CyberWire Daily - An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.
Episode Date: February 28, 2022
Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine (and Russia). Diplomacy, now short of surrender? A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on KillACK Backdoor Malware Continues to Evolve. Rick Howard revisits the cyber sand table. Criminals exploit Ukraine's suffering in social engineering campaigns. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/39 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Ukrainian resistance may have stalled the Russian advance at key points.
Cyber operations against Ukraine and Russia. A SWIFT kick.
Return of the privateers now in the guise of patriotic hacktivists.
Not all hacking is war-related.
Josh Ray from Accenture on the KillACK backdoor malware and its continued evolution.
Rick Howard revisits the cyber sand table.
And criminals exploit Ukraine's suffering
in social engineering campaigns.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Monday, February 28, 2022.
Russian forces have failed to reach their initial objectives, stalling in the north and east while advancing more rapidly
from Crimea in the south. Neither Kiev nor Kharkiv, the two large cities under greatest pressure,
have yet fallen. Kiev mayor Klitschko described the city as suffering and hard-pressed but as
holding on, and significantly neither surrounded nor occupied. Military Times reports a quieter night in the capital.
The invading forces are also reported to have failed to take Kharkiv,
Ukraine's second largest city, with a population of nearly a million and a half.
The city is only 40 kilometers from the Russian border and was expected to fall quickly.
It's also a largely Russophone city and one that might have been expected to offer a
tepid resistance, if not an outright welcome to Russian forces. Instead, resistance has been
strong and violent, not at all the march of flowers some had expected. Failure to take Kharkiv
represents an early and surprising failure for the invading forces of Russia's Western Military District.
RiskIQ confirms that it's seeing Ghostwriter activity against Ukrainian troops.
Ghostwriter has been associated with the Belarusian government and with the group being
tracked by Recorded Future and others as UNC1151. Recorded Future thinks it's likely that Russian
elements, particularly the GRU, have used Belarusian infrastructure and cooperated with Belarusian intelligence services to run operations against Ukraine.
The BBC reports that other hackers have rallied to the Russian colors and volunteered to hit Ukrainian online assets.
The ones talking to the BBC claim to be cutting quite a swath, but it's unclear how
effective they may actually have been. Over the weekend, the U.S. Cybersecurity and Infrastructure
Security Agency released, with its FBI partners, an updated advisory on the wiper malware used
against Ukraine last week. The advisory is principally forward-looking, intended to suggest
defensive measures that U.S. and allied organizations might take to protect themselves should the attacks
expand beyond Ukraine, but it also contains significant information about last week's attacks.
Most of the attention in the hybrid war has gone to Russian attacks against Ukraine,
but there have been operations running the other way, too.
Hacker News reports that Russia's National Computer Incident Response and Coordination Center has warned its domestic clientele that cyberattacks against Russian critical
infrastructure are to be expected. The hacktivist group Anonymous seems to be siding with Ukraine,
although as always, it's difficult to know who speaks for an anarcho-syndicalist
collective, according to ZDNet. As always, statements by hacktivists should be received
with cautious skepticism. Anonymous, however, has claimed responsibility for an attack against
Russian media outlet RT, and RT was indeed knocked offline by a cyber attack, the Daily Beast reports.
Ukraine's government hasn't been reluctant to call for hacktivist volunteers.
Bleeping Computer reports that Kyiv is calling for an IT army to take on Russian targets
and that it's also released a target list.
Russian government agencies, government IP addresses, government storage devices and mail servers,
three banks, large corporations supporting critical infrastructure,
and even the popular Russian search engine and email portal Yandex.
Mykhailo Fedorov, Vice Prime Minister of Ukraine and Minister of Digital Transformation of Ukraine, tweeted out the call, quote,
We are creating an IT army. We need digital talents.
All operational tasks will be given here.
There will be tasks for everyone.
We continue to fight on the cyber front.
The first task is on the channel for cyber specialists, end quote.
Caveat emptor for those considering freelancing.
However much one might wish Ukraine well,
cyber operations can be difficult to control and are inherently escalatory,
Dragos' Robert M. Lee reminds us.
Russian Foreign Minister Lavrov last week offered to negotiate with Ukraine,
but, the New York Times reported, only after Ukraine ceased all resistance to Russia's special military operation.
That hasn't happened, and Ukrainian resistance has, if anything, stiffened.
Apparently, unconditional surrender is no longer the price of negotiation,
as Moscow has agreed to meet today with Ukrainian representatives
to seek a resolution to Russia's war of choice.
Representatives of the two sides have now agreed to meet at a checkpoint
close to the Belarusian border,
according to Politico and many other sources.
President Zelensky has not expressed high hopes for the meeting.
The Guardian quotes him as saying,
I do not really believe in the outcome of this meeting, but let them try,
so that later not a single citizen of Ukraine has any doubt that I, as president, tried to stop the war, end quote.
Bloomberg describes the Russian delegates to today's talks as a relatively low-level contingent composed of deputy defense and foreign ministers,
but the fact that Russian officials seem willing to negotiate at all without insisting on their earlier preconditions
suggests an erosion of confidence in the military situation.
A number of Russian banks will be expelled from SWIFT, the Society for Worldwide Interbank Financial Telecommunication.
European Commission President Ursula von der Leyen announced late Saturday
another incremental increase in sanctions to be levied against Russia in response to its invasion of Ukraine. She began with a direct and harshly honest characterization of Russian aggression.
Of the additional sanctions she outlined, the most significant involved blocking a number of
Russian banks, those most closely aligned with Russia's war economy, from the SWIFT international
funds transfer system. The new sanctions are in keeping with the graduated incrementalism
that's marked the Western response to the Russian invasion.
But curtailing access to SWIFT is regarded by most observers
as a serious blow to the Russian economy.
The measures are targeted.
They don't affect all banks, but rather a set of financial institutions
that are closely associated with
Russia's ability to make war. General export controls are expected to have a strongly negative
effect on the Russian tech sector. On an individual level, the AP reports, Russia is seeing a run on
banks and ATMs as people try to get what foreign currency they can. Conti, the familiar ransomware gang, says it will
strike those who oppose Russia. According to Reuters, Conti blogged, quote, if anybody will
decide to organize a cyber attack or any war activities against Russia, we are going to use
all our possible resources to strike back at the critical infrastructure of an enemy, end quote.
So, any serious suppression of cyber-criminal gangs by Russian security authorities has proven to be, as was foreseeable, largely an illusion, at best temporary and tactical.
On the other side, Computing reports that a Ukrainian hacker, possibly a member of Conti, has doxed the gang, releasing details of its internal chatter and some of the gang's sensitive data. Conti's blog was unavailable this morning.
There may be a reflexive tendency to blame any cyber incident on Russia, given the current war
in Ukraine, but it's worth remembering that there are other criminal organizations out there who
have little or nothing to do with that conflict.
California-based chipmaker NVIDIA, for example, was hit last week by a cyber attack,
the Telegraph reports.
The paper quoted a company insider as saying that internal systems were completely compromised,
and the Telegraph reported a priori speculation that the attack was related to the ongoing hybrid war in Ukraine.
Bloomberg subsequently reported that the attack was unrelated to Russia's war against Ukraine
and that the disruption to the company's systems was less serious than it first appeared.
NVIDIA told Bloomberg,
quote,
WCCF Tech said over the weekend that the incident was a ransomware attack by the South American group Lapsus$.
And, according to Reuters, Toyota has also been affected by a cyber attack on a supplier that's caused Toyota to suspend Japanese production.
The nature of the attack on the supplier, Kojima Industries, is unknown.
Toyota characterized the incident as a supplier system failure.
Authorities are investigating and haven't ruled out a Russian connection.
And finally, security firm Avast warns that criminals have begun, in their sorry but entirely foreseeable custom, to exploit people's sympathies for those suffering in Ukraine.
The company writes in its blog, quote,
As cybercriminals seek to take advantage of the chaos, we have tracked in the last 48 hours a number of scammers who are tricking people out of money by pretending they are Ukrainians in desperate need of financial help. In the past, we have seen similar scams for
people stuck while traveling or looking for love. Unfortunately, these attackers do not operate
ethically and will use any opportunity to get money out of people willing to help others in need.
What's suspicious is the immediate mention of Bitcoin,
as well as the usernames that consist only of letters and numbers.
End quote.
If you are moved to help, Avast advises doing so through well-known, credible, trusted organizations,
and doing so through those organizations' official websites,
not through links shared on social media.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show the CyberWire's Chief Security Officer
and Chief Analyst, Rick Howard. Rick, welcome back.
Hey, Dave.
So for this week's CSO Perspectives
episode, you are dusting off your cyber sand table to talk about an infamous breach from the past, but first things first here,
remind our listeners, what exactly is the cyber sand table and why is it useful?
That's a very good question, Dave. So I got the original idea of a cyber sand table from my old
military days when after my unit completed an on-the-ground field exercise, the leaders would
all gather around a map board afterward for a hot wash and replay the exercise
to see if we could learn anything.
If we were really fancy,
we would use an honest-to-goodness,
and I swear I'm not making this up,
physical contour map complete with sand
to represent the terrain, thus the phrase sand table,
and a bunch of plastic army soldiers
to represent the units on the ground.
Or, you know.
Boys and their toys.
Yeah, you know.
Army guys, you know.
Right, right.
Army guys playing with Army men.
Yeah, and I know that there's people in the audience that don't really like to use the military metaphor in conjunction with cybersecurity. from when Tom Brady, the recently retired and perhaps most successful NFL quarterback of all time,
studied hours of game film each week to prepare for his next contest.
And what I'm advocating for here is that network defenders should take the time to review the game film, if you will,
of publicly known breaches to see if we can learn anything to improve our own security posture.
All right, I see.
So I don't know a whole lot about Mr. Brady,
but I do know about his reputation for spending a lot of time with game film. Like he would,
that was something he really dug into, you know, looking at mistakes from previous opponents and, you know, sort of being introspective, trying not to repeat those mistakes in future contests.
Exactly, exactly.
That's what we're trying to do here.
So what game film are you going to review for this particular sand table exercise?
So this is one of my favorite all-time public breaches because we have a lot of information today about what happened behind the scenes.
The breach is the Chinese government's compromise in 2013 of the U.S. government's Office of Personnel Management, or OPM.
It's a big, famous case.
You've probably heard of it.
One of the biggies, yeah.
I think what people forget, though,
is that the breach resulted in one of the largest hauls
in a publicly known cyber espionage operation
in terms of the sheer tonnage of personnel data stolen,
like some 20 million background check records,
each containing 10 years worth of data, and the most impactful in terms of how long the
information stolen will be useful to the Chinese government, since it will take at least 50 years
before the people that belong to those 20 million records will age out of the government workforce.
And I don't know about you, Dave, but I'm still pretty mad that this happened.
I'm extremely mad.
Like, you know, many in our audience
got the letter from OPM telling,
I got the letter saying,
hey, my records were stolen.
And when you read the accounts of what happened,
it reads like a Marx Brothers farce,
something like, you know,
Night of the Opera or something.
I mean, it's that nuts.
OPM had no
security team to speak of, no security tools deployed, and a leadership team who year after
year ignored their own internal inspector general about how serious the issue was. And they went up
against a world-class cyber operator named Deep Panda. OPM, they didn't have a chance.
Yeah. You know, my recollection of never having had a security clearance myself and honestly,
never wanting one.
I'm very happy that I don't have one now.
Yeah, I don't need that kind of anxiety.
But, you know, I have been on the side of having neighbors who have them.
And so having those phone calls, those interviews,
you know, neighbors saying,
hey, is it okay if the people who do the security clearances
give you a call?
And just because of that,
it made me wonder
to what degree was my information
in anything from OPM
because just from being on the sidelines.
Yeah, and you were definitely scooped up, right?
So the Chinese know about you, Mr. Bittner, okay?
And so they're coming for your food or something.
I don't know.
All right.
Well, do check it out.
It is CSO Perspectives.
That is part of CyberWire Pro.
You can find out more about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
Thank you.
trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray.
He is a managing director and global cyber defense lead at Accenture Security.
Josh, it's always great to have you back on the show. I know you and your team have had your eye on a particular bit of backdoor malware called KillACK, and you're seeing some evolution there.
Can you bring us up to date on what you all are tracking? Absolutely, Dave, and thanks again for
having me back. Yeah, this is really
geared towards the cybercrime kind of research community for those listeners out there. And it's
about the evolution, or continued evolution, of really the KillACK malware. I think version
.028 has come out here. And the KillACK PowerShell malware that one of our senior cybercrime threat
analysts, Kurt Wilson, was actually telling me about.
Many in the community know that it's a PowerShell malware that's been leveraged as part of ransomware operations by threat groups like Fin7.
And Kurt was telling me that he's seen KillACK updated about nine times from October 2020 to now.
So this is a really good indication that the threat is actively evolving
to continue to avoid detection.
Can you give us a little bit of the backstory here,
exactly what this does and how it goes about its business?
Yeah, without getting too far into the weeds,
KillACK provides really a lightweight backdoor
and system profiling function for threat actors.
So many of whom, as I mentioned before, use it for ransomware activity.
This is a post-compromise malware.
So it's a stage two malware.
And the stage one is typically a spear phishing type of attack from what we've seen.
KillACK is memory resident malware, right?
So it's fileless.
And despite that not necessarily being new, it can make it difficult to detect and find, you know, when you're doing forensics.
Now, the newest version adds some capability to use a victim organization as proxies for, say, outbound traffic. from a detection standpoint that's been used in conjunction with other malware families like
Goodwin, JavaScript Backdoor, Carbanak, Takeout, Dice Loader, JSS Loader. So many of those
working in malware analysis, the cybercrime community, will be familiar with these names.
And I highlight this not only for detection purposes, but also because using a variety of
these tools together really helps the actors kind of fly under the radar, but it also gives them a really interesting way to evaluate
the efficacy of really all their wares together. Well, let's talk mitigation here. I mean,
what are your recommendations for folks to best protect themselves?
Yeah. And the good news is, I mean, this is something that, you know, net defenders can
really kind of sink their teeth into and hopefully get, you know, a little bit left of boom and take a more proactive approach, right?
So one of the things that we talk to our clients about in trying to mitigate this activity is always deploying the newest version of PowerShell with logging enabled.
This could really help, you know, provide an early alert that your environment has been compromised.
And it's important to be aware that threats like KillACK can be mitigated earlier in the kill chain. Another thing you can
do is ensure that your EDR is properly tuned to protect this PowerShell activity. I mean,
think about normal everyday users are not going to be using PowerShell. One of the things that
we always recommend, especially if you can do it well,
is to implement really strong egress filtering. This is a great way to disrupt that command and
control traffic. So when you think about the fact that this is a stage two type of malware,
you really want to make sure that you're implementing strong egress filtering.
Network segmentation, obviously, to help thwart that lateral movement. That's very important.
Having the advanced,
our ability to conduct advanced forensics,
especially in memory,
having a third-party retainer is also really important.
These are all things that we feel,
especially against this type of threat,
that you're going to need to really drive that resilient security posture.
All right.
Well, good information for sure.
Josh Ray, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karf, Eliana White,
Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.