CyberWire Daily - Both sides in the conflict over Ukraine are talking with their allies and preparing for conflict in cyberspace. A cyberattack disrupts gasoline distribution in Germany. Notes on APTs and privateers.
Episode Date: February 2, 2022

Tensions between Russia and Ukraine, and between Russia and NATO, remain high as diplomacy is at a temporary impasse: both sides have stated their incompatible positions and are consulting with their allies. NATO prepares to render cyber assistance to Ukraine. An unspecified cyberattack affects gasoline distribution in Germany. The White Tur threat group borrows heavily from several APTs, but itself remains mysterious. Charming Kitten gets some new claws. Caleb Barlow on Harvard's analysis of Equifax. Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report. And the Trickbot gang seems to be privateering in that old familiar way. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/22
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Tensions between Russia and Ukraine remain high as diplomacy is at a temporary impasse.
NATO prepares to render cyber assistance to Ukraine.
An unspecified cyber attack affects gasoline distribution in Germany.
The White Tur threat group borrows heavily from several APTs, but itself remains mysterious.
Charming Kitten gets some new claws.
Caleb Barlow on Harvard's analysis of Equifax.
Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report, and the Trickbot gang seems to be privateering in that old, familiar way.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 2nd, 2022.
The conflict between Russia and Ukraine is, for now at any rate, at an impasse,
with diplomacy between the two sides not advancing.
Russia continues to position itself as the aggrieved party, Ukraine as dangerous, and NATO as misled by American bad faith.
In the meantime, Ukraine digs in and NATO prepares for an escalation of hybrid conflict that is expected to prominently feature cyber operations.
NATO is consulting with Ukraine.
Russia is consulting with Belarus,
as China stands by as a more or less sympathetic observer.
U.S. Deputy National Security Advisor for Cybersecurity and Emerging Technologies Anne Neuberger is conferring with NATO policymakers in the North Atlantic Council, after which she'll visit her counterparts in Poland.
aid for Ukraine, and the New York Times characterizes Neuberger's mission as largely focused on, quote, how to coordinate a NATO response should Russia again attack parts of the power grid in Ukraine or take out communications in an effort to destabilize the government of President Volodymyr Zelensky, end quote.
The Times quotes an unnamed senior U.S. official to the effect that the U.S. believes Russia is interested in replacing the government in Kiev with a friendly one, that is, one more like the regime in Belarus.
Quote, if Putin could accomplish that without occupying the country and sparking an insurgency, that would be his best option.
End quote.
And attacks on infrastructure, especially on Ukraine's power grid, could prove to be, from the Russian point of view, agreeably destabilizing.
Ukraine has, for its part, continued to seek close collaboration with NATO on cybersecurity.
While NATO turned down Ukraine's request last year for a formal association with the Tallinn-based Cooperative Cyber Defense Center of Excellence,
Defense News reports that Estonia, in particular, has cooperated closely with Ukraine and continued to advocate for Kiev with Estonia's NATO partners.
The Estonian Ministry of Defense wrote in a statement last week, quote, the parties discussed the organization and overall state of Ukraine's national cybersecurity, including the recent large-scale cyber attacks against Ukraine and their impact on the current security situation, end quote.
Margus Matt, Undersecretary for Cyber Matters at the Ministry, added, quote, Estonia is ready to send cyber specialists to Ukraine to further develop this exchange. By supporting Ukraine, we are also strengthening our own defense posture, end quote.
It's possible for countries who aren't NATO members to become contributing participants in the CCDCOE.
Austria, Switzerland, Sweden, and Finland presently enjoy that status.
The center's director, Estonian Air Force Colonel Jaak Tarien, told Defense News that, quote, right now the CCDCOE is mapping out new possible cooperation areas with Ukraine, since Ukraine has unique experience in combating hybrid threats. Sharing it will help to improve both the knowledge and readiness to face such threats in each member state of CCDCOE individually and in NATO as a whole, end quote.
The cyber threat doesn't run entirely in one direction,
and while the open letter from the Congress of Russian Intellectuals is a protest,
there's a possibility that other dissenters could move to hacktivism.
In addition to the prospect of NATO retaliatory or preemptive cyber operations, hacktivists could begin to hit Russian targets.
The Moscow Times looks at the recent disruption of Belarusian rail transport by the Cyber Partisans and speculates that similar hacktivism might also surface in Russia.
Gabriella Coleman, professor of anthropology at Harvard University and author of two books on computer hacking, told the Moscow Times, quote, the BCP have been so spectacular and effective that I could definitely see a few other groups popping up in the region, end quote.
The number of hacktivist groups, activists who use technology to effect social change, has been on the rise across Russia in the last few years, and with brutal crackdowns on public protests sweeping across the post-Soviet region, cyberspace may be the safest place for collective discord.
There are dissenting voices within Russia itself, although it's not clear how much of the Russian populace they represent.
More than 2,000 members of the Congress of Russian Intellectuals, Radio Free Europe/Radio Liberty reports, signed an open letter Sunday in which they decried the threat of military action against Ukraine as immoral and denounced any such war as tragic and unjustifiable.
Gabriella Coleman added in her conversation with the Moscow Times,
quote, in Russia there is clearly a highly trained technical class of people and there is disaffection,
so you would expect to find at least a small pocket of hacktivism, end quote.
While so far Russian cyber operations against Ukraine have been relatively closely confined to their intended targets, the malware used in the WhisperGate pseudo-ransomware lacked the worming capabilities that enabled NotPetya to spread so quickly beyond its initial Ukrainian infestations.
Well, that could change.
Cybersecurity Dive and others recount the potential threat future operations could pose to Western businesses, and those businesses would do well to inspect their insurance coverage.
Exceptions for acts of war and other acts of states made it difficult for many of them to recover damages they sustained from NotPetya in 2017.
We read yesterday in the
German business publication Handelsblatt that the gasoline distribution firm Oiltanking and Mabanaft Group, an energy company, have come under an unspecified cyber attack that they're working to resolve.
Both companies are subsidiaries of Marquard & Bahls, and Bleeping Computer suggests that they may have been infected through their parent organization.
Computing reports that the incident has taken the automated systems responsible for filling and emptying its fuel storage tanks offline at 13 facilities in Germany that between them handle about 155 million tons of material every year.
The filling of petrol tankers is being held up as a result. Mabanaft has declared force majeure at the oil terminals it operates in Germany.
Officials downplay the seriousness of the disruptions, which they say have not had a major effect on German fuel supplies.
There's no attribution yet as to who's responsible for the attack, and so there's no consensus either as to whether it's a criminal caper or a state-directed act of cyber espionage.
PwC describes a hitherto unknown threat actor they're calling White Tur, and the White in PwC's naming convention means that the researchers haven't yet associated the actor with any particular geographical area.
PwC's study of the group began with the investigation in January 2021 of a phishing campaign.
White Tur is unusual in that it seems to have borrowed tactics, techniques, procedures, and code from a range of unrelated advanced persistent threats.
Its only distinctive feature is its victimology.
It prospects defense, government, and research organizations in Serbia, but PwC is unable to discern any unifying motive that would point to a particular threat group.
Cybereason says the Iranian threat group Phosphorus, also called APT35
and Charming Kitten, has increased its activity and shown new capabilities, including highly modular malware and a novel PowerShell backdoor, being called PowerLess Backdoor, that evades detection by running a .NET application without launching the telltale powershell.exe.
It's also using open-source tools and publicly available exploits.
Cybereason finds that some of Charming Kitten's indicators of compromise overlap those associated with the Memento ransomware operation.
Wired has an account of the internal chatter of the TrickBot gang.
It does indeed seem to operate like a business, and while it was briefly disrupted last October by U.S. Cyber Command, it's back and operating from Russia with the familiar impunity Moscow confers on its privateers.
And finally, happy Groundhog Day. The Pittsburgh Post-Gazette reports that Punxsutawney Phil emerged from his tree stump on Gobbler's Knob, saw his shadow, and predicted six more weeks of winter.
Sadly, the town of Milton, New Jersey reports their own groundhog, Milton Mel, passed away just days ago,
leaving locals scrambling to find a suitable rodent replacement.
Who knew there's no such thing as a strategic groundhog reserve?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Data and security analytics company Devo recently released results from their third annual SOC Performance Report. Gunter Ollmann is Chief Security Officer at Devo. One of the challenges he sees from the report is getting leadership and SOC analysts on the same page.
Well, I think the leaders are much more positive about how things are going,
about feeling much more positive about the value that SOC brings to business,
much more, you know, feels much stronger that they're bringing new value to the business,
that they're solving business problems, and that their analysts are on form and delivering
what the business requires.
Meanwhile, the guys and girls in the trenches are feeling swamped,
alert fatigue, posture fatigue, policy fatigue.
They're up against the grind.
They feel swamped by the number of tools, the technologies,
and they feel year on year less like they are contributing positively to their organizations.
And what do you suppose is causing that mismatch there?
Is there a lack of communication between the two groups?
Yeah, there's clearly a lack of communication. Certainly, if you ask those folks in the trenches about how leadership is communicating what they're delivering and how leadership understands the day-to-day operation, that gap is broadening.
And so communication is key there. Maybe those leaders have a bit of a rose-tinted-glasses view of what it's like to now sit in front of those screens and respond to threats.
In terms of the SOC analysts themselves, can you give us some insights as to
what is the spectrum between the haves and the have-nots
in terms of the tools and the resources they have available to them?
I think one thing to sort of look at is, and it comes out in the report,
that 70% of those folks at the coalface state that working in the SOC is painful.
And that pain affects their recruitment, their attention,
and the burnout is increasingly a problem.
I think one of the ones that is pretty scary in this,
and it applies to both the high-performing
and low-performing teams,
and that is 63% of the respondents
have said they considered changing careers
and leaving the job.
And all this report was done September time.
I would bet a dollar that those SOC teams that managed through the Log4j work over Christmas, I would say that many more have been reconsidering their careers and leaving jobs.
What do you suppose they need then?
How do we move the needle here and make it so that they have the tools they need and
they're more satisfied with the job that they're doing?
Well, one of the pieces of feedback is that from the trenches
is there's too many tools, right?
Swamped with information, too many tools,
too many new things to learn.
And if that's the problem statement,
I think the other side of this is the looking for the integrations, the actual real application, machine learning and artificial intelligence to deal with both the drudgery of SOC response, but also just, you know, the triaging, the case management tools, but bringing it all together into,
I would hate to use the term suite, but effectively,
how do you bring all these disparate technologies, different tools,
into a single flow for response and mitigation?
For the high-functioning SOCs, what are the common elements there,
the ones who are doing well? Well, I think some of the problems, shared problems between both the leadership and the operations teams there,
I think the ones that they sort of highlighted were information overload, and the attack surface visibility has been a shared sort of problem.
And I think the attack surface visibility and the management of that has become probably one of the more critical elements of modern SOC operations and protection within the enterprise. As cloud expands and the
tools and technologies that every worker is now using requires so many new degrees of specialization.
So I think that has contributed to information overload
and new alerts and new tool creep.
The other one that was highlighted was really about the turf
or silo issues between the IT operations and SOC.
So who actually owns some of these things, whether it's the data, the retention, the policy compliance of these alerts, for example, through to, you know, who's responsible for actually responding for a different tier, is it a security event?
Is it a policy violation?
So I think that's a key part.
And the last one, you know, on shared problems has been the whole aspect of compliance with data privacy and data protection requirements
has crimped the ability for many of these SOC teams and SOC analysts to understand, investigate,
and provide speedy remediation to attacks.
So those were sort of shared problems between those leaders and the trenches for those high-performing teams.
That's Gunter Ollmann, Chief Security Officer at Devo.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Caleb Barlow.
Caleb, always great to have you back on the show.
There was a recent study that was released from the folks at Harvard,
and they were looking at the Equifax case.
I want to dig in with that with you. There's some interesting things in this report, yes?
Well, it's not even a report. It's actually a Harvard business study, you know, a case study that they use in teaching class. And it's a whopping $8.95 if you buy it on Amazon.
Well, this is an incredibly powerful tool
that I think most people don't realize is out there.
So, you know, the team at Harvard
basically took the time like they do
with all of these cases
to go do an intensive study of the Equifax breach.
They write up a case,
and then when they teach these things
at Harvard Business School,
they present the case
and the students have to discuss it
and decide, you know,
what would they do in this situation? Now, I've had the opportunity to sit in on this at Harvard
multiple times as kind of an outside expert when they discuss this case. And it's a really
fascinating case study that you can even use in your own executive team or if you're doing cyber
education. First of all, not only is it inexpensive, but it's not what you think is going to happen. So when, you know, most people hear Equifax, Dave, they kind of look at it and
go, oh yeah, well, that was, you know, a bunch of idiots that made a bunch of dumb decisions.
But when you read the case, you come back with a whole different opinion because the case is
walking through what do these executives know and when did they know it? And you suddenly look at it
and you scratch your head going,
yeah, I could see how they made that decision.
Yeah, maybe my company would make the same decision.
And then you suddenly start to realize
that what they were missing
might've been a little different than what you thought.
Can you give us an example here?
What are some of the things that stood out to you?
Well, I think when most people
hear about Equifax and what we saw in the news, you know, of course, this thing is predicated by
the fact that you had some insider trading and, you know, just a bunch of big screw-ups in the
process of response. But the reality is when you look at it, a lot of the tools and capabilities
were in place like many other companies. In fact, you know,
what I've seen classes end up with at the end of the discussion after talking about this for an
hour is really a conclusion that maybe this wasn't so much a lack of preparation for preventing a
breach, but maybe it was more about a lack of preparation of how to respond when one was
breached, having those run books in place,
exercising them, and making sure that was communicated well in the organization.
You know, unfortunately, this is a great example of where, you know, a siloed management team was
making independent decisions without looking at the bigger picture. And these are the types of
things we all need to learn. So it's a great way to kind of get across that point and have a little bit of fun in
discussing a case study. Interesting. So this is available on Amazon? Yeah, it's available on
Amazon. Like I said, it's literally $8.95. You can probably also pay a whole lot more and go to
Harvard and have this come up in a class. I think they teach it about once a year. They've also got
one out there on the Target study,
you know, Target case study,
which of course is a little more dated,
but it's just a really cool tool
because again, it's one of those things
that puts you in the seat of that executive
to really go, hmm, based on what they knew,
would you have made the same call?
And what do you think they could have done differently?
And these are great ways for everybody to learn.
Yeah, absolutely.
All right.
Well, Caleb Barlow, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.