CyberWire Daily - Cyberattack hits Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Hacktivists, scammers, misconfigurations, and rogue insiders.
Episode Date: July 5, 2022
Cyberattack hits a Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Royal Army accounts are hijacked. A hacktivist group claims to have hit Iranian sites. A very very large database of PII is for sale on the dark web. Chase Snyder from ExtraHop has a look back at WannaCry, 5 years on. Ben Yelin examines the constitutionality of keyword search warrants. And a rogue employee makes off with bug reports. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/127
Selected reading.
Russian hackers allegedly target Ukraine's biggest private energy firm (CNN)
Pro-Russian hackers have struck again. Another major company reports that it has faced cyberattacks (Vosveteit.sk)
Preparing for the long haul: the cyber threat from Russia (NCSC)
Official British Army Twitter and YouTube accounts hijacked by NFT scammers (Hot for Security)
British army confirms breach of its Twitter and YouTube accounts (the Guardian)
British Army hit by cyberattack as Twitter and YouTube accounts hacked (The Telegraph)
Iranians' Remote Access to Banking Services Cut Off Over 'Cyber Attacks' (IranWire)
(Video) Iranian regime's Islamic Culture and Communications Organization targeted in massive cyber offensive (EIN News)
Hackers Claim Theft of Police Info in China's Largest Data Leak (Bloomberg)
Hacker Selling Shanghai Police Database with Billions of Chinese Citizens Data (HackRead)
Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web (ZDNet)
Hacker claims to have stolen 1 bln records of Chinese citizens from police (Reuters)
HackerOne disclosed on HackerOne: June 2022 Incident Report (HackerOne)
HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains (The Hacker News)
Rogue HackerOne employee steals bug reports to sell on the side (BleepingComputer)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Cyber attack hits a Ukrainian energy provider.
NCSC updates its guidance on preparing for a long-term Russian cyber campaign.
Royal Army accounts are hijacked.
A hacktivist group claims to have hit Iranian sites.
A very, very large database of PII is for sale on the dark web.
Chase Snyder from ExtraHop has a look back at WannaCry five years on.
Ben Yelin examines the constitutionality of keyword search warrants.
And a rogue employee makes off with bug reports.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 5th, 2022.
DTEK Group, Ukraine's largest private energy firm,
an operator of power plants in various parts of Ukraine,
Friday said that it had been the victim of a cyber attack.
The attack, in CNN's account, had complicated goals.
As DTEK put it, it aimed to destabilize the technological processes of its distribution and generation firms,
spread propaganda about the company's operations,
and to leave Ukrainian consumers without electricity.
XakNet, and that's XakNet with an X,
a hacktivist organization that's transparently a GRU front,
claimed last week to have penetrated DTEK's networks
and published some screenshots as coup-counting evidence of its success.
The website Vosveteit.sk, relying in part on information from Slovakia's National Security Authority,
makes two points that seem to position the incident in the larger context of both lawfare and kinetic combat.
They say these cyber attacks on the consortium occurred just days after Rinat Akhmetov,
one of the richest men in Ukraine and a shareholder of DTEK,
sued Russia at the European Court of Human Rights
for causing billions in damages to his assets. They also occurred at about the same time Russian
forces shelled a DTEK power plant in Krivyi Rih, a mining and industrial city in the Dnipro region.
The UK's National Cyber Security Centre has updated its earlier guidance on preparing for the consequences of a long-running extensive Russian cyber campaign.
Both that original guidance and the recent update concentrate on recommending measures that can be sustained for a long period of time
without exhausting security staff or otherwise degrading an organization's ability to operate.
The NCSC says, That is why we have published the new guidance on maintaining a strengthened cybersecurity posture
in a sustainable way. Among the advice the NCSC suggests are revisiting risk-based decisions to
ensure defenses are implemented in an efficient way for the long term, empowering frontline staff
to take decisions about prioritization, ensuring that workloads are spread across individuals and
teams, and that frontline staff can take breaks to recharge, and providing resources to managers
and teams to recognize the signs of someone who is struggling. In other news from the UK,
on Sunday afternoon,
the British Ministry of Defence press office tweeted a terse announcement
that the MOD was aware of a cyber incident.
They said,
We are aware of a breach of the Army's Twitter and YouTube accounts,
and an investigation is underway.
The Army takes information security extremely seriously
and is resolving the issue.
Until their investigation is completed, it would be inappropriate to comment further.
The Army's own feed took an apologetic line toward any disappointed followers, saying,
Apologies for the temporary interruption to our feed.
We will conduct a full investigation and learn from this incident.
Thanks for following us and normal service will now resume.
It took the British Army about five hours to wrest back control of its Twitter account,
The Telegraph reports.
It's unknown who hijacked the accounts or why,
and the MOD isn't saying anything until it understands what happened.
The Telegraph, quick to suspect the worst of the Russians,
asked if the incident was a Russian operation, but the MOD has no comment.
As they've said, they're not jumping to conclusions until they know more.
Bitdefender notes that many have jumped to the conclusion that the incident must have been the work of a nation state's espionage services,
but it has an alternative explanation, arguably more probable.
It was possibly crypto bros working an NFT scam.
They note that the hijacked YouTube account featured an NFT come-on
with the inevitable bogus Elon Musk attribution.
According to reports over the weekend, the group Uprising Till Overthrow,
apparently an anti-Tehran hacktivist organization,
conducted a large operation against Iran's Islamic Culture and Communication Organization.
Six sites were hijacked and 15 others were defaced with pictures of Iranian resistance leaders.
44 servers, a large number of endpoints, and at least 35 ICCO databases were wiped.
Before the systems were wiped, the hacktivists are believed to have obtained ICCO data
that includes information about money laundering, front groups, and espionage and terrorist networks.
The operation is said to have begun in the last week of January.
In an apparent response to recent nominally hacktivist actions,
not only those by Uprising Till Overthrow,
but also operations attributed last week to Predatory Sparrow,
IranWire reports that Tehran has temporarily suspended
Iranians' ability to access bank accounts from abroad.
It's a measure whose purpose, the authorities say,
is preventing cyber attacks.
Also on Sunday, Binance's threat research team found a very large database of personally
identifiable information exposed on the dark web. They say, our threat intelligence detected one
billion resident records for sale in the dark web, including name, address, national
ID, mobile, police, and medical records from one Asian country.
Likely due to a bug in an Elasticsearch deployment by a government agency, this has an impact
on hacker detection and prevention measures, mobile numbers used for account takeovers,
etc.
It is important for all platforms to enhance their security measures in this area.
Binance has already stepped up verifications
for users potentially affected.
Binance is reticent about the source of the data,
but others say it came from the Shanghai National Police.
It's not clear who's obtained the data,
but according to Bloomberg,
the data are being offered for 10 Bitcoin, roughly $200,000.
HackRead reports that the data include the following kinds of information,
name, address, birthplace, mobile number, national ID number,
and all crime and case details.
As Binance's tweet suggests,
the data exposure appears to be traceable to a misconfiguration
and not a compromise or a breach proper.
Reuters put the total number of people affected by the data
exposure at about 1 billion, but this is in any case based on the claims of someone offering the
data for sale. Someone using the hacker name ChinaDan posted this message to Breach Forums late last week. In 2022, the Shanghai
National Police database was leaked. This database contains many terabytes of data and information on
billions of Chinese citizens. Databases contain information on one billion Chinese national
residents and several billion case records. Reuters sensibly points out that these claims are so far unverified.
The data offered for sale are said to amount in the aggregate to some 23 terabytes.
It's obviously difficult to confirm the legitimacy of sample data
ChinaDan posted to show that he had the goods,
but the Wall Street Journal spot-checked a few of the items
by calling some people whose phone numbers appeared in the tease.
The Journal found that in a tiny fraction of a billion or so people, the data was indeed genuine.
Chinese authorities have issued no statement so far on the incident.
And finally, HackerOne disclosed this past Friday that a rogue insider, a then-employee as the company puts it,
had been improperly accessing the bug bounty platform's vulnerability disclosures
with the aim of collecting additional bounties from HackerOne customers.
Alerted to the problem by a customer who reported an implausible disclosure
offered with uncharacteristically threatening language,
HackerOne investigated
and found that an employee
had improperly accessed
security reports for personal gain.
The improper access ran
from April 4th
through June 23rd of this year.
HackerOne fired the employee,
upgraded its security,
and is considering referring
the former employee for criminal prosecution.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Time flies when you're having fun, they say.
So it's hard to believe it's been five years since WannaCry ransomware was unleashed on the world,
infecting more than 200,000 computers globally,
before Marcus Hutchins famously discovered and triggered a kill switch.
Tallies vary, but many believe damages from WannaCry totaled in the billions of dollars.
For a look back at WannaCry and insights on what we've learned since then,
I checked in with Chase Snyder. He's Senior Product Marketing Manager at ExtraHop.
When WannaCry first hit, the sort of emotional tone inside of ExtraHop and in the cybersecurity industry overall was one of, what can we do? The news was coming out fast. There was
this event where an independent security researcher created this sinkhole that kind of put the attack
on pause for a minute. And there were all these questions going around
about how do we stop this, who is doing it.
There's so much questioning going on,
but ultimately it came down to how do we help our customers
avoid being impacted by this,
not only avoid being hit with the ransomware itself,
but deal with the ramifications of having to investigate
and figure out, are we vulnerable?
Have we been hit or are we about to?
My recollection also is that there was a good amount of collaboration, you know, a cross
company collaboration.
It was all hands on deck and a lot of people put their what would otherwise be competitiveness
aside.
Yeah, absolutely. I think there was a big tone of
camaraderie for defenders where this was a heretofore unseen scale and level of damage
that a ransomware was doing. I remember that the national health system of the UK was a major
victim of it. And the idea that a financially motivated ransomware attack could
be impacting people's health care really pulled people together to defend against it and to rise
up against that type of a soulless attack. Do you think we're in a place today where
something at the scale of WannaCry could happen? That's a challenging question. I
think that globally, the scale of ransomware is currently much greater than WannaCry. Could an
individual event at the scale of WannaCry occur? The way that ransomware is working is a little
bit different now. It has been refined towards the profit motive. WannaCry was still fundamentally
landing on devices, popping up a ransom note, and demanding a little bit of Bitcoin.
Nowadays, there's a lot more hands-on keyboard activity
where attackers are targeting specific organizations,
they're spreading as widely as possible inside of those organizations,
and then they're detonating.
And it's less about trying to extract a couple of hundred dollars worth of Bitcoin
from individuals.
The tactics have just changed.
But if you think about the NotPetya event
or you think about other more recent events
that have occurred,
the amount of damage that such an event can do
is still enormous and possibly much larger than WannaCry,
even if the exact nature of the WannaCry event and the way that
it spread and the breadth of organizations that it impacted isn't quite the same. So I would say,
globally, the scale of ransomware is bigger and continues to get bigger. The nature of it is
different, and defenders have to evolve. How would you describe the state of the art when it comes to
defending against this sort of thing?
I mean, the organizations who, you know, by any measure have all the right things in place.
What does that look like?
Yeah, fighting the current war on ransomware demands focusing on that network behavior inside of the environment.
You still need to have all of that perimeter defense that will stop a large percentage of less sophisticated attackers from getting in.
But for a state-of-the-art defense, you need to be watching internally for that stealthy,
low and slow behavior. The attackers that are actively evading defenses, they're deleting
activity logs, they're watching out for endpoint agents and actively avoiding those endpoints
as they escalate domains, conduct internal reconnaissance,
and access as many devices as possible inside of the environment.
The network is the supply line for this type of attacker.
So you need to cut off the supply line,
the way that they spread their access
and the way they ultimately spread the software,
the ransomware, in order to stop them.
And I think that's what the state-of-the-art in defense looks like right now, is you still have all of those perimeter defenses to cut out
the lower sophistication attackers, but you really need to take back the advantage on the network.
That's your home turf, and you need to observe and control it to stop the spread of ransomware
and to control those supply lines being exploited by the attackers.
Is it possible or even realistic to imagine a future where this is a solved problem?
It's difficult to picture, isn't it, Dave?
Yeah. I think that the profit motive, the existence of these ransomware as a service organizations
and these more and more sophisticated attackers, the fact that they continue to make
money makes it very difficult for me to picture a world where ransomware is a solved problem.
I think that there will be, for the foreseeable future, a continued escalation of attackers
innovating and developing new tactics and defenders having to innovate and develop new tactics as well.
That's Chase Snyder from ExtraHop.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Ben, it's great to have you back.
Good to be with you, Dave.
A fascinating story came by.
This is from Forbes, written by Thomas Brewster,
and it's titled, Warrants Can Force Google to Look Through Your Search History.
A Tragic Arson Case May Decide If That's Constitutional. What's going on here, Ben?
This is really a fascinating case. It emanates from an incident in 2020 in the state of Colorado
where a house was set on fire. Police found a family inside. They were able to rescue that family,
but I believe five individuals who were unable to escape the building died. So we're talking
about a very serious crime of arson. Police only had grainy images of the potential perpetrators.
They had no information to go on. So they went to Google to ask for what's called a keyword warrant. Basically, they were asking Google to identify any users who had searched for this particular address within a particular time period, so over the past several days.
And they found several people.
One of them ended up testifying to law enforcement that he committed the arson.
He confessed that he did it because he thought somebody had stolen his iPhone. And to be clear, he said that he had accidentally
set the house on fire and that, just comment as you do. Right. But he pled not guilty. And,
you know, so guilty or innocent until proven guilty. Absolutely. And they identified a couple
of other individuals who have denied any involvement.
It's not, frankly, a very persuasive type of evidence because there are a lot of different reasons why people could be searching a particular property.
And that brings us to the civil liberties issues involved.
So a bunch of stakeholders, including the Electronic Frontier Foundation, other privacy and civil liberties groups. So an effort led by the National Association of Criminal Defense Lawyers is
challenging the practice in court of seeking these keyword warrants. So this presents very
difficult Fourth Amendment and First Amendment issues. From the Fourth Amendment perspective,
unlike traditional warrants, there's nothing particularized about what law enforcement
is requesting. They don't have any individualized suspicion that somebody has committed a crime.
This is a real dragnet. I mean, you're dragging in potentially hundreds of innocent people who
just happen to type something incorrect into a, or something incriminating into a search bar.
So that would end up capturing a lot of the online activity of completely
innocent people. Then from a First Amendment perspective, there's concern about the so-called
chilling effect, where people would be afraid to engage in common online behavior, lest Google
could access all of those search terms. So all of us search things on Google that are seemingly not suspicious,
but we do so because we're curious, maybe for our job, maybe to do research.
If all of those were discoverable, if the government were able to obtain a keyword warrant
like this, then we might be less prone to doing these types of searches. And that would be a real
chilling effect on First Amendment activity.
These organizations are challenging this keyword warrant in Colorado State Court,
which means that if the Colorado State Court agrees with these civil liberties groups,
potentially even the person who has confessed to being a participant in this arson is going to be
set free. So that's obviously an outcome
that I think a lot of people would rather avoid.
What the civil liberties groups would say
is this is about a greater principle.
It's protecting the privacy of our online communications,
particularly in an era where we're so wed to our devices,
and about not allowing for these overbroad search warrants
where you have no particularized suspicion.
You have no indication that any particular person has done something wrong.
You're just engaging in a dragnet to get as much data as possible on an individual search term.
We've seen that for things like geofence warrants, where you try and get all of the
users that were in a particular location at a particular time.
That's kind of overbroad as well.
And there have been a lot of legal challenges to geofence warrants.
I think this is going to be the next frontier in Fourth Amendment jurisprudence.
The Fourth Amendment's drafting was about avoiding so-called general warrants,
where law enforcement among our British legal ancestors would just go into somebody's house and try and search for something incriminating.
That was offensive to our founding fathers.
That's why we have a Fourth Amendment.
It says it has to be a warrant issued by a neutral magistrate and it has to be based on probable cause.
These are not exactly general warrants, but they seem kind of oddly familiar to general warrants.
Well, they quote Mike Price, who is the counsel at the National Association of Criminal Defense Lawyers.
He says, no other warrant could authorize the search of every house in America,
and no warrant should be able to compel a search of everyone's Google search query.
Right.
So that might seem overbroad, but it is kind of a slippery slope. In this
particular case, they're just looking for people who search that address. Right. But we have talked
on a previous episode of this show and on our podcast, Caveat, which you should listen to,
that after the Supreme Court decision overturning Roe v. Wade, there might be vulnerable individuals searching
for abortion clinics on Google or on another platform. And in some states, even that type
of activity might be criminalized. So in that case, you might be encapsulating more than just
a few individuals who searched a particular address on a certain night. The slippery slope
could be a keyword warrant for something that is
broader and something that's searched at greater frequency that ends up encapsulating a lot of
individuals. And that comes even closer to this offensive concept of a general warrant. I think
that's what Mr. Price was getting at here and why there's so much concern with these types of
keyword warrants. Any sense for where we might be headed with keyword warrants?
Is this something, is this on a collision course with the Supreme Court or where do we stand right
now? I think it's a little preliminary to go there. This is simply going to be adjudicated
in Colorado State Court. There have been a handful of cases across the country in state courts about
these types of warrants, but I don't think we're as close to Supreme Court resolution as we are on, say, compelled decryption, which we've talked about,
or even geofence warrants. I think we're in somewhat of an infancy stage here. But I think
it's worth us keeping track of how courts decide these cases, whether they think that these warrants
are overbroad, or whether they think
that by typing something into a search bar, you are relinquishing your expectation of privacy.
So I'm curious as to how the Colorado State Court is going to see this, whether there are
disagreements among state courts, or if this makes its way into federal court. And then way down the
line, if there is disagreement among circuits or among states, then that might be ripe for review at the Supreme Court.
So I do think it's a little early, but I think it's certainly possible that it could end up there.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.