CyberWire Daily - Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.

Episode Date: April 15, 2022

Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73

Selected reading.
Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News)
Live Updates: Russia Sets Stage for Battle to Control Ukraine’s East (New York Times)
Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg)
Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune)
What Victory Day means for Russian identity (Washington Post)
Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian)
Finland and Sweden pursue unlinked NATO membership (Defense News)
What Finland Can Offer NATO (Foreign Policy)
U.S. warns energy firms of a rapidly advancing hacking threat (E&E News)
Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer)
Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer)
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum)
US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future)
North Korea Designation Update (U.S. Department of the Treasury)
Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek)
Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half a billion stolen from Ronin went to the Lazarus Group. Betsy Carmelite from Booz Allen Hamilton shares insights on the cyber implications of the conflict in Ukraine.
Starting point is 00:02:17 Our guest is Ian McShane from Arctic Wolf. And indictments in a case of influence operations. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 15th, 2022. E&E News reports that it seems clearer that the ICS-focused tools, now generally attributed unofficially to Russia, were designed with the energy sector and particularly liquefied natural gas facilities as their targets. We've received a number of comments from industry on the discovery of the attack kit being called Incontroller by Mandiant or Pipedream by Dragos. The unusually large number of industrial control system advisories that CISA released yesterday
Starting point is 00:03:24 seems a partial response to this recently discovered threat. Bleeping Computer reports that the Conti gang has claimed responsibility for the ransomware attack on wind turbine manufacturer Nordex. Conti had long been the leading suspect in the incident. In related news, Istanbul-based security firm Infinitum IT says it's determined that the data extortion operation Karakurt is really just an arm of the Conti gang. They were able to track the activities of one gang member and that led them to other evidence that suggests the distinction between Conti and Karakurt is really a distinction without a difference. Karakurt's activities have been confined to the second half of double extortion.
Starting point is 00:04:11 They steal data. They don't encrypt it. Having attributed the $540 million theft from DeFi platform Ronin to North Korea's Lazarus Group, the U.S. Treasury Department has updated its North Korean entries on OFAC's list of sanctioned persons and organizations. The Record reports that blockchain researchers at PeckShield say the group has been laundering the rough Ethereum equivalent of $9 million every two or three days for the past several weeks, moving funds from the wallet where they held their take. Only about 7.5% of their take seems to have been laundered by the end of last week.
Starting point is 00:04:56 The Lazarus Group is thought to be using the cryptocurrency mixer Tornado Cash to move its funds. And finally, the U.S. has indicted three Russian nationals in connection with a long-running influence operation. A Russian legislator and two of his staffers face U.S. federal charges connected to sanctions evasion and illegal influence operations. The U.S. Department of Justice has unsealed an indictment filed with the U.S. District Court for the Southern District of New York that alleges three violations of federal law: one count of conspiring to have a U.S. citizen act as a Russian agent in the United States without notifying the Attorney General. One count of conspiring to violate and evade U.S. sanctions in violation of the International Emergency Economic Powers Act.
Starting point is 00:05:40 And one count of conspiring to commit visa fraud. The activities the trio are charged with have none of the high-spy drama one would associate with the recruitment of agents of influence. There's nothing particularly lurid in the Justice Department's account of what they are alleged to have done. They sought meetings with members of Congress, for example, offered free trips, all expenses paid, to receive an award. They wrote letters.
Starting point is 00:06:08 They sought to arrange meetings with the prime minister of Crimea, someone who in the official U.S. view doesn't really exist. The Congress members are said to have turned them down at all points. The influence operation is alleged to have run from 2012 through 2017.
Starting point is 00:06:25 None of the three gentlemen charged are in custody, but the indictment will limit their travels to countries without effective extradition treaties with the U.S. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:07:03 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
Starting point is 00:08:01 at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Arctic Wolf Networks recently published their 2022 State of Cybersecurity Report, tracking where security professionals and IT leaders rank themselves, their risk appetite, and their ability to mitigate cybersecurity risks.
Starting point is 00:08:52 Ian McShane is field CTO at Arctic Wolf Networks. So I think there's three things that are really interesting to me. I think firstly, the kind of confirmation that information security or cybersecurity is really financially driven. And that might seem like an obvious statement. But what I mean by that is that, you know, while defenders or operators or practitioners, they might be in it for the security, you know, to do some good or to disrupt adversaries. Really, what it comes down to for businesses and organizations is how they can balance that fiscal spend against the risk. You know, they don't want their wallets to hurt. And so what they really need to understand is how is the trade-off going to work from investing here or not investing here? What are the other things that drew your attention? Yeah, the second one
Starting point is 00:09:40 is around cloud security, right? And it's been no surprise for the last decade or so that cloud security adoption's on the up. But what was interesting in this survey is that only around 20% have serious security monitoring for the cloud. 28% of our respondents actually said it's their biggest concern. So that's a relatively small number of people
Starting point is 00:10:01 that think it's concerning and a relatively small number of organizations that are able to do something about it. But when we look at the kind of incidents that we investigate at Arctic Wolf, almost half of them include some kind of cloud asset touchpoint. So that was an interesting statistic there as well. What do you suppose is driving that disconnect? Is it a matter of not having resources to come at this? Or what do you suspect is going on? I think there's a number of issues. The biggest one is probably not fully understanding
Starting point is 00:10:31 the shared security responsibility model that a lot of cloud infrastructure certainly has. So it's no surprise over the last few years that a lot of breaches that involve cloud assets linked to misconfiguration or, you know, people leaving the default setting, the default security configuration in place, and then allowing that to be exploited. So I think if organizations are trying to abstract their infrastructure, they also have this kind of implicit trust in the provider, which isn't necessarily the right thing to have. Well, let's move on to the third thing then. You mentioned three. What was the third one that caught your eye? Well, the third one, and this has been a big topic for a couple of years now, is that staffing. When we see three quarters of organizations saying
Starting point is 00:11:13 they don't have enough people, that's no surprise. But it's something that's really impacting their ability to achieve their security objectives or to meet their security objectives. And so what's interesting is when you look through the responses that a lot of them are saying they don't, it's not only lacking the ability to bring people in, you know, it's lacking the ability to keep people in their organization already. You know, we're seeing this kind of musical chairs or great resignation, as it's been called, where some organizations are able to attract new people and not able to maintain the current level of staffing that they have. Do you have any sense for what could be done to turn that around? I mean, it strikes me that a lot of organizations expect folks to come in sort of fully baked and ready
Starting point is 00:11:56 to go and that there's a lack of internal training and real pathways for learning. Yeah, you've got it. Like Companies are really keen to hire people that they expect to hit the ground running, have an instant impact, rather than looking for people maybe with fewer years of experience who can learn on the job. I think the reality is that many of the most experienced people, the ones that would tick the, in air quotes, unicorn or rockstar kind of checkbox that a lot of organizations look for, they've realized that their skills can not only command a premium, but they're able to pick and choose their roles more than ever. So while some might relish the challenge of picking up and helping to modernize a struggling security practice, other experienced professionals might
Starting point is 00:12:40 want to get back to cutting edge security rather than spending months and years getting back to basics. So what are your recommendations then? I mean, based on the information that you've gathered here, what advice do you have for organizations looking to protect themselves? Yeah, I think it comes around to spending. I talked about the fiscal side of things and we've talked about the human side of things. But I guess the way I see it is that organizations we know are definitely spending more than ever on cybersecurity. But honestly, a lot of that spending is focused more on the tools than it is on the actual human operators.
Starting point is 00:13:14 And when infrastructure scope expands, things like cloud adoption and growth and remote working and globalization, so does the volume of the work that has to be done. Alert fatigue is talked about a lot, right? But that's not the only issue that's affecting staff. It's the inability to be able to do enough tactically and strategically to keep their security ship afloat. And I think a lot of frontline staff, practitioners and operators, are asking why more isn't being spent where it's needed, which is in the people. And I don't think that means an increase in spending. I often recommend that most organizations can actually benefit from an audit of what they already spend on toolings
Starting point is 00:13:51 and ask themselves, I guess, some pretty tough questions like, am I using this to the best of its ability? And what would happen if I stopped using this? Because when organizations can have 20, 30, 40 upwards security tools, there's usually significantly more value in having that honest audit and a project to calculate the benefit of having an additional human or two versus continuing to subscribe to or use semi-effective security tools. That's Ian McShane from Arctic Wolf Networks.
Starting point is 00:14:23 There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton and federal attack surface reduction lead. Betsy, it's always great to have you back on the show. I want to touch base with you on the situation in Ukraine, the Russian invasion, and your take on what you and your colleagues are tracking when it comes to the situation as it affects cybersecurity. Sure, Dave, and thanks. It's great to be back. We all know that last week,
Starting point is 00:16:04 President Biden made the statement that Russia may be exploring options for potential cyber attacks against the U.S. surrounding the situation with the hostilities in Ukraine. Then we saw in response the Kremlin spokesperson Peskov telling reporters that the Russian Federation doesn't engage in banditry, outright rejecting the warning. And then, in addition, we saw CISA gather critical infrastructure partners in a public meeting asking them to respond to the Shields' up call for guarding themselves against potential cyber attacks. So with all that in mind, what we are doing is looking at what is happening around potential cyber attacks from Russia through a logical framework to Russian military cyber operations. And as a firm, we've done quite a bit of research in this area and released a report recently about uncovering the logic behind Russian military cyber operations.
Starting point is 00:17:02 Well, can you take us through that? What does that framework look like? Sure. So we're looking at the methods and philosophy behind Russian military cyber operations, which align historically to Russia's cyber operations timing, target selection, tactical characteristics with Russian military doctrine. Considering that framework, Russia may engage its cyber capabilities to respond really to its evolving strategic military initiatives. Russia's military is a leading user of offensive cyber weapons that deny, degrade, disrupt, destroy. And really, we see that Russia uses these operations quite logically to respond
Starting point is 00:17:47 to specific declared circumstances that impact their national security in ways consistent with that published doctrine. You know, I think a lot of folks have been left scratching their heads that we haven't seen more from Russia when it comes to offensive cyber in this particular campaign. Do you have any insights on that? Yeah, I think that is really the big question. When are we going to see cyber in all of this? When are we going to see that big, not Petya-like attack again? And in looking at the situation, what we really feel is that there's a lot of fog of war around this situation cyber-wise. There are lots of actors. There are lots of operations. We see volunteer cyber actors. Really, who is doing what? So it's really difficult right now
Starting point is 00:18:42 to say comprehensively what is happening. which is the main intelligence directorate in the Russian military, GRU attributed cyber activity and the GRU's mission to monitor, neutralize, and counter certain publicly enumerated circumstances. So if we're seeing something, if Russia's seeing something that endangers its military security, the GRU executes its mission using methods consistent with declared strategic concepts. We also recently saw the Washington Post come out with a report saying that the attack on Ukrainian satellites was probably attributed to the GRU. So we're seeing that action and reaction as a direct threat to Russian national security interests. So is it fair to say that, you know, because just because we haven't seen much activity on
Starting point is 00:19:51 this front so far that we should not have our defenses down, that it may be yet to come? That's right. That's right. One of the ways to protect yourself around this type of situation is really understanding the context in which this threat operates and what are really some of the historical actions it's taken. And how would attack against your organization advance your adversary's interests, advance possibly Russia's interests, with security strategies tailored to that understanding? So we look at that through a threat-centric risk management process, first creating an organizational profile, understanding your locations, partners, customers, information you possess, and so forth. And then you consider your potential adversaries. Once you've established some of those parameters, I would say two of the best things you can do for your risk management strategies and activities are using threat intelligence and looking at implementing internal and external threat hunts focused on expected adversaries. All right. Well, stay vigilant for sure. Betsy Carmelite, thanks for joining us.
Starting point is 00:21:20 Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:57 Be sure to check out this weekend's Research Saturday and my conversation with Symantec's Alan Neville. We're going to be discussing Antlion, the Chinese state-backed hackers using custom-backed doors to target financial institutions in Taiwan. That's Research Saturday. Check it out.
Starting point is 00:22:14 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:22:43 Thanks for listening. We'll see you back here next week. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
