CyberWire Daily - Chinese cyberespionage in Russia? US Executive Order rescinds TikTok, WeChat bans. Operation Trojan Shield. Privateering. NATO’s Article 5 in cyberspace. Patch Tuesday notes.
Episode Date: June 9, 2021
SentinelOne attributes the cyberespionage campaign against Russia's FSB to Chinese services. President Biden replaces his predecessor's bans on TikTok and WeChat with a process of engagement, security reviews, and data protection. More on the FBI-led Operation Trojan Shield. Privateering, again. NATO's Article 5 in cyberspace. Joe Carrigan weighs in on recent high profile cyber incidents. Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/110
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
SentinelOne attributes the cyber espionage campaign against Russia's FSB to Chinese services.
President Biden replaces his predecessor's bans on TikTok and WeChat with a process of engagement, security reviews, and data protection.
More on the FBI-led Operation Trojan Shield.
Privateering, again.
NATO's Article 5 in cyberspace.
Joe Carrigan weighs in on recent high-profile cyber incidents.
Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report.
And notes on Patch Tuesday.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 9th, 2021.
CyberScoop reports that SentinelOne believes it knows, roughly speaking, who hacked into Russian government networks last year.
It was, the security firm says, Chinese espionage services, and not one of the Five Eyes.
The espionage group they call the ThunderCats gets the credit, SentinelLabs reports, and it bases its conclusions on what it regards as decisive code similarities to campaigns the APT has earlier used against targets in Southeast Asia.
SentinelOne researcher Juan Andrés Guerrero-Saade told CyberScoop, quote, the idea of Chinese targeting of Russian government and vice versa should not shock us. Sino-Russian relations are complex and involve hot-button issues like a shared border.
What is relatively unusual is Russia's decision to publicly call out a hostile espionage operation. Diplomatic signaling by press release is more common in the West.
U.S. President Biden this morning issued an executive order that effectively rescinds his predecessor's bans of WeChat and TikTok.
While acknowledging an ongoing emergency,
the new executive order directs engagement, security reviews,
and data protection instead of outright bans.
The FBI's satisfaction at the outcome of Operation Trojan Shield,
which featured the use of an encrypted chat app under bureau control
to identify criminals who thought they were safe from snooping,
is well-deserved.
It's also becomingly modest.
Most of the bureau's fist-pumping has been done vicariously
by its international partners.
Most of the offenses were related to drug trafficking. Stuff summarizes the arrests and seizures, quote, Operation Trojan Shield involved police swoops in 16 nations. More than 800 suspects were arrested and more than 32 tons of drugs, cocaine, cannabis, amphetamines, and methamphetamine, were seized along with 250 firearms, 55 luxury cars, and more than $148 million U.S. in cash and cryptocurrencies. New Zealand's take alone collared senior members of the gangs with picturesque names like Mongrel Mob, Headhunters, and Comancheros.
Does the international police sting that collared more than 800 suspects who unwittingly used an encrypted chat app secretly run by the U.S. FBI mean that the underworld will be skittish about using encryption? Probably not. Texas News Today talked to a range of experts who point out that the underworld's track record is to simply move on to other apps when one is known to have been compromised.
The FBI's other big success this week was its recovery of a substantial fraction of the ransom Colonial Pipeline paid DarkSide. The feds had the key to one of the wallets the gang used to share profits with its affiliates, and they were able to use that to take control of the coins DarkSide had deposited there. It's a commendable clawback, but the Washington Post rains on the parade a little by pointing out that there's no single solution to ransomware. As long as it remains profitable, the hoods will continue to attack.
Much recent ransomware activity has been regarded as privateering, state-tolerated criminal activity. The crooks get to keep the money they steal, and the state (for state, read Russia) gets economic damage to its adversaries (for adversaries, read the United States, among others). StateScoop reports that FireEye's Kevin Mandia told a New York State cyber conference that the U.S. was getting sucker-punched in cyberspace and that this would continue until the nation upped its defensive game.
NATO Secretary General Jens Stoltenberg said this week that a significant cyber attack could trigger NATO's Article 5, the collective defense provision under which the Atlantic Alliance treats an attack against one member as an attack against all members. He also pointed out that NATO exercises now include cyber operations as a routine part of their scenario.
The Atlantic Council, where Stoltenberg spoke Monday, outlined his remarks on Russia and China. He sees a dual-track approach to Russia. A pattern of aggressive actions from Russia has led NATO to beef up its presence on its eastern front and in the Black and Baltic Seas. But ahead of Biden's meeting with Russian President Vladimir Putin, which will follow the NATO summit, Stoltenberg said the alliance must maintain a dual-track approach. We have to be strong, firm, but at the same time we need to strive for dialogue with Russia because Russia's our neighbor. We have to work on issues like arms control. Stoltenberg even raised the possibility of resuming the NATO-Russia Council, a forum for collaborative dialogue that has not convened since July 2019.
Stoltenberg sees China as a different problem. Quote, we need to engage with China on issues like arms control and climate change, and therefore China is not an adversary, end quote. But from a crackdown on ethnic minorities to blocking freedom of navigation, they don't share our values, Stoltenberg added. How should NATO respond? Given Chinese investment in European infrastructure, NATO's 2030 agenda includes stronger guidance for resilience, telecommunications, undersea cables, energy grids and critical infrastructure, and also investing in and working more on technology, sharpening our technological edge.
...that the REvil gang, in the course of their ransomware attack against meat processor JBS,
succeeded in taking data from Australian and Brazilian units of the company.
Yesterday was Patch Tuesday, and Microsoft addressed 49 issues, five of them rated critical, the rest assessed as important. Six of the vulnerabilities were zero-days that have been undergoing active exploitation in the wild.
Intel also patched yesterday, addressing 73 vulnerabilities in 23 advisories.
Onapsis reports that SAP has issued 20 fixes to its products. Memory corruption issues are among the important vulnerabilities addressed.
And Adobe also patched, issuing fixes for 41 vulnerabilities against 10 products.
Researchers at Aryaka Networks recently published the latest edition of their State of the WAN report, highlighting trends in SD-WAN and SASE planning and deployment.
I spoke with Shashi Kiran from Aryaka for some of the highlights.
This is something that we use to shape our own roadmap.
And we have a global presence with customers, a global footprint.
And we don't see a report out there in the industry that reconciles all the nuances and the trends in a detailed way across different countries and regions.
And so it's a good exercise for us to get in front of these trends and use them as a way to guide our own roadmaps. But at the same time, we also then end up sharing this with customers and prospects and partners
and it becomes an invaluable thought leadership asset for them to use in their own planning efforts,
which is doubly beneficial as a result.
What sort of things are you tracking in terms of challenges
that folks are facing from a WAN point of view?
The biggest challenge that we have seen, aside from complexity,
is really the focus on application performance.
The WAN is really the lifeblood of the organization
if you look at being able to connect users
regardless of
which location they're operating from and the kind of applications that they're using.
And if you don't have reliable performance, then it ends up really having an impact,
a negative impact on employee productivity and performance.
So that's been sort of top of mind.
And we've also seen, as more applications became cloud-ready and enterprises adopted a cloud-first approach to their WAN,
They're also moving away from more static protocols like MPLS, which have been around for a couple of decades now,
very reliable, focus on app performance.
But they're really not meant for change management
and dynamic nature of the organizations today
where businesses are rapidly evolving.
So that has led to greater preference towards more agile architectures, SD-WAN and SASE being amongst them.
But we've also seen, going back to this notion of complexity, that enterprises don't necessarily want to go build out a set of boxes by themselves and manage it by themselves.
So we're seeing this increased preference moving towards managed services where they would ideally like to consume these services based on their usage model
rather than go with a do-it-yourself approach and manage that inherent complexity.
So these are some top-of-mind things that we saw come out very prominently in this year's report.
That's Shashi Kiran from Aryaka Networks.
Their State of the WAN report can be found on their website.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
So I wanted to touch base with you today about some of the trends that we're seeing when it comes to ransomware attacks.
The attackers are upping their game and shifting their targeting.
What do you make of all this, Joe?
What do I make of it?
I don't know what I make of it yet, but it's an interesting trend.
Normally, we see them going after businesses, right?
Right, right.
And they're targeting businesses who they know have deep pockets. And then they were basing their ransom demands on the company's revenue.
They were actually doing a lot of business analysis in order to do this. Now they've kind
of shifted from doing that to shutting things down, right? Making it so that services are not available to the general public.
Things like the Colonial Pipeline shutdown that was carried out by DarkSide.
And then DarkSide saw that, or REvil saw that DarkSide got $4 million out of that.
And of course, that only incentivizes them to attack.
And they've since attacked the JBS meat plant
or a bunch of meat plants
and as well as the New York subway
and Martha's Vineyard ferries.
Yeah, yeah.
I wonder how much of it's intentional.
I mean, first of all,
I guess it's important to note
that when it came to Colonial Pipeline,
it wasn't the ransomware folks
who shut down the pipeline.
It was Colonial who shut down the pipeline because they couldn't do their billing, and they were concerned about that.
So that may be a distinction without a difference.
The bottom line is the stuff didn't flow.
Right, and there was an article in the Wall Street Journal where the CEO explained why he did it.
He said they didn't know how far they got into the system.
So he thought they may have been in the operational technology.
Right.
So better to be safe than sorry and shut things down than perhaps have things go really off the rails.
Right.
I guess was the rationale.
Yes.
Agreed.
And I think that was the right decision to shut the pipeline down.
Yeah.
If you don't have faith in the system running it, you shut it down.
Same with the meat plant.
There's a lot of SCADA systems in there that, you know, when I first heard about this, I'm like, well, what kind of SCADA systems are in a meat processing plant?
But there are a lot.
There's a lot of temperature control stuff that is absolutely imperative for food safety.
Right.
There's pumps.
Lots of pumps are controlled by these SCADA systems.
And now they're shutting down a ferry system.
This has a direct impact on people's mobility.
These are things that impact all of us.
And it's a change from the almost nameless, faceless ransomware attack on a corporation
that, oh, no, now this corporation
can't do their job and they have to pay some ransom or have to rebuild all their computers.
Now it's things like, hey, my meat prices are going up. My gasoline prices are going up. I can't
get where I need to be. It's a change. And I find it interesting that right now the Department of Justice is prioritizing these attacks.
They're saying it's the same level of terrorism.
Business Insider has a story today saying that the FBI director, Christopher Wray, has compared the latest spate of ransomware attacks in the U.S. to 9/11.
I don't know if that's a valid comparison. I'm not sure that very many
people have died as a result of these ransomware attacks. But it is certainly an attack. It is
certainly a series of attacks. And DarkSide says that they've gone away, right? That's what they
said when they were GandCrab, right? So they'll be back. You know, you don't make $4 million and
then just disappear in this kind of market. Yeah. And I wonder if they've all sort of gone a bridge
too far or, you know, I guess the sports analogy, how they outkicked their coverage in that by doing
this, yeah, they got their $4 million or whatever the ransom was, but now they have the attention of the U.S. government at
the highest levels. And, you know, President Biden has said he'll be speaking with President
Putin about this when they get together in a few weeks. It'll be interesting to see
to what degree is he able to apply pressure to try to stop this?
Right.
Yeah, we'll have to pay attention and see how that goes.
It'll be interesting to watch.
Yeah.
I think it's also interesting how it puts ransomware
in the larger global scale where a nation could be,
for example, the U.S. could put financial pressure on the Russians.
The U.S. could have more sanctions on the Russians.
In other words, it's not just sort of tit for tat within cybersecurity.
It's reached the point where we're using the other levers of diplomacy
that we have to try to say, hey, knock it off, knuckleheads.
Right. And the Russian
counter-argument to that is these are criminal elements within our organization or within our
country. We don't have control over these guys. You don't have control over your criminal elements.
How can you expect us to have control over ours? Right. Yeah. Okay. I hear you, Dave. Yeah. I mean, you know, I guess, you know, yeah.
All right.
I think we all know, you know, how the degree to which we should take those sorts of statements
coming out of Russia seriously.
Yes, agreed.
History has proven to us the degree to which we should take those sorts of statements
coming out of Russia seriously.
So we will.
All right. Well, Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Thanks for listening. We'll see you back here tomorrow.