The group that attacked Ukraine’s power grid is phishing a chemical-weapons lab critical to the Skripal case.
A state-backed Russian hacking group has is targeting a Swiss laboratory that’s helping investigators solve the March poisoning of Sergei Skripal and his daughter in London.
Called Sandworm, the group has been trying to phish employees of Switzerland’s Spiez Laboratory, a chemical-and biological-weapons facility that is doing forensics work on the Novichok poisoning of the former Russian colonel and double agent, according to Swiss news outlet Sonntags Blick, which reported the attacks on Sunday.
Russia has denied any involvement in Skripal’s poisoning.
Sandworm isn’t as well known as the Russian intelligence (FSB) and military (GRU) entities that stole emails from the Democratic National Committee in 2016, but it has run similar operations. In 2013, the group sent malicious emails to NATO officials and to a Polish energy concern. In 2014, they went after various Eastern European officials working in governments that are critical of Russia, using a version of the BlackEnergy botnet tool originally developed by Russian programmer Oleksiuk Dmytro.
“They’re not going after credentials. They want knowledge that only a few people can use. That’s security-related information and diplomatic information and intelligence on NATO and Ukraine and Poland,” FireEye’s John Hultquist toldWIRED in 2014.
In 2015, Sandworm made history with the first successful attack on a power grid, using a version of BlackEnergy to hit the Ukrainian energy sector. The group struck again in December 2016, disrupting power to as many as 200,000 Ukrainians in the dead of winter.
Sandworm’s recent attack on Spiez was subtler, a return to the highly directed phishing attacks they ran in 2013 and 2014. Impersonating members of the lab’s management, they sent an email inviting researchers to a chemical weapons conference — and encouraging them to click on a malware-laden Word attachment.
Kurt Münger of the Swiss Federal Office for Civil Protection told Blick that authorities had not seen any data theft resulting from the attempt.
Increasingly alarmed at foreign hacking, DOD and intelligence officials are racing to educate the military and defense contractors.
The Pentagon is warning the military and its contractors not to use software it deems to have Russian and Chinese connections, according to the U.S. Defense Department’s acquisition chief.
Officials have begun circulating a “Do Not Buy” list of software that does not meet “national security standards,” Ellen Lord, defense undersecretary for acquisition and sustainment, said Friday.
“We had specific issues … that caused us to focus on this,” Lord told reporters at the Pentagon.
“What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” she said. “Quite often that’s difficult to tell at at first glance because of holding companies.”
The Pentagon started compiling the list about six months ago. Suspicious companies are put on a list that is circulated to the military’s software buyers. Now the Pentagon is working with the three major defense industry trade associations — the Aerospace industries Association, National Defense Industrial Association and Professional Services Council — to alert contractors small and large.