CyberWire Daily - Cyber dimensions of Russia’s hybrid war against Ukraine. Hacktivists and cybercriminals choose sides. Lapsu$ releases NVIDIA and Samsung data (and says a victim hacked back).
Episode Date: March 7, 2022

Russian influence operations fail as few support Russia's war of aggression. Ukraine will become a "contributing participant" in NATO's CCDCOE. Ukrainian cyberattacks, and the marshaling of hacktivists. Russian cyberattacks: surprisingly restrained and unsurprisingly supported by criminal organizations like Conti. The FBI's Bryan Vorndran joins us with insights on the work his team did on Sodinokibi. Rick Howard looks at vulnerability management. Lapsus$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/44

Selected reading.
What Happened on Day 11 of Russia's Invasion of Ukraine (New York Times)
Putin says Ukraine's future in doubt as cease-fires collapse / After temporary cease-fires break down, Putin threatens Ukraine's government (AP NEWS)
Ukraine to join NATO cyber defence centre as 'contributing participant' (Reuters)
Putin Is Raising an Iron Firewall Around Russia (Bloomberg)
Three reasons Moscow isn't taking down Ukraine's cell networks (POLITICO)
Hacktivists Stoke Pandemonium Amid Russia's War in Ukraine (Wired)
DDoS hacktivism: A highly risky exercise (Avast)
This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites (The Record by Recorded Future)
Ukraine Cyber Official: We Only Attack Military Targets (SecurityWeek)
Volunteer Hackers Converge on Ukraine Conflict With No One in Charge (New York Times)
Russia shares list of 17,000 IPs allegedly DDoSing Russian orgs (BleepingComputer)
Ukraine's 'IT army' targets Belarus railway network, Russian GPS (Reuters)
HawkEye 360 detects GPS interference in Ukraine (SpaceNews)
Hackers are being forced to pick sides in the Russia-Ukraine war (KTVH)
Nvidia allegedly hacks back (Avast)
Credentials of 71,000 NVIDIA Employees Leaked Following Cyberattack (SecurityWeek)
Leaked stolen Nvidia cert can code-sign Windows malware (Register)
Hackers claim massive Samsung leak, including encryption keys and source code (Android Police)
Lapsus$ group leaks 190GB of Samsung data, source code (Computing)
Samsung's secret data leaks after devastating cyberattack (SamMobile)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Russian influence operations fail as few support Russia's war of aggression.
Ukraine will become a contributing participant in NATO's CCDCOE.
Ukrainian cyberattacks and the marshalling of hacktivists.
Russian cyberattacks surprisingly restrained and unsurprisingly supported by criminal organizations like Conti.
The FBI's Bryan Vorndran joins us with insights on the work his team did on Sodinokibi.
Rick Howard looks at vulnerability management.
And the Lapsus$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 7th, 2022.
A quick note about the situation on the ground in Ukraine.
Within hours of agreeing to ceasefires late last week that would have permitted civilians to evacuate areas of active fighting,
Russian forces resumed shelling the evacuation routes they'd agreed to protect.
Russia today declared new humanitarian ceasefires in areas with heavy refugee traffic,
but it seems unlikely that these will be any more reliable than earlier ceasefires.
The UK's Ministry of Defence, in its regular update on Russia's war against Ukraine,
yesterday assessed the situation as follows.
Quote, Russian forces probably made minimal ground advances over the weekend.
It is highly unlikely that Russia has successfully achieved its planned objectives to date.
Over the past 24 hours, a high level of Russian air and artillery strikes
have continued to hit military and civilian sites in Ukrainian cities, end quote.
Demonstrations around the world this Sunday ran strongly against
Russia, the Washington Post reports, with governments disputing Russian government
propaganda in social media. The fear and suffering produced by Russia's war against Ukraine are,
in Russian President Putin's view, the fault of Ukraine and NATO, since sanctions against Russia
amount to a declaration of war.
Ukrainian actions, and not, as one might think, the full-scale and unrestrained Russian invasion,
have called Ukraine's continued existence as a state into question.
The current leadership, that is, Ukraine's government, needs to understand that if they
continue doing what they're doing, they risk the future of Ukrainian statehood, Mr. Putin said.
In a call with Turkey's President Erdogan,
President Putin said that suspension of hostilities would only be possible,
quote, if Kyiv stops military operations and carries out well-known Russian demands,
end quote.
Those demands include demilitarization and neutralization, both to be guaranteed in perpetuity by constitutional amendment,
formal recognition of Crimea as a Russian province, and formal recognition of the independence of both Donetsk and Luhansk.
Mr. Putin also said that Russia would not stand for protracted negotiations designed simply to draw the fighting out.
Indeed, given that his well-known Russian demands are non-negotiable,
there would seem to be no room for negotiation beyond perhaps choosing a time and place for the formal surrender.
The NATO Cooperative Cyber Defense Center of Excellence, the CCDCOE,
announced Friday that Ukraine will become a contributing participant.
The 27 members of the CCDCOE voted unanimously to extend membership, which Ukraine has accepted.
Participation in the CCDCOE isn't necessarily restricted to NATO members.
Austria, Finland, and Ireland are members who don't belong to the Atlantic Alliance,
and participation doesn't constitute NATO membership.
Distributed denial-of-service attacks, relatively easy to mount,
lend themselves to the sort of hacktivism that's surged with sympathy for Ukraine.
Bleeping Computer reports that Russia's National Coordination Center for Computer
Incidents, a service established by the FSB, has distributed a list of 17,576 IP addresses
said to be used in the DDoS campaign and a second list of referring domains involved in the
operation. The Russian organization also recommended measures organizations should
take to defend themselves. The volunteer hacker army that Ukraine has sought to rally, and succeeded
in rallying to its cause, has been given some targeting instructions. They've been told,
Reuters reports, to hit Belarusian railroads and the GLONASS positioning system. The volunteers
are said, according to officials in Kyiv, to be principally tasked with collecting intelligence and aren't supposed to
pursue non-military targets. So, stated Ukrainian policy is to have its volunteer IT army operate
under real operational control. Tight control over a quickly assembled and protean volunteer corps may be
difficult to achieve in practice. Concerns about control aren't trivial. The responsibility to
exert control over an armed force is a central concept in the law of armed conflict. While
international law governing the cyber phases of a hybrid war remains largely unformed, there are analogies with armed
conflict that ought to give one pause. To whom do the hackers answer? When peace is negotiated,
will they cease virtual fire? What about the familiar difficulty of attribution of cyber
activity? In some respects, the hacktivist enthusiasm represents, according to Wired, pandemonium.
The New York Times, while reporting that Ukraine has been deliberate and intentional in its recruitment of hackers,
quotes Matt Olney, director of threat intelligence at Cisco Talos, quote,
This is not going to be solely a conflict among nations.
There are going to be participants that are not under the strict control of any government.
Much of the hacktivist activity so far has involved website defacements and DDoS attacks.
The DDoS attacks have raised more questions among observers.
Security firm Avast, no crew of Russian stooges, is very alive to the inequity of Russia's war.
They've released a decryptor for HermeticRansom, used in the early stages of that war,
and they nonetheless caution that freelancing DDoS can be a dangerous game.
For one thing, it's worth remembering that even in a war, there's such a thing as an illegal combatant. Avast offers four
reasons to think twice before casually signing on to a DDoS operation. First, performing DDoS
attacks is illegal. Second, ensuring your security while using such tools is difficult to achieve,
and by participating in these actions, you risk your privacy. Third, by using these tools, you could cause counterproductive collateral damage,
especially if you don't understand what you're doing by using them.
And finally, historically, similar tools have been abused by various actors
who piggybacked on their popularity and started distributing their own variants, including malware.
Russian cyber attacks have been more muted since the outbreak of President Putin's war against Ukraine,
but they haven't been absent.
Ukraine's State Service of Special Communications and Information Protection tweeted Saturday,
quote,
Russian hackers keep on attacking Ukrainian information resources non-stop.
Since the beginning of the invasion,
DDoS attacks have been primarily aimed at the resources of Verkhovna Rada,
Cabinet of Ministers, President of Ukraine,
Defense Ministry, and Internal Affairs Ministry.
The only thing the occupants managed to do was to substitute the front pages at the sites of some local authorities.
End quote.
This morning, the UK's Ministry of Defense tweeted an updated assessment of Russia's operations,
highlighting their effects on communications.
Russia is probably targeting Ukraine's communications infrastructure
in order to reduce Ukrainian citizens' access to reliable news and information.
Russia reportedly struck a TV tower in Kharkiv yesterday,
suspending broadcasting output.
This follows a similar strike on a TV tower in Kyiv on 01 March 2022.
Ukrainian Internet access is also highly likely being disrupted
as a result of collateral damage from Russian strikes on infrastructure.
End quote.
Russian cyber-offensive operations have thus far had a negligible effect on either the war or international support of Ukraine,
particularly as that support has been manifested in sanctions.
Defense Daily, Government Technology, and The Hill all reiterate warnings that organizations should remain on their guard against Russian cyberattacks. The Hill on Saturday published an appreciation of why
a general cyber campaign against Western supporters of Ukraine has so far not materialized.
As much as sanctions have hurt Russia, Moscow's risk and reward calculus so far
indicates that it may have more to lose than to gain from an escalation in cyberspace.
InfoRisk Today late last week offered an inventory of various explanations for Russia's relative restraint.
They include such disparate assessments as operational incapacity,
a decision to hold cyber capabilities in reserve, a desire to avoid escalation,
and, least plausibly, probably, simple unreadiness to go on the cyber offensive.
The Lapsus$ gang has followed its extortion attempt against NVIDIA with a similar attack against Samsung,
claiming to have obtained sensitive information, 190 gigabytes of which it's now released online, Computing reports.
BleepingComputer said Friday that Lapsus$ claims to have
source code for every trusted applet installed in Samsung's TrustZone environment,
algorithms for all biometric unlock operations,
bootloader source code for all recent Samsung devices,
confidential source code from Qualcomm, source code for Samsung's activation servers,
and full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services.
Concerning the NVIDIA hack, Lapsus$ said that the victim retaliated by hacking back.
The gang said, quote,
They were able to connect to a virtual machine we use.
Yes, they successfully encrypted the data.
But, added Lapsus$,
the gang followed anti-ransomware best practices and backed up the stolen data, so everything's fine.
Avast argues that hacking back represents a slippery slope.
It can be hard to stop and hard to contain.
We should note that the hacking back claims originate with Lapsus$, not NVIDIA.
As the hoods put it, we have a backup and it's safe from the scum, said the scum.
We note they emphasized their outrage with three, count them, three exclamation points.
Do you know the status of your compliance controls right now? Like, right now? We know that
real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak.
Learn more at blackcloak.io.
And it's always a pleasure to welcome back to the show Rick Howard.
He is the CyberWire's chief security officer, also our chief analyst.
Rick, great to have you back.
Hey, Dave.
You know, usually on these segments, we talk about your CSO Perspectives podcast. And I want to get to that in a second.
But before we do, there's another show that you head up around here. And what I love about this show is it is an
example of a very simple idea, well executed. And there's a great pleasure in that. And that
is called Word Notes. Just give us the short little description of what Word Notes is about.
Well, thanks for saying that, Dave.
I'm glad you like it because I'm having a blast putting it together.
And WordNotes episodes are really short.
They're less than five minutes.
And they attempt to explain the alphabet soup of words and acronyms that permeate the cybersecurity space.
So if you're really not sure about the meaning of words like cryptographic failures or non-fungible
tokens or even fast flux attacks, you know, those words just kind of spring off your
lips. Okay. So this is the show for you. So we define the word, we give it some historical
context, you know, so that we can see where it fits into our world. And then we attempt to find
where the word has popped up in our pop culture,
meaning, have we seen it in any of our nerd properties in TV and movies, or did some famous
person somewhere refer to it? Yeah. I mean, you know, one of the things about this is that every
industry has its lingo. And I think you have to be really careful about that lingo not being
gatekeeping. And I think that's something that can happen here, because if you don't know the lingo, it's hard to be part of
the conversation. So this, you know, this show helps folks stay up to speed on the lingo and
get some perspective on it as well. I have to ask, what is your favorite nerd reference so far?
Oh, you know, I love being able to put the nerd references in
because, you know, the secret might be out. I'm a little bit of a nerd myself. Really? I hadn't
noticed that. So one of my favorite nerd references so far is the show we did for Monte Carlo
Simulations. And the clip we ran, it was from the Avengers Infinity War movie when Doctor Strange
goes into a trance to calculate the odds of defeating the big bad guy Thanos in the next movie, right?
And he's essentially doing a Monte Carlo simulation.
So how cool is that?
Yeah, okay.
Cool's one word for it.
Yeah, I may have my nerd hat on.
Okay, what can I say?
That's fine.
Hey, listen, I'm a card-carrying member myself.
Hey, I meant to talk to you about that. Your dues are, you have to pay your dues. You're a little
late. All right, so we're watching you. I'm not an honorary member. I still have to pay. All right,
all right, fine. Before I let you go here, what is this week's CSO Perspectives show about?
Yeah, so for this show,
I have a different take, a hot take, you might say, on where vulnerability management fits into
our InfoSec program. I think it directly supports our zero trust strategy, but it requires help from
our intelligence teams, our DevSecOps teams, and our ability to forecast risk. So it all
sort of comes together in one little ball. All right. Well, that is all part of CSO Perspectives. You can find that as part of
CyberWire Pro, which you can find on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to welcome back to the show Bryan Vorndran. He is the assistant director of the FBI's Cyber Division. Bryan, welcome back to the CyberWire.
I wanted to touch on some specific work that you and your colleagues have done at the FBI,
some of the value that you bring to the table here.
Hoping today we can go through some of the work that you all did on Sodinokibi.
What can you share with us today?
Thanks, Dave.
When we look at our role within the cyber ecosystem of the United States government, we really see ourselves as an enabler and an action arm. And at times, we would be in the lead to action certain operational opportunities. And in other scenarios, we would be in a position to enable others such as NSA or Cyber Command or private sector partners.
Related to Sodinokibi specifically, Sodinokibi was obviously a ransomware group based in Russia that had very significant effects on thousands of victims here in the United States and even more globally.
But I think it's a good highlighting case for me to explain how we work at the center of that ecosystem.
So we had good intelligence based on our investigation that had been ongoing for over 18 months earlier this year. And through
that, we were able to enable specific actions on behalf of the part of IC partners and private
sector partners. But that case also shows our global
reach because when Yaroslav Vasinskyi conducted the attack against Kaseya, we immediately got to work
and our ability to prove through evidence that Vasinskyi's hands were on the keyboard that
conducted that ransomware attack and then our follow-on work with DOJ to ensure
that we were able to get a red notice in place and an arrest warrant in place allowed us to work
with Polish authorities to secure his arrest. And now Vasinskyi is facing extradition.
So the Sodinokibi case specifically shows how we sit at the center of that ecosystem.
We have tremendous relationships with Cyber Command and NSA. Because of our investigative authorities, we're able to
generate significant intelligence and evidence to share with them. And then lastly, as I mentioned
with the global reach to Poland, and Poland's just one example, we actually have representation in 70
countries around the world. We just have the tremendous ability to expand from our U.S. footprint to impact adversaries that are
thousands and thousands and thousands of miles away and bring them to justice.
So I think that case very much highlights our central role in the ecosystem. And Dave, I
didn't even mention all the cryptocurrency seizures that were part of that case.
We have millions of dollars of seizures that have been made public in that case.
And again, that speaks to the central role of the FBI, but also as importantly, our work with our interagency partners and the intelligence community.
Can you give us some insights as to how often is it that the FBI takes the lead in these investigations?
And what are the elements that dictate which organization within the federal government takes the lead from case to case?
So when we speak solely about investigations, certainly the FBI is going to be the lead investigative agency for nation-state cyber actors. The criminal space that
would really comprise botnets, ransomware, these types of threats, there is some differentiating
between whether Secret Service or the FBI is going to be lead. On the traditional large ransomware
variants, the FBI is generally going to be a lead. And that has certainly come to
attention in the last eight to 12 months here in the country. But in terms of prioritization,
moving forward into a broader conversation about operational impact, I think what we
value the most is conversations with private sector partners and our intelligence community
partners about how we can impose the maximum
cost on an adversary. How can we make their life more difficult? How can we cause them to have a
bad day or a bad week? Sometimes that's done through indictments. Sometimes that's done
through arrests. Sometimes that's done through cyber effects operations. Sometimes that's done
through sanctions or rewards for justice provided by Department of State.
The point is that there is very good ongoing dialogue within the interagency.
And when I say the interagency, I do mean the FBI, Secret Service, State, Treasury, NSA, CISA, and Cyber Command, right, about how do we impose cost.
And so those are becoming very mature conversations within the government about how do we use all of our tools, all in tandem,
all in a synergistic way to impose the maximum cost. And I'm proud to be a part of that,
to be honest with you, because I've seen maturity in the last year,
and I expect more maturity to continue to grow in the upcoming years.
All right. Bryan Vorndran, Assistant Director of the FBI's Cyber Division,
thanks so much for joining us.
Thank you, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.