In this months episode of the what we’re reading series, we deep dive into an investigation into Russia’s military intelligence service (GRU), the recent Ethereum merge, and tracking the Russia -Ukraine war in Liveuamap. Check out the key takeaways from the team below.
Riam: Bellingcat GRU investigation
Late last month, Bellingcat released findings from an investigation into an alleged agent from Russia’s military intelligence service, the GRU. The joint investigation by Bellingcat, Der Spiegel, The Insider, and La Repubblica reads like a spy novel: Filled with deception, exotic locales, and tragic backstories. Although the agent under investigation is no James Bond— despite their shared love for fast cars—the report is fascinating in its demonstration of open-source intelligence (OSINT) practices, as well as the benefits and dangers of online data breaches.
According to the investigation, Maria Adela Kuhfeldt Rivera—real name Olga Kolobova—was a GRU spy based in Naples, Italy, home of one the North Atlantic Treaty Organization (NATO)’s Allied Joint Force Commands. Bearing the backstory of a Russia-raised Peruvian-German socialite, jeweller, and philanthropist, Kolobova managed to charm and befriend senior NATO officers in the city. After nearly a decade abroad, she returned to Russia for unknown reasons in 2018, ending her operations.
The information about Kolobova was acquired from a variety of sources. Passport information was purchased from online Russian black markets. Her GRU affiliation was confirmed using call record metadata. Considerable information about Kolobova’s movements and social network was acquired using open-source information such as social media and news sources. Her real identity was discovered using Microsoft Azure’s facial recognition tool, AND confirmed against a leaked database of Russian drivers’ licenses.
This investigation goes to show both the use of, and challenges posed by open-source intelligence. As cyber threat intelligence researchers, we are always looking for new techniques to improve our investigations. But what well-meaning investigators can discover may also be exploited by threat actors for more nefarious purposes, such as VIP impersonation, identity theft, and extortion. Governments, companies, and individuals should take note of the ways in which data can be used demonstrated in this article and take measures against them accordingly.
The full investigation is available here.
Chris: The Ethereum merge
Yes another Chris contribution to this series and another opportunity to talk about cryptocurrencY. This time, we’re mentioning what is likely the biggest crypto event of 2022, the Ethereum merge. The merge, which took place on 12 September 2022, refers to the move of the world’s second largest cryptocurrency from proof of work to proof of stake; i.e. changing the consensus method of validating the ledger of transactions. Within proof of work (PoW), consensus is achieved through cryptomining, with miners competing to solve a computational problem. Any miner that solves the problem updates the ledger by appending a new block to the chain, and gets newly minted coins in return. This requires an enormous amount of computing power and, thus, energy consumption.
Proof of stake (PoS) instead allows users to instead act as the consensus mechanism through using their investments in Ethereum’s native coins, ETH. ETH that is locked up, or “Staked” in a smart contract, allows users to act as validators for transactions. The validator is then responsible for checking that new blocks propagated over the network are valid and occasionally creating and propagating new blocks themselves. PoS is used among several other leading crypto projects, including Cardano, Solana, and Avalanche.
Fundamentally, PoS has one enormous advantage over PoW, in that it is enormously less taxing from an energy perspective. By moving to PoS, Ethereum is reportedly now 99.9% more energy efficient. To put this into perspective, Ethereum before the merge, consumed around 83.89 TWh of electricity each year. This is equivalent to the consumption of a medium-sized country such as Finland, highlighting the enormous improvement in energy consumption that the move to PoS will bring.
The Merge has been on the timeline for many years, with many crypto enthusiasts wondering if this monumental event would ever take place. Well as of 15 September 2022, its finally here. There’s a great summary of the recent changes, including the benefits and incentives to new traders, on Coindesk.com. Check out the article here.
Dani: Liveuamap and piercing the fog of war
Since Russia invaded Ukraine on 24 Feburary 2022, it’s been difficult to keep track of exactly what’s going on. The information war remains as complicated as ever, and though we can almost watch the war in real time via combat footage uploaded to Telegram, it’s difficult to separate truth from rumor and visualize territorial, materiel, and personal gains and losses. This doesn’t just apply to government representatives, who have their own agenda and—especially in the case of Russia—frequently distort the truth or outright lie for propaganda purposes. This also applies to the thousands of military bloggers (milbloggers) who contribute their analysis, opinions, and predictions of the military situation from behind the fog of war.
I’ve been monitoring Live Universal Awareness Map (Liveuamap), a leading independent global news and information site that monitors activities on online geographic maps. This is particularly useful for locations with ongoing armed conflicts, with the service developed by Ukrainian software engineers. The map provides real-time (or as close to real-time as possible) updates on artillery strikes, troop movements, aircraft sorties, state announcements, and cyberattacks, which are all independently verified. This week the map showed that following Russia’s announcement of partial mobilization—that will see roughly 300,000 reservists called up—all tickets for direct flights for 21-22 Sep 2022 from Moscow, to the capitals of Turkey, Armenia, Uzbekistan, and Azerbaijan, had sold out. Additionally, it showed that the mobilization notice will now be sent to eligible men via paper notices, and identified that the Russian state services digital portal “GosUslugi” website is partially down.
The Liveuamap system tracks authors of social media posts of interest by identifying their former posts, number of activities, whom they follow and applies filter techniques to extract relevant information. When an accumulation of correlated messages about an event occurring at a location passes thresholds defined by the algorithms, the situation is listed for human intervention. At least two Liveuamap members decide whether the information about the event is valid, and whether it should be used on the map or if further verification is needed.
In addition to the ongoing war in Ukraine, the service has covered armed conflicts in many countries and regions, with over 30 maps with comments in eight languages. Furthermore, users can toggle a “Cyberwar” view that covers ongoing attacks and the effects of previous attacks in the cybersphere, which included attacks on critical infrastructure at the onset of the invasion.
In recent days I’ve found it particularly useful for visualizing the conflicts that have broken out between Armenia and Azerbaijan, and between Kyrgyzstan and Tajikistan. I’d highly recommend Liveuamap as a “one-stop-shop” for getting an accurate and unbiased overview of ongoing conflicts.
Check out the Liveuamap service here.
THE Digital Shadows (now ReliaQuest) DIFFERENCE
This is the stuff us analysts love to do: Researching and learning more about the myriad threats out there, and contextualizing them with the world around us. We love cyber threat intelligence!
Find out more about the intelligence we provide in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a 7-day test drive, or contact us to schedule a demo to learn more about your use cases and how intelligence might make a difference for you.