CyberWire Daily - Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.
Episode Date: March 15, 2022
Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists). Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS attack takes down Israeli sites. China claims to have “captured” NSA hacking tools. Our guest is Ben Brook, CEO of Transcend, with a look at data privacy. Recent trends in cybercrime.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/50
Selected reading.
Researchers find new destructive wiper malware in Ukraine (The Verge)
Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks (Aqua Security)
Financially motivated threat actors willing to go after Russian targets (Help Net Security)
Kyiv’s hackers seize their wartime moment (POLITICO)
Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums (Accenture)
Political fallout in cybercrime circles upping the threat to Western targets (CyberScoop)
A protester storms a live broadcast on Russia’s most-watched news show, yelling, ‘Stop the war!’ (New York Times)
Denial-of-service attack knocked Israeli government sites offline (CyberScoop)
China claims it captured NSA spy tool that already leaked (Register)
Ransomware Variants Q4 2021 (Intel471.com)
Cequence Security Releases Report Revealing Top 3 Attack Trends in API Security (Cequence)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Bio-war disinformation.
A new wiper is discovered in Ukrainian systems.
Cyber criminals look for letters of marque from both sides.
Ukrainian cybersecurity firms and intelligence services mobilize against Russia.
Ben Yelin evaluates cyber engagements in the crisis.
A protester crashes a Russian news broadcast.
DDoS takes down Israeli sites.
China claims to have captured NSA hacking tools.
Our guest is Ben Brook, CEO of Transcend, with a look at data privacy.
Recent trends in cybercrime.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 15, 2022.
The operations map maintained for the public by the British Ministry of Defense shows more Russian airstrikes but continued sluggish progress of ground forces.
There are reports that in some areas, notably around Kiev,
Russian forces have halted their advance and turned to constructing field fortifications.
That is, they're now digging in and not moving forward, for the time being at least.
ESET researchers have found a new wiper they're calling CaddyWiper,
the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine.
ESET tweeted, quote,
This new malware erases user data and partition information from attached drives.
ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations.
End quote.
First observed yesterday morning, the malware seems to have been compiled the same day it was deployed.
CaddyWiper has little in common with its two predecessors.
As ESET put it,
CaddyWiper does not share any significant code similarity with HermeticWiper,
IsaacWiper, or any other malware known to us.
The sample we analyzed was not digitally signed.
End quote.
It did share one tactic with HermeticWiper,
deployment via Group Policy Object, which suggests to ESET that the attackers had prior control of the target's network.
The wiper's operators are apparently interested in maintaining persistence in the target's networks.
Quote, interestingly, CaddyWiper avoids destroying data on domain controllers.
This is probably a way for the attackers to keep their access inside the organization while still disturbing operations.
The Verge reports that the effect of the attack seems so far to have been small.
One organization appears to have been affected, but the consequences of that attack and the organization's identity remain publicly unknown.
Researchers at Aqua Security review the techniques, many involving commodity malware and
cloud-native services, being used in the cyber phases of Russia's hybrid war against Ukraine.
HelpNet Security reports that financially motivated, that is, criminal, cybergroups
are choosing sides in Russia's war against Ukraine. In a rough-and-ready way, the criminals have tended
to side with Russia, for whom many of them have historically served as privateers, and the
hacktivists, like Anonymous, have tended to side with Ukraine. But this may be changing, as some
Russophone gangs are expressing a willingness to hack Russian targets if there's a good prospect
of making it pay. There also appear to be personal and ideological rifts in the underworld
that are leading some gangs toward one side rather than the other.
So, privateering is converging with hacktivism.
Accenture reports that this is something new.
Quote,
For the first time in the more than 10 years that Accenture's cyber threat intelligence team
has been tracking dark web activity, we're seeing previously coexisting financially motivated threat actors divided along ideological factions.
Those actors who previously acted opportunistically with financial motivations and a global outlook are now following a highly targeted attack pattern. Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors
and are increasingly attempting to target Russian entities in support of Ukraine.
However, pro-Russian actors are increasingly aligning with hacktivist-like activity
targeting enemies of Russia,
especially Western entities due to their claims of Western warmongering. This change in
targeting and motivation has had several far-reaching consequences for underground actors
and the threat they pose. Politico describes how Ukrainian cybersecurity firms have pivoted
from defense to offense, deploying their capabilities against Russian targets.
The account takes Hacken as representative of the trend and describes the challenges of adjusting to the different set of norms that prevail in wartime.
Cyber units of Ukraine's intelligence services are said to have successfully infiltrated the Kalashnikov Concern,
a major Russian defense company.
Quote, over three terabytes of data has been downloaded for analysis, which included everything from technical specifications of
their civilian and military weapons to all of their financial data, including offshore shell
companies, bank accounts, and customers, both illicit and licit, end quote. That's reporting from Inside Cyber Warfare,
who add that the technical details of weapons
have been shared with Western intelligence agencies.
Bloomberg reports that the Russian state-directed television news show Vremya,
broadcast by First Channel,
was briefly disrupted by a young woman,
subsequently identified as Marina Ovsyannikova,
an editor with the station, who walked behind a newsreader holding a sign that said in English,
No war, followed by the message in Russian, Stop the war. Don't believe propaganda. They're lying
to you. She spoke a few sentences, including Stop the war. The newsreader spoke louder in an attempt to drown out Ms. Ovsyannikova,
and then the program cut quickly to a generic scene of a hospital.
The New York Times has video of the protest.
First Channel told TASS,
The gesture of dissent was brief but remarkable.
Ms. Ovsyannikova was taken into custody by police
and will probably be charged with an administrative violation
for discrediting Russia's armed forces.
A Meduza editor tweeted a link to a video Ms. Ovsyannikova posted
shortly before her protest.
The Telegraph's translation of her remarks runs as follows,
Unfortunately, in recent years I worked on Channel One, making Kremlin propaganda,
and I am now very ashamed of this.
I'm ashamed that I allowed lies to be spoken from the TV screen.
I'm ashamed I allowed Russian people to be zombified.
We were silent in 2014 when this was all just beginning.
We didn't go to protests when the Kremlin poisoned Navalny.
We just silently observed this anti-human regime.
And now the whole world has turned away from us.
End quote.
The Israeli National Cyber Directorate has confirmed
that Israel sustained a distributed denial of service attack
yesterday, CyberScoop reports. The attack briefly knocked some government sites offline. While most
service was quickly restored, some overseas sites remained unavailable into this morning.
NetBlocks traced the outages to two leading Israeli telcos, Bezeq and Cellcom. Haaretz says
that a defense establishment source told the paper
that it was the largest such attack the company has experienced
and that it was believed to be the work of an unnamed nation-state.
That state is widely thought to be Iran,
but the Israeli government has offered no specific attribution.
Chinese security services claim to have captured an NSA hacking tool,
but The Register points out that there's less here than meets the eye. The tool in question,
NOPEN, is old news, having been leaked by the Shadow Brokers back in 2016.
Intel 471 describes recent trends in ransomware attacks. Looking at the fourth quarter of 2021,
they found that the most common strains of ransomware
were, in descending order, LockBit 2.0, Conti, Pysa, and Hive.
The sectors most often affected were consumer and industrial products,
manufacturing, professional services and consulting,
real estate, life sciences and healthcare,
technology, media and telecommunications, energy, resources, agriculture, public sector,
financial services, and non-profit.
Cequence Security finds that cyber criminals are increasingly using APIs as attack vectors.
The researchers see three trends in this area, more variety in payment fraud, more sophisticated
shopping bots, and more cunning account takeover attempts. And finally, Elon Musk has challenged President Putin to single combat.
Quote,
I hereby challenge Vladimir Putin to single combat. Stakes are Ukraine. End quote.
He emphasized his challenge in a subsequent tweet.
Do you agree to this challenge?
Mr. Musk even flashed some Cyrillic characters and some Russian phrases in the tweets,
Cyrillic and Russian in the originals.
But how will Mr. Putin get the message?
Sure, the Cyrillic characters are probably helpful, but
we hear Twitter's blocked where Vladimir Vladimirovich lives. Poor guy. But if he takes
Mr. Musk up on that virtual glove across the face, he's a wilder and crazier guy than we would have
thought. A real Cyrillic character. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Data privacy firm Transcend recently surveyed decision makers in fintech, e-commerce, and B2C sales organizations to gain insights on their concerns over privacy regulations and compliance.
Ben Brook is CEO of Transcend.
Very few of those polled felt very confident in their organization's current ability to comply
with the full range of privacy laws that are already in effect around the world.
And in fact, only one in five of those surveyed said that they're confident that their company is compliant with global laws.
And similarly, 89% of them were at least slightly concerned about their ability to keep up with
new laws that end up being enacted over the next year or two.
So as we see new laws come into effect in Colorado and Virginia and China and India,
the layers of complexity that are going in for compliance, they're really compounding.
And so it's driving a lot of concern within these organizations today.
Yeah, one of the things that struck me as I was reading through the information that you shared was that it seems as though a lot of organizations are a bit frustrated with the situation here in the U.S., that there are so many data privacy laws and it's hard to keep up.
Yeah, absolutely. And what we're seeing is within the states,
there's a fragmentation occurring of privacy laws where each state is passing its own privacy law
that looks a little bit different from the other ones.
And that means a lot more complexity
in terms of how one can regulate the way they use data,
where it actually comes down to the geography
of the end user in question.
There's certainly some frustration across orgs
where it's just plain difficult to keep up
when there's just so many interwoven requirements.
What about all of this falling on the chief information officer or the CISO? Is there any sense that we're heading towards a time when it should be standard for organizations to have a chief privacy officer?
I think absolutely. I think it's something we're already seeing is the rise of the chief privacy officer. We've actually already seen that 25% of the organizations surveyed
had a chief privacy officer in place. And that's a number that's effectively grown from zero over
the past four years. And so we're definitely seeing that stakeholder rise into organizations,
but it also does not necessarily completely take privacy off of the CISO's plate.
So based on the information you've gathered here, what are your recommendations for organizations moving ahead here? I mean, how should they plan to operate in this new reality where privacy is going to have increased focus on it?
Pretty much boil it down to two things.
The first is having just the framework to be ready to basically ingest new laws
that will come every year for the next decade.
So basically accepting and then planning for the fact
that there will be compounding complexity
on the front of actually using data and actually having rules around each use case for data.
So that will continue to compound over the next decade, I think.
The next is to actually start investing in infrastructure that is specifically built for privacy.
So there's a rise in tooling,
essentially focused on personal data specifically,
that helps businesses comply with these privacy laws.
So for example, as I mentioned,
at the top of the priority list was the need to automate these workflows
for responding to privacy requests.
That's a very unique infrastructure that didn't exist five years ago, where it's specially tailored to actually delete a given individual across your data stack.
really growing need to invest in the infrastructure that actually treats personal data as something,
as a special class of data that has to be governed, and developing those capabilities to actually go in and execute on any given individual. Those companies, Transcend, my company is one of them,
that are specifically tailored for personal data and generally called data
privacy infrastructure. That's Ben Brook from Transcend.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host on the Caveat podcast.
Hello, Ben.
Hello, Dave.
Interesting article caught my eye.
This is from Kim Zetter writing over on Politico,
really highlighting what we have and have not seen when it comes to cyber capabilities in this ongoing war in Russia and Ukraine.
What's going on here, Ben?
Yeah, so maybe I'm out of line here, but I almost found this article somewhat reassuring. So we know that our intelligence agencies, the CIA and the NSA, have spent decades now spying on Russia's computer networks.
They are collecting intelligence, both for the purposes of figuring out what Vladimir Putin is going to do, as they did prior to this war in Ukraine.
Right.
But also for the potential to order destructive cyber attacks on Putin's regime.
I think we've always imagined that we would use this as a defensive weapon, that if we were attacked with some type of kinetic or
cyber incident, that we would want to have the capabilities to respond in kind. But what this
article gets at is both sides, the United States and Russia, are treading very slowly in this
potential cyber conflict. And I think the reason they are treading slowly is the same reason we didn't have widespread nuclear
Armageddon during the Cold War, and that's mutually assured destruction. We don't know
exactly what Russia's capabilities are, but if we went in and, you know, for the purposes of
responding to Russian aggression in Ukraine, damaged the critical infrastructure in Moscow.
We shut off the lights, we damaged the sewer system,
water treatment plants, etc.
There's a very real fear that they not only would retaliate against us,
which would escalate the conflict,
and that certainly could be very difficult for our own citizens,
having power cut off in a major American city
or attacks on other parts of our critical infrastructure.
But it could escalate from there.
You know, the cyber warfare could lead to kinetic warfare,
which could eventually lead to a place where none of us want to be,
which is a full-on war between two nuclear powers.
So I just thought it was interesting and encouraging
that both sides are treading lightly.
Government hackers have been working for the past couple of decades
to develop these capabilities.
I just think there's the reluctance to use them
knowing that Russia potentially has the capability to retaliate.
I find it fascinating that we look at this
and in retrospect it makes absolute sense.
But this is not the way that people were thinking going into this conflict. What do you make of
that? Right. I think people were expecting that Russia would have already used offensive cyber
operations in Ukraine to help their war efforts. So shutting down Ukrainian power grids. A point that you made on the Caveat podcast when we discussed this
is they really haven't done that really because they think it would be detrimental
to their own war effort.
They've needed to use the same cellular networks that are already deployed in Ukraine
for their offensive military operations.
So I think we haven't seen that yet as part of this conflict. I think the
conflict has been, I don't want to say traditional, but has kind of been more of a 20th century type
of warfare. They, with their military through air and ground support, invaded a sovereign foreign
country and we responded with economic sanctions. I think that's the safest
place for all of us to be right now, given that this could potentially turn into a large global
conflict. I think people imagine that we would, if they destroyed Ukrainian power grids or nuclear
facilities or something or any other attack on critical infrastructure, I think people were anticipating that we might use our cyber capabilities to do the same in Russia.
But I think there is a real reluctance to do that because of this fear of escalation.
Breaking into their country's core systems is something we frankly have been able to do.
It's kind of a power that we can't use lightly because if our calculus is wrong
and we use this as an offensive weapon,
as we say in the 2000s,
we don't want the smoking gun to be a mushroom cloud.
Yeah.
To what degree is this situation
establishing norms in cyber conflict? Because this is all new. A hybrid war
like this is still relatively new. So to what degree, if any, is this establishing future rules
of the road? I think it's really unclear. It's a unique situation when we're dealing with Russia
as opposed to some of our other adversaries,
whether they are nation states or
terrorist groups. For one,
they've lost a lot of their
economic power as a result of this war, but they're
still a nuclear-armed country.
And we also
have reason to believe that they
have enhanced cyber capabilities.
We've seen them perpetuate cyber attacks before.
Certainly their involvement in the 2016 election, GRU,
indicates that those capabilities are there.
So we know that they could respond in kind.
I'm not sure that that would be the case in other cyber conflicts across the world.
So I don't think this is setting any broad ground rules for cyber warfare.
Right.
I think the fact that it is Russia is significant for the reasons that I mentioned.
So I think it might not be precedent setting,
but I think it's just an interesting outgrowth of the conflict that we're seeing now.
Yeah.
All right.
Well, that article is over on Politico.
It's written by Kim Zetter. It's titled Not the Time to Go Poking Around, How Former U.S.
Hackers View Dealing with Russia. Ben Yelin, thanks for joining us. Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liv Ervin,
Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sebi,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yelin, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.