CyberWire Daily - British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.

Episode Date: March 23, 2022

The US and the UK warn of impending Russian cyberattacks, and Russia responds with warnings against “banditry,” crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta, but Okta’s case is more complicated. Josh Ray from Accenture on the cyber workforce. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. Secureworks takes a look at the criminal ecosystem around Conti.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/56

Selected reading.
Ukraine war has put our relationship with US at breaking point - Russia (Daily Post Nigeria)
Kremlin dismisses U.S. warning of potential Russian cyber attacks (Reuters)
As Biden puts US on alert, Russia seeks talks to help prevent cyber war (Newsweek)
U.K. echoes Biden warning on Russian cyberattacks (The Record by Recorded Future)
Biden: Russia mulling cyberattacks on US (C4ISRNet)
National Security Advisor details new intelligence on potential Russian cyberattacks (FOX 5 DC)
The Threat of Russian Cyberattacks Looms Large (The New Yorker)
FBI sees growing Russian hacker interest in US energy firms (AP NEWS)
CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S. (YouTube)
CISA highlights new reporting hotline amid warnings about potential Russian cyber attacks (Federal News Network)
Delta Electronics DIAEnergie (CISA)
Delta Electronics DIAEnergie (Update B) (CISA)
Microsoft, Okta Investigating Data Theft Claims (SecurityWeek)
Hackers hit authentication firm Okta, customers 'may have been impacted' (Reuters)
'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack (Wired)
Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach (The Record by Recorded Future)
Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack (Wall Street Journal)
Fury As Okta—The Company That Manages 100 Million Logins—Fails To Tell Customers About Breach For Months (Forbes)
Cloudflare’s investigation of the January 2022 Okta compromise (Cloudflare Blog)
Updated Okta Statement on LAPSUS$ (Okta)
GOLD ULRICK leaks reveal organizational structure and relationships (Secureworks)
Details of Conti ransomware affiliate released (ComputerWeekly.com)
More can be done to curb misuse of Cobalt Strike, expert says (VentureBeat)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The U.S. and the U.K. warn of impending Russian cyber attacks, and Russia responds with warnings against banditry, crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta.
Starting point is 00:02:17 Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. SecureWorks takes a look at the criminal ecosystem around Conti, and Josh Ray from Accenture talks about the cyber workforce. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 23rd, 2022. U.S. President Biden's warning Monday that Russia was likely to engage in cyber attacks against the U.S. continues to draw attention. Deputy National Security Advisor Ann Neuberger clarified the president's statement, quote, as the president has said, the United States is not seeking confrontation with Russia,
Starting point is 00:03:17 but he has also said that if Russia conducts destructive cyber attacks against critical infrastructure, we will be prepared to respond, end quote. National Security Advisor Jake Sullivan discussed some of the implications such an attack might have for NATO's collective defense agreement. Quote, We could see circumstances wherein a collective response by the alliance to a cyber attack would be called by an ally. That is absolutely something we and other countries could bring capacities to bear to help a country both defend itself and respond to a particular cyber attack. End quote.
Starting point is 00:03:54 The FBI reports seeing signs of battle space preparation against U.S. energy providers, and the U.S. Cybersecurity and Infrastructure Security Agency continues to recommend that organizations take appropriate precautions. The U.S. has emphasized the importance of taking basic steps to improve cyber defenses and organizational resilience, Federal News Network reports. Quote, There is evolving intelligence that Russia may be exploring options for cyber attacks against the United States, CISA director Jen Easterly told a session with critical infrastructure operators and stakeholders yesterday,
Starting point is 00:04:31 end quote. Her comments came at the beginning of a three-hour session that CISA was quick to make public. That's not, as Easterly commented, exactly shocking news, but she emphasized the importance of taking appropriate precautions against such attacks. In an apparent nod to the military proverb that those who defend everything defend nothing, she said that CISA was focusing on the lifeline sectors, that is, communications, transportation, energy, water and financial services. That last sector is of particular concern, Easterly said,
Starting point is 00:05:13 because it seems a likely target for Russian retaliation for the heavy sanctions most of the world has imposed on Moscow for its war of aggression against Ukraine. We've been working very hard here at CISA to reach across sectors, but we're really focusing right now on what we call the lifeline sector. So specifically the communications sector, the transportation sector, the energy sector,
Starting point is 00:05:36 the water sector, and then of course, the financial services sector, just given the concerns about potential retaliatory attacks for the very severe sanctions that the U.S. and our partners have imposed on Russia. So the public U.S. response to the Russian cyber threat is essentially expressed by CISA's Shields Up alert. The U.K.'s National Cyber Security Centre has seconded the White House warning, quote, In heightened periods of international tension, all organizations should be vigilant to cyber risks. And for several months, the NCSC has been advising organizations to bolster their cyber security.
Starting point is 00:06:17 The NCSC has already published actionable guidance for organizations to reduce their risk of cyber compromises. While the NCSC are unaware of specific targeted threats to the UK resulting from Russia's illegal invasion of Ukraine, we recommend organizations follow this advice as a priority, end quote. That published guidance has much in common with CISA's Shields Up. Reuters quotes Kremlin spokesperson Dmitry Peskov as saying, quote, the Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry, end quote. His contention, of course, is both pro forma and absurd. Russian privateering and direct state cyber attacks have been notorious narratives in cyberspace for two decades. Andrei Krutskikh, a diplomat with a background in arms control
Starting point is 00:07:10 who presently serves as director of the Russian Foreign Ministry's Department of International Information Security, struck a more statesman-like tone than did Mr. Peskov. In an interview with Newsweek, Mr. Krutskikh pointed out the way in which cyberspace had become an international commons and the importance of all sides working together to secure its beneficial use for all. He said, quote, security and survival. Relying on them, we can become richer or lose all our savings. They are transboundary and almost almighty. Amidst this reality, the main task is not to frighten each other with digital means, but to try to reach agreements before it's too late.
Starting point is 00:07:57 He said that cyber attacks were particularly likely to drive escalation of any conflict. Quote, A cyber attack, be it accidental or intended, including one perpetrated under false flag, can easily trigger escalation between states, leading to a full-scale confrontation. Ensuring international information security, therefore, becomes one of the key factors that directly influence strategic stability. End quote. Mr. Krutskikh pointed with open-eyed innocence at the ways in which cybercrime had contributed to international mistrust.
Starting point is 00:08:32 Quote, hacker groups tend to target their activities at big businesses, banks, and financial institutions, ensuring international information security, therefore, becomes one of the key factors that directly influence strategic stability. End quote. Elsewhere, Deputy Foreign Minister Sergei Ryabkov said Tuesday that Russo-American relations were at a breaking point. Quote, Yesterday, a note of protest was handed over to the American ambassador,
Starting point is 00:09:00 noting that what was happening has put relations on the verge of breaking off. They must stop issuing threats against Russia, the "they" he's referring to being the Americans. CISA has fish to fry outside of Shields Up, of course. The U.S. Cybersecurity and Infrastructure Security Agency yesterday issued two industrial control system security advisories, both for products from Delta Electronics. Both Microsoft and Okta have confirmed that they were hit by the Lapsus$ gang. In Microsoft's case, Redmond said, Our investigation has found a single account had been compromised, granting limited access.
Starting point is 00:09:39 Some company code was exfiltrated, but no customer data or code were affected. Okta's case is more complicated. The company, which will hold a webinar later today to discuss details of the incident, said, quote, The Okta service is fully operational and there are no corrective actions our customers need to take. After a thorough analysis of these claims, we have concluded that a small percentage of customers, approximately 2.5%, have potentially been impacted and whose data may have been viewed or acted upon.
Starting point is 00:10:12 We have identified those customers and are contacting them directly. Lapsus$ continues to claim, as the Record and other sources report, that the effect on Okta was much more serious than the company's public statements suggest. According to Forbes, some of Okta's customers feel the company has been slow to inform them of potential problems. One customer, Cloudflare, which uses Okta's identity management solution for internal employee accounts, offers advice to other customers about how to respond to the possibility of compromise. And finally, SecureWorks finds useful information in recent leaks involving Conti and its affiliates, which comprise a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support.
Starting point is 00:11:00 It's the kind of criminal ecosystem that could easily be used for those destabilizing operations Russia's been warning against. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:11:42 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:36 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. One of the side effects of the pandemic, combined with global and national political and economic situations, is an increase in a general sense of anxiety.
Starting point is 00:13:24 I know I've felt it, and the term doom-scrolling is related to it for sure. Researchers at F-Secure were curious about the phenomenon of digital anxiety, and they set out to gather facts and analyze the results. Tom Gaffney is principal consultant at the consumer division of F-Secure. Historically, it's really been looking at it from the angle of children. So there's obviously concerns from parents that kids have overexposure to digital devices or social media and not engaging necessarily with the real world. So lots of studies into that area. But because of the pandemic, we wanted to understand how that affected the adults working
Starting point is 00:13:59 from home instead of being in an office. Well, let's go through some of the things that you found out here in the survey. What were some of the items that caught your eye? Well, the headline is that we found that across the board, people have concerns that they are more stressed or suffer more anxiety online. And the headline figure is that 58% of all respondents found that that was the case. But when you talk about people who've shifted from working in a physical location in an office somewhere to working online, that rose up to 67%. That was probably the standout headline that we saw.
Starting point is 00:14:37 And do you have any sense as to what's driving this? Why the shift to working from home is increasing their anxiety about online security and privacy? Well, for the answer to that, we turn to academics. So we worked in conjunction with some academics in the UK and elsewhere, and they helped us derive a few conclusions from this. Probably the main one is the expectation that people are worried because they are being thrust, you know, into more home working without a lot of training or preparation. So typically, if you work for a company, you've got a computer or a phone, and they've got an IT department that takes care of the security on that for you. But in the new normal, people are taking their devices and
Starting point is 00:15:22 they're responsible for managing that security in a home environment. And most of us don't necessarily have the skills to set up home devices and a home network so that they've got the same kind of security strengths that you would have in a corporate environment. So that brings with it an element of stress. People wonder how and what kind of things they should do. And at the same time, we think that, or we know, in fact, that there's an increasing overlap when you are working all the time from home between what you're doing for work and what you're doing in your personal life.
Starting point is 00:15:55 And these factors together increase the anxiety. What can employers do to help put people at ease? What sort of things could they put in place? There's a lot of things that they can do. They can do training to give guidance to people on how to run the actual practical tools that they need for their security tools. And it gives guidance on how to use their devices. So, for example, we recommend that try and encourage some separation
Starting point is 00:16:23 between what you do on your work device, if you've got a work laptop or a work phone, and try and separate that from what you do for your own personal things. So if you're browsing shopping and social media, try not to mix doing that on the same device, because that line between what you do for work and for your private life is even harder for people to separate. So we recommend highly that they have that kind of space. And if companies want to go the extra mile, they can, as we've seen some companies globally around the world do, use Volkswagen as an example. They actually encourage, or they mandate, that outside of working hours, they don't allow bosses to send messages to their staff. That might not work for a small company,
Starting point is 00:17:08 you know, under 10 employees, but for larger corporations, they can take a lead and sort of help employees have a separate boundary between what they do for work and what they do for private life. That's Tom Gaffney from F-Secure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:17:47 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, always great to welcome you back. Thank you, Dave.
Starting point is 00:18:34 I want to check in with you today on where things stand in terms of our cybersecurity workforce. You know, we seem to be sitting at this moment, I think particularly right now with the situation going on in Ukraine, this moment highlights the fact that there's a whole lot of people out there who've been working really hard and it's been a while since they've had breaks. I suspect there are a lot of teams out there that are teetering on the edge of burnout. Oh yeah, I think to say they're well into burnout is probably an understatement. I was just thinking about the amount of just global activities that my team has had to be engaged in to support clients.
Starting point is 00:19:19 And just going as few years back as WannaCry, NotPetya, the Soleimani strikes, SolarWinds, Colonial, Kaseya, Elysium, Log4J, Ukraine. umbrella of a global pandemic that, you know, these security practitioners are having to kind of deal with on a day-to-day basis, along with their regular jobs, on top of, you know, I'm sure multiple incidents that, you know, don't make it up into the news. You know, that's a massive amount of work that these folks are having to do, and they always have to be right. And it's a huge amount of pressure. So, you know, when we think about, like, how do we care and feed for that workforce? I mean, I think it's really kind of a multi-pronged approach, and I don't think we've solved it by any stretch of the imagination, but we're taking a lot of different approaches to try to get it right.
Starting point is 00:20:23 Well, let's dig into that some. I mean, one thing that strikes me is, you know, having a deep enough bench that you can cycle folks in and out as people need breaks. But, you know, the flip side of that is we have a shortage of qualified people, right? Right. And, you know, demand for services are incredibly high too, right? So I think, you know, so there's, there's a couple of things. I mean, growing talent is one that you have to take kind of a long-term approach on,
Starting point is 00:20:50 right? So how do you, how do you start them young? How do you go into the high schools or even the middle schools and get kids excited about this idea of cybersecurity? And it's not so much that everybody needs to be, have a, everybody needs to have a programming background, but more along the lines of how do you excite them about the mission? How do you get them excited about combating bad guys every day and really engender that investigative mindset within the middle school and high school ranks, and then start to kind of focus and train them on specifics. You know, there's massive amounts of disciplines just within security operations and cyber defense where we play, but just across the whole security landscape.
Starting point is 00:21:35 So I would say, you know, kind of starting those programs young and kind of engaging the youth to build that next generation. And then I think, you know, we got to be more creative about how do we attract talent. The computer science degree is great, but we've had a lot of success recruiting from a variety of different types of backgrounds, whether that be some type of history majors or religion majors or folks that have more of a soft sciences background,
Starting point is 00:22:06 you're going to get a variety of different points of view. And I think it takes all kinds of diverse thought to really help be successful within this mission space. What about specifically burnout, taking care of the people that you already have? You can only hand out so many bonuses, right? Right, yeah. And I mean, anybody can go at this point in the industry and go make more money. It's just a known fact. But it's really about how do you engender that sense of belonging and culture and mission?
Starting point is 00:22:44 That's something that we spend a lot of time on. And quite frankly, I think the pandemic has really dealt that a blow because this is a community of people that really likes to be around one another. And I'm not saying they have to work in an office nine to five every single day, but they need to be able to get together. They need that human interaction to really share ideas and just talk about what they do many times in their free time as well. So I think we've got to get back to, in the safest way possible, being able to work together and collaborate together,
Starting point is 00:23:23 going back to conferences and kind of rebuild the culture of the security community. So that's one. And then secondly, the idea of recognition. Right. Making sure that they're recognized for the work that they're doing. I think whether that's, you know, through different programs that HR can help you stand up. But just as leaders, you know, making sure that we take time to reach out personally and say, hey, thanks, you know, you guys are doing a great job. And that goes a long way. It makes people feel, you know, feel valued.
Starting point is 00:23:53 But I think most of all is folks want to feel that sense of belonging. They want to serve something that's bigger than themselves. And I think that's why, you know, people get attracted to this particular mission. Yeah. All right. Well, Josh Ray, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:24:32 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karf, Eliana White, Thanks for listening. We'll see you back here tomorrow. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
Starting point is 00:25:47 tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
