Contributing Writer

New threat group underscores mounting concerns over Russian cyber threats

News Analysis
Apr 06, 2022 | 5 mins
Advanced Persistent Threats, Cyberattacks

CrowdStrike says Ember Bear is likely responsible for the WhisperGate wiper attack against Ukrainian networks and warns that future Russian cyberattacks might target the West.

[Image: Binary Russian flag. Credit: LPETTET / Getty Images]

As fears mount over the prospects of a “cyberwar” initiated by the Russian government, the number of identified Russian threat actors also continues to climb. Last week CrowdStrike publicly revealed a Russia-nexus state-sponsored actor that it tracks as Ember Bear.

CrowdStrike says that Ember Bear (also known as UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) is likely an intelligence-gathering adversary group that has operated against government and military organizations in eastern Europe since early 2021. The group seems “motivated to weaponize the access and data obtained during their intrusions to support information operations (IO) aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations,” according to CrowdStrike intelligence.

CrowdStrike assesses that Ember Bear is likely responsible for deploying the WhisperGate wiper malware against Ukrainian networks in January, before Russia invaded Ukraine. The malware masquerades as ransomware but has no payment or data-recovery mechanism, which masks WhisperGate’s true intent: the destruction of data. The WhisperGate campaigns began with website defacements carrying threatening messages in Ukrainian, Russian and Polish.

Despite its state-sponsored Russia nexus, Ember Bear differs from its better-known kin such as Fancy Bear or Voodoo Bear because CrowdStrike can’t tie it to a specific Russian organization. Its target profile, assessed intent, and technical tactics, techniques, and procedures (TTPs) are consistent with other Russian GRU cyber operations.

Praise for Biden’s efforts in addressing Russian threats

Before a House Homeland Security Committee hearing on Russian cyber threats yesterday, Adam Meyers, senior vice president, intelligence at CrowdStrike, said that “As Russia began to amass forces on the Ukrainian border, Russian cyber threat activity targeting the nation increased in kind.”

As Meyers noted, a host of other attacks followed the WhisperGate wiping attacks, including DDoS attacks, which CrowdStrike attributes to Russia’s GRU, other wiper attacks, and destructive attacks targeting Ukraine’s satellite capabilities.

On top of these efforts, criminal groups chose sides in the conflict, and a range of hacktivist organizations entered the fray. Despite this activity level, Russia hasn’t launched high-level cyberattacks thus far in the war. But, Meyers said, “there are indications that Russia may become more aggressive in retaliation for foreign support to Ukraine and significant sanctions on Russian personnel and entities.”

Speaking at the same hearing, Kevin M. Morley, manager, federal relations at the American Water Works Association (AWWA), said, “Recent federal recommendations on how to mitigate Russian cyber threats have been invaluable” to AWWA’s members. “The water sector has actively participated in multiple briefings provided by the Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Environmental Protection Agency (EPA) that illuminate the evolving threat environment and help professional organizations, such as AWWA, build awareness among members. Working with sector partners, EPA reached out to 58,000 water systems collectively serving about 300 million Americans regarding cyber threat concerns at the end of December 2021. This led to several sector level briefings hosted by EPA to share information on Russian cyber threat activity,” Morley said.

Steven Silberstein, CEO, Financial Services Information Sharing and Analysis Center, told the panel members his group applauds “the Biden-Harris Administration and its various federal government components on the expeditious and early sharing of information throughout the escalating geopolitical situation in Eastern Europe and current Russian invasion of Ukraine. The sector appreciated the paradigm shift from reactive to proactive warnings forecasting Russian military action.”

Finally, Amit Yoran, chairman and CEO of Tenable, also praised the administration’s efforts to help companies deal with Russian cyber threats but said that “For almost all organizations, cybersecurity risk management practices are the same regardless of whether the attack is coming from the Russians, other nation-states, cybercriminals or other bad actors.”

“The representatives certainly understood that there is something new happening vis-a-vis CISA and the JCDC [CISA’s Joint Cyber Defense Collaborative], the public-private sharing and how important it is for the collective security of the United States,” CrowdStrike’s Meyers tells CSO.

Regarding Ember Bear and why CrowdStrike went public with what it knows about the group, Meyers says, “We were looking at this adversary that had engaged in several attacks in Eastern Europe and wiper attacks in Ukraine, keeping it internal versus making it public. The calculus had changed, and we wanted to share that information so that others could track this group and understand how they operate and what their objectives are.”

Russian escalation against the West now the big fear

As to why Russia hasn’t engaged in damaging cyber activity, Meyers says, “Widespread and destructive cyberattacks in Ukraine would have been counter to Russian efforts on information operations and psychological warfare against the people of Ukraine. They needed the systems to be up and running, the infrastructure to be up and running to be able to transpose the various messaging they wanted to get out into the Ukrainian media and public, whether that be for psychological purposes or to disrupt or create misinformation about how Ukrainian forces were reacting.”

Given the shifting dynamics in Ukraine, “At some point, that may become moot,” Meyers says. “They may decide they no longer wish to operate disinformation operations against Ukraine, and it’s more beneficial for them to operate disruptive operations that turn the lights out.”

Ukraine very well might become the lesser of Russia’s digital battlegrounds. “The big concern becomes escalation against the West,” Meyers says. “At some point, the calculus might be that it’s more beneficial to conduct a disruptive attack against the U.S. in order to affect some sort of political or ideological message.”

In the meantime, at least one member of the panel plans to introduce further legislation that shores up the cybersecurity posture of satellite operators in the wake of Russia’s cyberattack against satellite provider Viasat. During the hearing, Representative Tom Malinowski (D-NJ) said that he will be introducing legislation shortly that “will allow satellite operators to better protect themselves against cyberattacks.”