The CyberWire Daily Briefing.

"Attacks on industrial systems in Europe and Africa."

Views expressed in this cybersecurity, cybercrime update are those of the reporters and correspondents.  Accessed on 15 August 2023, 1330 UTC.  Content provided by email subscription to "The CyberWire Daily Briefing."

Source: ("The CyberWire Daily Briefing").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.

First look: mWISE 2023 session catalog

Check out the topics, meet the speakers, and sign up for discount registration.

Daily Briefing

August 14, 2023.

At a glance.

  • African power generator hit with ransomware.
  • APT31 linked to attacks on industrial systems in Eastern Europe.
  • Cyber Safety Review Board will look into cyberespionage against Exchange.
  • Arrests in the LolekHosted takedown.
  • Ukraine's SBU claims Russia's GRU is attacking Starlink with custom malware.
  • Russian Ministry of Digital Development bans Apple mobile devices.
  • Microsoft will not renew Russian licenses for its products.

African power generator hit with ransomware.

Kaspersky warns that a new version of the SystemBC malware was used in an attack against a critical infrastructure power generator in an unnamed south African nation: “[A]n unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack. This attack occurred in the third and fourth week of March 2023, as a part of a small wave of attacks involving both DroxiDat and CobaltStrike beacons across the world. DroxiDat, a lean ~8kb variant of SystemBC serving as a system profiler and simple SOCKS5-capable bot, was detected in the electric utility. The C2 infrastructure for this electric utility incident involved an energy-related domain ‘powersupportplan[.]com’ that resolved to an already suspicious IP host.”

Kaspersky offered tentative attribution of the incident to a Russian-speaking cybercriminal gang, specifically to FIN12 (which has also been called Pistachio Tempest). FIN12 has hitherto been known for attacks against the healthcare sector. In May of 2022 it was one of the gangs prominently featured in the US Department of Health and Human Services report, Ransomware Trends in the HPH Sector. FIN12 has changed its target selection but not its playbook. The group's motivation is financial.

Sponsored by ActiveState

The Journey to a Secure Software Supply Chain - Get the Free eBook.

These days, everyone is at risk of a software supply chain attack. Now is the time for Dev and Security to work together to keep your pipelines secure. In this eBook, discover how to go from Complete Anarchy to Nirvana in 5 stages, eliminate implicit trust in open source components and implement scalable processes to verify their origins. Download the free eBook and get informed guidance to help on your software supply chain security journey!

APT31 linked to attacks on industrial systems in Eastern Europe.

Earlier last week another report from Kaspersky found that APT31 (also known as “Judgment Panda” or “Zirconium”) is targeting industrial systems in Eastern Europe. The researchers state, “The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.”

Kaspersky notes that the attack’s architecture “allows the threat actor to change the execution flow by replacing a single module in the chain.”

APT31 is generally regarded as an intelligence operation of the Chinese government. Much of its activity has involved industrial espionage, but the group has also been implicated in collection of political intelligence.

Cyber Safety Review Board will look into cyberespionage against Microsoft Exchange.

The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has announced that its third investigation will focus on “approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud.” The board stated, “The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July. The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves.”

Microsoft characterized the incident as a case of cyber espionage, and it attributed the operation to a Chinese-associated group it tracks as Storm-0558. The group typically gained access to email accounts via stolen credentials.

The CSRB, a relatively young organization, is neither a regulatory nor an enforcement agency. Like the National Transportation Safety Board (NTSB) on which it was modeled, the CSRB investigates important incidents with a view “to identify relevant lessons learned to inform future improvements and better protect our communities.”

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

Arrests in the LolekHosted takedown.

A joint Polish-US operation brought down the LolekHosted bulletproof hosting provider last week, the Record reports. The US Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS) were joined in the action by the Regional Prosecutor's Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow. Europol announced the arrests of five administrators of the service in Poland. LolekHosted was a player in the criminal-to-criminal marketplace.

According to the US Justice Department, LolekHosted was used for a variety of criminal activities, including ransomware attacks: “The NetWalker ransomware was one of the ransomware variants facilitated by LolekHosted. The NetWalker ransomware was deployed on approximately 400 victim company networks, including municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities, which resulted in the payment of more than 5,000 bitcoin in ransoms (currently valued at approximately $146 million). LolekHosted clients used its services to execute approximately 50 NetWalker ransomware attacks on victims located all over the world, including in the Middle District of Florida. Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims.”

Ukraine's SBU claims Russia's GRU is attacking Starlink with custom malware.

The Telegraph reports that Ukraine's State Security Service (SBU) has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements.

Russian Ministry of Digital Development bans Apple mobile devices.

Workers at Russia's Ministry of Digital Development are no longer permitted to use either iPhones or iPads for work purposes. The responsible Minister, Maksut Shadaev, announced the order Friday, Reuters reports. Personnel at the Ministry will still be permitted to use iPhones for "personal needs," but they're henceforth prohibited from using them for work email or for accessing work applications. The ban is generally believed, as Livemint observes, to have been prompted by an FSB report in June that Apple devices had been compromised by the US NSA, probably with Apple's connivance. Apple has denied both the compromise and its alleged cooperation in undercutting its own security. If iOS devices represented the security risk the FSB says they do, a dilatory partial ban seems a curious response.

Microsoft will not renew Russian licenses for its products.

Microsoft stopped sales to Russia when Russia invaded Ukraine in February 2022. It did continue to license products that had been purchased before the invasion. Radio Free Europe | Radio Liberty reports that Microsoft has now served notice that such licenses will not be renewed after September 30th. Active licenses will run through their expiration dates, and then will terminate.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.



Today's issue includes events affecting Armenia, China, India, Israel, Kazakhstan, Kyrgyzstan, the Netherlands, Poland, Russia, Turkey, Ukraine, the United Kingdom, and the United States.


Cyber Security Summits This Summer (Multiple Locations / Virtual, July 20 - August 17, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/20 in DC, on 7/27 in Pittsburgh & on 8/17 in Detroit. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, US Secret Service & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+536: Fighting east of the Dnipro. (CyberWire) Ukrainian forces expand their presence on the eastern bank of the Dnipro. Russian strikes hit more ...

7 killed in Ukraine’s Kherson region, including a 23-day-old baby girl (Military Times) In Russia, local officials reported that on Sunday air defense systems shot down four drones in ...

Russia-Ukraine war: List of key events, day 537 (Al Jazeera) These are the main developments as the Russian invasion of Ukraine enters its 537th day.

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Mitigating Remote Access Trojan Infection Risk: Telegram/Qwixx RAT (Uptycs) Read about QwixxRAT, a new Remote Access Trojan infiltrating devices via Telegram & Discord: ...

DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine) Kaspersky said the attackers deployed the payload to collect valuable system information

New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News) Russian threat actors suspected in cyber attack on South African power company using a new variant ...

Find MORE on our website.


Threat Intelligence Efforts, Investment Lagging, Says Opswat (Dark Reading) In an annual survey, 62% of respondents admited their threat intel efforts need stepping up.


What happens if cyber insurance becomes unviable? (Raconteur) Although insurers are innovating furiously to keep cover against attacks affordable, they’re running ...

Tysons cybersecurity firm Qomplx appears to have quietly ceased operations (Washington Business Journal) The company laid off dozens of employees on Aug. 1, according to state filings.

Nimbus announces cyber security investment of £250,000 (Belfast Telegraph) IT managed services provider Nimbus has announced an investment of £250,000 in cyber security ...

Find MORE on our website.

Products, Services, and Solutions

Detectify Improves Attack Surface Risk Visibility With New IP Addresses View (Business Wire) Best-in-Class EASM Player Launches Platform Enhancements for Asset Discovery and Regulatory ...

Exabeam and Cribl partnership helps enterprises accelerate SIEM deployments (Help Net Security) Exabeam and Cribl partnership gives enterprises more control over their data, accelerates SIEM ...

Fortra Introduces New Integrations for Offensive Security (Fortra) Fortra today announced new integrations for its offensive security solutions that streamline ...

Find MORE on our website.

Technologies, Techniques, and Standards

U.S. Issues Draft Cybersecurity Guidelines for EV Charging Networks (Wall Street Journal) The guidance for the electric-vehicle industry aims to protect charging payment systems and links to ...

Threat intelligence's key role in mitigating malware threats (Help Net Security) 62% of organizations recognize the need for additional investments in tools and processes to enhance ...

UK gov keeps repeating its voter registration website is NOT a scam (BleepingComputer) Every year local government bodies or councils across Britain contact residents, asking them to ...

Design and Innovation

Hackers Trick AI With ‘Bad Math’ to Expose Flaws and Biases (Bloomberg) At DEF CON conference, hacker gets model to say 9 + 10 = 21. AI has chance to transform everything ...

Google adds post-quantum encryption key protection to Chrome (Register) QC crypto-cracking coming in 5, 10, maybe 50 years, so act … now?

How to Prevent an AI Catastrophe (Foreign Affairs) Society must get ready for very powerful artificial intelligence.

Research and Development

For the first time, U.S. government lets hackers break into satellite in space (POLITICO) Hacker groups are on a military-endorsed mission to infiltrate an orbiting U.S. satellite.


Stanford University just schooled Congress on AI (Washington Post) The elite Silicon Valley university coaches Hill staffers on the benefits of artificial intelligence

Internship opportunities at Cyber Command (U.S. Cyber Command) The growth of U.S. Cyber Command over the last 12 years and the Cyber National Mission Force’s ...

University of Newcastle hosts a Cyber Industry Experience event (India Education) In partnership with the NSW Government and industry partner GuardWare, the University of Newcastle ...

Find MORE on our website.

Legislation, Policy, and Regulation

Top cyber official offers 'stark warning' of attacks by China on U.S. infrastructure (Yahoo News) China’s hackers have been positioning themselves to conduct destructive cyberattacks on U.S. ...

Russian and Chinese cyber attacks on Foreign Office risked national security, says ex-GCHQ boss ( Sir David Omand says the attacks, which were kept secret from the public, would have given the ...

Who do cybersecurity laws actually protect? (The Business Standard) Across the world, these legislations often evolved from mere tools to combat cyber threats in the ...

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security) Secretary of Homeland Security Alejandro N. Mayorkas announced that the Cyber Safety Review Board ...

Microsoft Exchange hack is focus of cyber board’s next review (Record) The China-linked attack on Microsoft email services will get a full review by the Cyber Safety ...

Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central) A U.S. Cybersecurity inquiry will look into Microsoft's role in an attack that saw government emails ...

Find MORE on our website.


Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
Twitter IconFacebook IconLinkedIn IconEmail Icon

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

This email was sent to
why did I get this?  |  unsubscribe  |  manage subscription preferences

The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA


Popular posts from this blog

SecurityWeek Briefing.

Cyber War Newswire

SecurityWeek Briefing.