CyberWire Daily - A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
Episode Date: April 14, 2022
A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72
Selected reading.
Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg)
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant)
PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments (Dragos)
APT Cyber Tools Targeting ICS/SCADA Devices (CISA)
U.S. warns newly discovered malware could sabotage energy plants (Washington Post)
Industroyer2 Targets Ukraine's Electric Grid: Here's How Companies Can Stay Protected and Resilient (Nozomi Networks)
Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine)
Lazarus Targets Chemical Sector (Symantec)
Old Gremlins, new methods (Group-IB)
Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
A nation-state threat actor targets industrial systems.
A quick look at the GRU's earlier attempt against Ukraine's power grid.
The difficulty of recovering from a credible threat to industrial systems.
Lazarus Group resumes Operation Dream Job.
Old Gremlin speaks Russian and it holds Russian companies for ransom.
Carole Theriault looks at research on lie detection.
Josh Ray from Accenture drops some SBOMs.
And another look at the privateers in the Conti gang.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 14th, 2022.
Late yesterday, the U.S. Cybersecurity and Infrastructure Security Agency announced that
with its partners in the Department
of Energy, the National Security Agency, and the Federal Bureau of Investigation, CISA had issued
a joint cybersecurity advisory. It warns that certain advanced persistent threat actors have
exhibited the capability to gain full system access to multiple industrial control system supervisory control and data acquisition devices using custom-made tools.
The advisory recommends familiar best practices for protecting ICS and SCADA systems
and explains the threat actors' tools as follows.
The APT actors have developed custom-made tools for targeting ICS and SCADA devices.
The tools enable them to scan for,
compromise, and control affected devices once they have established initial access to the
operational technology network. Additionally, the actors can compromise Windows-based engineering
workstations, which may be present in information technology or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities.
By compromising and maintaining full system access to ICS SCADA devices,
APT actors could elevate privileges, move laterally within an OT environment,
and disrupt critical devices or functions.
The immediate actions CISA recommends are to implement multi-factor authentication,
change system passwords, especially any default passwords,
and use a properly installed continuous OT monitoring solution
to log and alert on malicious indicators and behaviors.
The Washington Post reports expert consensus that the energy sector,
especially liquefied natural gas facilities, is probably the tools' most likely target.
Dragos calls the activity group Chernovite and the malware PipeDream. While CISA's advisory called
out specific products and merely suggested that others might be vulnerable,
Dragos is explicit in its assessment that other systems are at risk. They said,
the tooling may be used to target and attack controllers from hundreds of additional vendors.
PipeDream can target a variety of PLCs in multiple verticals due to its versatility.
That versatility has been observed elsewhere. Wired quotes sources
at Dragos to the effect that PipeDream is like a Swiss army knife with a huge number of pieces to
it. It's equally capable of collection, compromise, disruption, and destruction of industrial systems.
Two of the points Dragos makes illustrate the versatility. They say,
Chernovite can manipulate the speed and torque of Omron servo motors used in many industrial
applications and whose manipulation could cause disruption or destruction of industrial processes
leading to potential loss-of-life scenarios. PipeDream's Windows-related components facilitate host reconnaissance,
command and control, lateral tool transfer, and the deployment of unsigned rootkits.
The warnings about this threat to control systems are forward-looking,
as the tools don't appear to have been used yet. Researchers at Mandiant have a different
nomenclature. They call the toolkit Incontroller, which emphasizes its ability to seize control of industrial processes.
Their report describes three scenarios in which Incontroller might be used.
First, disruption of controllers to shut down industrial processes.
Second, reprogramming controllers for the purpose of sabotage, and third, perhaps most alarmingly,
shutting down safety systems to cause physical destruction.
Like others, Mandiant believes the tools were prepared by a nation-state for its own use.
That nation-state is, they think, probably Russia.
Their evidence is circumstantial, their reasoning suggestive but compelling.
The tools required resources and expertise to develop and don't have an obvious payoff,
and there are similarities in style to earlier Russian efforts.
And, of course, Russia is presently engaged in a large-scale hybrid war.
Nozomi Networks has commented on Sandworm's attempt to disable portions of Ukraine's power grid.
The company's advice is familiar but worth attending to,
recommending as it does implementation of sound practices and good cyber hygiene.
Chris Grove, Nozomi's director of cybersecurity strategy,
sees continuity between this attack and earlier, more successful takedowns of portions of the Ukrainian grid.
He says, the nature of this attack is one that everyone in the international critical infrastructure community should note,
as it's one of a handful of attacks that has directly hit OT systems.
He strongly recommends keeping an eye out for more Russian activity against power grids.
An apparently and probably unrelated cyber attack against an industrial concern shows the difficulty such an organization can have returning to normal operations.
The Nordex Group, a major wind turbine manufacturer that sustained a cyber incident on March 31,
continues its recovery some two weeks later.
Only Nordex's internal systems are believed to have been affected.
North Korea's Lazarus Group has resurfaced with an industrial espionage campaign
directed against the chemical sector.
Symantec researchers this morning outlined their findings,
which conclude that Pyongyang is running a continued version of Operation Dream Job.
First observed in August 2020, Operation Dream Job, as its name suggests, is a social engineering campaign that uses bogus job offers as the fish bait
to lure the unwary quarry to bite on a malicious attachment that installs an information-stealing payload on the
victim's devices. The operation's goal is believed to be theft of intellectual property for the
benefit of the DPRK's chemical industry. Group-IB reports that an unusual ransomware gang,
Old Gremlin, has resumed attacks against Russian targets. Old Gremlin is an outlier in several ways.
For one thing, it's careful and selective,
watching the news closely as it shapes its fish bait.
The fish bait proffered in this latest round of attacks
details the coming suspension of Visa and MasterCard payment processing in Russia.
The payload, hosted on Dropbox, was the TinyFluff backdoor.
Old Gremlin's episodic activity may indicate that its members are part-timers working a side hustle.
But the most unusual thing about Old Gremlin is that it's a Russophone gang targeting Russian
organizations. Most Russian ransomware gangs operate effectively as privateers and scrupulously
avoid hitting Russian enterprises. Its most recent campaign, run last month, impersonated a senior
accountant at a large Russian financial institution. And finally, while attention has shifted to Russian
intelligence and security services' cyber operations during Mr. Putin's hybrid war,
the privateers, like Conti, are still with us.
CNBC has joined those who've sifted through the internal chatter
taken from the gang and dumped online.
Conti's operations look a lot like those of a legitimate business.
The messages show that Conti operates much like a regular company,
with salaried workers, bonuses, performance reviews, and even employees of the month.
Employee of the month is a particularly nice and caring touch, and note to self,
why don't we have those around here? There's one big difference between the gang and a legitimate
business. A lot of Conti's associates are unaware
that they're working for a criminal enterprise. Lots of them, CNBC says, think they're working
for an advertising company. We'd love to see the rate card they were given.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
Anyone with a security clearance, or anyone who's watched old police procedurals, is familiar with the notion of the polygraph machine,
the old lie detector.
Well, whether or not those are actually good at detecting lies is certainly questionable and up for debate,
but the technology of lie detection has advanced.
Our own Carole Theriault has this report on the latest.
Today I want to talk about lie detectors, something that I rarely think about, but I
guess that's probably true for most of us, unless of course we're faced with having to
pass one.
So a little history, because it's actually quite interesting.
The polygraph, known as the lie detector test, is a medical device for recording a patient's
vital signs. Things like pulse or blood pressure or temperature or breathing rate. It seems the
first polygraph machine was invented in 1921, so 100 years ago in Berkeley, California. Apparently
at the time Berkeley had a very famous police chief called August Vollmer,
and he was in charge of police reform,
and he wanted to use the science to make the cops more law-abiding themselves.
You see, until that point, if you were giving a suspect the third degree,
it often meant beating them up.
But lie detectors have had a very complicated history, and with good reason.
Even as near as 2003, Gary Ridgway admitted that he was the Green River Killer, having murdered 49
women in the Seattle area. Ridgway had passed a lie detector test in 1987, while another man,
who turned out to be innocent, failed. And the American
Psychological Association stated that most psychologists agree that there is little evidence
that polygraph tests can accurately detect lies. So, you know, controversial. But none of this has
dampened our desire to have a tool that helps us know whether someone's telling the truth or not.
I mean, if we could find it, amazing. And the question is, is technology to the rescue?
Professor Hanein and Professor Dino Levy have led a team at Israel's Tel Aviv University
that have developed a new method of lie detection. They say they have identified two types of liars. Now get this,
there are those that involuntarily move their eyebrows when they tell a fib,
and there are those that cannot control a very slight lip movement where their lips meet their
cheeks. Presumably this has to be virtually invisible to the human eye. Otherwise, why would
we need electrodes strapped to the user's face in order to detect these micro movements? A spokesperson
says, when you try to conceal a lie, one of the things you try to avoid of any sort is a body
reaction. But it's very, very hard for you to conceal a lie with this
technology. And they say their software and algorithm can now detect 73% of lies. And they
intend to improve that as they develop the system. Well, thank heavens. I mean, a lie detector that
works 73% of the time, to me, is near useless. It means if it's used in a setting for someone to be employed
or someone who's going to go to jail,
you don't want something that's 73% accurate.
That is just way, way too high a false positive rate.
But I suspect we're going to be working on this for a while.
After all, the first documented example comes from 1000 BC in China,
where a suspect would have to fill his or her mouth with dry rice. If it stayed dry,
they were lying. At least we're not doing that anymore. This was Carole Theriault for the Cyber
Wire.
Thank you.
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Josh Ray. He's Managing Director and Global Cyber Defense Lead at Accenture Security.
Josh, it's always great to have you back.
Thanks for having me, Dave.
You know, seeing a lot of chatter about SBOM, which is the Software Bill of Materials,
and some of the mandates that are coming down the pike when it comes to that sort of thing,
I wanted to check in with you, your take on this. A good idea? You know, something whose time has come?
Oh, absolutely. Yeah. I mean, when you think about it, you know, we put labels and ingredients on
things that we eat, you know, that are on the sides of our medicines. And just the simple fact
that, you know, we don't know everything that's in the software that we're linking up.
I mean, I equate it to Bob, the IT guy, getting ready to install the recent update.
And his buddy Bill's like, hey, what's in this update?
And he's like, I don't know.
That just should never happen, right?
Just hook it up to the life support system so we can go to lunch. I mean, this is not like something that we should necessarily tolerate going forward.
And I think the most recent executive order from a policy standpoint,
and then obviously seeing this play out with Log4J only reinforces the necessity
because this is far overdue and something that our clients are very interested
in as well. What about folks who say that this is an added burden on folks, a regulatory burden,
and may even provide a bit of a roadmap for bad guys? Yeah, I mean, that's always the other side
of the coin. But that's also like saying security through obscurity too.
And I think that being transparent
and allowing defenders the opportunity to understand
what is in their code and what they're deploying on their enterprises
and how they're making smart purchase decisions from vendors
only makes sense.
This natural move towards transparency will hopefully give both the government and
other customers, you know, more of a chance to proactively mitigate vulnerabilities before
they're exploited.
All right.
Well, Josh Ray, thanks for joining us.
Thank you, Dave.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
Our amazing Cyber Wire team is Liz Irvin,
Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.