CyberWire Daily - Criminal gangs at war. A "cyber world war?" A new DPRK ransomware operation. Media organizations targeted by state actors. NSA guidance on characterizing threats and risks to microelectronics.

Episode Date: July 15, 2022

Gangland goes to war. Is there a "cyber world war" in progress? Ukraine thinks so. A new North Korean ransomware operation is described, but it’s not yet clear if it’s a state operation or some moonlighting by Pyongyang’s operators. Media organizations remain attractive targets for state actors. NSA releases guidance on characterizing threats and risks to microelectronics. Betsy Carmelite from Booz Allen talks about why now is the time to plan for post-quantum cryptography. Our guest is Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly discussing her time at CISA and the work of her team.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/135

Selected reading.
Inside The Russian Cybergang Thought To Be Attacking Ukraine—The Trickbot Leaks (Forbes)
Who is Trickbot? (Cyjax)
NATO and the European Union work together to counter cyber threats (NATO)
The Man at the Center of the New Cyber World War (POLITICO)
Russian cyber threat to Canada worse than previously reported: CSE (National Post)
North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security)
Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media (Proofpoint)
NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics (National Security Agency/Central Security Service)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Gangland goes to war. Is there a cyber world war in progress? Ukraine thinks so. A new North Korean ransomware operation is described.
Starting point is 00:02:09 Media organizations remain attractive targets for state actors. Betsy Carmelite from Booz Allen Hamilton on planning for post-quantum cryptography. Our special guest is CISA director Jen Easterly. And NSA releases guidance on characterizing threats and risks to microelectronics. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 15, 2022. The most notorious early adherent to the Russian cause among the cyber gangs was the now possibly defunct, dispersed, and rebranded Conti, which on February 25th announced its full support of the Russian government and promised to use all
Starting point is 00:03:13 the resources at its disposal against enemy infrastructure. This prompted a wave of doxing in which disaffected and possibly foreign Conti collaborators, released the gang's internal chatter through their ContiLeaks account. Cyjax, which was following development's notes, this leak caused significant unrest within the group, with the ContiLeaks account itself tweeting, We know everything about you, Conti. Go to panic. You can't even trust your GF. We against you. Conti itself did a bit of backpedaling for damage control, backing down from its promise of unconditional cyber war to a more measured claim that it would only target Western warmongers,
Starting point is 00:03:56 but the reputational damage had been done and may have contributed to the gang's subsequent hibernation. On March 4th, shortly after Conti's ill-advised patriotic screed, researchers at Cyjax noticed another leak-and-dump operation targeting a different Russian gang, Trickbot. The leakers tweeted under the name Trickleaks, and the main point of their doxing was to expose and close connection between Trickbot's criminal operators and Russia's FSB security service.
Starting point is 00:04:27 TrickLeaks announced itself to the world with the tweet, We have evidence of the FSB's cooperation with members of the TrickBot criminal group, WizardSpider, Maze, Conti, Dayaval, and Rayak. The close collaboration between Gangland and the Russian Security Service isn't surprising, but Syjax thinks the degree of organization and interconnection among apparently disparate criminal groups is useful news that will help organizations defend themselves against organized cybercrime in the future. Gangland seems to have more mutual dependencies than had been generally appreciated. Wondering if we're in a cyber world war seems a bit overheated, and a cyber war isn't, after all, as damaging as a full kinetic war, even when cyber attacks have kinetic effects.
Starting point is 00:05:17 But in terms of scope, the name doesn't seem too far off. For example, Canada's communications security establishment yesterday warned that the current Russian cyber threat is not to be underestimated. The National Post quotes a CSE report as saying, the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources. The most immediate threat is heightened cyber espionage, but attacks against critical infrastructure are also held to be a real possibility. Canada has been an early, consistent, and strong supporter of Ukraine during the present war.
Starting point is 00:05:58 Canada is also home to a large Ukrainian diaspora. Politico has a long interview with Yuri Shchichyal, who directs Ukraine's State Service of Special Communications and Information Protection, the SSS-CIP, which Politico describes as roughly equivalent in terms of its responsibilities to the U.S. Cybersecurity and Infrastructure Security Agency. The article aims to describe what it characterizes as a generally successful Ukrainian defensive effort in cyberspace and summarizes the Ukrainian view of how to fight Russia in cyberspace. First of all, isolate it and deny it access to resources and technology.
Starting point is 00:06:41 Tracing the history of the cyber phases of the hybrid war, Shachial says that Russia's cyber campaign preceded the physical invasion by more than a month. He says, for Ukrainians, the first cyber world war started on January 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged. Attacks against Viasat ground terminals
Starting point is 00:07:12 disabled the satellite-borne Internet provider a matter of hours before the invasion itself. Shachial thinks the Russian cyber campaign has been well-resourced, but also that it's used familiar tools. He says, in terms of their technical capabilities, so far the attackers have been using modified viruses and software that we've been exposed to before, like the Indestroyer 2 virus, when they targeted and damaged our energy station here.
Starting point is 00:07:40 It's nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it. He emphasized the importance of denying Russia access to the civilized world's security companies and IT infrastructure, and in restricting Russia's participation in international IT organizations like the International Telecommunications Union. He had some interesting if guarded disclosures about the cooperation Ukraine is receiving
Starting point is 00:08:20 from NSA and U.S. Cyber Command, which he described as constant synergy, and explained that, like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance of those supplies will only increase because only in this manner can we together ensure our joint victory against our common enemy. Above all, Shachial warns against any relaxation of vigilance. He expects the war to continue, and that operational pauses happen in cyberspace much as they do in physical space.
Starting point is 00:08:59 So, just because Fancy Bear hasn't turned the lights off in Kiev or London or Toronto or New York, or not yet at least, don't get cocky, kid. Microsoft describes an emerging North Korea ransomware operation it tracks as DEV-0530 that's using a relatively new strain of ransomware called Holy Ghost. The blasphemous name, Microsoft points out, is the hood's own choice, not Redmond's. Dev 0530, a provisional designation assigned until more is known about the group, is noteworthy in that it appears to be entirely financially motivated, and in that selects small and mid-sized businesses as its target.
Starting point is 00:09:46 select small and mid-sized businesses as its target. Mystic, the Microsoft Threat Intelligence Center, assesses that DEV-0530 has connections with another North Korean-based group tracked as Plutonium, also known as Dark Soul or Andarial. While the use of Holy Ghost ransomware in campaigns is unique to DEV-0530, Mystic has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by Plutonium. The gang's communications with its victims and others cop an altruistic and humanitarian line, claiming to be helping its victims improve their security posture, as if they were white hat pen testers, and to be contributing to an egalitarian leveling of rich and poor to the advantage of the poor, as if they were Robin Hood. The group is asking for
Starting point is 00:10:37 between 1.2 and 5 Bitcoin in ransom, roughly $25,000 to $104,000 at current conversion rates. But so far, Microsoft says their wallet seems to have remained empty, even though DEV0530 has shown a willingness to negotiate their asking price. Pyongyang has long used cybercrime as a source of income to redress the financial pressures it labors under due to the decades of international sanctions that have crippled the DPRK's economy. It's even more difficult to separate North Korean intelligence and security services from criminal activity than it is to tell the Russian privateers apart from the Russian organs. But this latest campaign is sufficiently
Starting point is 00:11:21 ambiguous to suggest that it might be the work of a gang that's obtained access to some state actors' tools, or even the work of state actors who are moonlighting for personal gain. North Korean state actors have usually cast a broader net. This campaign seems more tightly focused in its target selection. The activity remains under study, but in the meantime, Microsoft has offered indicators of compromise and some advice for defenders. Late yesterday, Proofpoint released a study of recent activity by state actors directed against media organizations.
Starting point is 00:11:59 The researchers find that China, North Korea, Turkey, and Iran have been particularly active in prospecting media organizations. They say, proof-point researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives. Journalists' social media accounts have been And finally, right out of Fort Meade, the U.S. National Security Agency has released new guidance on the classification of threats and risks to the microelectronics used by the U.S. Department of Defense. The document, DOD Microelectronics, Levels of Assurance Definitions and Applications, outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits, field-programmable gate arrays, and other devices containing reprogrammable digital
Starting point is 00:13:03 logic. Levels of assurance come down to three basic elements, NSA explains, and those are consequence, threat, and mitigation. The guidance addresses all three and seeks to do so in a rigorous fashion. The document will be of immediate interest to providers and users of microelectronics and of more general interest to anyone concerned with risk management. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:50 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:14:22 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
Starting point is 00:15:19 at blackcloak.io. Gen Easterly is Director of the Cybersecurity Infrastructure and Security Agency, a job for which she was sworn in a year ago. In her time as CISA Director, she's led a team focused on the cybersecurity of the nation, guiding the mission of protecting both the public and private sectors. I spoke with Director Easterly earlier this week. Well, first of all, it's great to be with you, Dave. And I just have to say thanks because you all reached out to us to actually put our alerts on CyberWire. And we are huge fans of the CyberWire. And it's terrific to actually have that as an
Starting point is 00:16:06 additional platform for people to get our alerts. So we try and get them out as often as and in various different ways and various different platforms, but fantastic to be part of the CyberWire family and you guys reached out. And so I really appreciate it. We're very excited about the collaboration as well. And just, you know, hoping it continues to lead to more good things. You know, there's been commentary about using the phrase shields up with the initiative. And I have to say that as someone who grew up watching Star Trek The Next Generation, it resonates with me, and I get it. Not everyone has been a big fan of that. What's been the feedback so far with Shields Up?
Starting point is 00:16:53 Not everyone's been a big fan because they don't like Star Trek or they don't like Shields Up. Well, I think there's a little bit of the Star Trek thing, but I think maybe what people take issue is more that it's kind of a binary thing. They're either up or down. And the natural question is, will they ever be down? Yeah, no, it's a great question. You know, we started this a little bit, was my kind of obsession with Star Trek, but we started this as a way to signal a sense of urgency to our stakeholders, from our critical infrastructure owners and operators to our partners at the state and local level, that this was a different situation. And we wanted to be able to provide a message that could be received and absorbed by all of
Starting point is 00:17:40 our stakeholders, you know, to include the American people, but business owners, large and small, chief executive officers, the technical community, and we wanted a pretty simple way of doing it. And that was this sort of shields up. I think, you know, to get to your question, and I've been interrogated on this before by others, at the end of the day, I think we all realize that shields up has to be the new normal. What we've been focused on over the past couple years, certainly motivated by the attacks that we've seen from nation states and cyber criminals and certainly the scourge of ransomware over the past couple years, is the need to collectively raise our game in cyber. to collectively raise our game in cyber and to recognize that this is not a government thing. This is not an industry thing. This is not an individual thing. We're all in this together, and we all have responsibility to implement the basics of cybersecurity controls, cyber hygiene
Starting point is 00:18:40 for the good of the nation. And so, you know, Chris Inglis and I wrote an op-ed on this. Essentially, shields up is the new normal. So the question is, how do we actually distinguish from being at our highest level of urgency to a shields up, which is, yes, we can let our incident responders and our SOC personnel take vacation once in a while. Because what we don't want to have is vigilance fatigue. And as head of America's Cyber Defense Agency, Dave, I'm particularly worried about that. I want to make sure that my great network defenders, my threat hunters, my vulnerability management folks, my incident responders are not earning out. And so ultimately, I think we need a way to calibrate
Starting point is 00:19:25 what the threat is, whether it's at a significantly high level based on what we're seeing from the intelligence community, our industry partners, or is it a level of what I would call guarded, which is we always need to be at some level of alert for cyber threats, but we don't need to be at our highest level of alert. And so that's what we are looking to create, essentially a national cyber alert system. The FSISAC, the Financial Services Information Sharing and Analysis Center, had a mechanism to say, okay, we are at this level. We are going to move to this level. These are the things you should be doing at this level. And then we're not going to stay there forever. We're actually going to come together and decide, do we stay? Do we go up one? Do we move down one? And so we'll never be at level green. I think we always as a nation need to be guarded, but then we need to calibrate when do we move to elevated? When do we move to critical? And we need a disciplined and rigorous way to say, this is why we're moving and signal to the American people and to critical infrastructure owners and operators, this is what it means. And these are the actions that you should be taking. And I think part of that is clarity of communications that technical folks have not always been
Starting point is 00:20:55 awesome at. And it's one reason why we are working so hard to make sure that we are communicating with clarity and with a way that distinguishes the various audiences that we need to communicate to, whether it's the business community, the technical community, the individual. And so we're really putting a lot of effort in communications and the cyber threat advisory system will be a piece of that that I think will be value added. Could you give us some insights as to what
Starting point is 00:21:25 goes on behind the scenes at CISA in terms of collaborating with the various other government agencies to help spread the word and get this information out to the public? Yeah, absolutely. You know, one of the things, Dave, that motivated me to come back from the private sector to government was the impression I had as a member of critical infrastructure owner and operator doing cybersecurity within Morgan Stanley was the government was just not as coherent as it should be, could be to the private sector in the partnership that needs to be forged to be able to protect and defend critical infrastructure that Americans rely on every hour of every day. And I had seen, you know, different products coming from different parts of the government and sometimes sending a
Starting point is 00:22:19 slightly different signal. And one of the things that we are really trying to work hard on is, and hopefully you've seen this in the alerts that you all publish on your platform, is almost all of our advisories now, Dave, are joint. We do them with FBI. We do them with NSA. Sometimes we'll do them with the sector risk management agency like Energy or Treasury, if it's specific to those sectors. risk management agency like energy or treasury, if it's specific to those sectors, will often do it with our international partners, which is terrific because it sends that common signal that here is the guidance that we're putting out. It's informed by the full federal cyber ecosystem and some by the international cyber ecosystem. And so that is one of the real behind-the-scenes pushes that we've been very focused on over the past year is much greater coherence. The other thing that we're
Starting point is 00:23:13 really focused on is making sure, and this is also informed by my time in the private sector, that everything we put out is timely, is relevant, is actionable. When you're a network defender, whether it's at the state or local level, whether it's in a small business, a large business, you want the information that you get to be something that you can actually do something with to help secure your network. And so we are very focused on making sure that everything we put out is of value and is timely. And one of the things that I would say to your audience is please continue to give us feedback. We are the newest agency in the federal government. We are a startup agency. We are evolving. And my general view in life is we need
Starting point is 00:24:00 to treat feedback as a gift and approach everything we do with a sense of gratitude and a sense of humility. We need to realize that we are part of a community, which is awesome. And I'm sure you recognize this, right, Dave? I mean, the cybersecurity community is in many ways really magical, incredibly focused, dedicated, imaginative, creative people who, whether they work in the government or whether they work in industry, are very mission focused and like to solve hard problems. So we need to approach all of this as a community. So we're looking to add value. We are looking to collaborate with all of our partners. But behind the scenes, We are looking to collaborate with all of our partners.
Starting point is 00:24:48 But behind the scenes, we're very focused on being coherent and being value-added. So please continue to give us feedback on these advisories because we want to make them useful to the community. There is much more to my conversation with CISA Director Jenny Sterling. We'll be sharing the full interview as a special edition in your CyberWire podcast feed. Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default by Betsy Carmelite. She is a principal at Booz Allen Hamilton, and she is the Federal Attack Surface Reduction Lead. Betsy, it's always great to have you back.
Starting point is 00:26:26 I want to touch base with you today about where we stand when it comes to post-quantum cryptography. Sure, Dave. So I think where I want to start around this is really to touch on why we started looking at this concept. Obviously, quantum technologies are going to offer fundamentally new ways to obtain, distribute, and process information. But Log4j and that cyber incident signaled a growing need for post-quantum cryptography. And in this case, many organizations
Starting point is 00:27:00 were using Log4j and were victim to that visibility struggle. It was hard to scan for and hard to find, and so with complex systems, it's hard to have the visibility of your software inventory. If you translate that undertaking to discovering every type of cryptography being used by every business unit and third party and organizations, it's overwhelming. However, it's vital to avoid being vulnerable to
Starting point is 00:27:27 future attacks because although quantum computers' current abilities are more demonstrative than immediately useful, we see their trajectory suggesting that in the coming decades, quantum computers will likely revolutionize numerous industries from pharmaceuticals to material science and eventually undermine all popular current public key encryption methods. So organizations are going to need to react not just to quantum threats, but whatever comes next. And there's this agility that's going to be needed. It's going to be key, such as, for example, the ability to modify algorithms quickly to counter a quantum-based attack
Starting point is 00:28:13 or adopt new encryption methods. So where do we stand when it comes to this sort of preparation? Are we in a place where people can put this stuff into motion? I think where we've come at it is looking at how the adversary and what adversaries are really emerging to understand the threat first and foremost. And so which major players are out there in quantum computing. And there are definite things that can be put in place,
Starting point is 00:28:46 but really I wanted to touch on some of the implications from a national security standpoint and that threat. We did release a report called Chinese Threats in the Quantum Era. And Chinese threat groups will likely soon be able to collect encrypted data with long-term utility, expecting eventually to decrypt it with quantum computers. So one of the reasons why we embarked on this report was we wanted to know how and when Chinese cyber threats might be shaped by this change to help our clients and organizations
Starting point is 00:29:22 manage their changing risk profile. And so what are your recommendations there? We identified two main areas of data confidentiality threats related to this adversary. First, there will likely be an increase over this decade in the theft of data that can be used for quantum simulators. of data that can be used for quantum simulators. And organizations with this sort of data that attackers seek tend to be involved in research and development-related work, such as pharmaceuticals, biology, chemistry, material science. And many of these organizations in the government, commercial, and academic sectors are already using this sort of data for simulation using classical computers. So we are looking at likely targets aligning with Chinese economic and national security priorities.
Starting point is 00:30:13 Second, there will be likely increased theft or interception of encrypted data with long-term intelligence value. And although stolen data tends to have a limited shelf life, some may be useful for a state adversary for more than a decade in the future. And examples include business strategies, trade secrets, biometric identification markers, social security numbers, weapons designs, and the identities of human intelligence officers and assets. So if an organization holds that data, that data that must be kept secret for more than 10 years, the process of securing it really must start now. And there are a few things now that we've identified for organizations
Starting point is 00:31:00 that they can do to ensure their infrastructure and data are protected. that they can do to ensure their infrastructure and data are protected. While quantum may not pose a direct threat to most organizations for at least a decade, developing and deploying certain critical medications like post-quantum encryption will also likely take at least a decade. And so there are some things to do to manage strategic risk around cyber threats. It's important to conduct threat modeling to assess changes to organizational risk, develop an organizational strategy for deploying post-quantum encryption. That's that agility I referenced. And then really understand and educate on quantum computing.
Starting point is 00:31:46 Changes in quantum computers will likely appear dramatically rather than as some smooth roll or evolution. And so that creates substantial exposure to, as we say, strategic surprise as a major source of risk and a failure to understand and monitor the growing significance of quantum computing, maybe right now because it seems so far off in the future, really could result in missed opportunities to make necessary proactive risk decisions. How heavy a lift is it at this moment if I wanted to switch over to using encryption that was post-quantum ready, what am I in for?
Starting point is 00:32:29 Well, I think the first step in that heavy lift is for an organization to take stock of their crypto inventory. Really discovering where you have instances of certain algorithms or certain types of cryptography. Understanding how strong or not and vulnerabilities within that cryptography. So that's really the first step, and that's a lot of work. So that's what we're really recommending if organizations are looking to take a first glance at how they can get ready for this next decade. All right. Well, Betsy Carmelite, thanks for joining us. Thanks, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:33:28 Be sure to check out this weekend's Research Saturday, my conversation with Chad Seaman. He's team lead with Akamai's Security Incident and Response Team. We're talking about their research about a record-breaking DDoS attack amplification in the wild. That's Research Saturday. Check it out. Thank you. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
Starting point is 00:34:44 and data products platform comes in. With Domo, you can channel AI Thank you. and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
