are the borders closed? They weren't closed, but the computers of Ukraine's border control had been wiped by HermeticWiper, which was developed and deployed by the GRU, Russian military intelligence. That's what cyberwar looks like in the real world.
Schwartz: Russia has also attempted to make some major hits on critical infrastructure in support of military objectives. But does this qualify as a cyberwar?
The Grugq: Cyberwar is not a useful term for us. What we are seeing here is not cyberwar, what we are seeing is a war with cyber.
Schwartz: That's the operational security expert known as The Grugq. He says the concept of cyberwar is so imprecise as to be essentially meaningless. Instead, he favors terminology such as cyber operations, which better encapsulates the fact that cyber never gets used in a vacuum. Now, another takeaway from the war is that while many experts expected Russia to hack and crash power stations, or Ukraine's ATMs, none of that has happened. Instead, The Grugq says cyber has been used extremely tactically to support military operations.
The Grugq: This is the first war where cyber has played an instrumental role. The Russians have not done what we wanted them to do or what we expected them to do. But they have done what makes the most sense, given what they were trying to do in general.
Schwartz: For example, on the first day of the invasion, Russia successfully disrupted access to Viasat's KA-SAT satellite network from Ukraine, but this didn't have the impact Moscow likely anticipated. Kyiv was able to get a replacement service from SpaceX's Starlink satellite network up and running in just a few days. Ukraine's military has also shown itself to be highly adaptable. The Grugq says that if Russian attacks disable IT networks, for example, government officials often resort to using smartphones and messaging apps to communicate. Likewise, when the IT networks that run the country's railways were disrupted, officials switched to a Soviet-era analog backup system. As that highlights, Russia is very much continuing to try and disrupt Ukraine via targeted cyberattacks. But the Russian government hasn't been highlighting the fact that many of these efforts seem to have failed.
Chad Sweet: One of the unfortunate things is the Russians have done a pretty good job of spreading disinformation that they're not aggressively attacking. If you look at the facts in the lead-up to the war, there were numerous probing and intrusive attacks that pre-positioned for the invasion. The day before the February 24th invasion, we saw the GRU — which is their military intelligence arm — launch wiper and other aggressive attacks on 300 systems at 12 different organizations, all impacting the government and its command and control structures.
Schwartz: That's Chad Sweet, former U.S. Department of Homeland Security Chief of Staff, who's now CEO of consultancy The Chertoff Group.
Sweet: It's factually false that the Russians aren't attacking; they're aggressively attacking. The good news though is, we've been assisting our Ukrainian allies in their preparation for such an attack. Part of the reason it's not grabbing the headlines is they're doing a pretty good job on the defense.
Schwartz: Indeed! Experts say the big Russian cyberwar anticlimax is due in part to Ukraine having gotten very good at cyber defense. Having been repeatedly targeted by Russia since 2014, the country has had a lot of practice. Nevertheless, as the war continues, so do the cyber surprises. Once again, here's WithSecure's Mikko Hyppönen.
Hyppönen: There's been many surprises, like the fact that Ukrainian government officials are openly recruiting foreign citizens to break their own laws and target Russian targets with cyberattacks, which we've seen in no other war ever in history. I'm surprised by the fact that Western technology companies like Microsoft and Google are there in the battlefield supporting Ukraine against governmental attacks from Russia, which is something we've never seen in nearly any other war.
Schwartz: Those are just a handful of the now-long list of cyber lessons that have already been learned from the ongoing conflict. When it comes to the use of cyber operations to support a military invasion, who knows what might happen next.
(Transition ad: You're listening to the ISMG Security Report on ISMG Radio. ISMG - your number one source for information security news.)
Schwartz: Next up: as part of his ongoing Ransomware Files podcast, ISMG's Jeremy Kirk details a curious case involving Moises Gonzalez, a doctor in Venezuela, whom the U.S. has charged with building and selling a notorious strain of ransomware.
Jeremy Kirk: The FBI's most wanted list for cybercrime recently gained a new entry. His “wanted” poster has a photo of him with a stethoscope and wearing a doctor's white overcoat.
Alexander Mindlin: Moises Zagala is a cardiologist in his mid-50s who lives in Ciudad Bolívar in Venezuela. In addition to being a cardiologist, he has been charged in the government's complaint. He also designs, sells and licenses out ransomware.
Kirk: That's Alexander Mindlin, who is an Assistant U.S. Attorney for the Eastern District of New York. It's the federal court where Moises Zagala would face trial; Alexander would prosecute the case. The government alleges Zagala is an old-school hacker who kept up his skills from the late 1990s onward. They allege that he created Jigsaw version 2, a standalone ransomware program, and Thanos, which is a ransomware builder. A ransomware builder is an application that can generate other unique ransomware programs. Security experts have seen evidence that both programs were used by cybercriminals against companies and organizations around the world over the last few years. Lindsay Kaye is an expert malware analyst and a senior director with the computer security firm Recorded Future. She co-authored a report on Thanos that was released in June 2020. I asked Lindsay what she thought about the code's quality. I want to make a note here as well about Lindsay's response. When chatting about Thanos, we often refer to its developer using the pronoun “he” inadvertently. That's not intended to mean the developer is Moises. That is an accusation that has been made by the U.S. government, and as they say, he is innocent until proven guilty.
So after taking a look at this code, would the person who designed Thanos likely be able to get a job as a software programmer? Or, I guess to put it another way, how good was this evil code?
Lindsay Kaye: This thing that he built, if he built it on his own, there's at least some software engineering skill set and principles there, at least at a basic level. He could probably be a software engineer. It's hard to kind of tell if he wrote this, or if he didn't kind of start with another skeleton of code, or if he didn't get a lot of examples off the internet. Because right now we have access to so much available that it's like, could he have taken a bunch of pieces and just known enough to cobble them together, versus did he write all of the code on his own. It's a little hard to say, but he is not incompetent in the ability to put together code and make it work.
Kirk: By all appearances, Moises is a respected person in the community. He appears to be married to a kidney doctor named Rosani. He's been working at a private clinic in Ciudad Bolívar.
Ana Vanessa Herrero is a top notch journalist based in Caracas, who's reported for The New York Times and The Washington Post. She has been tracking down Moises, his family, his friends, and his patients. She recently made contact with Guillermo, one of Moises's brothers.
Ana Vanessa Herrero: I need to tell you what happened today. I contacted Guillermo on Facebook.
Kirk: Oh, great. What did he have to say?
Herrero: I said that you and I were working on this, and he immediately attacked me.
Kirk: There's much more in this episode of The Ransomware Files. It's called Dr. Ransomware: Part One, and there's a part two coming as well. You can find it on ISMG's websites or wherever you get your podcasts. For Information Security Media Group, I'm Jeremy Kirk.
Schwartz: Cyber insurance provider Coalition has just gotten a serious amount of funding. To discuss, I'm joined by Michael Novinson, ISMG's managing editor for business. Michael, given the state of the stock market and the levels of cybersecurity funding we're seeing, are you surprised by Coalition getting this infusion?
Michael Novinson: I am. What was eye-opening to me was seeing the valuation of $5 billion. Those types of valuations in this economy are few and far between. Especially given that in September of 2021, the company was valued at just $3.5 billion. So their valuation has gone up more than 40% at a time when the NASDAQ and most publicly traded cybersecurity companies have seen their stocks fall anywhere from 20 to 30%, or even more. I think it speaks to the value of the market and the value of their approach. Coalition is probably the largest of the pure-play cybersecurity insurance vendors. A lot of their competition at this point is from traditional insurance companies like AIG and Chubb, which have moved into the cyber space. But Coalition benefits from having the knowledge and the expertise in the cyber market, and having a sense of how to price things out appropriately, since they have a better understanding of the risks they're dealing with at certain companies. Compared to their peers who've taken on the cyber insurance market, they got in a little bit earlier, and they're a little bit larger. So they have a little bit more scale to draw from as they determine how to position themselves and their customers in the market.
Schwartz: Would you say that cyber insurance itself is a hot market? Or does this funding and as you were saying, the $5 billion valuation for Coalition perhaps reflect more on its approach?
Novinson: I think it's a combination of both. It's definitely a hot market. When I speak with managed service providers or CISOs, it's probably the topic that comes up more than any other, in part because a lot of these companies face just brutal premium hikes when they've tried to go for renewals. The insurers, particularly in 2020 and 2021, incurred such high losses on ransomware attacks that customers, who often are required for regulatory purposes to carry cyber insurance, are now stuck between a rock and a hard place. I think there's been a lot of thought given to how to make this profitable. In terms of Coalition, they've benefited from some of the data analytics work they've done, as well as some of the advisory work that they do in terms of working with customers around adopting best practices. Executives over there told me that they did not take the types of losses that traditional insurers had in 2020 and 2021. Therefore, they didn't have to hit their customers with the same types of premium hikes as some of the traditional insurers did, which has only helped to further grow their customer base.
Schwartz: I noticed that one of the products that they're offering is Executive Risk Coverage to help organizations better understand the risk of cybersecurity incidents that could impact their executives. Interesting sounding offering, is that something that you've seen being offered by other firms?
Novinson: In terms of the pure-play cyber insurance companies, not really, because it is an adjacent market and investors want to see competency in one area before you move into complementary markets. For Coalition, I think this is about having feature parity with the AIGs and the Chubbs of the world. I know we talk about vendor consolidation a lot, that customers don't want to have two separate vendors, one for Executive Risk Coverage and another for cyber insurance. Certainly, when you're talking about large enterprises, they're expected to have both, so I think Coalition realized a common objection, or a reason they might lose out to a traditional insurer, is not even that the traditional insurer had a better cyber insurance offering, but that the customer needs both. They don't want to work with two separate vendors. I think they recognize the importance of being able to match from a feature standpoint. I think what's maybe a little different for a cyber insurance provider is having to think in terms of this extra diversity beyond purely cybersecurity and taking in other dimensions of risk as well. So it does require some different telemetry, some different data and maybe some visibility into what the executives are doing outside of working hours and outside of business devices as well. But those are two things that will make it easier for them to compete and win against the traditional insurers.
Schwartz: Fascinating to see how this market continues to evolve. Michael, thank you for joining me to talk about the business of cybersecurity businesses and specifically, about insurance today.
Novinson: You're very welcome, Matt. Thanks for the time.
Schwartz: That's the ISMG Security Report. I'm Mathew Schwartz. Thanks for listening.