CyberWire Daily - A new RAT from Beijing. Muslim hacktivism in India. Ukraine reports a GRU spam campaign against media outlets. A Moscow court fines Wikimedia. And that UK cyber disaster was just a promo.
Episode Date: June 13, 2022. A Chinese APT deploys a new cyberespionage tool. Hacktivism roils India after a politician's remarks about the Prophet. Ukraine reports a "massive" spam campaign against the country's media organizations. A Russian court fines Wikimedia for "disinformation." From the NSA’s Cybersecurity Collaboration Center our guests are Morgan Adamski and Josh Zaritsky. Rick Howard sets the cyber sand table on Colonial Pipeline. And the Martians haven’t landed, and the Right Honorable Mr. Johnson is still PM. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/113 Selected reading. CERT-UA warns of cyberattack on Ukrainian media (Interfax-Ukraine) Russian hackers start targeting Ukraine with Follina exploits (BleepingComputer) Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp (CERT-UA # 4797) (CERT-UA) Wikimedia Foundation appeals Russian fine over Ukraine war articles (The Verge) GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Unit42) Prophet remark: Slew of cyber attacks on Indian govt, private sites (The Times of India) 70 Indian government, private websites face international cyber attacks over Prophet row (The Times of India) Channel 4 faces Ofcom probe over ’emergency news’ stunt to promote cyber attack drama The Undeclared War (INews) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Chinese APT deploys a new cyber espionage tool.
Hacktivism roils India after a politician's remarks about the Prophet.
Ukraine reports a massive spam campaign against the country's media organizations.
A Russian court fines Wikimedia for disinformation.
From the NSA's Cybersecurity Collaboration Center, our guests are Morgan Adamski and Josh Zaritsky. Rick Howard
sets the cyber sand table on Colonial Pipeline, and the Martians haven't landed, and the Right
Honorable Mr. Johnson is still PM. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 13, 2022.
In a report this morning, Palo Alto Networks' Unit 42 outlines the recent activities of Gallium, a Chinese government threat actor particularly active against selective targets in Australia, Southeast Asia, Africa, and Europe.
Gallium has also been associated with Operation Soft Cell, a campaign against telecommunications providers.
The recent operations Palo Alto describes are distinguished by their employment of a new
difficult-to-detect remote-access trojan named PingPull. They're also marked by an expansion to
sectors other than telecommunications, specifically government organizations and financial services.
Palo Alto has shared detailed findings with fellow members of the Cyber Threat Alliance.
The company also extends special thanks to the NSA Cybersecurity Collaboration Center,
the Australian Cybersecurity Center, and other government partners for their collaboration
and insights offered in support
of their research. Remarks by a representative of India's ruling party, the BJP, have prompted
a defacement campaign against websites belonging to Indian diplomatic, academic, and agricultural
organizations. The actions, organized by the hacktivist group Dragon Force Malaysia,
are organized around the message, for you is your religion and for me is my religion.
The Times of India quotes the Director of Research and Operations at the Center for Research on
Cyber Intelligence and Digital Forensics as saying correctly, website defacement is the lowest form of cyber attack.
Data theft, particularly financial data theft and personal data, will impact people and the banking sector.
Companies and government organizations must step up cybersecurity.
The remarks themselves by Nupur Sharma were taken by many Muslims, including Muslim governments, to be defamatory, blasphemous,
and intolerable. An email from the press office of Ukraine's State Service of Special Communication
and Information Protection on Saturday warned that a massive spam campaign against media outlets had
begun. Over 500 destination email addresses have been identified. The emails contain an attached
document, the opening of which may initiate downloading of CrescentImp malware. Specialists warn that
cyber criminals have been increasingly resorting to email spamming from compromised addresses of
public institutions. If you fall victim to a cyber attack, please contact CERT-UA immediately.
The activity is tracked as UAC-0113, attributed to the Sandworm group, with a medium certainty level.
As reported earlier, this group was involved in orchestrating a massive attack on the energy
sector of Ukraine in April. Sandworm is a Russian threat actor associated with Russia's GRU military intelligence service
and perhaps best known for its role in the 2015 and 2016 cyberattacks
against sections of Ukraine's power grid.
The group has also been fingered for the 2017 NotPetya pseudo-ransomware attack
and 2018's Olympic Destroyer incident.
The payload in the spam emails appears to exploit the Follina vulnerability in the Microsoft
Windows Support Diagnostic Tool to install a downloader for CrescentImp malware.
CrescentImp's provenance and functionality are unclear, BleepingComputer reports, but CERT-UA has provided indicators of compromise to assist in CrescentImp detection.
The Verge reports that a Moscow court has fined the Wikimedia Foundation 5 million rubles,
that's about $65,000, for its reporting on Russia's special military operation,
the war against Ukraine.
Wikimedia is appealing the fine.
Stephen Laporte, associate general counsel at the Wikimedia Foundation, said,
This decision implies that well-sourced, verified knowledge on Wikipedia
that is inconsistent with Russian government accounts constitutes disinformation.
The government is targeting information that is vital to people's
lives in a time of crisis. We urge the court to reconsider in favor of everyone's rights to
knowledge access and free expression. Wikimedia also argues that Russia lacks jurisdiction.
And finally, you know the lore about Orson Welles and his Mercury Theater of the Air broadcast of the War of the Worlds back in 1938.
It came in the form of a series of fictional breaking news alerts that interrupted what appeared to be a regular music program.
The breaking news bits were a lead-in to a conventional radio drama narrated by Mr. Welles.
The Martians' landing site was transposed from England to Grovers Mill, New Jersey,
in Mercer County, not far from Trenton.
The broadcast said it was fiction, but not all the listeners got the word,
and there was a minor panic over a Martian scare.
That panic wasn't as big as later legend had it, but some people were certainly
spooked. Anywho, there's been sort of another War of the Worlds scare, only this time it was in the
UK, and it involved an ad that announced a, wait for it, cyber attack. Be vigilant, be ready, and
above all, remain calm. The Undeclared War, coming soon to Channel 4 and All 4.
Channel 4 tweeted,
Above a promotional video that showed what appeared to be a GCHQ warning
delivered by the Right Honorable Andrew Makinde, Prime Minister.
Apparently, some viewers were confused and carried their confusion to Twitter.
iNews quotes one such viewer,
I saw this and was really confused whether it is real or not. Wasn't really explained and then
announced The Undeclared War on screen. Don't know if this should be on TV or not. Others, without
acknowledging any such confusion on their part, were nonetheless moved to express concern for their neighbors, lest the British
public be led astray. One such concerned subject asked, is it not against Ofcom rules to broadcast
an advert or feature that could be mistaken for a real-life news emergency broadcast?
The Undeclared War advert might have just breached that. We know, we know, Twitter is an unfiltered sluice through which the
random thought that forms within the private mind finds immediate public global expression,
but some people were apparently confused. There's always someone who doesn't get the word, right?
Adrian Lester, the actor who plays Prime Minister Makinde, pointed out,
I'm not actually the Prime Minister. I'm an actor.
And anyway, I don't have blonde hair.
Ofcom, the Office of Communications and the UK equivalent of the US FCC,
is looking into the matter.
In any case, there's no need to start hoarding canned goods
and the other familiar impediments of civilizational collapse,
like shortwave radios,
ammunition, and a rowdy dog. And if you're keeping score at home,
the Right Honorable Boris Johnson is still Prime Minister.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24/7, 365 with Black Cloak.
Learn more at blackcloak.io.
The U.S. National Security Agency has been actively engaging with private industry,
and one of the ways that happens is through NSA's Cybersecurity
Collaboration Center. At last week's RSA conference, I sat down with Morgan Adamski,
the center's chief, and Josh Zaritsky, deputy chief operations officer of the Collaboration
Center, for insights on their mission. So the Cybersecurity Collaboration Center really is
the external facing organization of the Cybersecurity Directorate and NSA.
And it is meant to essentially harden and defend the defense industrial base at scale.
And we knew that this was a critical mission when we set up the Cybersecurity Directorate and NSA.
Because if we're trying to protect the most critical weapons platforms, systems, networks,
you can't just focus on the big DIB primes or the big companies or the
platform itself. You have to really secure the entire supply chain and all the companies that
underpin it because that's what our adversary is targeting every single day. Can you give us some
insights as to how that happens in a practical point of view, the behind the scenes workings of
it? So one thing that's fairly universal across much of
NSA, I think, is that no two days are going to be identical. So, you know, it depends a lot on
what's going on. But really, the focus is on bilateral, bi-directional sharing. So it's not
just us pushing information to partners. It's not just them pushing information to us.
It's a collaboration.
It's a dialogue.
Both of us talking about what we're seeing, what we're concerned about, how to mitigate various threats,
and really trying to take on the shared challenge of defending against foreign threats to our defense industrial base.
Have you seen any resistance from the organizations?
Or I get maybe wariness is probably the better question.
Do you have to prove yourself that this is going to be mutually beneficial,
that this is, as you say, a bi-directional relationship?
Absolutely.
I think that was the first step, right?
When we went to a lot of our industry partners
and we said, hey, we want to partner with you and we want to share Intel. They were like, okay, all right.
All right, we'll see, right? You know, and we're going to do that and we hope it works. And so we
started off small, right? We just started to share information and say, here's the type of things that
we think would be beneficial to you. Is it? Some of our partners came back and said, yes. And some
of our partners said, no, that's not what I really need. And we were constantly evolving. And so,
you know, it was a degree of, it's definitely a degree of trust. It's a degree of humility
and recognizing that we're just trying to get this right because we know it's important that we do.
But I think most of our partners have really been encouraged by what we've been trying to do in this space.
And so we see more and more people wanting to partner with us in different ways.
And so I think that's an encouraging metric.
Well, it also strikes me that, I mean, so much of our critical infrastructure when it comes to cyber is in private hands, right?
Yes, absolutely.
And of course, at NSA, our focus really is on the defense industrial base.
So not necessarily the broader critical infrastructure.
Right.
But yes, I mean, I think what we recognize is there's no way government can solve this problem.
It requires that collaboration.
The networks are owned, operated, and defended by the private sector.
And it's our responsibility to do everything in our power to arm them with the information they need so that they can do that job.
Are there things that you all have learned along the way in terms of, you know, we had intentions
to do this in the beginning, but in our interactions with the folks out there, we've had to make some
adjustments? Yes, every day, every event is another learning experience. When the center was getting off the ground was when the Nobelium incident from last year.
I try not to refer to the company, how everybody described that incident, because it was one of the things that really sort of defined how we began interacting
with some of these companies and understanding the types of information that was going to be
most useful. And then we've had, you know, various Microsoft Exchange exploits. We've had,
you know, some high-profile compromises of various organizations and ransomware attacks
and various things. And each one of those is a little bit different. And we understand,
you know, what kind of information that we might have is going to be most useful to each of our
partners, which types of partners are going to have the insights that are, you know, the most
relevant to informing the broader community of, you know, getting our arms
around the scope of the incident so that we can take the right steps necessary to mitigate and
remediate. And I would just offer, you know, one of the things that we've really learned and benefited
from over the last year and a half, and you've heard it a little bit from Chris Inglis and Jen
Easterly and our director, Rob Joyce, is really how we play off of each other from an interagency perspective,
right? So, you know, especially the center was really stood up and hit the ground running during
SolarWinds. And whether we say it's fortunate or kind of unfortunate, right? You've had things like
Log4J and you've had the Nobelium compromise. And what we've really learned in the interagency is
how to interact with each other and how to play our best positions.
And so, you know, when we talk about
the Cybersecurity Collaboration Center
and our emphasis on the DIB,
very rarely do adversaries just target the DIB, right?
They're targeting large-scale sectors
and using the same techniques.
So how can we take what we're learning with the DIB
and give that to CISA to push to the other sectors, right?
We want to be able to protect
critical infrastructure at scale.
And we're going to need to be able to take those insights
from those deep technical conversations
and push it across.
We also have a fantastic relationship
at the center with the FBI, right?
You know, the FBI is able to get to any doorstep in an hour, right?
But sometimes when the FBI shows up, it's a hard conversation to have
because they're asking for things,
they don't know what to share, right?
And so we've built fantastic relationships
with the field offices,
with FBI Cyber under Bryan Vorndran.
How do we interact?
How do we share information in real time?
But how do we all benefit from the data we're getting
for different authorities and capabilities?
How do you measure success as time goes along?
How do you quantify the impact
that you're having? So that's a tricky question for all of us, right? Because our goal is to make
sure things don't happen. So how do you measure something that doesn't happen? It's great. That's
awesome. I know. Congratulations. We spent all this money and nothing happened. Yes, yes. We're doing a great job.
It's not the metric people want all the time.
Right.
But here's what we see in National Security Agency, right, is, you know, our goal is to frustrate the actor and make it harder on them.
So when we see actors having to change their techniques, having to create bespoke capabilities,
or having to invest in something and not just use the simplest thing on their shelf,
that's a good metric for us to know that
we're making it harder on them. When we see the defense industrial base and we are able to take
a domain and pass it through our protective DNS and block and protect thousands of companies at
once, that's a good metric of success. And so, you know, we're constantly
figuring out what they are. The fact of the matter is, we know we're moving in the right direction.
Morgan Adamski is chief of NSA's Cybersecurity Collaboration Center,
and Josh Zaritsky is deputy chief operations officer.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, always great to have you back.
Hey, Dave.
So for this week's CSO Perspectives episode, you are dusting off your trusty cyber sand table.
And you're going to be talking about an infamous breach from days gone by.
Before we dig into that, though, let's revisit here what exactly is a cyber sand table and what makes it useful.
Well, thanks, Dave. And I got the idea of a cyber sand table from my old military days. Okay. So,
we use these sand tables after we completed a field exercise. It was kind of a physical model of the terrain we were all playing in. And sometimes they were really fancy, but most of
the times the sand table was a piece of dirt on the ground.
And we used rocks and twigs and things to represent the forces and obstacles both sides were contending with.
And we tried to capture the lessons learned by rolling through the exercise step by step,
watching what the red team did and then studying how the blue team reacted.
Because, you know, it's hard during the heat of battle to take a beat and think about what you were doing wrong in the moment
so that you won't repeat that mistake in the future.
The last time you and I talked about sand tables,
I said it was like how Tom Brady,
probably the greatest NFL quarterback of all time.
We look forward to your letters.
Johnny Unitas would like a word, but go ahead.
Anyway, his normal practice is to review game films and look for previous mistakes so he can learn from them.
So for cybersecurity, I think we can learn a lot by studying some of the famous breaches in our history to see what mistakes can be avoided in the future.
The last time, we put the infamous OPM breach on the sand table, which you should definitely go check out. But for this
episode, we are examining the Colonial Pipeline attacks of 2021. So why choose Colonial Pipeline?
What makes that event particularly useful? Well, we are focusing the analysis through a resilience
lens because here we have Colonial
Pipeline, the company responsible for some key U.S. critical infrastructure, namely the gas pipeline.
I don't know if you knew this, Dave, but it carries roughly 3 million barrels of fuel a day
over about 5,500 miles from Houston to New York and connects directly to several major airports, including
Atlanta, Nashville, Charlotte, Greensboro, Raleigh-Durham, Dulles, and Baltimore, Washington.
In other words, this is how your airports on the East Coast get their jet fuel.
And if you remember, thousands of gas stations on the East Coast didn't have any gas for over a week
after the double extortion attack by the cyber criminal gang DarkSide.
So, if your resilience first principle strategy says that you will continuously deliver the
intended outcome, in this case, fuel delivery, despite adverse cyber events, the Colonial
Pipeline response was a big whiff. So, in this episode, we're going to try to discover the
reasons why. All right. Well, that is CSO Perspectives. It is part of CyberWire Pro. You can learn
all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand,
Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.