Blended operations. Self-deception? Two inauthentic Palestinian networks downed. Primitive Bear is back, and his sister is still Cozy. – The CyberWire

At a glance.

Locked Shields, a NATO exercise of cyber defenses, this year concentrates on handling a mixed attack, one that combines cyberattack with disinformation campaigns, CyberScoop reports. The exercise was not a purely military one, as it addressed threats to critical infrastructure and saw substantial participation from the financial sector. The exercise scenario was suggested by campaigns operated by Russia, China, and Iran during the current pandemic. CyberScoop quoted Michael Widmann, chief of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Strategy Branch: This year, the exercise featured several new dilemmas for the strategic decision-making element as well. The cyber domain and information warfare operate hand in hand in the modern environment. Strong strategic communication policies can mitigate the effects of an enemys information warfare campaign.

A story that received widespread attention during the 2020 US Presidential campaign and into the early parts of this year was a claim that Russia had offered bounties on the heads of American servicemembers deployed to Afghanistan. This story has receded from recent rounds of US sanctions and complaints directed against Russian activity. The reports circulated within US intelligence circles with "low-to-moderate confidence," a confidence that can be difficult to distinguish from the noise of rumor, and which normally doesn't find issue in widespread media coverage. As the Dispatch argues, those who circulated the story were disposed to believe it, for reasons both foreign (suspicion of Russia) and domestic (it was a stick to beat the Trump Administration). Military Times points out that senior Defense civilians and military officers expressed skepticism at the time the reports surfaced in the press. In any case, this particular story no longer has legs, and what legs it did have seem to have been lent it by a mixture of self-interest and wishful thinking, probably in most cases no less sincere for being poorly founded.

Facebook announced yesterday that it's taken down two Palestinian groups who'd been using the social network for a politically motivated surveillance campaign. The two actors have been identified as the Preventive Security Service (the PSS) and the Gaza-based threat actor Arid Viper. They seem to have been particularly interested in prospecting (and impersonating) journalists andother gadflies. Some of their content presented itself as solicitation for complaints of human rights violations.

The PSS-associated group used both Windows and Android malware as well as social engineering campaigns to install spyware in targets devices. Arid Viper used bespoke, and hitherto unidentified, iOS surveillanceware. And they, too, relied on social engineering to distribute their malware.

Both operations, unconnected though they are, are more concerned with surveillance and social engineering than with dissemination of disinformation (except insofar as it might serve as social engineering bait). The campaigns appear, however, directed toward influencing the outcome of upcoming elections in the Palestinian Territories, with the Palestinian Authority and Hamas as the principal rivals. It's the first such electoral contest, SecurityWeek observes, in fifteen years.

The Russian threat actor Primitive Bear, also known as Gamaredon, has stepped up cyber operations against Ukraine as tensions rise between Kiev and Moscow. Researchers at Anomali have been tracking Primitive Bear's surge, which they say lasted from January of this year through March at least. The activity, like that Facebook observed in the Palestinian territories, is principally designed to support cyberespionage, but its phishbait is an interesting mix of bogus and genuine documents (mostly written in Ukrainian, but with some composed in Russian) that pertain to policies and activities in the Russian-occupied Crimean territory.

Russia's SVR has opened a Tor portal so patriots can confidentially blow whistles and otherwise report back to Moscow, the Record reports. A minor irony: Tor traces its technical legacy back to the US Naval Research Laboratory.

Here's some evidence that the Russian organs really don't like being referred to as cute bears. The SVR published a dismissive response to US accusations that it was responsible for the SolarWinds compromise, and, well, fine: no intelligence service is going to publicly cop to an operation if they can avoid doing so. That's what plausible deniability is all about.

But what really honks off the SVR is the way the Americans said that the SVR was "also known as Cozy Bear." The SVR finds that unpleasant. They want to remind everyone that the SVR has been known "since 1920" as the Foreign Department of the Cheka, then the 5th Department of the First Directorate of the NKVD, then the First Main Directorate of the KGB, "and now, the Foreign Intelligence Service of the Russian Federation."

So think about it. You'd rather be remembered for your lineage in the Cheka, the NKVD, and the KGB than by some bear nickname the Yankees gave you. Ah, Huggy Bear, you're still just as adorable as you were back when you were working for Dzerzhinsky, purging wreckers for Stalin...

Excerpt from:

Blended operations. Self-deception? Two inauthentic Palestinian networks downed. Primitive Bear is back, and his sister is still Cozy. - The CyberWire