CyberWire Daily - Blocking and tackling in the cyber phases of Russia’s hybrid war against Ukraine. Info-harvesting SDK. Recon into a power grid. Hydra Market indictment. Catphishing. Advance fee scams with a new twist.

Episode Date: April 7, 2022

An update on US cyber defensive operations and the war in Ukraine. You can’t tell your oligarchs without a scorecard. Google ejects data-harvesting apps from Play. China preps the cyber battlespace ...against India’s power grid. More moves against Hydra Market. Bearded Barbie’s catphishing. Betsy Carmelite from BAH on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this here dissident, who also needs to move money for the best of reasons…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/67

Selected reading.
Pentagon: Russia has fully withdrawn from Kyiv, Chernihiv (Washington Post)
Zelenskyy tells UN: Act now on Russia or dissolve yourself altogether (Atlantic Council)
DoJ takes down Russian botnet that targeted WatchGuard and Asus routers (ZDNet)
FBI Disables "Cyclops Blink" Botnet Controlled by Russian Intelligence Agency (SecurityWeek)
Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (US Department of Justice)
Adversarial Threat Report (Meta)
Facebook cracks down on covert influence networks targeting Ukraine (Washington Post)
Russian-backed hackers broke into Facebook accounts of Ukrainian military officials (CBS News)
Britain slaps sanctions on Russia’s biggest bank (The Telegraph)
Russia hit with new round of U.S. sanctions as Biden decries 'major war crimes' (Reuters)
U.S. to Sanction Putin Children, Banks Over Bucha Atrocities (Bloomberg)
The Forbes Ultimate Guide To Russian Oligarchs (Forbes)
Suspected Chinese Hackers Collect Intelligence From India’s Grid (Bloomberg)
Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (Recorded Future)
Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials (Cybereason)
Google Bans Apps With Hidden Data-Harvesting Software (Wall Street Journal)
The Nigerian Prince Scam, with a Russian Twist (Avanan)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. An update on U.S. cyber-defensive operations in the war in Ukraine. You can't tell your oligarchs without a scorecard. Google ejects data harvesting apps from Play. China preps the cyber battle space against India's power grid.
Starting point is 00:02:14 More moves against Hydra Market. Bearded Barbie's catfishing. Betsy Carmelite from Booz Allen Hamilton on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this dissident who also needs to move money for the best of reasons. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 7th, 2022. The U.S. Department of Justice announced late yesterday that the command and control functionality of Cyclops Blink,
Starting point is 00:03:17 a major GRU-run botnet afflicting WatchGuard firewalls and ASUS routers, had been taken down. The department described the court-ordered act of lawfare as follows. The Justice Department today announced a court-authorized operation conducted in March 2022 to disrupt a two-tiered global botnet of thousands of infected network hardware devices under control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the main intelligence directorate of the General Staff of the Armed Forces of the Russian Federation, the GRU. The operation copied and removed malware from vulnerable Internet-connected firewall devices that Sandworm used for command and control of the underlying botnet.
Starting point is 00:03:59 Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as bots, the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control. Cyclops Blink had been publicly in British-American crosshairs since February 23rd, when the NCSC, CISA, the FBI, and NSA issued a joint advisory describing the malicious campaign.
Starting point is 00:04:29 WatchGuard published remediations that same day, and ASUS followed suit shortly thereafter. The New York Times points out that the takedown was preemptive, as Cyclops Blink had simply been staged and not, as far as is known, actually been used. It could have been employed in a range of operations, from simple surveillance to destructive attacks. U.S. Attorney General Garland said, Fortunately, we were able to disrupt this botnet before it could be used. The Washington Post reported this morning that Facebook's corporate parent, Meta, had disrupted influence networks operated on behalf of the Russian and Belarusian governments.
Starting point is 00:05:09 The Post writes, The social media giant disclosed the campaigns in a 27-page report, including efforts to falsely report Ukrainian users as breaking the rules and efforts to hack into the accounts of Ukrainian military personnel. We continue to see operations from Belarus and Russia-linked actors target platforms across the Internet, Facebook head of security policy Nathaniel Gleicher said during a call with reporters. We know that determined adversaries like this will keep trying to come back. Facebook, which last year changed its name to Meta, said it has been fighting efforts by Russian authorities to promote propaganda about the war, including false claims about Ukrainian military aggression in the region
Starting point is 00:05:51 or blaming Western nations' complicity in the war. The company said it gave fact-checkers in the region more resources and launched a special operations center with Russian and Ukrainian speakers to monitor war-related issues on the platform. The Belarusian activity Facebook shut down included work by Ghostwriter, well known for Eurocentric disinformation operations. Meta's quarterly adversarial threat report details the Russian and Belarusian operations and the steps Meta took against them. The report says, in part, government-linked actors
Starting point is 00:06:26 from Russia and Belarus engaged in cyber espionage and covert influence operations online. This activity included interest in the Ukrainian telecom industry, both global and Ukrainian defense and energy sectors, tech platforms, and journalists and activists in Ukraine, Russia, and abroad. Russia at midweek offered payment in rubles against dollar-denominated bonds. The move, forced by U.S. blocking of additional Russian dollar accounts, is generally seen as a possible sign of approaching Russian default. Banks refused to process about $650 million in payments, Bloomberg reports, which forced Russia to offer rubles instead.
Starting point is 00:07:12 Both the U.S., according to Reuters, and the U.K., according to The Telegraph, have substantially tightened financial sanctions. The oligarchs haven't been forgotten either. Forbes has a useful list of who's who among the oligarchs, if you're keeping score at home. The Wall Street Journal reports that Google removed dozens of apps from its Play Store when it was found they contained data harvesting code carried in a software development kit provided by Measurement Systems, a Panamanian company said to have connections with the U.S. firm Vostrom Holdings. Infected products researchers at AppCensus found include Muslim prayer apps,
Starting point is 00:07:48 a QR code reader, and a speed trap detector. Recorded Future reports a Chinese government campaign against India's electrical power sector. It appears to be in its reconnaissance phase and directed toward battle space preparation as opposed to, say, theft of intellectual property. Recorded Future says, The prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence gathering opportunities. We believe this targeting is instead likely intended to enable information gathering
Starting point is 00:08:22 surrounding critical infrastructure systems or is pre-positioning for future activity. Germany's BKA took down Hydra Market's servers. Then the U.S. Treasury sanctioned the contraband market and some associated operations. And now the U.S. Justice Department has indicted the Russian boss, whom the U.S. Attorney for the Northern District of California alleges is responsible for the operation. Dmitry Pavlov faces charges of money laundering conspiracy and narcotics conspiracy. If convicted, he also faces forfeiture of all assets acquired through his crimes and of any assets he used in the furtherance of his crimes. Mr. Pavlov is said to have provided Hydra Market's servers through his company Promservice. At present, he's at
Starting point is 00:09:12 large and presumed to be living it up in Russia. Researchers at Cybereason describe an elaborate and well-researched catfishing campaign. Its unlikely name is Bearded Barbie. That's associated with Hamas and aimed at Israeli officials. The threat actors involved are familiar names, the MoleRATs and APT-C-23. Cybereason says the attackers used fake Facebook profiles to trick specific individuals into downloading Trojanized direct message applications for Android and PC, which granted them access to the victims' devices. The principal malware used is new, Barbie Downloader and BarbWire Backdoor, both of which are said to be stealthy. Cybereason also found an upgraded version of the previously known VolatileVenom Android implant.
Starting point is 00:10:06 The campaign will be familiar to all connoisseurs of social engineering. According to Cybereason, this campaign relies mostly on classic catfishing, using fake identities of attractive young women to engage with mostly male individuals to gain their trust. These fake accounts have operated for months and seem relatively authentic to the unsuspecting user. The operators seem to have invested considerable effort in tending these profiles, expanding their social network by joining popular Israeli groups,
Starting point is 00:10:38 writing posts in Hebrew, and adding friends of the potential victims as friends. So, sure, she says she's the friend of a friend of maybe a friend, but trust us, that doesn't make it so. Finally, Nigerian princes are so yesterday, now everyone who's anyone is getting email from Russian dissidents. Like the rest of us, you've no doubt been emailed by widows of Nigerian princes. Now, Avanan warns, there's a new kid on the advance fee scam block. Nigerian princes, meet the Russian dissidents. They're asking for your help in withdrawing money from a Turkish bank account.
Starting point is 00:11:18 75% of the money will go to Ukrainian relief, and you get to keep the balance. There are really actual Nigerian princes and there are really actual Russian dissidents. But the real ones have one big thing in common. They don't need your help moving money. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:59 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:36 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:36 Security firm CyberSaint recently released their State of Ransomware Attacks report, highlighting which industry sectors pay the most in ransom and who's getting hit the hardest. Padraic O'Reilly is co-founder and chief product officer at CyberSaint. The big one that stood out for me was that the propensity to back up, that is across the critical infrastructure sectors we looked at, is related to the propensity to pay. So if you are not all that inclined to back up, you are certainly more, you are more inclined to pay the ransom. The industries that do a better
Starting point is 00:14:13 job with backups more generally, and sort of, you know, contingency planning, and incident response are more confident in saying no, when it comes to paying ransom. So that one, it seems obvious on the face of it, but it was good to see it in the data. And that's something when we talk to companies, because a whole host of things is suggested with respect to ransomware and backups is certainly on the list, but sometimes companies don't know how to prioritize all of that. What about ransom payments? You did some digging there as well. Yeah, we did. And we looked at sort of the propensity by industry. You know, some of that is, you know, industries that, you know, I mean, Colonial, for example, came out and
Starting point is 00:14:57 announced within days that they had paid the ransom. You know, industries with, you know, huge OT infrastructure and products that they have to deliver to market who can't afford any downtime whatsoever often pay. Twinned with that, you might see local government and, you know, healthcare and others that are maybe quicker to pay the ransoms because of the inability maybe to have backups. And also they're protecting, you know, patient data or individual citizen data or Social Security numbers and things like that. So there's fear maybe of, you know, class action lawsuits. When I talked to the Irish government last year, their health service had been hacked and they announced that they weren't going to pay, but they were very concerned when I talked to the politicians over
Starting point is 00:15:45 there that class action suits would be following hot on the heels of that announcement. What are you all tracking in terms of organizations' approach to risk management? Is there a general maturation that's happening across industries? I think so. We have an offering in our product. It's sort of a tier of the software that is easier for commercial or smaller interests to operationalize. And it takes the ransomware framework that came out last year from the FBI and NIST and operationalizes that in systems. So we're seeing companies that have some exposure, and all companies really do, when you look at the frequency of the attacks, beginning to try and understand the risk management challenges around ransomware
Starting point is 00:16:41 and have some graphics and just some high-level things they can show to their senior management in order to prioritize the remediation of some of the gaps with respect to ransomware. Always underfunded and playing catch up with a lot of these things. I was a little surprised at medical. What is the reasoning behind that? Is it the velocity they run at? What do you suspect? Well, I'm always scratching my head when it comes to where they are with respect to some of this. And I do think some of it is the velocity they run at.
Starting point is 00:17:25 They do have a lot of data. They have a lot of challenges around claims and filing claims. When things were moving to the cloud, they were rapidly hiring developers to integrate different applications and do new claims processes. And they do a lot of things on the fly with data in healthcare. So I think there is often in healthcare a retrospective tendency to be reactive and to try and fix things in retrospect. I do think that COVID has put a lot of pressure on them to migrate a lot of their data services to the cloud. You can kind of see that with the online doctor's appointments. That came very quickly. But actually, the protections around it may not be fully baked.
Starting point is 00:18:12 So I do think there is an aspect of the speed of innovation. I know that all sorts of healthcare concerns hire individual dev teams to integrate many applications and to create new interfaces all the time. I don't know that they're always speccing those out for secure development lifecycle stuff. That's Padraic O'Reilly from CyberSaint. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Betsy Carmelite.
Starting point is 00:19:36 She is a senior associate at Booz Allen Hamilton and also a federal attack surface reduction lead. Betsy, it is always great to have you back. I want to talk about a report that you and your colleagues recently put out there, and this is about security in the federal space. What can you share with us today? Sure, Dave. One of the things that we wanted to talk about was revolutionizing a way for the dot-gov environment to approach and execute cybersecurity. To ensure the resilience against increasing digital threats, we want to look at how the U.S. can design and activate a whole-of-nation cyber strategy and a supporting cybersecurity system that integrates cyber defense and offense to provide a credible deterrence policy.
Starting point is 00:20:28 It also empowers greater collaboration between the public and private sectors and critical domains, and it mobilizes the cyber technology and innovation base. One of the ways that we are approaching this is through a recent study we conducted and devised called the Blueprint for Achieving a Secure and Resilient .gov. Well, can you take us through some of the details of what's in that report? Sure. This provides a framework which serves as really a North Star that can empower federal cyber leaders and sets federal agencies from CISA to smaller civilian agencies on that path to cybersecurity transformation. There needs to be a full spectrum capability to project power and defend against cyber espionage, sabotage, and influence operations so that we're all coming together and it's not really conducted in disparate pockets. So that means developing policies, plans, programs for, again, that whole of nation effort. Secondly, we're looking at the need to leverage
Starting point is 00:21:46 both offense and defense and really the integration of those two and synchronizing the way it conducts those activities. We could talk to defenders about capturing the tactics that they've seen used by attackers and feed them to NSA and U.S. Cyber Command to support defense-led offensive operations. And that way, the U.S. can deter cyber adversaries through punishment,
Starting point is 00:22:12 by retaliating in cyberspace and other domains against those who would attack the nation. And at the same time, the government must find ways to capture insights from offensive cyber operations, anonymize them, and share them with defenders to accelerate those defensive improvements. So from a practical point of view, how do you envision a plan like this being executed? So there are a few kind of verbs I'm going to throw out here that can really put the .gov space on a path to that cybersecurity revolution. So in terms of direction, directing, we can really accelerate the positioning of the Department of Homeland Security, CISA, as the director and orchestrator of federal cybersecurity.
Starting point is 00:22:59 CISA's job really must focus on eliminating complexity, establishing single standards and reporting requirements for .gov agencies, and then working with the Office of Management and Budget to centralize cyber budgeting, planning, and program execution. Next, identify in which we want to embrace that threat-centric risk management across the entirety of the digital ecosystem. So using modeling, emulation, and all that identification of how adversaries might attack, especially, for example, in supply chains. For defend, we want to move from reactive threat detection and incident response to proactive cyber defense operations. For connect, we want to recognize that the data and the ability to work with it, use it, operationalize it, needs to be a lot faster than adversaries and is
Starting point is 00:23:52 imperative for effective cybersecurity. So we're looking at those, reimagining that public and private cooperation and partnership. And then finally, for Protect, really let's break free of the tools and realize that cutting-edge technology is really not the be-all, end-all. Instead of layering products in a redundant manner, let's shift our emphasis to architecting more defensible networks and finding the talent who can operate well within those networks. Yeah, you know, it really strikes me that, you know, to your point of collaboration and the public-private partnerships that I think more than we've seen in the past, we're really seeing organizations like CISA, organizations like the NSA are really public facing in a way that they haven't been before and really, you know, engaging with the private sector in a way that, to me, seems to be very productive. And I think that CISA's reliance on the private sector, with the private sector owning the majority of critical infrastructure in the U.S., their reliance on that real-time information
Starting point is 00:25:01 sharing is going to become critical. We see in many of the ISACs where companies really need to do some more company-to-company, organization-to-organization sharing to help each other understand what threats they're seeing. But what would also help from CISA are cybersecurity standards to make it easier for companies to focus on cyber defense mitigation rather than compliance. Because compliance is going to take you only so far when you have to respond to an incident. And so using kind of those publicly available standards, blueprints, and understanding how they can build on the work of NIST would really be helpful in that public-private cooperation. All right. Well, Betsy Carmelite, thanks for joining us. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks.
Starting point is 00:26:24 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin,
Starting point is 00:26:42 Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
