CyberWire Daily - Cyberespionage against Finland. Moscow’s displeasure. ICS security. Two indictments and why the PLA should stick to Buicks.

Episode Date: March 19, 2021

Helsinki blames Beijing’s APT31 for cyberespionage against Finland’s parliament. Russia withdraws its ambassador to the US, calling him home for consultation after the US IC’s report on election influence ops. Risk management for industrial control systems, and especially for an often overlooked part of the power grid. Johannes Ullrich from SANS on evading anti-malware sandboxes with new CPU architectures. Our guest is Tony Cole from Attivo on dealing with adversaries already inside your network. A guilty plea in an odd extortion attempt, why China’s wary of Teslas, and the indictment of a hacktivist. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/53

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Helsinki blames Beijing's APT31 for cyber espionage against Finland's parliament. Russia withdraws its ambassador to the U.S., calling him home for consultation after the U.S. IC's report on election influence ops. Risk management for industrial control systems and especially for an often overlooked part of the power grid. Johannes Ullrich from SANS on evading anti-malware sandboxes with new CPU architectures.
Starting point is 00:02:26 Our guest is Tony Cole from Attivo on dealing with adversaries already inside your network. A guilty plea in an odd extortion attempt. Why China's wary of Teslas. And the indictment of a hacktivist. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 19, 2021. The AP reports that Helsinki's domestic security service, SUPO, has identified China as responsible for a cyber espionage incident that breached Finland's parliament last year.
Starting point is 00:03:19 The intrusion was detected last October, and the investigation has now concluded that the specific threat group responsible for it was APT31, an intelligence unit run by Beijing that's also known as Zirconium or Judgment Panda. Finnish broadcaster YLE quoted a detective superintendent of the National Bureau of Investigation to the effect that the espionage aimed at
Starting point is 00:03:44 acquiring information for the benefit of a foreign nation or to harm Finland. That by itself is uninformative. It's practically a tautology to say that governments spy to advance their own interests at the expense of other governments. So, that statement is probably best read as meaning our investigation is still in progress. In an apparent expression of displeasure with American policy and public diplomacy, Russia has recalled its ambassador to the United States from Washington, bringing him back to Moscow for consultation. The Wall Street Journal notes that the move came the day after the U.S. intelligence community released its unclassified assessment accusing Russian President Putin of personal involvement in malign influence operations directed at the 2020 U.S. elections.
Starting point is 00:04:33 Mr. Putin is unhappy that the report was as specifically personal as it turned out to be. The U.S. Government Accountability Office yesterday released a study that highlighted vulnerabilities in the U.S. power distribution system. Many of the risks the GAO describes derive from utilities' increased permission of remote access and connection of control systems to business systems. The report is focused on power distribution, and that perhaps warrants some explanation, which the GAO itself provides. The power grid includes three distinct functions. First, there's power generation and storage. These include both the obvious conversion of various other forms of energy, chemical, mechanical, thermal, radiant, or nuclear, into electrical power, and the often overlooked, by consumers at least,
Starting point is 00:05:30 storage of energy in such repositories as batteries or pumped hydroelectric facilities. Second, there's transmission, which connects power storage and generation to the places where the power is consumed. These include such familiar things as transmission lines and electrical substations. And finally, there's distribution, which is the subject of the GAO's study. Distribution systems move electrical power out of the transmission system and into industrial, commercial, residential, and other end users of the electricity. The distribution systems might include distributed energy resources, like the solar panels sometimes
Starting point is 00:06:05 installed on houses, and networked meters, thermostats, chargers, and so forth at the consumer's location. These are, for the most part, networked industrial control systems, and these, especially as they're found in power distribution, are increasingly exposed to potential cyber attacks. The Department of Energy has paid more attention to generation, storage, and transmission than it has to distribution, and it told the GAO that its general opinion is that the risks are greater in these areas than they are in distribution. That there's a risk here, the GAO says, is clear.
Starting point is 00:06:41 What the scope of that risk may be, however, is unclear, and the report asks the Department of Energy to take a closer look at that risk. A bill intended to enhance cybersecurity for industrial control systems advanced in the U.S. House this week, FCW reports. The DHS Industrial Control Systems Capabilities Enhancement Act of 2021 cleared the House Homeland Security Committee yesterday. The measure, introduced by Representative John Katko, Republican of New York's 24th District,
Starting point is 00:07:18 would give the CISA director the lead federal role in identifying and mitigating risks to industrial control systems and process control technologies. FCW suggests that the attempted cyber-sabotage of the Oldsmar, Florida, water utility provided the motivation for the proposed law. Representative Katko did allude to Oldsmar in talking about the bill, quote, operate many vital components of our nation's critical infrastructure and remain under constant attack from cyber criminals and nation-state actors. As we saw recently when a Florida water treatment facility was targeted,
Starting point is 00:07:52 these attacks can have devastating real-world consequences. End quote. CISA continues to try to help both government agencies and the private sector secure their systems against recent severe threats. For one thing, CISA has released CHIRP, the CISA Hunt and Incident Response Program Forensics Collection Tool, which the agency developed to help organizations find indicators of compromise CISA has associated with the SolarWinds and Microsoft 365 Azure environments. In thinking about risk, it's of course a truism that there are three things you can do with it. You can accept risk, you can manage risk, or you can transfer risk.
Starting point is 00:08:38 We were able to attend Wednesday's session of the Johns Hopkins University's seventh annual virtual cybersecurity conference, the second of a planned three. The presentations took up the latter two as experts described how to reduce risk, fix liability for it, and arrange insurance that covers such risk. Our account of Wednesday's conference takes you through the presentations. You can find that on our website.
Starting point is 00:09:14 The draft of NIST SP 1800-22, Mobile Device Security: Bring Your Own Device, is out and open for comment until May 3rd, 2021. It's a practice guide designed to help organizations protect their data and the personal privacy of their personnel while their people use personal mobile devices to get work done, as so many are doing during the pandemic. We're used to ransomware being installed by phishing or waterholing or other online social engineering, but sometimes the social engineers go old school and try to do their convincing in person. That has its own perils for the scammer as well as the scammed.
Starting point is 00:09:48 Witness one Egor Igorevich Kriuchkov, 27 years young and a Russian national. Mr. Kriuchkov has taken a guilty plea in the U.S. District Court for the District of Nevada, copping to conspiracy to get a Tesla employee to introduce malware into his company's systems. Mr. Kriuchkov and his co-conspirators intended to use the malware to steal corporate information, which they'd then hold hostage, threatening to release it if they weren't paid a generous consideration for returning it unreleased. The employee reported the approach to Tesla, who reported it to the FBI, who got the goods on Mr. Kriuchkov. Sentencing is scheduled for May 10th. Speaking of Tesla, the Wall Street Journal reports that China intends to restrict military and state employees from
Starting point is 00:10:40 driving them. It would be easy to dismiss this as a mean-spirited shot in the ongoing Sino-American competition, but despite all the stick the government in Beijing takes in this podcast, in fairness we have to say that they're not crazy to have security concerns. Late-model cars have lots of sensors and connectivity, and the Teslas are more fashion-forward in this than any other marque we can think of off the top of our head. A Tesla is a sweet ride, but from another point of view, it's also a big mobile sensor package chattering in somebody's cloud. Even grim regimes have legitimate security concerns. If in 1999 NSA could tell its people to keep their Furbies out of Fort Meade, Furbies tending to repeat the things they hear,
Starting point is 00:11:27 then it seems fine for the People's Liberation Army to tell the troops to drive their Buicks to work instead. Leave the Tesla home in the carport. And finally, Swiss hacktivist Tillie Kottmann, the one who claimed responsibility for the Verkada security camera hack, has been indicted by the U.S. Justice Department on federal charges of conspiracy, wire fraud, and aggravated identity theft. The Verkada caper was just the last straw, if it was even that. Kottmann's apparently been acting as a malign nuisance for some time, if the Justice Department has it right, at least since 2019.
Starting point is 00:12:04 Kottmann has told The Record, among others, that the data Kottmann obtained came from misconfigured GitLab and Bitbucket Git servers, but also from SonarQube source code management apps. Justice says that's not the whole story, or even the main story. Some of the data Kottmann is alleged to have obtained, and subsequently used, included improperly obtained employee credentials. What were the alleged motives? More the pursuit of cachet than cash, apparently. The Justice Department says promotion of Kottmann's own reputation in the hacking community was a goal.
Starting point is 00:12:43 How that weighed in comparison with the hacktivist's desire to strike a blow against contemporary surveillance practices remains to be seen. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:13:09 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:13:43 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:14:55 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. There's a line of thinking in cybersecurity that basically says, assume you have already been breached. Operate as if the adversary is already in your system. Of course, there's nuance to this argument, and joining me to discuss that is Tony Cole.
Starting point is 00:15:38 He's chief technology officer at Ativo Networks. For those of us in the business, most of us have realized this for a long period of time. We don't know who's inside the environment today. Solar winds is really, and I hate to use the term because we've said it so many times over the last couple of decades, but it truly should be a wake-up call that we need to be cognizant of the fact that the adversary, sooner or later, is going to get inside the environment, and we need to be aware of that
Starting point is 00:16:05 and build an assumption-of-breach mentality. And by that, I mean, we need to really start instrumenting on the inside of our networks, prevent what we can, but focus on detection as well so that we can catch them, knowing that they will break in sooner or later. Well, let's dig into that. I mean, what sort of things are available that you recommend for detecting these sorts of things? Well, I think that there's a lot of pieces that we need to focus on today that, you know, get some coverage but not near enough. You know, when you look at lateral movement, MITRE has done some tremendous work and NIST has as well. You know, with 800-53 Rev. 5, you know, and those controls, I'm sure your listeners know,
Starting point is 00:16:45 feeds into the cybersecurity framework. You know, they've started to focus on deception. MITRE has now built an active defense, you know, structure called MITRE Shield. That's the counter to MITRE ATT&CK. And both of those teams now do some work around deception. And MITRE Shield truly does a tremendous amount of work around deception. It has a whole deception team there led by Dr. Stan Barr. And those pieces are really important to instrument inside your environment and look for that lateral movement. The other piece that's critically important is the SolarWinds breach that just took place, and it really tells us why we should also be focusing on Active Directory. That's been a problem for a very long period of time. Most red teams and attackers, that's one of their first targets they go after, and yet very
Starting point is 00:17:31 little is done on the defensive side for Active Directory. So that is a critical, critical point, looking at that, protecting it, and stopping privilege escalation. You know, I can imagine a lot of folks feeling a bit overwhelmed when you look at something like SolarWinds and you try to imagine how far down my supply chain do I have to go to verify that there's security there. But I suppose to a certain extent, if really what you're focusing on is behavior, that helps take away that concern. You don't have to
Starting point is 00:18:06 be so concerned with that. You're keeping an eye on what's going on under your own roof. Yeah, absolutely. And we all know the old saying, trust but verify. And I think in this instance, we kind of need to turn it on its head. And you can continuously verify and then trust. But even after you trust, you need to still keep verifying across the board that there's no malicious actors inside the environment and they're not moving laterally or escalating privileges. And I think it's going to continue to be a problem for a long period of time. I heard a number of speeches on this, and I won't name names of companies, but people talked about, you know, this is the most significant breach, you know, in history that we know of. And to me, mentally, I chuckle and I've got a lot of old other gray beard friends that same thing that chuckle because what no one ever says and they should is that we know of, you know, it's like,
Starting point is 00:18:58 and so far, right? Yeah, exactly. Right. Right. So what other existing ones are out there? I mean, there's a lot of other, you know, very deeply penetrated into enterprises out there, you know, different technologies, different software, you know, suppliers that, you know, we don't know if that technology is good, unless you're looking for that lateral movement inside your environment, and you're stopping privilege escalation in its tracks, then you simply don't know. So that's just a critical piece for people to focus on. And I think why we've seen NIST and MITRE really double down on it in the last three years. You know, again, going back to that person who may feel a little overwhelmed,
Starting point is 00:19:38 you know, overworked and under-resourced, where should they start? What are your recommendations for where to begin? Yeah, that's a really great question. You know, the EDR technology is good, you know, and that's an easy area to focus on because everybody knows endpoints are an important piece. The perimeter is gone, you know, with the pandemic ongoing. The little bit of perimeter we had left has been blown away. You know, down the line, we're going to have pretty much cloud and endpoints. So focusing on the endpoint is a great first start, you know, in an area that most defenders know very, very well. So upgrading that endpoint technology, EDR, and then adding additional pieces onto that endpoint that can help you protect active directory and help you detect lateral movement very quickly.
Starting point is 00:20:29 You know, those can be a fantastic addition, you know, that will stop the adversary very, very quickly. So you're literally building instrumentation inside your enterprise via the endpoint to detect when somebody is on those systems. And you're not trying to do it completely from a preventative fashion. Instead, you're focusing an additional level of effort on detection, all in an area that the defender already knows from the endpoint security perspective. That's Tony Cole from Attivo Networks. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com.
Starting point is 00:21:28 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute
Starting point is 00:22:16 and also the host of the ISC Stormcast podcast. Johannes, it's great to have you back. You know, my attention has been caught recently by Apple's release of their Silicon Macs based on ARM architecture. And I'm curious what your insight is on what sort of effect this could have on evading malware. Are the malware folks taking notice of these new processors
Starting point is 00:22:44 and potentially the opportunities they're in? Yeah, and I think that surprised me too, how quickly malware actually was released, optimized for Apple Silicon, as it's sometimes called. There was initially no real sort of good reason for it. Apple did a pretty good job with its Rosetta software to make it seamless for x86 software to still work on these new Apple Silicon Macs. So performance usually isn't a big problem either for malware. So the big question is why? And one of our Internet Storm Center readers actually provided a real good reason and that's anti-malware a lot of advanced anti-malware these days has sort of some kind of sandbox component
Starting point is 00:23:32 where it runs a particular sample that it receives for a while and then sort of does some behavioral analysis on it and that's sort of how you know a lot of the good exploits are found these days. But then again, one big shortcoming of the Apple Silicon architecture right now is that there aren't really any great virtualization platforms to actually set up these sandboxes. So in short, if you compile it for an Apple Silicon architecture, the malware will not run in these sandboxes, behavioral analysis will not work, and the end effect is that it may pass the filter. Should we expect this to be a closing window
Starting point is 00:24:19 that eventually these sorts of things will run on Apple Silicon and so it won't be effective anymore? I hope so. Now, I expect there is at least a year or so where we don't really have any out-of-the-box commercial sandbox technology for it, maybe even longer. It doesn't appear to be trivial to do this cross-platform virtualization. There are some open- source products that do some
Starting point is 00:24:45 of this, like QEMO and such, but they're not terribly straightforward to get going. Now, in the past, we had sometimes these other platforms being used for IoT devices, like these famous Mirai-style bots. They usually came in different varieties. But that kind of malware, you're not typically concerned about running in a sandbox. It's usually the one that affects the end user, that affects your general computing platforms. And yeah, up to now, that was pretty much an x86 world. That has really had some inroads from ARM only in the last year or so. And of course, the big one now was with Apple's new processor.
Starting point is 00:25:29 So if you're someone who's taking advantage of these new processors from Apple, what should your approach be? How should you best protect yourself? Well, probably the best approach is if it's an attachment and if it's an executable, block it. Don't allow it in. I get an awful lot of weird attachments myself, of course, doing research and such. I don't remember the last time someone sent me an executable. People sometimes send me intentionally malware.
Starting point is 00:25:55 By the way, if anybody's listening, I love malware. Send it my way. Really hard to ever get an executable, so just block it. Be careful what you ask for, Johannes. All right, Johannes Ulrich, thanks for joining us. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:26:41 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. It takes grease out of your way. Listen for us on your Alexa smart speaker, too. If you're looking for a fun way to fill part of your weekend, do check out Research Saturday and my conversation with Jen Miller-Osborn from Palo Alto Networks' Unit 42. Our conversation focuses on BendyBear, a novel Chinese shellcode linked with cyber espionage group BlackTech. That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:27:14 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Thanks for listening. We'll see you back here next week. Thank you. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:28:20 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
