Hacker “Bentley” indicted; China weaponizing vulnerabilities; Journalists suspect poisoning; Breakfast on the Verge of the Apocalypse; Free WIFI in China comes with a cost; Disinformation wins a round
What We’re Reading, Hearing and Watching -- September 7, 2023
Russian “Bentley” and “Ferrari” Hackers
Hackers using Trickbot and Conti malware have stolen and attempted to extort funds from victims that included US health and public safety entities and the entire country of Costa Rica.
Massive leaks of data by Twitter handles @contiLeaks on February 28, 2022 and @trickLeaks in March 2022 have allowed researchers to analyze these well-organized groups.
Authorities in multiple countries have sought to hobble these cybercrime groups through take-downs of servers and other infrastructure in 2020 and prosecutions of Alla Witte, Vladimir Dunayev and other alleged participants. In February 2023, a US court unsealed a 2012 indictment in absentia against Vitaliy Nikolayevich Kovalev, nicknamed “Bentley,” for bank fraud allegedly committed in 2009-2010, before the emergence of Trickbot. The US and UK also issued sanctions against Kovalev and others for Trickbot activity.
On August 30, Wired magazine, citing research into @trickleaks data by US-based threat intelligence company Nisos, named another person associated with the “Bentley” nickname. Tracing the email handle volhvb (which resembles волхв, the Russian word for “wizard”), they identified Bentley as Maksim Sergeevich Galochkin, a 41-year-old from Abakan in Siberia. On September 7, US courts indicted Galochkin and additional Conti and Trickbot suspects, and the US Treasury Department sanctioned them.
Why do we have two different identities for “Bentley”? Wired cites “multiple sources” as assessing that the two Russian hackers only coincidentally both used the same nickname; likely Kovalev used it in the past and Galochkin used it later. An alternative possibility to consider is that both hackers simultaneously use the nickname; Kovalev appears to have shared a different car-related nickname, “Ferrari,” with Yevgeniy Bogachev (a.k.a. “Slavik”), a Russia-based hacker on the FBI’s Cyber Most Wanted list, whom investigators suspect of both cybercriminal activity and espionage on behalf of Russian intelligence.
Trickbot and Conti actors appear to have worked with Russia’s Federal Security Service (FSB) or other intelligence agencies on occasion. Indeed, the @trickLeaks Twitter account makes this claim in its bio, which reads, “We have evidence of the FSB's cooperation with members of the Trickbot criminal group (Wizard Spiders, Maze, Conti, Diavol, Ruyk) [sic].”
The Wired article links to additional research on cooperation between Russian cybercriminals and Russian intelligence, noting that this relationship will likely “endure and even deepen” as wartime Russia becomes more isolated. Natto Team has previously discussed the wartime evolution of this relationship and the “carrots and sticks” that the Russian government can exert to induce cooperation.
How China Weaponizes Software Vulnerabilities
The Atlantic Council’s report “Sleight of hand: How China weaponizes software vulnerabilities” gives details of how China’s vulnerability reporting system and vulnerability databases work and how these differ from the practices in the United States. The report reminds readers of the July 2021 regulations that require companies that do business in China to report vulnerabilities in their products to the Chinese Ministry of Industry and Information Technology (MIIT) even before patching and prohibit researchers from revealing vulnerabilities without coordinating with the company. The report points out that MIIT shares its databases of vulnerability and threat data with the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and the Ministry of Public Security (MPS). CNCERT/CC’s China National Vulnerability Database (CNVD) can be accessed by “organizations with offensive missions” such as the Ministry of State Security, which is “particularly concerning,” as the vulnerabilities are “almost certainly evaluated for offensive use.” In a sense, the PRC government has nationalized vulnerability disclosures.
Natto Thoughts wrote in May 2023 about how China is preparing for “the Era of Cyber Warfare”. Members of the Natto team picked up on the PRC’s nationalization of vulnerability disclosures in 2017, when Qihoo CEO Zhou Hongyi first postulated that idea at the China Internet Security Conference that year. Zhou Hongyi claimed the essence of cyber warfare is vulnerability, a flaw or weakness in an IT system that can be exploited. This concept goes beyond technical vulnerabilities in software and encompasses broader weaknesses in whole networks. Understanding these network vulnerabilities is equivalent to mastering the basic resources for building a network of weapons. Indeed, vulnerabilities should be considered as national strategic resources, Zhou Hongyi said. The PRC government soon adopted this approach as policy.
“I Love Russia” Author Likely Poisoned
Journalist Elena Kostyuchenko, who works for the independent Russian journals Novaya gazeta and Meduza, fled Russia in April 2022 after an editor warned that her reporting from war-ravaged Ukraine would put a target on her back. She moved to Berlin and, feeling safe, continued reporting. On October 18, 2022, she fell ill with symptoms including strange-smelling sweat, nausea, brain fog, swelling, and elevated hepatic enzymes, she recounts in an article newly available in English in n+1 magazine. After numerous doctors failed to diagnose her ailments, fellow journalists suggested she may have been poisoned. In addition to the well-known poisonings of Russian opposition activists Aleksey Navalny and Vladimir Kara-Murza, investigative journalists have also found a pattern of such illnesses affecting critical Russian journalists.
Yet Kostyuchenko has chosen “I Love Russia” as the title for her book, forthcoming on October 17. The publisher’s website describes the book as an “unrelenting attempt to document her country as experienced by those whom it systematically and brutally erases: village girls recruited into sex work, queer people in the outer provinces, patients and doctors at a Ukrainian maternity ward, and reporters like herself” and as “... an essential cri de coeur for journalism in opposition to the global authoritarian turn.”
Breakfast on the Verge of the Apocalypse
Another émigré writer in Berlin who mourns the tragedies within his country of birth and its atrocities against Ukraine is Wladimir Kaminer, an essayist and DJ whose book Russendisko (subsequently made into a movie) is a hilarious rendering of his 1990 emigration to Germany at the age of 23. If you are old enough to have spent time in the Soviet Union, and if you want some practice in German, you may enjoy Kaminer’s clearly enunciated, Russian-accented German narration of his stories in the form of podcasts and audiobooks.
His wide-ranging essays span his youth in Moscow, his experiences visiting relatives in the North Caucasus region of Russia and in the Ukrainian city of Odesa, and his life in Germany. He riffs on topics that range from comparing the fat, happy “lice of freedom” in Western countries with the skinny lice of Russia, to his mother-in-law’s noisy Soviet-era refrigerator that sounds like a tank, to the similarity between raucous, chatty Berliners and the residents of (pre-war) Odesa. His rueful, ironic tone evokes that of beloved late-Soviet bards such as Bulat Okudzhava and Vladimir Vysotskiy. He also observes the quirks of society in his new homeland of Germany, ranging from the garden gnomes in obsessively orderly community gardens, to a nosy neighbor who helps him out when he most needs it, to the German volunteers who helped Syrian refugees even as they were baffled by the refugees’ strange ways.
Kaminer’s newest book, Frühstück am Rande der Apokalypse (Breakfast on the Verge of the Apocalypse), meditates on the doom-filled daily morning news diet of climate crisis and war. He closes by citing several conversations with people who gloomily predict that the Russian war on Ukraine will not end anytime soon. In between, however, are flashes of kindness and even levity. His snarky, cosmopolitan daughter puts her bilingual skills and self-possession to work helping Ukrainian refugees arriving in Berlin. And he recounts the story of Odesa residents who insist on going for a swim on the city’s famous beaches, pushing past guards and protective nets and warnings of mines and chemicals in the water. Whereas Germans are always anxious and trying to prepare for all possible future dangers, Kaminer muses, these Odessites are living for the pleasure of the moment, because they never know whether they will live another day.
Free WIFI in China Comes with a Cost
A branch of China’s Public Security Bureau in eastern Jiangsu Province penalized 14 businesses that provided WIFI services to customers without verifying their real names. Businesses that provide open WIFI with simple passwords violate China’s Cybersecurity Law, according to an official from the local Public Security Bureau. “Some cases of fraud and money laundering… happened in hotels, Internet cafes and other public places that do not require real name registration and provide free WIFI.” Therefore, it is necessary to strictly implement real name registration for WIFI services, according to a China News reposting of a report from a Jiangsu local news outlet. Businesses complained that they lacked the technical knowledge to provide WIFI services with real name verification, the report said.
This case is a reminder for readers of Natto Thoughts to evaluate whether providing personally identifiable information to a street noodle shop for free WIFI when travelling in China is worth the risk. Please refer to Natto Thoughts’ China travel recommendations if you need help.
Setbacks in the Battle Against Disinformation
The European Union (EU)’s Digital Services Act, which went into effect August 25, requires large social media companies to “assess the risk of false information, stop the worst from being boosted by algorithms, and subject their performance to auditing,” the Washington Post reported on September 1. The EU unveiled a report based on a year-long study it had commissioned from a nonprofit called Reset.
As the Washington Post reports, researchers found that “the law and the companies were not equipped for a full information war of the type Russia has been waging,” using assets ranging from state-owned accounts to unofficial pro-Russian accounts on Telegram and other social media. Under coordination by “Russian interests,” these social media accounts would post simultaneously “to manipulate the formulas that boost popular content” or would silence pro-Ukrainian accounts through threats, doxing, or false violation reports. They would introduce pro-Russian messages on obscure social media accounts and then repost them on more popular channels, a technique that has elsewhere been called “information laundering.”
Social media platforms fell short in catching Kremlin-operated accounts, the report said. “In addition, platforms fundamentally ignored cross-platform coordinated campaigns,” the EU report said, referring to engagement and interaction between accounts across platforms that can produce an effect disproportionate to the seemingly small audiences on any one platform, as Team Natto has pointed out. (Team Natto has also written about Russian information operations here and here). The reach of pro-Kremlin accounts increased dramatically after Elon Musk bought the Twitter platform and cut back on rules and staff that had formerly identified disinformation and state-affiliated media, the EU report found.
In a recent example of a Russian influence operation, disinformation researcher Caroline Orr Bueno has shown how, after wildfires devastated parts of Hawaii, “Russian state media amplified a coordinated campaign” that had apparently been “initially seeded with inauthentic activity” and that exploited the Hawaiian tragedy to “promote divisiveness and make people think that the U.S. was neglecting Hawaii while sending continuing aid to Ukraine.” Update September 13: Chinese “information warriors” also capitalized on the disaster to spread false posts, such as attributing the fires to US testing of a “weather weapon,” according to researchers from Microsoft, Recorded Future, the RAND Corporation, NewsGuard and the University of Maryland. Chinese and Russian officials have promoted each other’s public messaging in recent years and in 2021 inked an explicit agreement on media cooperation, the Intercept has reported, citing allegedly leaked Russian documents.
September 13: Updated with relevant new reporting on exploitation of the Hawaii fires