Russian state-sponsored threat actors were observed abusing an old printer vulnerability to drop custom malware on target endpoints.
The malware helped them exfiltrate sensitive data and login credentials. This is according to a new report from Microsoft Threat Intelligence, published earlier this week.
As per the report, since mid-2019, a group known as Fancy Bear has been abusing a Windows Print Spooler elevation-of-privilege bug. The vulnerability, tracked as CVE-2022-38028, was discovered in 2022 and patched in October of the same year.
The fall of Moobot
However, even after the release of the fix, Fancy Bear targeted unpatched endpoints in government, non-government, education, and transportation firms, located in Ukraine, Western European, and North American countries.
Once found, the devices would be infected with a custom-built malware called GooseEgg, which granted the attackers elevated privileges, and the ability to steal credentials across compromised systems.
Given that the patch has been available for almost two years now, it’s the best and easiest way to protect the endpoints from Russian spies.
Fancy Bear is probably Russia’s most popular threat actor. Some researchers have linked it to the GRU – the Russian General Staff Main Intelligence Directorate – the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation.
In mid-February this year, US law enforcement agents successfully shut down a malicious Fancy Bear botnet. At the time, the U.S. Department of Justice (DoJ) said its agents conducted a “court-authorized operation” that has neutralized a network of “hundreds of small office/home office (SOHO) routers”.
As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet were previously infected by malware called Moobot, which was developed by a private hacking group. This group targeted routers with factory settings and otherwise easy-to-guess passwords to install the malware. Then, APT 28 (as they call Fancy Bear) swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”
Vladimir Putin spoke at an event marking the 300th anniversary of the Russian Academy of Sciences. Credit: Getty Images
Russian President Vladimir Putin has secured a fifth term in office, claiming a landslide victory in the country’s presidential election on 18 March. Election officials say he won a record 87% of votes. This outcome came as a surprise to no one, and many international leaders have condemned the vote as not being free or fair.
Researchers interviewed by Nature say that another six years of Putin’s leadership does not bode well for Russian science, which has been shunned globally in response to the country’s ongoing invasion of Ukraine, and is on precarious ground at home. Those still in Russia must choose their words carefully: as one scientist, who wishes to remain anonymous, put it, “business as usual” now includes possible prison time for offhand comments.
Publicly, Putin’s government is a big supporter of research. In early February, at a celebration of the 300-year anniversary of the Russian Academy of Sciences, Putin bolstered the academy’s role, effectively reversing parts of a sweeping reform he oversaw in his third term that had limited its autonomy. And at the end of last month, he signed an update to the 2030 national science and technology strategy, which calls for funding for research and development to double to 2% of gross domestic product, and stresses an increased role for applied science amid “sanctions pressure”.
Despite being made before the election, these big announcements were framed not as campaign promises but as top-down directives, says Irina Dezhina, an economist at the Gaidar Institute for Economic Policy in Moscow. “The fact that it was set in motion back then implies no one really expected any changes at the helm.”
Fractured landscape
Although domestic support for Russian science, which remains mostly state-funded, appears to be strong, many collaborations with countries in the West have broken down since the invasion of Ukraine, prompting a shift to new partners in India and China.
After intense internal discussions, CERN, the European particle-physics powerhouse near Geneva, Switzerland, voted in December 2023 to end ties with Russian research institutions once the current agreement expires in November this year. And the war has severely disrupted science in the Arctic, where Russia controls about half of a region that is particularly vulnerable to climate change. A study [1] this year gave a sense of how collaborative projects could be affected by losing Russian data: excluding Russian stations from the International Network for Terrestrial Research and Monitoring in the Arctic causes shifts in project results that are in some cases as large as the total expected impact of warming by 2100.
Reports also suggest that political oppression combined with the threat of military draft have led to a ‘brain drain’ among scientists. Getting an accurate headcount is challenging, but a January estimate by the Latvia-based independent newspaper Novaya Gazeta Europe, based on researchers’ ORCID identifiers, says at least 2,500 researchers have left Russia since February 2022.
Researchers who stayed in Russia have had to contend with serious supply-chain disruptions as well as personal risks. And international sanctions on Russia might have hit even the most productive scientists: according to a January 2024 paper co-authored by Dezhina, which surveyed some of the most published and cited Russian researchers, three out of four of them report at least some fallout from sanctions, mostly economic ones [2].
Russia’s isolation has particularly affected the medical sciences, because it means that international clinical trials are no longer held there, says Vasily Vlassov, a health-policy researcher at the Higher School of Economics University in Moscow. He fears that being cut off from the global community will erode Russia’s expertise in this fast-moving and technically complex field: “It’s a problem we have yet to fully appreciate.”
Researchers in the social sciences and humanities are less dependent on overseas partners, but they are affected by increasingly nationalist ideology, says a Russian researcher who asked to remain anonymous. When reviewing articles for publication in Russian journals, the researcher says, they are seeing an increasing number of submissions blaming problems in research and higher education on ‘the collective West’, a common propaganda term. “It’s everywhere, and it’s poisoning minds.”
Uncertain future
The election outcome serves as a reminder of the ongoing war and the openly totalitarian environment in Russia, says Alexander Kabanov, chief executive of the Russian-American Science Association, a US-based non-profit organization. “We are still dealing with an ongoing disaster,” he says.
Yet the impacts of sanctions on Russian science are beginning to fade from public consciousness in other countries. Pierre-Bruno Ruffini, who studies science diplomacy at Le Havre University-Normandy in Le Havre, France, says that academic sanctions and their consequences have “rapidly and completely disappeared” from discussions in the French research community. Dezhina agrees, and adds that, in her experience, even cooperation between individual scientists, once seen as a promising workaround for institutional bans, is on the decline.
Researchers in exile are working on an alternative to the state’s vision of the future for Russia and national science. A policy paper published earlier this month by Reforum, a European project that aims to create a “roadmap of reforms for Russia”, presents a to-do list for revitalizing Russian research. Three out of five of the tasks listed focus on bringing it back into the international fold. Olga Orlova, a science journalist who wrote the policy paper, thinks that scientists in Russia have a part in building that future.
“They shouldn’t be afraid of the change — they should be working for it,” she says.
The Federal Communications Commission (FCC) is investigating the potential risks posed by Russian and Chinese satellite systems that are used by some US mobile devices.
There are concerns that some satellites operated by Russia and China could be siphoning Global Navigation Satellite System (GNSS) data.
The FCC rules state that only approved satellite systems can process GPS data, with the only approved satellites being the existing US constellations, and the European Galileo GNSS.
Potential for Russian “jamming and spoofing”
Chair of the House Select China Committee, Representative Mike Gallagher, said in a letter to FCC Chair Jessica Rosenworcel that, “Current events in Eastern Europe (including significant Russian jamming and spoofing of GNSS signals) call into question the wisdom of accepting this workaround and suggest it is critical that the FCC enforce its rules against using unauthorized signals from foreign satellites.”
Satellite constellations belonging to the People’s Republic of China (‘BeiDou’) and Russia (‘GLONASS’) can be used by some US mobile phones to receive and process GNSS signals.
“Many devices in the United States are already operating with foreign signals,” Rosenworcel said in 2018, after pointing out that US phones can send GNSS signals to the satellites of foreign countries.
Among the handset manufacturers contacted by the FCC are Samsung, Nokia, Motorola, Apple, Google, and others that make up around 90% of the US mobile phone industry.
Speaking on the FCC investigation, a spokesperson said, “There is no established record of what security threats, if any, these signals carry and whether the manufacturers of handheld devices are processing these signals in violation of the Commission’s rules.”
The US has been taking steps to increase the domestic production of semiconductors as part of the CHIPS act. There are serious and credible concerns that manufacturing chips for US devices in Taiwan could subject them to Chinese espionage and sabotage.
The CHIPS act has set aside $53 billion to invest in domestic manufacturing using the existing expertise and infrastructure of companies such as Intel, Samsung, Micron, and Taiwan Semiconductor Manufacturing Company.
For years, Registered Agents Inc.—a secretive company whose business is setting up other businesses—has registered thousands of companies to people who appear to not exist. Multiple former employees tell WIRED that the company routinely incorporates businesses on behalf of its customers using what they claim are fake personas. An investigation found that incorporation paperwork for thousands of companies that listed these allegedly fake personas had links to Registered Agents.
State attorneys general from around the US sent a letter to Meta on Wednesday demanding the company take “immediate action” amid a record-breaking spike in complaints over hacked Facebook and Instagram accounts. Figures provided by the office of New York attorney general Letitia James, who spearheaded the effort, show that in 2023 her office received more than 780 complaints—10 times as many as in 2019. Many complaints cited in the letter say Meta did nothing to help them recover their stolen accounts. “We refuse to operate as the customer service representatives of your company,” the officials wrote in the letter. “Proper investment in response and mitigation is mandatory.”
Meanwhile, Meta suffered a major outage this week that took most of its platforms offline. When it came back, users were often forced to log back in to their accounts. Last year, however, the company changed how two-factor authentication works for Facebook and Instagram. Now, any devices you’ve frequently used with Meta services in recent years will be trusted by default. The move has made experts uneasy; this means that your devices may not need a two-factor authentication code to log in anymore. We updated our guide for how to turn off this setting.
A ransomware attack targeting medical firm Change Healthcare has caused chaos at pharmacies around the US, delaying delivery of prescription drugs nationwide. Last week, a Bitcoin address connected to AlphV, the group behind the attack, received $22 million in cryptocurrency—suggesting Change Healthcare has likely paid the ransom. A spokesperson for the firm declined to answer whether it was behind the payment.
In January, Microsoft revealed that a notorious group of Russian state-sponsored hackers known as Nobelium infiltrated the email accounts of the company’s senior leadership team. Today, the company revealed that the attack is ongoing. In a blog post, the company explains that in recent weeks, it has seen evidence that hackers are leveraging information exfiltrated from its email systems to gain access to source code and other “internal systems.”
It is unclear exactly what internal systems were accessed by Nobelium, which Microsoft calls Midnight Blizzard, but according to the company, it is not over. The blog post states that the hackers are now using “secrets of different types” to breach further into its systems. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
Nobelium is responsible for the SolarWinds attack, a sophisticated 2020 supply-chain attack that compromised thousands of organizations, including major US government agencies such as the Departments of Homeland Security, Defense, Justice, and Treasury.
Russian hackers keep trying to infiltrate Microsoft, the company says. These hacks follow an attack last year, in which state-sponsored agents obtained the emails of Microsoft’s senior level managers. An internal investigation led by Microsoft identified the hackers in both instances as a Russian group called Midnight Blizzard.
It looks like Midnight Blizzard has gotten bolder in its approach. Last year’s attack seemed to prioritize the collection of email addresses, but this most recent attack finds the group repeatedly attempting to breach the company’s systems and gain access to source code. Microsoft disclosed the latest intrusion in a filing with the U.S. Securities and Exchange Commission.
We don’t know exactly what these hackers want, but Microsoft said they are likely using email addresses acquired during November’s attack to help gain access to internal systems. Midnight Blizzard “may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so,” the company wrote. I know one thing. They had better leave Clippy alone.
Midnight Blizzard is believed to work directly for Russia’s Foreign Intelligence Service (SVR) and is said to operate at the behest of Vladimir Putin. The group is likely behind 2016’s hack of the Democratic National Committee and 2020’s hack of the software company SolarWinds, which led to a breach of government networks.