August 23, 2022

Happy Tuesday! Welcome back to Codebook. Hopefully today's newsletter isn't as spooky as the haunting sound of a black hole NASA shared over the weekend.

No promises, though.

Today's newsletter is 1,410 words, a 5.5-minute read.

1 big thing: Russia's phantom cyber assault against Ukraine

Illustration: Brendan Lynch/Axios

Russia's six-month-old invasion of Ukraine kicked off with fears of a cyber warfare Armageddon, but so far it's been more slow burn than scorched earth.

The big picture: Though cyberattacks haven’t yet been as massive as anticipated, experts tell Axios Russia's tactics could still be working to shake Ukrainian confidence.

  • The war in Ukraine is the first where an aggressor has had strong cyber capabilities to pair with physical warfare — setting a precedent for cyber’s role in future wars.

Driving the news: Wednesday marks six months since Russian troops officially invaded Ukraine.

But so far, attacks on that scale haven't surfaced.

  • Instead, Russian hackers have seemingly opted for less sophisticated cyber techniques, like overloading government websites with bot traffic and deploying malware wipers against organizations in Ukraine and neighboring countries.
  • Ukraine’s top cyber agency estimates Russia launched more than 200 cyberattacks against Ukrainian organizations in July alone.
  • The day before the war started, Russia knocked several Ukrainian government websites and banks offline — preventing people from accessing their money as the invasion became imminent.

Between the lines: While some have argued Russia's attacks aren’t advanced enough to be considered cyber warfare, several cybersecurity experts are starting to warn these continued, low-grade attacks will become more commonplace in future wars.

  • Continuous, less sophisticated cyberattacks have the benefit of avoiding further diplomatic retaliation while also shaking the confidence of the targets.

Plenty of cyberattacks have flown under the radar, says Chris Kubecka, a cybersecurity specialist who helped Ukraine prepare for attacks and was in Kyiv when Russia invaded.

  • Kubecka tells Axios a malware wiper — which erases all information from the hard drive of the computer it hits — targeted the border crossing through which she was trying to flee to Romania in the early days of the war, leaving officials with only pen and paper to process Ukrainian refugees' information.
  • Continuous Russian distributed denial of service attacks on the Diia mobile app, a Ukrainian government platform where people store digital copies of their passports and other info, also held people up at the border, Kubecka said.

The intrigue: Other experts argue that Russia has been sticking to less sophisticated attacks out of necessity after underestimating the impact Western aid to Ukraine would have.

  • Ukraine thwarted an attempted Russian cyberattack against its electric grid in April.
  • Part of that can be attributed to the investments the U.S. has made in Cyber Command, the U.S. military's cyber wing, which was able to step in at the start of the war and aid Ukraine, says Josh Lospinoso, chief executive of military cybersecurity company Shift5 and a veteran of the command.

What’s next: Experts are hesitant to rule out future destructive Russian attacks.

  • U.S. officials have been warning that Russia could still deploy more sophisticated cyberattacks — especially since such attacks can take longer than six months to plan and execute.

2. Ex-Twitter security chief turns whistleblower

Peiter Zatko, also known as Mudge, poses for a portrait on Aug. 22 in Washington, D.C. Photo: Matt McClain/The Washington Post via Getty Images.

A new whistleblower complaint from Twitter's former head of security suggests the company misled regulators about its efforts to reduce spam and protect Twitter from security threats, Axios' media reporter Sara Fischer writes.

Why it matters: The complaint plays into the narrative from billionaire Elon Musk that Twitter has misled the public about the number of spam accounts on its platform, which he is using in a Delaware court this fall to try to end his $44 billion takeover bid.

Details: The complaint from Peiter Zatko, a well-known hacker who goes by the pseudonym Mudge, was filed with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission.

  • Mudge was fired from Twitter in January amid a broader shakeup of the company's security team by Twitter's then newly appointed CEO Parag Agrawal.
  • The complaint, which was first reported by the Washington Post and CNN, alleges that Twitter broke the terms of a settlement with the FTC by misleading regulators about its security protocols.
  • Zatko alleges that he warned colleagues about out-of-date and vulnerable software on the company's servers, adding that executives withheld important data about the number of breaches and had insufficient protections for user data, per the Post.

What they're saying: A Twitter spokesperson said Zatko was fired "for ineffective leadership and poor performance," and alleged that his complaint is designed to "capture attention and inflict harm" on Twitter, its customers and its shareholders.

💭 Sam's thought bubble: Twitter is going to have a tough time pushing back against Zatko's claims given his high standing in the hacking community.

  • Zatko is a seminal figure in the world of cybersecurity, building a reputation as a co-founder of the legendary Cult of the Dead Cow hacker collective and an early researcher into buffer overflow attacks.
  • Through that work, Zatko has built a reputation in the last three decades as a trusted information security professional who isn't afraid to publicly disclose security flaws in high-profile companies' technology.
  • He's a former Pentagon official, has held several corporate executive jobs and has testified before Congress on cyber issues.

3. Microsoft: Ransomware gig economy here to stay

Illustration: Aïda Amer/Axios

The freelance hacker job market that has fueled the growth of ransomware is now a permanent fixture of the cybercrime gangs behind those attacks, two Microsoft security experts tell Axios.

The big picture: The tools and techniques ransomware gangs use constantly change and evolve, making it difficult to know what trends will stick around or have a lasting impact.

Catch up quick: Ransomware gangs have ramped up hiring of what they call “affiliates,” or freelance hackers, over the last two years.

  • Those freelancers are the ones who break into organizations and deploy the network-encrypting ransomware that the gangs developed.
  • These affiliate hackers can be located anywhere in the world, making it difficult for law enforcement to squash these gangs or arrest everyone involved.
  • Hackers go through a tough vetting process: Conti, a Russian ransomware gang that shut down earlier this year, even had a human resources department that interviewed potential new hires.

Driving the news: Microsoft released a report Monday warning that, on average, it takes a hacker just one hour and 12 minutes to access a victim’s private data once the victim clicks on a phishing email — the main way ransomware gangs gain access to an organization before locking its files.

  • The report urged companies to learn more about affiliate hackers so they can better understand how criminals might gain access to their systems.

What they’re saying: "If you’re focused on just the ransomware aspect, that’s really not going to cut it in this age where we have this entire criminal economy," Emily Hacker, a Microsoft threat analyst who contributed to the report, tells Axios.

  • "It’s here to stay because everybody is making money through it," Vasu Jakkal, Microsoft’s corporate vice president of security, tells Axios. "If you have affiliates, you have a whole ecosystem that you can distribute work, but still make more money."

4. Catch up quick

@ D.C.

📬 The Federal Trade Commission is now accepting comments on its proposed data privacy and security rules. (Regulations.gov)

🗳 The U.K.'s Conservative Party is letting people cast ballots online for the first time, ignoring potential cybersecurity risks. (Wall Street Journal)

🇨🇳 A University of Maryland professor developed machine-learning software for surveillance systems using a grant from Chinese tech giant Alibaba — raising national security concerns. (The Daily Beast)

@ Industry

💰 Cybersecurity startup Arctic Wolf is reportedly in talks to raise $300 million in convertible debt from investors, including Owl Rock Capital. (The Information)

👀 Israeli spyware maker NSO Group is naming a new CEO and laying off 100 people. (Axios)

🏛 Oracle is facing a class-action lawsuit claiming the company collects information about internet users without their consent. (TechCrunch)

@ Hacks and hackers

🇮🇷 Iranian state hackers have developed a tool that allows them to download all the emails from someone's compromised account, Google researchers warned today. (Google)

👾 One of the most active ransomware gangs, LockBit, was locked out of its own dark-web sites over the weekend due to a cyberattack from someone supporting recent victim Entrust. (BleepingComputer)

💽 Cybersecurity leaders are warning about the next big cyber tactic: Hackers tampering with sensitive data inside of an organization. (Protocol)

5. 1 fun thing

Don't worry, everyone. The teens know what Rickrolling is, and they've started putting their own cyber spin on it. The kids are all right.

See y'all on Friday! ☀️