A threat actor that can do both
Welcome to Memetic Warfare.
We’ll start this week with a look at Norway’s latest national threat assessment, and then move on to a nuanced and holistic look at cybercrime and its role in IO, cyber and so on.
Let’s skip right to the IO section:
So far, the kind of things we’d expect. Let’s take a look at some of the standout points. We’ll skip some of the general IO and Russia material, as it’s mostly what you’d expect, though with a refreshing emphasis on the Arctic as a key region.
We then have the China section, which includes a reference to “Viking United News” - a domain attributed to the Chinese operation “Paperwall”.
There’s also a nod to espionage/recruitment and transnational repression:
Iran is also mentioned:
There’s a lot more on espionage, recruitment, dual use technology and more so give it a read, but we’ll skip ahead to the IO section.
There’s a mention of IO, both physical and digital, becoming increasingly common. AnzuTeam gets a shoutout as a prominent past operation despite having primarily targeted Sweden. It seems that at least some individuals in Norway were targeted with SMSes:
There are some interesting historical throwback sections, like a mention of a Russian information operation targeting the Nobel Peace Prize Committee:
There’s a fair amount more, including a unique section on IO and state “dignitaries”, i.e. the royal family and symbols of state, but we’ll stop here.
From here, let’s move on to Google’s report on cybercrime and its role in cyber operations.
The report lays it out as it is, despite it not being “sexy” - cybercrime is an exponentially more relevant and high-likelihood vector than nation-state activity.
Despite its prevalence, many people (myself included) still myopically prefer to focus on nation-state activity.
More importantly, cybercrime powers nation-state threats:
The report then covers ransomware, healthcare and so on - I personally don’t really follow that space despite it being one of the most impactful vectors, so give it a read if you’re interested. We’ll move on to the more relevant sections for us.
The first thing to understand is that cybercrime “powers” nation-state activity, with nation-state actors serving as customers:
Russia is then covered as a holistic example, doing everything from buying infostealer logs to malware and beyond:
China and Iran get a shoutout:
Outsourcing activity to financially-motivated actors is also a trend:
Cybercrime also serves as a profitable side gig for nation-state actors:
There’s much more here for those interested, but it’s long, so we’ll look at their recommendations:
Overall, this is similar to the kind of stuff we saw from Microsoft’s latest report:
Strengthen defenses
Enhance cooperation
Promote synergy cross-functionally to hit KPIs and move the needle
These are fine as they are, but these recommendations are all either already well-known and happening, easier said than done, or even - god forbid - would lead to tax raises, such as investing in LE action:
I know that companies can’t be out there wilding and calling for drone strikes against ransomware operators or bombing bulletproof hosting centers, but if every company is going to put out the same trite recommendations (because there’s nothing else they can do and there are no other answers), then why even bother?
Also, interestingly enough, IO didn’t get much of a shoutout here despite being a major threat vector powered by cybercrime, as we’ve discussed here. Russian bulletproof hosting providers host Russian and Iranian domains, black PR firms provide end-to-end services, criminal forums offer proxies and accounts for sale, and so on. Bit of an oversight, but hopefully we’ll see it next time.
We’ll close up with Viginum’s retrospective on Russian IO targeting Ukraine, available here.