CyberWire Daily - FBI fingers REvil as the gang behind the JBS ransomware. Privateering may come up at the US-Russian summit. Ransomware at regional transportation operations. Cyberespionage in Southeast Asia.

Episode Date: June 3, 2021

Evil, your name is REvil, except when it’s Sodinokibi. That’s what the Bureau says about the JBS ransomware attack, anyway. The US is expected to make strong objections to Russian cyber privateering at the upcoming summit. Other ransomware incidents are disclosed by regional transportation operators. A possible Mustang Panda sighting. Andrea Little Limbago from Interos on cyber related executive orders. Our guest is Terry Halvorsen from IBM on the need for investment, research and collaboration in preventing quantum cyberattacks. And mommas, don’t let your babies grow up to be DDoS jockeys. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/106

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Evil, your name is REvil, except when it's Sodinokibi. The U.S. is expected to make strong objections to Russian cyber-privateering in the upcoming summit. Other ransomware incidents are disclosed by regional transportation operators, a possible Mustang Panda sighting,
Starting point is 00:02:18 Andrea Little Limbago from Interos on cyber-related executive orders. Our guest is Terry Halvorsen from IBM on the need for investment, research, and collaboration in preventing quantum cyber attacks. And mamas, don't let your babies grow up to be DDoS jockeys. From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, June 3rd, 2021. The U.S. FBI has attributed the ransomware attack against multinational food processor JBS to the REvil criminal gang, also known as Sodinokibi.
Starting point is 00:03:13 The Bureau's statement reads in full, quote, As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI's highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly
Starting point is 00:03:42 when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyber attack on one is an attack on all of us. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices. End quote. BleepingComputer notes that REvil is an affiliate operation that surfaced in April of 2019. The gang, which operates from Russia, is generally regarded as a successor to the GandCrab group, which itself nominally suspended operations in June of that year. Bear that in mind the next time a gang piously or smugly says it's either seen the error of its ways or made enough money to retire.
Starting point is 00:04:29 If you're quick to believe that, we've got a non-fungible token to sell you. This is the second major ransomware incident to disrupt a large player in a sensitive sector in as many months. May saw DarkSide's attack on Colonial Pipeline, and now REvil has hit a major meat supplier. Reuters reports that most affected JBS plants resumed operation yesterday, but the incident, following as closely as it did on the Colonial attack, has put a burr under American saddles as President Biden prepares for a summit with his Russian counterpart later this month. White House Press Secretary Jen Psaki said, quote, We're not taking any options off the table in terms of how we may respond. But of course, there's an internal policy review process to
Starting point is 00:05:17 consider that. We're in direct touch with the Russians as well to convey our concerns about these reports, end quote. The ransomware attacks are an increasingly sensitive issue in Russo-American relations because of the evidence that gangs like REvil and DarkSide, and there are many others, operate with the permission, at least tacitly and effectively, under the protection of the Russian state. The Washington Post reports that President Biden intends to hammer President Putin over the gangs during their summit, but there's general skepticism that a diplomatic protest, however starchy, will have much effect. The Russian response to complaints about its misbehavior is traditionally to demand evidence so that Russia and the complaining parties can
Starting point is 00:06:03 jointly investigate and arrive at some consensus. The Post quotes Jim Lewis of the Center for Strategic and International Studies on what's likely to happen at the summit, quote, the president is very determined on this, but the first thing Putin will do is say prove it, and he doesn't mean prove we did it, he means prove you'll do something back, end quote. Absent some proportional retaliation that hurts the interest of people who count, few see much prospect of a change in Russian policy with respect to cyber-privateering. Neither JBS nor Colonial, of course, have been the only victims of ransomware. New York's Metropolitan Transportation Authority also disclosed on Wednesday
Starting point is 00:06:46 that it had sustained a hack in April, although the incident didn't affect transportation systems or personal data, which should count, really, as a kind of success. The Gothamist reports that the Cybersecurity and Infrastructure Security Agency alerted the MTA to the incident on the day it occurred and recommended some immediate responses.
Starting point is 00:07:07 The MTA brought in Mandiant and IBM to help with investigation and remediation. They didn't find any evidence of data loss or compromise of systems, so MTA's defenses seem to have held. CISA seems to have been properly alert and helpful, and IBM and Mandiant came in to help investigate. MTA says it's gratified with the way things worked out, but that it's still looking into lessons learned. MTA serves some 15 million passengers in the New York area. The Steamship Authority, which operates ferries in the U.S. state of Massachusetts,
Starting point is 00:07:44 disclosed that it suffered a ransomware attack yesterday. Ferries continue to run, and there's no reported safety of navigation issue, but customers' ability to book tickets and pay for them has been disrupted. The Steamship Authority recommends using cash to ride. The Steamship Authority is best known for its runs to Nantucket and Martha's Vineyard. These aren't the sort of quick 25-minute rides you New Yorkers accustomed to using the Staten Island Ferry when you're not strap-hanging on the unrelated MTA subway might have in mind. It's 45 minutes to the vineyard and two and a quarter hours to Nantucket, or so we hear.
Starting point is 00:08:21 The high-speed catamarans can make Nantucket in about an hour, but if you're bringing your car along, it's a more leisurely passage. So a longer ride, but still temporal chicken feed compared to the 9 to 11 hours it'll take you to get from Melbourne to Tasmania. Check Point describes a Chinese cyber espionage campaign that deploys a novel Windows backdoor to gain access to a Southeast Asian government's sites. The campaign placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times. ESET researchers who've been working on the case tweeted that the affected government was Myanmar's and that the
Starting point is 00:09:02 responsible threat group is Mustang Panda. The Record reports that the attack effectively transformed the country's presidential website into a watering hole. The Wall Street Journal reports a surge this week in some meme stocks, that is, a rapid rise in share prices driven by speculative chat in various social media. AMC Entertainment and BlackBerry, both popular with individual retail investors, are among the meme movers. Also surging some 10% was Samsung Entertainment, after a casual Elon Musk tweet about the kiddie song Baby Shark, owned by Samsung Entertainment, pumped investment. Increased liquidity the U.S. Federal Reserve introduced into American markets last year is seen as the root cause of the speculative jumps, with social media
Starting point is 00:09:53 providing powerful amplification. GameStop's rise in January, and the short squeeze it produced, was the first famous instance of meme speculation. And finally, a 17-year-old who'd been a junior at St. Petersburg High School before his hacking got him expelled has been arrested and charged with hacking the Pinellas County School District back in March. The Tampa Bay Times reports that the teenage boy, who remains nameless publicly on account of his tender years, organized a distributed denial-of-service attack that knocked the district's 145 schools offline for two days. The attack was especially inconvenient because it coincided with a period
Starting point is 00:10:37 of testing. The student says he immediately regretted what he'd done, but that he found it impossible to unring that particular school bell. He's sorry and now hopes to get his GED and maybe work toward a career in cybersecurity after the felony computer crime business is resolved. Here's one more incentive for schools to up their security game. Not only will it protect your systems, but it will remove what the lawyers
Starting point is 00:11:05 might call an unattractive nuisance. [...] helping the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:11:56 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:40 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:13:17 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Research and development on quantum computing continues in both industry and at the nation-state level. I recently spoke with Terry Halvorsen, IBM's general manager for client and solutions development for federal and the public sector. Prior to IBM, he was chief information officer for the U.S. Department of Defense.
Starting point is 00:13:59 Here's Terry Halvorsen. I think we're probably still a ways off from true quantum computers, but we are certainly at the point where we are being able to start doing what I'll call the beginnings of quantum compute. We're doing some work in the medical area with Cleveland Computing. And on the secure side, there's two things we should talk about. One is quantum proof encryptions, which is using today's type of computers, but changing the algorithm so that when true quantum computers are out, they will still have encryption that is quantum proof.
Starting point is 00:14:43 And then there is the promise of being able to use quantum computers to develop truly quantum-based encryption. Where do we stand in terms of organizations in general putting in that effort to make sure that when the day comes, they're ready? Well, I think you're seeing some work in the commercial sector, but the biggest areas that I see that are really focused on that today are governments. Certainly the U.S. government and many of its allies are spending research dollars today. There are government initiatives
Starting point is 00:15:19 that are kind of funding some public sector work on the quantum-proof encryption. And certainly governments today are showing great interest in developing quantum computers and are backing some of that with research dollars. Is there a bit of a space race going on with quantum? I mean, is this something where we should be concerned about the progress of some of our adversaries? I would just say that all governments are very interested in getting to quantum, both quantum proof encryption and to getting to true quantum as fast as possible. Where do you see things going in the next year or so then
Starting point is 00:16:06 in terms of the developments of these capabilities? Are we going to see them trickling down into regular use anytime soon? I think you're going to see them certainly start becoming more a part of government systems. I think we're probably a little bit longer, maybe a couple years before we really see quantum proof encryption going beyond maybe government or government-related. And I will say medical is certainly a government-related issue. So I think you'll see some interest in that area. And we're probably anywhere from three to five years away before I think we will see quantum really begin to become part of more of the commercial ecosystem. That's Terry Halvorsen from IBM. Cyber threats are evolving every second,
Starting point is 00:17:18 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. A quick note on this segment between me and Andrea Little Limbago.
Starting point is 00:18:11 We recorded this segment right before the most recent presidential executive order on cyber was released. So there are a few statements in here that might sound a little bit out of time. The conversation is a good one. So instead of spiking the whole thing, we share it with you today. And trust you can interpret it in proper context on the fly. And joining me once again is Andrea Little Limbago. She's the Vice President of Research and Analysis at Interos. Andrea, it is always great to have you back. As you and I record this, we are expecting some executive orders from the U.S. administration, one of them probably about supply chain.
Starting point is 00:18:49 I know you're tracking these developments. What can you share with us today? Yeah, so there are two that are imminent, and one came out, but the results of it are supposed to come out in June. So the supply chain executive order came out in late February and basically required 100 days to look at various forms of building resilience across the supply chain. So that's going to come out in June. And so it's focused on a lot of things that are near and dear to the cybersecurity folks as far as
Starting point is 00:19:15 a lot of the components that go into building our technologies. It's very emerging technology focused. It's a good part on pharmaceuticals, which again makes sense. But for this audience, there's a lot on emerging technologies, raw materials, semiconductors, batteries, everything that goes into the technologies that we all try and secure. And so we'll see what happens with that. And really it's toward building greater resilience and also some level of self-sufficiency in it.
Starting point is 00:19:38 And so that's basically the 100-day review is supposed to come back and give us some idea of how we're going to start rethinking supply chains in the United States. And at the same time, any day now, there have been copies of a cybersecurity executive order that have been starting to circulate. So we have a decent idea, unless those drafts change, of what's going to be in it. And it's basically requiring a lot of what the security industry has been asking for for quite some time. Everything, multi-factor authentication, various kinds of security controls to be
Starting point is 00:20:10 in place. There could be a software bill of materials that goes in there to ensure that you have some traceability of where the code's coming from. Probably a breach notification requirement. The thing with the cybersecurity executive order, though, it is only for federal contractors and those within federal agencies. And I mean, it's true for both these,
Starting point is 00:20:27 but for the supply chain, it can expand a little bit more into other industries as far as regulation. For cybersecurity, it really does focus only on the contractors and federal agencies, but it is a big first step. And it can be a, for both cases, I'm hoping that it's a forcing function for a broader strategic shift as we start thinking about supply chain security and cybersecurity moving forward. And for the cybersecurity law, really it's a focus on a defensive posture. And I think that's something that has been overlooked
Starting point is 00:20:56 a fair amount for quite some time. And so the interesting thing along with it is that on the one hand, there's going to be, for companies that fail to meet some of these requirements, they'll lose the ability to work with the government. So for many, that's a large amount of money. But hopefully that spills over into other areas as well and can help inform a broader technology strategy really across the U.S. Could this be hopefully a competitive advantage for companies who are able to meet these standards? They can, you know, you see in marketing materials sometimes, you know, our product is military spec, you know, that sort of thing. And I mean, that causes a certain amount of eye rolling,
Starting point is 00:21:43 I think. But the spirit of that, you know, could that trickle down to the business to business and even consumer markets? Yeah, I think that's fine. For sure, you'll start seeing people with a military grade security that's put on there. But I do. I 100% think it can be a competitive advantage. And I think that, you know, if I was in the government, that's how I would frame it as well. I mean, it's not just your good security, but it will be a competitive advantage.
Starting point is 00:22:06 And this is, again, where I look at cybersecurity and supply chains as so interconnected because, you know, as companies are looking out and they're, you know, rethinking their supply chain, who their partners are, if all else equal, one has much higher security and can demonstrate that versus another one who's pretty lackadaisical about their security, the one with the higher security, I would imagine nine out of 10 times will get that contract. And so I do think that it becomes a competitive advantage, both just as far as in the selection, but then also if it should enable them to have that better security that keeps their company's name off the headlines, which also can become a competitive advantage. And so I do think it absolutely can be.
Starting point is 00:22:42 And I think there's a lot that can go along with, you know, of making cybersecurity good business. And that's where hopefully it will go toward because we really do. I mean, when we look at, you know, what's going on with the oil pipeline, you know, the city of Tulsa was hit with ransomware. And we're still trying to figure out, you know, this executive order for cybersecurity was, you know, largely framed as a response to SolarWinds. And, you know, the whole range of supply chain attacks that have been going on. It's getting old hearing, seeing the headlines of, this will be the wake-up call, right? I mean, we've had wake-up calls, I would argue,
Starting point is 00:23:12 for decades now. So I'm hoping, I'm cautiously optimistic that this might be a start in reframing how we think about cybersecurity and supply chains and really preparing our federal government and our companies for this new technological competition that we're emerging into. All right. Well, Andrea Little Limbago, thanks for joining us. Thank you.
Starting point is 00:23:50 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable, Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:25:11 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
