CyberWire Daily - A look at the cyber aspects of Russia’s war, on the first anniversary of the invasion of Ukraine. And a few notes from elsewhere in cyberspace.

Episode Date: February 24, 2023

CISA advises increased vigilance on the first anniversary of Russia's war. CERT-UA reports current Russian cyberattacks were prepared in December 2021. How the war has changed the cyber underworld. Air raid alerts sound in nine Russian cities; Russia blames hacking. Our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic & International Studies about a new security agreement between Japan and the US. Kathleen Smith of ClearedJobs.Net clears misperceptions about the cleared space. And Dole continues recovery from ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/37

Selected reading.
CISA Urges Increased Vigilance One Year After Russia's Invasion of Ukraine (Cybersecurity and Infrastructure Security Agency | CISA)
Ukraine says Russian hackers backdoored govt websites in 2021 (BleepingComputer)
Ukraine suffered more data-wiping malware than anywhere, ever (Ars Technica)
The First Crypto War? Assessing the Illicit Blockchain Ecosystem One Year Into Russia's Invasion of Ukraine (TRM Insights)
Ransomware Gang Conti Has Re-Surfaced and Now Operates as Three Groups: TRM Labs (CoinDesk)
Russia-Ukraine War: 3 Cyber Threat Effects, 1 Year In (ReliaQuest)
Russian cybercrime alliances upended by Ukraine invasion (Register) Study: Old pacts ditched the moment Moscow moved in
How the Russia-Ukraine war has changed cyberspace (The Hill)
Authorities blame hackers after air raid sirens sound over radio in multiple Russian cities (Meduza)
Russia blames 'hackers' for fake missile strike alerts (Register)
Fruit giant Dole suffers ransomware attack impacting operations (BleepingComputer)
Food giant Dole hit by ransomware (Computing)
CISA Releases Three Industrial Control Systems Advisories (CISA)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 CISA advises increased vigilance on the first anniversary of Russia's war. CERT-UA reports current Russian cyber attacks were prepared in December 2021. How the war has changed the cyber underworld. Air raid alerts sound in nine Russian cities.
Starting point is 00:02:16 Russia blames hacking. Our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic and International Studies about a new security agreement between Japan and the U.S. Kathleen Smith of ClearedJobs.Net clears misperceptions about cleared jobs. And Dole continues recovery
Starting point is 00:02:35 from ransomware. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 24th, 2023. The news at the end of this week has been dominated by the first anniversary of Russia's invasion of Ukraine. The U.S. Cybersecurity and Infrastructure Security Agency advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war against Ukraine enters its second year. The agency said, CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat. CISA draws particular attention to its DDoS attack guidance for
Starting point is 00:04:01 organizations and federal agencies and its Shields Up webpage. According to Bleeping Computer, CERT-UA has detected cyberattacks this week against Ukrainian government networks that used a web shell installed in December 2021. A Russian threat actor tracked as Ember Bear, also known as UAC-0056 or Lorec53, used it to install three backdoors, CredPump, HoaxPen, and HoaxApe, in February 2022 as the invasion was imminent. They've maintained a presence through this week. The State Service of Special Communications and Information Protection of Ukraine described the incident as a failed attempt by Russia to stay visible in cyberspace. Ember Bear is generally believed responsible for the WhisperGate wiper attacks conducted against Ukrainian targets at the outset
Starting point is 00:04:58 of the war. The use of such wipers has been a defining feature of Russian intelligence services' cyber campaigns against Ukraine. Ars Technica summarizes recent research and concludes that nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year. TRM, in a study of the illicit blockchain ecosystem as it's evolved under wartime circumstances, finds that the venerable Conti ransomware gang has resurfaced in the form of several splinter groups. The principal successor to Conti, TRM believes, is Karakurt. Coinbase reports that Karakurt, like its predecessor, has targeted health care organizations. It's significant that Conti declared its adherence to the cause of Russia in the immediate wake of the invasion,
Starting point is 00:05:51 and that shortly after that declaration, a cybercriminal with allegiances that ran toward Ukraine doxed Conti. That doxing, along with hostile attention from law enforcement, is held to have precipitated Conti's fading from view. This seems, The Register writes, to have been part of a more general disruption of the Russophone criminal underworld. That underworld isn't confined within the borders of Russia, but has extended to Russia, Ukraine, Belarus, the Baltics, and the nations in the South Caucasus and Central Asia, all formerly parts of the Soviet Union.
Starting point is 00:06:34 They had, by general agreement, tended to refrain from hitting targets in the former Soviet Union. That shaky unanimity has been shivered to pieces under the stress of war. A study by Recorded Future concludes that Russia's invasion of Ukraine appears to have fractured gangland along national and political lines. Recorded Future writes, The so-called Brotherhood of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and group splintering due to declarations of nation-state allegiance both in support of and opposed to Russia's war against Ukraine. Recorded Future adds that there have also been perturbations in the criminal labor market, stating, the organized cybercriminal threat landscape.
Starting point is 00:07:24 In addition to brain drain, waves of military mobilization of Russia's citizens are resulting in decreased activity on Russian-language dark web and special access forums. There are also some other effects the war is having on the underworld. The larger economic dislocations seen in Russia especially, but elsewhere as well, are changing the cybergangs' cost-benefit calculus. Recorded Future's Insikt Group writes, The economic consequences of the war in Ukraine are likely creating conditions conducive to an
Starting point is 00:07:56 increase in the value of payment card fraud on the dark web, despite an overall slump in carding volume in 2022. Regardless of fraud's reputation as an unsophisticated form of cybercrime, it is likely becoming less a crime of opportunity than of survival. International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime, leading to wide-ranging and rippling effects on the malware and ransomware-as-a-service threat landscapes. These disruptions have also spread to the dark web shop and marketplace ecosystem, leading to price fluctuations and newfound competition among market administrators. Cybercrime, both based in the CIS and globally, is entering into a new era of volatility
Starting point is 00:08:47 as a result of Russia's war against Ukraine. Those effects remain to play out, but the criminal marketplace seems to be undergoing some significant shifts. Meduza reports that missile alerts sounded in nine Russian cities on Wednesday. Russia's Emergency Situations Ministry confirmed in its Telegram channel that the false alarms were broadcast over radio stations whose networks had been hacked and should be disregarded. The alerts were also distributed by text messages. The Register reports that regional authorities in some of the affected cities blamed collaborators of the Kiev regime, that is, Ukrainian hacktivists, or, and this is a more interesting possibility, Russian dissidents for the incident. Dole PLC says that the ransomware attack it sustained remains under investigation
Starting point is 00:09:41 and that the impact to Dole operations has been limited. No further details are available, although Computing points out, without claiming attribution, that in 2021, REvil hit food processing firm JBS with a ransomware attack. In any case, the incident shows, again, how ransomware can interrupt physical supply chains. And finally, CISA yesterday released three industrial control system advisories. As always, apply updates per vendor instructions, and happy trails. Coming up after the break,
Starting point is 00:10:28 our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic and International Studies about a new security agreement between Japan and the U.S. Kathleen Smith of ClearedJobs.Net clears misperceptions about the cleared space. Stay with us.
Starting point is 00:11:58 Maria Varmazis is our CyberWire space correspondent, and she recently spoke with Zhanna Malekos Smith from the Center for Strategic and International Studies
Starting point is 00:12:56 about a new security agreement between Japan and the U.S. Maria files this report. My name is Zhanna Malekos Smith. I am a senior associate with the Aerospace Security Project at CSIS, the Center for Strategic and International Studies, where I'm also an adjunct fellow in their strategic technologies program, as well as a cyber law fellow with the Army Cyber Institute. Thank you so much. And you are absolutely the perfect person to speak to about the news that you sent my way, actually, about a new agreement between the United States and Japan. Could you walk me through that and what that means? The U.S.-Japan Space Pact
Starting point is 00:13:37 Agreement, recently signed on January 13th, is about promoting civil space cooperation. It reaffirms two significant programs. One, Japan's involvement in the NASA-led Artemis Accords program, which is an international space exploration program. Japan was one of the original seven parties to sign this agreement in 2020. The ambition of the program is to return humans to the moon in 2025 and also support a mission to Mars towards the end of 2030. Apart from affirming the vitality of the Artemis Accords program, the U.S.-Japan Bilateral Space Pact Agreement signed this month also supports the Lunar Gateway Project, which is to develop an orbiting lunar research station around the moon. Okay, so that's awesome. And there are these two phrases that have been coming up a lot in the context of this agreement about the Open Space
Starting point is 00:14:40 Treaty and the phrase peaceful purposes. Can you walk us through why those are important and why they're coming up in this agreement specifically? In the very title of the most recently signed space framework agreement between Japan and the United States, you'll notice that in the title it says the use of space for peaceful purposes. And in my research, I argue that that is significant in a forthcoming piece with CSIS because it affirms the landmark Outer Space Treaty of 1967 and specifically echoes language in the preamble of the treaty about the preservation of space and the exploration and use of it for peaceful purposes. Here's where it gets interesting because the term peaceful purposes is not expressly defined in the treaty. And prior to the treaty even being signed in 1967, there was a significant discussion about what does peaceful purposes mean and a divergence of views. The majority view, one held by the United States, is that peaceful purposes as enshrined in this treaty refers to non-aggressive activities like scientific research, intelligence, surveillance, and reconnaissance activities. Contrast that with
Starting point is 00:15:59 the minority view held by several states such as Japan, India, and Iran, arguing that the term should be more narrowly interpreted, focusing on the demilitarization of space and that it exclusively be used for peaceful purposes. And you can go back and read on the United Nations website the history of this long-standing discussion about what does peaceful purposes mean. And one of the ambassadors representing the Iranian delegation stated that the draft treaty should stipulate, and this was a recommendation he offered, that the treaty should stipulate the exploration use should only serve peaceful purposes. By their definition of peaceful purposes, right, non-military. And that opens up a whole other issue of how peaceful purposes is interpreted across different languages and cultures.
Starting point is 00:16:51 What activities should be nestled underneath that? Yes, that's a good point, Maria. Yeah, I mean, I can't help but wonder, and I am not a person who's very comfortable with law or treaties or anything like that. But as a person who's a nerd for language, the fact that that phrase was not defined and left open for interpretation makes me wonder, was that on purpose? Or was that sort of a placeholder for we'll figure this out later, and here we are several decades later still trying to figure that out? That is a good question. And I can see both sides to it, one being strategic ambiguity. At the same time, there's value in signaling to your. So does this actually represent a change for Japan's posture on peaceful purposes? Or is it sort of a continuation of what they've been doing?
Starting point is 00:17:52 Or is it an escalation? Or how would we characterize this? I would describe the framework agreement as an accelerator. If U.S.-Japan space collaboration partnerships prior to this agreement was a computer, you can think of the framework agreement as like adding hardware accelerator to enhance the performance of the computing system. So yes, it affirms Japan's commitment towards the NASA Artemis program, the Lunar Gateway Project, and deepening scientific and research collaboration in the space. The tenor of the agreement and the press statement talking about the agreement focuses on civil space collaboration. Interestingly,
Starting point is 00:18:32 the actual text of the agreement has not yet been released. So I'm very curious to present this as a broad-based legal agreement focusing on civil space cooperation. That said, what about deepening defense space cooperation ties between the two countries? It's an open question whether or not this agreement could be used as a vehicle for that. And what we'll have come March is more textual nuance to chew on because the countries have announced a plan to hold a comprehensive dialogue on space to build on the agreement and strengthen space cooperation. And that is for this specific framework. However, if we look at the January 11th press conference joint statement issued by the Security Consultative Committee, there was a mentioning in that text
Starting point is 00:19:27 that Japan and the United States have agreed that attacks to, from, or within space could lead to the invocation of Article 5 of the U.S.-Japan Treaty. And that's, to me as a person who studied Japan for a while, that's a big deal. Can you, maybe I'm overstating it, but could you, for our listeners, tell them what Article 5 means in this context? Sure. And it is an important legal agreement, certainly. It is the full title, it's the Treaty of Mutual Cooperation and Security between Japan and the United States. And Article 5 recognizes that each party regards an armed attack, which is a legal term of art, against either party in the territories under the administration of Japan would be dangerous to its own peace and safety and declares that it would act to meet the common danger in accordance with international law. So while more information will be forthcoming on the nature of
Starting point is 00:20:28 the space framework agreement focusing on civil space cooperation, simultaneously we see this joint statement being put out talking about national security concerns and how to modernize the alliance. So it's a fascinating area and we'll know more in the coming months. Yeah, we'll definitely need to check back in with you after the update in March because I'm super curious where this is heading. And I can't help but wonder with everything that happened, especially last year between Russia and Ukraine and the Viasat attack, where cyber attacks might fit in with this. I don't want to speculate because obviously it remains to be seen, but I'm very, very curious and will definitely need to follow up with you in March on it. So thank you so much for walking us through this. This is fascinating and important, and I'm really glad you were here to tell us all about it. So thank you. Thank you, Maria. It's been a pleasure. And I'd say the concluding
Starting point is 00:21:17 takeaway is that peaceful purposes fundamentally is about being a good steward of space. So thank you. Thank you so much. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. And I am pleased to be joined once again by Kathleen Smith.
Starting point is 00:22:12 She is the Chief Outreach Officer at ClearedJobs.Net. Kathleen, always great to welcome you back to the show. As someone who has never held a security clearance, and honestly is perfectly fine with that, I am sure that I have a lot of misperceptions when it comes to what exactly is going on when it comes to hiring in that cleared space. What are some of the things that you run into in terms of misunderstandings, misperceptions from folks who may be new to it? So many misconceptions all the time. The biggest one on the candidate side, the job seeker side, is that they pay for their security clearance or they're willing to pay for it to get a security
Starting point is 00:22:51 clearance. And we frequently tell them, no, you are not the person that gets the security clearance. Your future employer gets that for you and that there is a process. The other one that is similar to that is, I will make more money if I have a security clearance. And that is a misconception because all of the government contract positions and government agency positions have certain labor categories. And so it is very codified as far as how much money you're going to be able to make. What we really find with a lot of employers who are trying to find this talent is they believe if they throw money at it, that they can find the talent. And there will be a staffing agency that will tell you, yeah, just give us a big commission and we'll find you the bodies. They might not necessarily find you the right people, but they will find you people with security clearances. But, you know, when you're trying to fill a position within the
Starting point is 00:23:54 government contracting space, you're first trying to find someone with a specific type of clearance. And then within that, you're trying to find someone who has 10 to 15 years experience in a specific category. You're then also trying to make sure that they definitely have a graduate, excuse me, a college degree certifications. And then the other problem is they have to meet the culture. And this is something that's similar between the corporate world and the government contracting world is that when you're looking at people supporting the mission, people who are doing difficult work, there's a lot of stress. And when you build a team, you need to make sure that everybody sort of meshes with that culture. Culture is so important when you go and you talk to people who are in a SCIF or someone who's part of a large government contractor or a small government contractor. You really have to look at what that culture is. Is it many hands do light work and we're willing
Starting point is 00:24:59 to everyone do everything or are we a group of people who are very specialized? And I think that this is one thing that's interesting that we see a lot with doing our in-person events is that people come to them, recruiters specifically come to the in-person events to hire people because they get to answer that question right up front. Will this person meet the culture? Because you can go through the overall hiring process. Yes, they have the clearance. Yes, they have the experience. Yes, they have the certification. But the final step in that hiring process is that person meeting the customer. And the customer will frequently say, no, they don't fit.
Starting point is 00:25:52 And it's the culture fit. So if you can do that culture fit question up front, you save yourself a lot of time with, you know, the overall hiring process. I think another misconception is it's only tech talent that people are looking for. And we talk to a lot of people and they say, well, you know, security clearances, you only need them if you're tech talent. And that's not true because we need machinists, we need truck drivers. You know, we need truck drivers with the highest level clearance.
Starting point is 00:26:20 We need, you know, gardeners to work at the White House. There are, it's like a little city. And I'm frequently amazed that people think, oh, I need to go get this specific tech talent or tech degree or something to be able to support the mission. Where, you know, you and I were talking earlier, you have someone who wants to do this work, may not have tech talent, but may have some other kind of applicable skills. And I think it's the biggest question that a candidate, a job seeker really needs to ask themselves is, is this the kind of life that I want to have? Do I want the work I do to support an overall mission? And when I talk to people who are in this space, they're like, it's about the mission for me. It's always been about the mission. When I did a panel
Starting point is 00:27:15 for the Mid-Atlantic Chapter of Women in Cybersecurity, it was really about explaining you make a decision to put up with the security clearance questions and you make a decision to do this kind of work because this is where you see your career going. And this is where you want your life to make a difference. And some people have that question and they answer yes. And other people are like, that's not what drives me. And so that's what I think people have the biggest misconception about is this is a real personal mission. It is not something driven by money or position or location. It is really something that is driven by a personal mission. Well, and I was going to ask about that because it seems to me like the flip side, which you mentioned, is that your life's going to be under a certain amount of scrutiny,
Starting point is 00:28:11 and that's not for everybody either. Right. It's not. And when I speak at colleges and they say, you know, that they want to do this, it was like, do you want to do this for the next 30 years? And they're like, well, no, I don't know what I want to do for the next 30 years. And I said, well, this is not something you can flip on and flip off. You do have to say, you know, you can't say I'm going to go be an Intel analyst and then, you know, three years from now, I'm going to be a barista. And then maybe five years after that, I want to go back to being an Intel analyst. This is a definite career path. And in my 20 years, I think I've met no more than five to eight people who have said, I'm done.
Starting point is 00:28:56 I'm out of this space. Pretty much everyone else has said, I made this commitment and I'm going to stick with it. All right. Well, interesting insights as always. Kathleen Smith, thanks so much for joining us.
Starting point is 00:29:57 And that's The Cyber Wire.
Starting point is 00:30:09 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Andy Patel from WithSecure Labs. We're discussing their research that demonstrates how GPT-3 can be misused through malicious and creative prompt engineering. That's Research Saturday. Check it out. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show
Starting point is 00:30:51 was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
