EclecticIQ

Sandworm Targets Ukraine's Critical Infrastructure; Overlooked AI Privacy Challenges

This volume of the Analyst Prompt looks at recent Russian APT techniques against Ukraine's critical infrastructure and the implications of the changing tactics, plus the overlooked privacy implications of AI applications that transform data from a non-sensitive to a sensitive context.

Aleksander W. Jarosz November 21, 2023

tap 22 - 2023

Sandworm Targeting Ukraine Critical Infrastructure Demonstrates Russia Streamlining Operational Technology Cyberattacks

In 2022, Mandiant researchers analyzed a disruptive multistage cyber incident affecting critical infrastructure located in Ukraine. [1] The incident, which possibly lasted up to three months, was attributed to Sandworm. The cyberattack is notable for the APT’s heavy use of native executables and services (living-off-the-land tools, or LOLBins), possibly indicating a shift in tactics. Previous cyberattacks from the same APT targeting the same vertical were characterized by highly customized malware, which is harder and slower to develop. While weaponization of native tooling is not novel, in the context of critical infrastructure cyberattacks the technique allows Sandworm to adapt new cyberattacks more quickly, since far fewer resources are required. It makes the actor more flexible, adapting to different tools rather than developing different malware. Lastly, successful tool adaptation enables better obfuscation of malicious activity by blending in with native traffic. The larger implication of heavy native tool usage is an expanding intent to conduct operational technology cyberattacks.

Overlooked AI Privacy Challenges: Predicting Sensitive Information From Non-Sensitive Forms of Data         

The rush to build AI applications perhaps misses a key discussion point regarding end-user privacy. New advanced algorithms and large language models that use machine learning are able to infer and predict new information from non-sensitive contexts with increasing accuracy. [2] Further capabilities under development raise the question of what data is fair game when major corporations become the purveyors of these capabilities inside private ecosystems. New privacy concerns arise from the intelligence generated by machine learning systems.
 
Machine learning software can use an increasing variety of inputs, such as audio and visual data, combining them to generate complex, accurate conclusions about end users' real-life behavior. Users might not mind creating data tied to them within a single application. However, if data already generated and stored is sold to foreign states that then further analyze it with their own AI-type algorithms, those states are able to produce sensitive information (e.g. using public social media posts to generate emotional profiles of individuals within an entire targeted population). When they posted to their social media accounts, end users were not aware of how the data generated by their online activities might be used. Using machine learning, data not intended for this type of analysis can be transformed from a non-sensitive to a sensitive context.
 
AI-type machine learning capabilities are able to infer emotional states from facial recognition and keyboard typing patterns, or to tie someone to particular political views, to name only a few examples. AI-type software models can easily integrate data generated by non-AI user applications. AI software risks weaponizing data sourced from other contexts (applications) to produce new data of a sensitive nature. The new proprietary data strays outside the original intent, may be of interest to adversarial parties, and creates further market interest in more data. Newer applications able to leverage more inputs create new risks to data privacy. Policy addressing the management and stewardship of data obtained by AI companies for new software will be important because of the risk that sensitive information can be accurately inferred from data not previously considered sensitive.
 
   

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Appendix

[1] Mandiant, “Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology,” Mandiant blog. Accessed: Nov. 14, 2023. [Online]. Available: https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology 

[2] H. Ahmed, “Challenges of AI and Data Privacy—And How to Solve Them,” ISACA. Accessed: Nov. 15, 2023. [Online]. Available: https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-32/challenges-of-ai-and-data-privacy-and-how-to-solve-them/  

© 2014 – 2024 EclecticIQ B.V.
EclecticIQ. Intelligence, Automation, Collaboration.