CyberWire Daily - Cyber sabotage and cyberespionage. Updates on Russia’s hybrid war against Ukraine. REvil seems to have returned.

Episode Date: May 2, 2022

Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week’s DDoS incident was retaliation for Bucharest’s support of Kyiv. Rick Howard is dropping some SBOMs. Carole Theriault reports on virtual kidnappings. REvil seems to be back after all.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/84

Selected reading.
How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities (CyberScoop)
Russian hackers compromise embassy emails to target governments (BleepingComputer)
Ukraine's defense applies lessons from a 15-year-old cyberattack on Estonia (NPR)
Feared Russian cyberattacks against US have yet to materialize (C4ISRNet)
Hacking Russia was off-limits. The Ukraine war made it a free-for-all. (Washington Post)
A YouTuber is promoting DDoS attacks on Russia — how legal is this? (BleepingComputer)
Ukraine’s Digital Fight Goes Global (Foreign Affairs)
Romanian government says websites attacked by pro-Russian group (The Record by Recorded Future)
REvil ransomware returns: New malware sample confirms gang is back (BleepingComputer)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyber attacks have yet to appear, but criminals find a new field of activity.
Starting point is 00:02:13 Hacktivism and privateering. The legal and prudential limits to hacktivism, applying lessons learned from an earlier cyber war. Romanian authorities say last week's DDoS incident was retaliation for Bucharest's support of Kyiv. Rick Howard is dropping some SBOMs. Carole Theriault reports on virtual kidnapping. And REvil seems to be back after all. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 2, 2022.
Starting point is 00:03:08 The sabotage incident in which fiber-optic cables in France were cut, severing internet and telecommunications connections, is seen as exhibiting the vulnerability of infrastructure to physical disruption, CyberScoop reports. The incident remains under investigation. The sabotage is regarded as having been coordinated, but there's so far been no attribution. Cozy Bear, also called Nobelium or APT29, a threat actor associated with Russia's SVR foreign intelligence service, has continued to engage in cyber espionage against a wide range
Starting point is 00:03:40 of diplomatic targets. The campaigns have achieved initial access through spear phishing, and they're marked by the abuse of Atlassian Trello and other legitimate cloud services platforms for command and control communication, Bleeping Computer reports. Widespread and damaging Russian cyber attacks have yet to appear, but that's not entirely for want of trying. Nuisance-level distributed denial-of-service attacks have occurred, as have some relatively ineffectual
Starting point is 00:04:11 wiper attacks against Ukrainian targets. Russia hasn't sustained any devastating cyber attacks either, but it's feeling the effects of a range of government-run and hacktivist attacks. Many of these have taken the form of doxing, and these too have been nuisance-level operations. But both the extensive participation of hacktivists and the novelty of the experience of coming under cyber attacks have, in the case of Russia, been striking. Russia had hitherto enjoyed a degree of immunity from criminal attack, for one thing. There were more lucrative targets elsewhere. Many of the gangs were based in Russia and enjoyed Russian government protection,
Starting point is 00:04:51 or at least benign neglect. And there's some opinion that they were deterred from hitting Russian targets by a fear of Russian ability to retaliate. Much of that immunity seems to have evaporated over the course of Russia's war against Ukraine. The Washington Post describes how this has changed. It's become, the headline says, a free-for-all. The article says,
Starting point is 00:05:13 Experts anticipated a Moscow-led cyber-assault. Instead, unprecedented attacks by hacktivists and criminals have wreaked havoc in Russia. Particularly telling is a report from the Lithuanian security firm Surfshark, which has made a practice of tallying the number of leaked credentials and now finds that Russian addresses amount to more than half the world total. The Washington Post says, the number of presumed Russian credentials, such as those for email addresses ending in .ru, in March jumped to encompass 50% of the global total, double the previous month,
Starting point is 00:05:51 and more than five times as many published as were in January. They go on to quote Surfshark, saying, The U.S. is first most of the time. Sometimes it's India. It was really surprising for us. All of this said, U.S. authorities continue to warn that Russia still poses a substantial cyber threat. C4ISRNet reports that testimony before Congress last week continued to emphasize that threat. No one has so far turned out the lights in Kyiv or Moscow, but a distinctive style of non-governmental activity has emerged. On the Russian side, this has been a continuation of the privateering that's long been in evidence. Some Russophone gangs, notably the Conti ransomware group, have expressed their
Starting point is 00:06:38 patriotic adherence to Moscow's cause, but in general they haven't enjoyed as much success as might have been expected. Criminal activity continues, but not with noticeably greater effect than has been seen before Russia's invasion of Ukraine. The gangs themselves have become targets of hacktivist reprisal, with the doxing of internal Conti chats being a prime example. Such doxing doesn't seem to have had much effect on Conti, at least in the near term, but the leaks may offer some useful insight into the gang's organization and operations. The Ukrainian side has benefited from a surge of ideologically aligned hacktivism by Anonymous
Starting point is 00:07:18 and others who have received some encouragement and some targeting suggestions from the Ukrainian government via its volunteer IT army channels. An analyst at security firm Flashpoint told the Washington Post, there are state institutions in Ukraine interested in some of the data and actively helping some of these operations. The Post quotes Distributed Denial of Secrets co-founder Emma Best as saying, The sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of striking at an unjust regime or its supporting infrastructure. Distributed Denial of Secrets is a hacktivist data dump site that has prominently displayed some of the hacktivist take from Russian organizations.
Starting point is 00:08:04 It hasn't by any means confined itself to Russian government data, but such data have recently been prominent on the site. Emma Best calls much of the hacktivism a symbolic pantsing of President Putin, saying, He's cultivated a strongman image for decades, yet not only is he unable to stop the cyberattacks and leaks hitting his government and key industries, he's the one causing it to happen. A YouTuber is calling for other hacktivists to join in a distributed denial-of-service campaign against Russia. That call, Bleeping Computer points out, not only violates YouTube's terms of service, but would also be illegal in most jurisdictions,
Starting point is 00:08:46 and that means not just Russian jurisdictions, but jurisdictions throughout the rest of the world as well. The tool being recommended and offered to would-be hacktivists, Liberator, is murky in its workings and provenance. Perhaps it functions as advertised, but it's difficult to be sure. Bleeping Computer quotes a comment on the relevant YouTube channel by a user who goes by the screen name Junk. He's sympathetic to Ukraine's cause, but warns that Liberator is a closed-source tool that transfers information about a user's device to a disBalancer server, and that it does so through a non-encrypted channel. Avast warned last month about the risks involved in using such tools for hacktivist purposes. The users expose themselves
Starting point is 00:09:33 to considerable risk, and besides, it's almost surely illegal. In 2007, Estonia was the target of Russian cyberattacks that significantly disrupted the country's financial and commercial sectors. The campaign, while it did not extend to physical invasion, nonetheless foreshadowed Russia's operations against Ukraine. Estonia's perceived affront was the relocation of a Soviet-era war memorial, the Bronze Soldier, that Russian state-controlled media seized upon as evidence of persecution of Estonia's Russophone minority. Estonia learned from the experience and has since become one of the countries that punches far above its weight in cyberspace. It appears, NPR reports, that Russia's playbook has not changed significantly since 2007 and that the lessons learned since then have served Ukraine
Starting point is 00:10:26 and others who've come under Russian cyber attack as well. Romanian authorities have attributed the distributed denial-of-service attack government websites experienced late last week to Killnet, a threat actor that specializes in DDoS attacks conducted in the interest of Russia, The Record reports. The attack affected Romania's Ministry of Defense, its border police, the National Railway, and the OTP Bank. Killnet claimed that the attacks were a retaliation for Romania's support of Ukraine in the face of Russia's invasion. And finally, there's more evidence that the REvil ransomware gang is back from what appears to have been a temporary break.
Starting point is 00:11:07 Its Tor network returned, Bleeping Computer says, but researchers were looking for code that could be attributed to the gang. Researchers at Avast found code samples that seemed to connect the new activity to REvil. Rebranding appears to be underway, but the gang seems careless about covering its tracks. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility
Starting point is 00:11:44 is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:23 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:13:08 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Cyber crime often mirrors or takes inspiration from tried and true real-world criminal techniques, things like identity theft, fraud, or harassment. Our UK commentator, Carole Theriault, files this report on virtual kidnappings. Virtual kidnappings are nothing new.
Starting point is 00:13:52 In fact, they've been talked about for decades. But it seems that they may be on the rise once again, according to the FBI. Now, a virtual kidnapping is where a scammer pretends to have kidnapped a loved one and tries to get someone close to them to pay the ransom as soon as possible in order to secure their release. Typically, the FBI said, the virtual kidnappers will request payments through a wire transfer and push families to act quickly. Of course, in these virtual kidnappings, the loved one has not been kidnapped, may be safe at home or driving to daycare. And sometimes it's too late for you because in the panic, you paid the ransom. The FBI said, quote,
Starting point is 00:14:33 The caller might allege, for example, your daughter has been kidnapped and you hear a female screaming in the background. That would get me jump-started. Another variant of the fraud has a family member being held because he or she caused an auto accident, says the scammer, and is injured and won't be allowed to go to the hospital until damages are paid. Callers will typically provide the victim with specific instructions to ensure the safe return of a family member. Targets may even be ordered to stay on the line until the money is wired and safely transferred. The caller even might claim not to have received the money
Starting point is 00:15:18 and demand more payment. Not fun. So here's the FBI advice on how you can help avoid virtual kidnapping scams. One is never post news of upcoming travel dates and locations online, like in your socials. Have a secret password that family members can ask for in an emergency to confirm that the loved one is really in trouble. I mean, my husband and I have a secret word to say, let's leave this party now because we're done. But I've never had an emergency one. The scammer knows virtually nothing about the kidnappee or the purported kidnappee, such as what they look like, where they were picked up, where they were going, where they live. And if they do call, they tend not to use the kidnapped person's phone, so you can't just check
Starting point is 00:16:13 the number. When they call you, they will obviously, like any scammer, try to really push up the stress so that you act quickly and don't think clearly. And they will try and keep you on the phone until you agree to pay the money, which means that you can't get off the phone to call your partner just to find out that they are at home. And the scammer may request that the ransom funds be wired to multiple people in several small amounts. The FBI asks anyone who believes they are targets of a virtual kidnapping to call 911 immediately and ask that the FBI be informed. So in reading all this, I'm thinking, who is likely to be targeted in this type of scenario?
Starting point is 00:17:01 And this would be people that post way too much personal information on social media and share it with too wide a group. If this sounds like you, there's no shame, but this is maybe a really excellent time to go check your social media settings for every channel you use and check your contacts to make sure that all the information you're sharing is with people that you trust. This was Carole Theriault for the Cyber Wire. Cyber threats are evolving every second and staying ahead is more than just a challenge. control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Rick Howard. He's the CyberWire's chief security officer and also our chief analyst.
Starting point is 00:18:37 Rick, always great to welcome you back to the show. Hey, Dave. So on this week's CSO Perspectives podcast, which of course is over on our CyberWire Pro side of the house, you are pulling out your Rick the Toolman toolbox and you are going to drop some SBOMs. That is a software bill of materials. What have you got for us? Man, we were talking before the show started. I wish I would have thought of that before you just said that. That would have been perfect for the episode. Right, right. And so, you know, Dave, the idea of SBOMs has been in the news of late,
Starting point is 00:19:16 mostly, I think, because President Biden signed an executive order on cybersecurity last year that compelled the U.S. government to use this concept to manage all of its software. Yeah. And I noticed in some of the coverage you've been doing that you refer to SBOM as a concept and not a tool. Is that deliberate on your part? Yeah, it is because, you know, we really don't have a standard SBOM tool or platform yet. What we do have is a bunch of developing standards and requirements for tools that will, these will all help us reduce the risk of software supply chain exposure. Although vendors are starting to sell these SBOM platforms,
Starting point is 00:19:50 but the idea of an SBOM at this point is still more of a concept than a reality. So when does it actually become a reality? What is it and what could that do for us? Well, in its simplest form, an SBOM is a formal record containing the details and supply chain relationships of various components used in building software. They're like lists of nested software components designed to enable supply chain transparency. All right. Well, what problem are we trying to solve here? And I guess on top of that, why is it so important that President Biden would include
Starting point is 00:20:26 it in a presidential directive? I know it's amazing this kind of geek detail would hit his level. But so let me explain it this way. According to a report by Synopsys this year, 97% of commercial code has an open source component. And within that 97%, 78% of that code is based on, is all of that code base is open source. Okay. So that was a lot of numbers. All right. Let me just restate that. Get English for me, Rick. Get English. So here's what it boils down to. Almost all commercial software is over three quarters open source. So let that sink in. So that means that we as a community really have no idea where our software component parts are coming from, who built them, and whether or not the people who did build them are even maintaining them. And it opens the door
Starting point is 00:21:16 for all kinds of supply chain attacks that we saw last year against victims like SolarWinds, Accellion, and Kaseya. So this week on the show, we're going to break open the Rick the Toolman toolbox, like you said, and talk about the current state of SBOM evolution. All right. Well, listen, before I let you go, you also head up our efforts on a fun little podcast that we call Word Notes, and that is where each week you try to parse the word salad that we love so much in the cybersecurity community. What are you covering this week?
Starting point is 00:21:46 Yeah, you know, I love Word Notes and it's just five minutes each week, but it's eminently bingeable. And it takes on a word that we are all familiar with and explains it and tries to determine how it fits into the cybersecurity zeitgeist. You know, in the last month, we've talked about Shields Up and DMARC and Pegasus. But this week's word, though, is DevOps. And most of us probably think that phrase is relatively new, say, the last 10 years. But we've traced the origin all the way back to 1994. So if you like this kind of thing, just come check it out. It's fun for newbies, it's fun for veterans. So just come and give it a shot, I think you'll like it.
Starting point is 00:22:27 All right, terrific. Well, that is Word Notes, and of course, there is also CSO Perspectives over on Cyber Wire Pro. Rick Howard, thanks for joining us. Thank you, sir. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion
Starting point is 00:23:06 of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Starting point is 00:23:28 Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:24:26 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
