FSB's Secret Blizzard Targeted Ukraine Military Devices

Sponsor message

Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.

Microsoft published details on a hacking campaign carried out by a group it calls Secret Blizzard, which has been linked to a unit within Center 16 of the Russian Federal Security Service (FSB) and which other security companies refer to as Turla.

Microsoft said that Secret Blizzard used a botnet known as Amadey, allegedly sold on Russian hacking forums and developed by a cybercriminal group, to attempt to break into “devices associated with the Ukrainian military” between March and April. The company thinks the hacking group either used the botnet by paying for it as malware as a service or hacked into it. 

Microsoft said, "Secret Blizzard has been using footholds from third parties — either by surreptitiously stealing or purchasing access — as a specific and deliberate method to establish footholds of espionage value."

The hackers are also using commodity tools, which can allow the threat actor to hide their origin and potentially make attribution more difficult.

The researchers said cybercriminals typically use the Amadey botnet to install a cryptominer. Microsoft is confident that the hackers behind Amadey and those behind Secret Blizzard are different. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Microsoft, Microsoft, Ars Technica,  TechRadar, CyberScoop, PCMag, Bleeping Computer, Infosecurity Magazine, Security Affairs,  r/espionager, Ars OpenForum

The conference version of the US National Defense Authorization Act directs the Pentagon to establish a dedicated cyber intelligence capability, marking a change from a provision passed out of the Senate that specifically called for a dedicated cyber intelligence “center” rather than a “capability.

The conference version requires the secretary of defense and the director of national intelligence to ensure that DOD has a dedicated cyber intelligence capability by Oct. 1, 2026, to support the military cyber operations requirements for the warfighting missions of US Cyber Command, other combatant commands, defense agencies, the Joint Staff, and the Office of the Secretary of Defense.

Additionally, the defense secretary must ensure that the Pentagon budget materials submitted for each fiscal year beginning with fiscal 2027 include a request for funds necessary for the capability, noting that the funds under the Military Intelligence Program must be available for Cybercom. The directive further directs that the National Security Agency cannot provide any information technology services for cyber intelligence, putting the responsibility squarely on Cybercom.

The report accompanying the final conference version between both chambers this year noted members foster continued support for the creation of a cyber intelligence capability within the DOD, adding they recognize that there are pockets of people with useful analytical expertise across existing service intelligence centers that will have valuable contributions to the cyber intelligence mission — and the notion that those contributions may go beyond any single center is understandable. (Mark Pomerleau / DefenseScoop)

Related: Federal News Network, Breaking Defense

Confirming rumors that have floated since Donald Trump won his bid for the White House, sources say that advisers contributing to Donald Trump’s transition effort are readying a plan to split up the leadership of US Cyber Command and the National Security Agency, potentially soon after he assumes office.

Although the proposal is in its early stages, these people said, the recommendation has already been shared with the America First Policy Institute. This right-wing think tank has crafted its own scheme for staffing and setting the policy agenda at each federal agency. 

If Trump does cleave the “dual-hat” arrangement, in which a single officer leads the cyberwarfare command and the electronic spy agency, it would complete a push he began in 2020 with just a little more than a month left in office. While legal hurdles exist, Trump could overcome them without proposing legislation. (Martin Matishak / The Record)

During a hearing before the Commerce Subcommittee on Communications, Media, and Broadband, senators said the United States must do more to address hacking threats after China's alleged efforts known as Salt Typhoon to infiltrate American telecommunications companies and steal data about US calls.

Federal Communications Commission Chairwoman Jessica Rosenworcel recently told Hill leaders that the $1.9 billion Congress had devoted to the “rip and replace” program to eliminate Huawei and ZTE equipment left the agency with a $3.08 billion hole to reimburse 126 carriers for eliminating the use of that tech, which “puts our national security and the connectivity of rural consumers who depend on these networks at risk.”

They said the $3 billion that Congress included in the annual defense policy bill to remove Chinese-made telecommunications technology from US networks would be a huge step toward defending against breaches like the Salt Typhoon espionage campaign.

The fiscal 2025 National Defense Authorization Act (NDAA) passed the House by a 281-140 vote Wednesday, containing language authorizing funds to fill that gap. Sen. Ben Ray Luján, the New Mexico Democrat who chairs the committee, said that Congress should approve that funding even though there’s much still unknown about the attacks from the Chinese government hackers known as Salt Typhoon. (Tim Starks / Cyberscoop)

Related: Reuters, Industrial Cyber, TechRadar, Bleeping Computer, Meritalk, The Record

Russia's Federal Security Service it had detained 11 employees of an alleged global scam network which operated in the interests of a former Georgian defence minister.

The FSB said an internationally organized criminal group operated call centers, which, under the guise of making investment deals, committed mass fraud against citizens of the European Union, the UK, Canada, Brazil, India, Japan, and several other countries.

The FSB said the call centers "operated in the interests of the former Georgian Defence Minister and founder of Milton Group, David Kezerashvili, who is currently hiding in London."

RIA reported that a citizen of Israel and Georgia was also identified and is wanted on charges of disseminating - upon instructions from Ukrainian forces - anonymous messages about impending attacks on critical infrastructure in Russia.

Kezerashvili was Georgia's defense minister from 2006 to 2008 under Mikheil Saakashvili, president of the South Caucasus nation from 2004 to 2013. (Lidia Kelly / Reuters)

Related: FSB, The Moscow Times, The Record, The Register

Photobucket was sued after a recent privacy policy update revealed plans to sell users' photos, including biometric identifiers like face and iris scans, to companies training generative AI models.

The proposed class action seeks to prevent Photobucket from selling users' data without obtaining written consent. It alleges that Photobucket either intentionally or negligently failed to comply with strict privacy laws in states like Illinois, New York, and California by claiming it could not reliably determine users' geolocation.

The litigation could protect two separate classes. The first includes anyone who uploaded a photo between 2003—when Photobucket was founded—and May 1, 2024. Another potentially even more significant class consists of non-users depicted in photographs uploaded to Photobucket, whose biometric data has also allegedly been sold without consent.

Photobucket risks huge fines if a jury agrees with Photobucket users that the photo-storing site unjustly enriched itself by breaching its user contracts and illegally seizing biometric data without consent. As many as 100 million users could be awarded untold punitive damages and up to $5,000 per "willful or reckless violation" of various statutes.

Users suing include a mother of a minor whose biometric data was collected and a professional photographer in Illinois who should have been protected by one of the country's strongest biometric privacy laws. (Ashley Belanger / Ars Technica)

Related: Courthouse News Service

According to blockchain analyst and investigator Richard Sanders, a financial firm registered in Canada called Cryptomus has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers.

According to Sanders, all 122 of the services he tested are processing transactions through a company called Cryptomus, which says it is a cryptocurrency payments platform based in Vancouver, British Columbia. Cryptomus’ website says its parent firm, Xeltox Enterprises Ltd. (formerly certa-pay[.]com), is registered as a money service business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

Sanders said the payment data he gathered also shows that at least 56 cryptocurrency exchanges currently use Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.

These platforms are built for Russian speakers. They each advertise the ability to swap one form of cryptocurrency for another anonymously. They also allow cryptocurrency exchange for cash in accounts at some of Russia’s largest banks, nearly all currently sanctioned by the United States and other Western nations. (Brian Krebs / Krebs on Security)

Researchers at Lookout discovered a previously undocumented Android spyware called 'EagleMsgSpy' that is believed to be used by law enforcement agencies in China to monitor mobile devices.

Wuhan Chinasoft Token Information Technology Co., Ltd. developed the spyware, which has been operational since at least 2017.

Lookout presents abundant evidence linking EagleMsgSpy to its developers and operators, including IP addresses tied to C2 servers, domains, direct references in internal documentation, and public contracts.

Lookout believes that law enforcement manually installs the EagleMsgSpy spyware when they have physical access to unlocked devices. This could be achieved by confiscating the device during arrests, something familiar in oppressive countries.

Lookout has not seen the installer APK on Google Play or any third-party app stores, so the spyware is presumably only distributed by a small circle of operators.

Lookout claims that C2 servers are tied to domains of public security bureaus, including the Yantai Public Security Bureau and its Zhifu Branch. (Bill Toulas / Bleeping Computer)

Related: Lookout, Infosecurity Magazine, The Record, SC Media, TechCrunch

Researchers at Oasis Security cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.

The flaw was present due to a lack of a rate limit for the number of times someone could attempt to sign in with MFA and fail when trying to access an account.

Users supply their email and password when signing into a Microsoft account and then select a pre-configured MFA method. In the researchers' case, Microsoft gave them a code via another form of communication to facilitate sign-in.

The researchers achieved the bypass, dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," writes Tal Hason, an Oasis research engineer. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million.

Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9. (Elizabeth Montalbano / Dark Reading)

Related: Oasis Security, Techzine, Dark Reading, HackRead, SC Media

According to a document provided by US law enforcement, a location data company called Fog Data Science is asking police for the addresses of specific people’s doctors in case that can be useful in finding their mobile phones in a massive set of peoples’ location data.

The document is a “Project Intake Form” that asks police for information about the person of interest they would like to track, such as biographical information and known locations, including the addresses of family and friends and doctors' offices they may visit.

It shows that, in a time when surveillance of abortion and reproductive health clinics could rise in a post-Roe America, companies providing monitoring tools to the government are prepared to use healthcare information to track down targets. (Joseph Cox / 404 Media)

Related: Ars Technica

​The Romanian National Cybersecurity Directorate (DNSC) says the Lynx ransomware gang breached Electrica Group, one of the largest electricity suppliers in the country.

Electrica warned investors it was investigating an "ongoing" ransomware attack in collaboration with national cybersecurity authorities. Romania's Energy Minister Sebastian Burduja added that the company's SCADA and other critical systems were isolated and unaffected by the attack.

DNSC, one of the authorities involved in the investigation, revealed that the Lynx ransomware operation was responsible for the incident. It also provided a YARA script to help other security teams detect signs of compromise on their networks. (Sergiu Gatlan / Bleeping Computer)

Related: DNSC

Google is rolling out two new updates to its unknown tracker alerts feature that should make it easier for Android device owners to detect unfamiliar trackers.

The first update lets Android phone owners temporarily stop sending location updates to the Find My Device network if an unknown compatible tracker is detected. Google will pause these updates for up to 24 hours, so your location will no longer be visible to whoever could be monitoring your location via the tag.

Second, anybody who receives an unknown tracker alert can locate the unwanted Find My Device-compatible tracker using the “Find Nearby” feature. Once you’ve found it, Google will also offer instructions for physically disabling the tag. (Sheena Vasani / The Verge)

Related: The Keyword, 9to5Google, Engadget, Android Authority, Android Police, ReadWrite, Droid Life, Phone Scoop

A ransomware attack on Dec. 9 interrupted numerous public safety departments' operations in Woods County, OH.

Officials said fire and emergency services, including 911, are still operational. However,. However, the cyberattack disrupted operations at several public safety departments connected to the Wood County Sheriff’s Office computer-aided dispatch system, including emergency dispatchers, jails, and the Bowling Green Police Division.

Jeff Klein, director of the Wood County Emergency Management Agency, said that though the incident has impacted these county offices, the cyberattack has not affected public services in the county. (Sophia Fox-Sowell / StateScoop)

Related: WTOL, BG Independent News, SC Media

Threat exposure management startup Flare announced it had $30 million in a Series B venture funding round.

Base10 Partners Jason Kong led the round with participation from Inovia Capital, White Star Capital, and Fonds de solidarité FTQ. (Julie Bort / TechCrunch)

Related: Flare, Pulse 2.0, PR Newswire

Best Thing of the Day: Gifts for the Literate Cyber Nerds In Your Life

Binding Hook has compiled ten book recommendations from cyber researchers, analysts, and practitioners of cyber fiction to give to the nerds in your life.

Worst Thing of the Day: Your Calls Have Been Intercepted, But You Don't Know Yet

The vast majority of people whose call records have been stolen by the Chinese hacking group Salt Typhoon have not been notified.

Closing Thought