Russia’s Cyberwar + Predatory Sparrow in the Middle East

Tom Uren
Friday, January 12, 2024, 9:15 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.

Published by The Lawfare Institute

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack.

Russia’s Cyberwar Gets Smarter … and Dumber

Russia’s cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can’t resist destructive operations that are flashy but ultimately counterproductive.

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On Jan. 2, Ukraine’s security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes and for damage assessment.

At first glance, this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report mentions only two cameras.

It turns out, however, that many of the video surveillance cameras sold in Ukraine prior to the war were managed with a system known as Trassir, which was developed by a Russian company. Trassir software was used by individuals and enterprises and was even installed at critical infrastructure facilities such as the Chernobyl nuclear power plant. Worse yet, the video feeds from these cameras were routed via Russian servers.

So although the SBU mentioned just two cameras in this case, Russian efforts to compromise cameras could be widespread. Early in 2022, the SBU blocked a large number of Russian IP addresses, including those of Trassir servers. Presumably, this explains why the hacked devices the SBU reported on were altered to stream video via YouTube rather than directly to a Russia-based IP address. In this month’s announcement, the SBU said it had stopped the operation of 10,000 IP cameras since the start of the invasion and appealed for Ukrainian citizens to report online camera streams to its official chatbot.

Hijacking surveillance cameras to provide targeting support is also a fairly sensible use of cyber operations, because it complements conventional military capabilities with the intent of making them more effective. It’s quiet, but potentially deadly.

By contrast, a Dec. 12, 2023, attack on Kyivstar, Ukraine’s largest mobile operator, is the stuff of cyberwar fantasies. However, the attack feels like a squandered opportunity as Russia does not appear to have taken significant advantage of it.

The Kyivstar attack left over half of Ukraine’s population without mobile and home internet services for two days. It also disrupted some banks and ATM services, point-of-sale terminals, and air-raid sirens.

Illia Vitiuk, the SBU’s cyber security chief, told Reuters this was a long-term operation and that the hackers had been in Kyivstar’s networks since at least May 2023. Vitiuk said they had probably had “full access” since at least November.

He described the attack as wiping “almost everything,” including thousands of virtual servers, and said it “completely destroyed the core of a telecoms operator.”

Despite what sounds like pretty comprehensive destruction, the disruption was relatively short lived. Kyivstar services were back up within a matter of days, and the company’s CEO said services were fully restored just eight days after the attack.

The attack was not combined with any other significant Russian military action, such as a major drone or missile attack. And, according to Ukrainian government sources, there was relatively little impact on Ukrainian military communications.

When it comes to assessing the impact of this attack, timing is everything. If this type of attack had been executed in February 2022, at the beginning of Russia’s invasion and combined with Russia’s attack on Viasat’s KA-SAT satellite service, it could have measurably improved the chances of Russian military success.

Since the attack took place in December 2023, however, we think it is actually a net negative for Russia’s military prospects, because maintaining enduring access into Kyivstar would have been tremendously valuable. Vitiuk told Reuters the SBU assessed:

the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS-messages and perhaps steal Telegram accounts with the level of access they gained.

These capabilities would have been an intelligence gold mine that could have enabled many more impactful military actions over the longer term.

Destroying Kyivstar resulted in a short-term sugar rush but pretty much guaranteed that the Russians lost access. This cuts against the trend in Russian operations toward intelligence gathering that we wrote about in September 2023, so we are left wondering what the motivation for this particular operation was.

The SBU’s Vitiuk attributed the attack to Russia’s Sandworm group (the GRU, Russian military intelligence) and said, regarding the timing of the operation, “[M]aybe some colonel wanted to become a general.” We don’t have a better explanation.

Predatory Sparrow Won’t Move the Needle in the Middle East

Israel is trying to use cyber operations to warn off regional foes, but the current conflict is just too hot for this strategy to work.

In mid-December, Predatory Sparrow, a purported hacktivist group believed to be a persona of the Israeli military, disrupted petrol supply systems in Iran. In a statement on Telegram, the group claimed to have disrupted “a majority of the gas pumps throughout Iran … in response to the aggression of the Islamic Republic and its proxies in the region.”

Although we don’t know yet if the technical details are the same, this appears to be a repeat of an October 2021 attack that Predatory Sparrow launched against Iran’s fuel subsidy system. In that attack, petrol stations shut down because they were unable to charge customers for fuel.

As in the 2021 attack, Predatory Sparrow took steps to show that it was operating responsibly. In a recent Telegram statement it wrote:

As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services.

We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation.

In this case, the operation is all about sending a message to Iranian leadership. In its Telegram posts, Predatory Sparrow directly warned Iran’s supreme leader, saying, “Khamenei, playing with fire has a price” and, a few days later, “Khamenei! Playing with proxies a girl can get burned.”

Previous Predatory Sparrow attacks took place in the context of a series of tit-for-tat destructive operations between Iran and Israel that appear to have been kick-started by an Iranian cyberattack on Israeli water infrastructure. At the time, we wrote:

Following reports of cyber attacks against Israeli water infrastructure in 2020, a suspiciously large number of things have caught fire or gone boom in Iran since, including the Natanz uranium enrichment facility, a missile production facility, an oil pipeline, a shipyard in the Iranian port of Bushehr, Iran’s largest warship, and an oil refinery.

Other less physically destructive incidents have involved cyber attacks on the port of Bandar Abbas and a wiper attack on Iran’s national rail system. Some of these incidents could be the result of deliberate state-backed actions; others may simply be accidents.

This one wasn’t an accident, though: In November last year, Iran’s top nuclear scientist was assassinated with a self-destructing remotely-controlled machine-gun.

At one level, using precisely executed cyber operations to send a warning is clearly better than using operations that cause a lot of collateral damage and therefore escalate conflict.

Having said that, however, we are not sure that signaling via cyber operations has actually worked for Predatory Sparrow. Its previous petrol station hack occurred in October 2021, and by June 2022 it was carrying out spectacular destructive attacks on three Iranian steel mills. If its signaling had worked, would it have needed to carry out further operations?

The geopolitical situation is also vastly different today. Israel is involved in a war against Hamas, Israel and Hezbollah are exchanging strikes back and forth across Lebanon, and Iran-backed Houthi rebels are attacking cargo ships in the Red Sea. There’s genuine diplomatic concern that the Israel-Hamas war could expand to encompass Hezbollah in Lebanon.

Given the situation, will the repeat of a two-year-old fuel supply disruption operation move the needle at all? We don’t think so.

Three Reasons to Be Cheerful This Week:

  1. ALPHV Disruption: In mid-December, the U.S. Department of Justice announced that it had disrupted the ALPHV (aka BlackCat) ransomware gang, which it described as the second most prolific ransomware-as-a-service brand. The Justice Department also revealed the FBI had developed a decryption tool that it had offered to 500 affected victims. That’s the good news, but the weird addendum is that, although the FBI was able to get credentials for the site, it wasn’t able to prevent ALPHV from “unseizing” it. This “tug of tor” is well described at Ars Technica.
  2. Scam city seized by Myanmar rebels: A city that is a hub for online scams known as “pig butchering” has been ceded by Myanmar’s military government to rebel forces that claim to be focused on cleaning up scam centers. The change in control ultimately seems to be driven by the People’s Republic of China’s (PRC’s) frustration with the pig butchering epidemic that has affected thousands of Chinese nationals. This ABC report has good coverage of the broader issues.
  3. More cyber-focused FBI agents overseas: The FBI told CyberScoop that it is increasing the number of cyber-focused FBI assistant legal attaches at American embassies overseas by six people to 22. Given the international nature of cybercrime, we are actually surprised there are so few.


Russia Hates Democrats, China Loves China

Last edition, we talked about the inevitability of election interference. Since then, both the U.S. and the U.K. governments have released reports describing attempted interference. The Taiwanese government has also committed to releasing a report on PRC interference after its election is completed on Jan. 13. The report from the U.S. intelligence community assesses that Russian interference is mostly about denigrating the Democratic Party, PRC interference is about promoting pro-China interests without favoring any particular party, and a number of other foreign parties interfere more narrowly. It expects interference to peak during presidential election years, and the report says:

The involvement of more foreign actors probably reflects shifting geopolitical risk calculus, perceptions that election influence activity has been normalised, the low cost but potentially high reward of such activities, and a greater emphasis on election security in IC collection and analysis.

Extradition Tug-of-War Ends Up with Russian Victory

Russian cyber security executive Nikita Kislitsin, who was the subject of an extradition tug-of-war between the U.S. and Russia after his arrest in Kazakhstan, will ultimately end up in Russia. We examined this case in July 2023 when we looked at the underlying drivers behind these diplomatic contests that occur whenever a Russian citizen is arrested internationally on cybercrime charges.

SEC Twitter Hack Moves Bitcoin

On Tuesday, the Securities and Exchange Commission’s (SEC’s) X (formerly Twitter) account (@SECGov) was hacked and used to release a message stating that the commission had granted approval for a Bitcoin exchange-traded fund (ETF). This briefly moved the market for Bitcoin from $46,700 to $48,000 before the false tweet was exposed. On Wednesday, however, the SEC really did approve Bitcoin ETFs. Rather than a clever hack to make money by manipulating markets, the hacker appears to have just posted a draft tweet.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk with information security and antivirus veteran Martijn Grooten about how the infosec industry has changed over the years.

From Risky Biz News:

Turkish APT group Sea Turtle returns: Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Since its public ousting in late 2020, the group wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations. In recent reports, the three security firms claim the group has now retooled and changed its modus operandi, although some connections to its old infrastructure remained.

[more on Risky Business News]

Ransomware wrecks Paraguay’s largest telco: A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay. The incident took place Jan. 4 and impacted the telco’s business branch.

Around 300 servers in Tigo’s data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation. At least 300 companies were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

[more on Risky Business News]

Ukraine repels attack on state payment system: Ukraine says it repelled Russian cyberattacks against its state payment system for the second week in a row. Officials say Russian hackers tried to destroy vital systems used for budget payments. The operation comes after Russian hackers successfully wiped servers inside Kyivstar, the country’s largest mobile operator.


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
