CyberWire Daily - Chinese industrial espionage warning. Trickbot's privateering. Russian influence ops target NATO resolve. Cozy Bear sighting. Chinese APTs target Russia. NFT scams are pestering Ukraine.
Episode Date: July 7, 2022

The FBI and MI-5 warn of Chinese industrial espionage. Revelations of Trickbot's privateering role. Russian influence operations target France, Germany, Poland, and Turkey. Chinese APTs target Russian organizations in a cyberespionage effort. Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative. Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act. And who would guess it, but NFT scams are pestering Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/129

Selected reading.
Heads of FBI, MI5 Issue Joint Warning on Chinese Spying (Wall Street Journal)
FBI and MI5 leaders give unprecedented joint warning on Chinese spying (the Guardian)
FBI and MI5 bosses: China cheats and steals at massive scale (Register)
FBI director suggests China bracing for sanctions if it invades Taiwan (Washington Post)
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (Security Intelligence)
Trickbot may be carrying water for Russia (Washington Post)
Russia Info Ops Home In on Perceived Weak Links (VOA)
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (SentinelOne)
Chinese hackers targeting Russian government, telecoms: report (The Record by Recorded Future)
Near-undetectable malware linked to Russia's Cozy Bear (Register)
Russia's Cozy Bear linked to nearly undetectable malware (Computing)
When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors (Unit 42)
NFT scammers see an opportunity in Ukraine donations (The Record by Recorded Future)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI and MI5 warn of Chinese industrial espionage.
Revelations of TrickBot's privateering role.
Russian influence operations target France, Germany, Poland, and Turkey.
Chinese APTs target Russian organizations in a cyber espionage effort.
Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative.
Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act.
And who would have thunk it, but NFT scams are pestering Ukraine.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 7th, 2022. In a joint appearance yesterday at the London headquarters of MI5,
the British counterintelligence organization,
the directors of MI5 and the US FBI issued an unusually direct and bluntly worded warning
about the threat of Chinese industrial espionage, much of it cyber espionage.
The effort is extensive, focused, and marked by
both close attention to detail and an unusually wide net. FBI Director Wray told an audience the
Wall Street Journal described as composed of business people, the Chinese government is set
on stealing your technology, whatever it is that makes your industry tick, and using it to undercut
your business and dominate your market. They're set on using every tool at their disposal to do it.
China disagrees. A representative of Beijing's embassy in Washington,
Liu Pengyu, complained of U.S. politicians who have been tarnishing China's image
and painting China as a threat with false
accusations.
IBM Security's X-Force this morning published an account of TrickBot's recent activity,
the well-known Russian cybercriminal gang, and its new interest in Ukraine. X-Force says,
Following ongoing research, our team has uncovered evidence indicating that the Russian-based cybercriminal syndicate Trickbot Group
has been systematically attacking Ukraine since the Russian invasion,
an unprecedented shift as the group had not previously targeted Ukraine.
There's some overlap with other criminal gangs, including the perhaps retired but probably quietly returned Conti operation.
IBM says,
Between mid-April and mid-June of 2022, the TrickBot group, tracked by X-Force as ITG-23
and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns,
two of which have been discovered by X-Force,
against Ukraine, during which they deployed IcedID, Cobalt Strike, AnchorMail, and Meterpreter.
Ukraine is no longer on a near-abroad do-not-touch list, IBM says. Prior to the Russian invasion,
ITG-23 had not been known to target Ukraine, and much of the group's malware was
even configured to not execute on systems if the Ukrainian language was detected. So TrickBot, up
till now known for its straightforwardly mercenary interest in banking Trojans and the like, appears
to be a Russian privateer after all, an instrument of state power that's permitted to realize a profit from its
operations. X-Force elaborates, the observed activities reported in this blog highlight the
trend of this group choosing targets that align with Russian state interests against the backdrop
of the ongoing conflict. In addition to an announcement by the Conti ransomware group
that they would act in support of Russian state
interests at the beginning of the invasion of Ukraine, leaked chats between ITG-23 members
indicated that two senior individuals within the group had previously discussed in mid-April 2021
the targeting of entities that work against the Russian Federation and agreed that they were
Russian patriots.
Additionally, the executive director of Bellingcat claimed to have received a tip that a cybercriminal group was in communication with Russia's Federal Security Service, the FSB.
The six campaigns X-Force has tracked show evidence of more precise targeting
than TrickBot has typically shown, and that targeting aligns closely with
Russian state interests. Establishing identity conditions for threat groups is notoriously
difficult. They are protean, shifting, and their name is usually Legion. The Washington Post,
for one, takes particular notice of some Conti veterans, either current gang members or alumni,
who seem to be working for TrickBot.
It's like an exorcism, really. It's hard to tell the demons without a scorecard,
and far be it from us to offer His Infernal Majesty, Prince of this World, advice,
but even the demons have trouble telling themselves apart. Or so we hear.
Russian influence operations are now concentrating on opening fissures in NATO,
Voice of America reports.
Moscow's concentrating its efforts on what it perceives as high payoff targets
in France and Germany,
whose governments are widely perceived as softer in their support for Ukraine
than are NATO's more easterly members like the Baltic states and Poland
and its non-continental members like the UK, Canada, and the US.
Poland, which shares a border and a complicated history with Ukraine,
and Turkey, which controls access to the Black Sea.
The efforts are very much in the Russian style,
entropic and aimed at confusion as opposed to persuasion.
Cobalt Strike is often mentioned in dispatches as a penetration testing tool that threat actors often turn to malign use.
Other such tools are also susceptible to abuse.
Palo Alto Networks' Unit 42 reports that Cozy Bear, generally regarded as a unit of Russia's SVR, is deploying Brute Ratel C4,
a pen-testing tool in use since December 2020 in a range of cyber espionage campaigns.
Unit 42 doesn't formally attribute the campaign to Cozy Bear or even Russia, but it does offer circumstantial evidence that points in that direction.
The particular style of attack, observers agree, is unusually stealthy and evasive.
Unit 42 has some advice on what to look for.
Sentinel Labs reports noticeably increased Chinese cyber espionage activity
directed against Russian targets.
In this, Sentinel Labs independently confirms recent reports by Ukraine's CERT of
Beijing's interest in its sometime friends in Moscow. The relationship, again, is complicated.
The report says, on June 22, 2022, CERT-UA publicly released Alert 4860, which contains
a collection of documents built with the Royal Road malicious document
builder, themed around Russian government interests. Sentinel Labs has conducted further
analysis of CERT-UA's findings and has identified supplemental Chinese threat activity.
And of course, a de facto alliance, or better, an opportunistic collaboration of convenience,
in no way obviates the need for mutually suspicious partners to collect against one another.
The report says,
China's recent intelligence objectives against Russia
can be observed in multiple campaigns following the invasion of Ukraine,
such as Scarab, Mustang Panda, Space Pirates, and now the findings here.
Our analysis indicates this is a separate Chinese campaign,
but specific actor attribution is unclear at this time.
It is a fishing expedition.
The report concludes,
We assess with high confidence that the Royal Road-built malicious documents,
delivered malware, and associated infrastructure are attributable to Chinese threat actors.
Based on our observations, there's been a continued effort to target Russian organizations
by this cluster through well-known attack methods, the use of malicious documents exploiting
n-day vulnerabilities with lures specifically relevant to Russian organizations.
Overall, the objectives of these attacks appear espionage-related,
but the broader context remains unavailable from our standpoint of external visibility.
So, the enemy of my enemy is my friend, sort of, but only within certain limits,
and the line is drawn somewhere on the other side of espionage.
The five families arrange these things more amicably,
although even there some wise guy might get whacked
and end up in the Meadowlands.
Forget about it, Jake, it's East Rutherford.
Or so we hear.
And finally, hey everybody, dog bites man,
some NFTs are scams.
No, really, they are,
attaching themselves like a nasty boil to the
charitable body of Ukrainian relief efforts. The Ukrainian government and various celebrities,
in sympathy with the Ukrainian cause, have sold NFTs, non-fungible tokens, and if you're unclear
about what these are, find yourself a crypto bro and talk among yourselves, to raise funds for
the Ukrainian military and various related causes. They've enjoyed some success, and success draws
scammers the way meat draws flies. Investigators at the Ukrainian OSINT firm Molfar and the editors
of the AIN news service have found that the NFTs in question are being flacked as Zelensky NFT,
which depict the Ukrainian president as a range of superheroes.
Avengers, for the most part, as far as we can tell.
The purveyors of these NFTs say they're I Am Ukraine studio.
No one can really find out much about them beyond Molfar's claim that I am Ukraine
is a small group of Russians with one Belarusian tagging along. The outfit appears to exist only
in its Zelensky NFT, and where the money you might spend on one of the tokens would go is
anybody's guess. But it's a safe bet it won't be to anything anyone other than the proprietors of I Am Ukraine
would recognize as a good cause.
So keep your altcoins in your wallets, friends.
The best NFT ever was one offered by Monty Python's John Cleese a year or so ago.
He drew a picture of the Brooklyn Bridge and offered it up as an NFT.
And who could argue with that?
Matt Kent is the competition policy advocate for Public Citizen, a nonprofit consumer advocacy organization. My Caveat co-host Ben Yelin recently spoke with Matt Kent about the bipartisan American Innovation and Online Choice Act and the potential privacy and security benefits
of the legislation.
So essentially, about two years ago,
there was a big push for big tech accountability
using the antitrust laws.
And this is a bipartisan thing.
Democrats and Republicans have slightly,
I think, different reasons for opposing the big tech companies, but they coalesced around a series of bills in the House Judiciary Committee.
They were like – this was two years ago.
There were wall-to-wall hearings, all kinds of legislative activity.
It was really cool.
Like it was actually what congressional committees are supposed to do. They hauled in the tech executives. Jeff Bezos had to
answer questions in front of everybody. It was great.
They produced a very thorough, over a thousand page
report on the practices, the anti-competitive practices
of the big tech companies. So out of that effort came a package of six bills aimed at big tech
accountability through antitrust competition. A lot has happened since those bills passed out
of House Judiciary, ups and downs. But where we are now is two of those bills have really
sort of taken the momentum and everything is largely settled on the Senate versions.
So the two bills are the American Innovation and Choice Online Act.
That's the Klobuchar-Grassley bill.
You'll hear it referred to as the self-preferencing bill.
But there's also the Open App Markets Act, and that's from Blumenthal and Blackburn.
I just want to pause and say that the pairings on these co-sponsorships are just wild stuff.
So for the non-legal people, that means you or I as consumers
wouldn't have the ability to sue these tech companies directly
for their anti-competitive practices.
It would have to be instituted by the AGs or the DOJ.
That's right. That's right. So from that point, a lot of the arguments against the bill are,
well, we're concerned that a sort of wild-eyed state AG would pick up a case
that touches on content moderation or privacy and security.
And through a series of bad decisions,
you know, that part is sort of murky
in Big Tech's argument of exactly how these,
the legal arguments on how this would bear out.
But they're saying the whole thing would whiplash
and, you know, we'd no longer be able to moderate content.
You know, we would be scared because of litigation,
which is sort of a laughable
argument when you think about the resources that these companies have at their disposal.
There's also arguments that the bills would affect national security negatively.
That has died down a little bit. You know, if you look at the text of the self-preferencing bill,
there are many, many carve-outs regarding China, companies owned by China. I would say that it is well covered in both the text of the bill
and sort of the affirmative defenses available to the companies, that they won't have to give over
sensitive data to China or Chinese-owned companies.
That was a big part, I think, of the concern at committee,
which is why a lot of these changes were made.
That has died away a little bit when it became pretty clear
that TikTok would be a covered entity under these bills.
So they'd essentially be prohibited from doing the same practices
as the big four, ostensibly American companies.
Although the question as to whether they act in American interest all the time
is an open one.
Right, it sure is.
I know you to be a good prognosticator of what happens in Congress.
What do you see as the major obstacles on the Senate floor?
And then going back to the House side,
and where do you see this going over the next several months?
Oh, Ben, if I knew, I'd be a much happier person right now.
This keeps you up at night.
Yeah, this is the number one thing I'm working on right now.
And I would say, the issue, it's sort of interesting,
the issue is not whether they'd pass if put to a vote, because they would. They have, you know,
at least 20 Republicans who would go and a bulk of Democrats. Like, I don't think there's any
question if forced to vote on this bill, like looking at the polls and where big tech accountability
stands, I think any sane
chief of staff or member of Congress would understand that they need to support these bills
if the vote is there. Now, the big question is convincing leadership to put these votes on the
floor because there are some in the Democratic caucus who are concerned that, in their words, the bills would endanger their chances at the midterm being forced to vote on the bill.
Now, you know, we argue that this would help your midterm chances by showing voters that you're actually doing something about big tech accountability. names, some members of Congress are concerned that if they're forced to take this vote and vote in
favor, they would lose significant fundraising support from big tech companies or consulting
firms or just the whole sort of ecosystem. That's Matt Kent from Public Citizen speaking
with my Caveat co-host, Ben Yelin. You can hear an extended version of this interview
on this week's Caveat podcast.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to welcome you back to the show.
We recently had an announcement from CISA that they have expanded the Joint Cyber Defense Collaborative to include industrial control systems.
This, of course, is your neck of the woods.
I wanted to get your take on this development here. This is good news, yes?
It's absolutely good news. And so, you know, I
think when you look at what CISA has been doing really well since they started is they're taking
part in the community, right? It's not, let me speak to you from DC in the pulpit that is the
DC bubble and try to tell an operator in California and Washington and Oregon
how to do things without visiting them.
Because that can come off very tone deaf.
But even when Chris Krebs was there, he was going to DEF CON and Black Hat and RSA.
He was out in the community.
And Jen Easterly has done exactly the same thing.
Let me get out there, part of the community, be there,
encourage people to join us,
encourage people to cooperate with us, etc., etc., etc.
So I don't look to CISA to solve the problem,
which is where I think,
I'm not the person setting the rules for CISA,
so it doesn't really matter my opinion,
but my opinion is,
I don't think CISA needs to be solving the problem.
And I think Congress a lot of times
looks to them to solve the problem.
Oh, there was an attack, what is CISA doing about it? I'm like, what?
They're not an operational agent.
Like the government isn't protecting
day-to-day infrastructure.
That's not how that works.
It's on the asset owners and their vendors
and community that they're leaning on.
It's not like you're going to airdrop a team in from CISA
to go do security operations at a power company for a month.
It's not happening.
It should not happen.
And so the idea that CISA needs to be doing everything
and fixing everything, they're not resourced for that.
And it's just not possible to scale that
across all the different critical infrastructure industries.
What CISA can do and what they do extremely well at
is engage the community, level up the conversation,
fight for resources
for the community to do work that they need to do, provide best practices, basically set the rules of
the game, but don't be a player in the game. And when you look at the JCDC, I was really excited
to see it extend out to ICS because one of CISA's core mandates is the protection of critical infrastructure.
And the critical part of critical infrastructure is ICS.
And for too long, it's gotten a backseat to everything else.
And it is infuriating.
When I go talk to electric companies and manufacturing companies
and pharma companies and oil companies and everybody else,
the private conversations is they're generally infuriated
at how much attention gets paid to a cloud provider
or the latest vulnerability impacting Microsoft,
but not to industrial control systems.
There's been an ICS-CERT,
and it got taken away unceremoniously.
And then we had ICSJWG conferences
and they kind of got downplayed.
And it's always been like gambling infrastructure
is more important than electric infrastructure.
It's like, what are you doing?
Not everything is actually critical.
And so to see JCDC and then Jen Easterly
come out and talk about the importance of ICS,
the focus on it, why we need to elevate this conversation,
to me that's perfect.
I've already started hearing critiques of,
yeah, but what is the JCDC even doing?
Sure, yet another information sharing group
or operational collaboration or whatever.
I think there's plenty of critiques to throw,
but the reality is they're leveling up the conversation
and they're including ICS where it should be.
We should be popping bottles and being happy about that.
So I'm very excited that the conversation is getting started.
But no, don't expect a government agency
that's not resourced to fix your security issues
to fix your security issues with some new group.
That's not the point.
To what degree is there active collaboration
within the ICS community?
You know, your organization, other organizations who are listed as being some of the ones initially joining this effort.
To what degree does that exist?
Inside the JCDC today on the ICS level, not so much.
I mean, it's just getting started.
And I don't know, I mean, even though we're a part of it, I mean, I'm excited about it.
I don't actually know what their intention is fully with it yet.
I think it's still getting baked a little bit,
but I'm fully supportive of that.
Inside of the ICS community,
I would say it depends on the industry.
As an example, in the electric community,
we always talk about them,
but they've done a phenomenal job of setting up the ISAC,
the ARC, the little informal information sharing group,
sharing with
the MS-ISAC and the multi-states. And so there's a lot of sharing and collaboration and work.
And I think what I tend to find is there's more actual collaboration when the government's not
present than when they are. And so the forums for that sharing, the forums for the collaboration is actually not through government forums as much.
I'd like to see that shift,
but that's going to be based on building trust.
As an example, if an electric utility
or a manufacturer or oil company
tells something to CISA,
CISA hasn't done anything wrong,
I'm not picking on it, it's just an example.
If CISA were to turn around
and that would end up in the media
or that'd be shared out to foreign partners and so forth,
you're going to have information sharing dry up real quick.
And so I think there's a trust-building exercise
that's needed because there has been some historical mistakes.
But no one in the infrastructure community
that I've ever come across is just anti-that succeeding.
Most of them are just so focused on doing the mission
that if you're there to support the mission, come on board.
If you're there to talk about one day how you might support the mission,
sorry we don't have time for it.
And so nobody's against any of these things.
It's just we want to stay focused because we all have limited resources.
And I do view, again, some of CISA's steps here recently
as being very encouraging
to the development of that interaction. It's a seat at the table, right?
Exactly. Again, I mean, when we were talking about, and again, it sounds like critiques of
CISA, and it's really not. And it always comes off that way. I feel like I always had to be like,
here's why I love you, but let me give you one suggestion, but here's why I love you.
They're amazing people there.
But a great example of this is,
we're talking Shields Up.
Phenomenal message out to the community.
Hey, let's go Shields Up, the war in Ukraine,
et cetera, et cetera, et cetera.
At the same time though,
when we've had major incidents and impacts before
like SolarWinds, there was almost no discussion about the ICS component of that.
And so there's a lot of good messaging in general, but if you look at the ICS specific part, again the critical part of critical infrastructure, it's either usually absent or it's such a broad stroke brush of ICS that it doesn't actually apply beyond an industry or two.
And one of the things that I think is a really unique opportunity for CISA
is as it is the front door to government,
it is the critical infrastructure agency.
And there are 16 critical infrastructure groups or sectors.
There should be a specialization on each sector at CISA
to take anything that's coming out
and be able to translate and go,
hey, here's what that means, not for
ICS, but here's what that means
for positive train control systems
on rail, because that's the type
of ICS that we're concerned with a safety impact.
And here's what you do in PTC instead
of what you might do in a gas turbine
and an electric power provider.
But instead, right now, we're in the phase of we either don't talk about ICS or we talk about ICS as this broad thing that doesn't really exist.
And so I'm hopeful that CISA takes the opportunity to start developing expertise in individual sectors because that's where they're going to show a lot of value.
All right. Well, Robert M. Lee, thanks for joining us.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabe, Rachel Gelfand, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.