CyberWire Daily - Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.
Episode Date: February 25, 2022

Russia's full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defense in cyberspace, as the civilized world imposed sanctions on Russia. Iran's MuddyWater threat actor is back, with renewed cyberespionage. Good-bye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp (Logicworks) & "Rock" Lambros (RockCyber) on "The CISO Evolution". And some notes on the fog of war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/38
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
Russia's full-scale invasion meets regular and irregular Ukrainian resistance,
public uses of intelligence products,
hybrid aggression and hybrid defenses in cyberspace
as sanctions are imposed on Russia.
Iran's MuddyWater threat actor is back with renewed cyber espionage.
Goodbye to TrickBot.
Carole Theriault wraps up her look at mobile device security.
Rick Howard checks in with Matthew Sharp from LogicWorks and Rock Lambros from RockCyber on the CISO evolution.
And some notes on the fog of war. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 25th, 2022.
There are confirmed Russian attacks in progress in some 20 Ukrainian cities, with Russian forces moving in from the Russian east, the Belarusian north, and the Black Sea south.
Fighting is reported in and around the capital Kiev,
as Russia seeks the replacement of the Ukrainian government.
Kiev appears to be a decapitation objective.
Ukrainian regular forces are resisting Russian heavy forces, that is mechanized forces equipped with tanks and
other armored vehicles, and there are reports of irregular resistance as well, which the Ukrainian
government has encouraged. Some of the Russian forces engaged in the invasion have staged through and attacked from Belarusian territory.
There are no credible reports of Belarusian troops proper involved in the invasion,
but they're apparently available should their participation become necessary or desirable.
Belarusian President Lukashenko said yesterday that they would fight if Russia needed them.
Russian Foreign Minister Lavrov has offered
to negotiate with Ukraine, the New York Times reports. All Ukraine needs to do is stop resisting
the Russian special military operation, so the price of negotiation is surrender.
Both the U.S. and the U.K. have been unusually forthcoming about the intelligence they've
developed concerning Russian capabilities and intentions over the past two months. The New York Times thinks it enabled greater transatlantic solidarity and more effective coordination of policy and sanctions.
Quartz argues that Russian disinformation was noticeably less effective than it might otherwise have been,
given quick American debunking and even more so predictive pre-bunking.
The Russian invasion of Ukraine was preceded by a distributed denial-of-service attack that included the wiper malware HermeticWiper.
Russia has itself begun to experience some retaliatory DDoS attacks,
The Record reports, whose responsible party is unknown, but neither hacktivism nor state-directed action
can be ruled out. The Record says, quote, the perpetrators of these attacks remain unknown,
but the sudden and senseless breakout of the Russo-Ukrainian armed conflict this week
has also drawn a lot of sympathy on
the side of the Ukrainians, including from the Anonymous hacktivist group, which called on its
members to attack Russian government targets, end quote. Computing notes that someone, probably in
the Guardian's estimation, the Ukrainian government, has invited hacktivists to take action against
Russia, and the Daily Mail is running a screamer that credits the Anonymous hacktivist collective with declaring war on Mr. Putin
and with taking down the media outlet RT. Governments generally sympathetic to Ukraine
have raised their own level of alert for Russian cyber attack. The U.S. Cybersecurity and Infrastructure Security Agency
continues to update its Shields Up advisory, posting more recently, quote, Russia's unprovoked
attack on Ukraine, which has been accompanied by cyber attacks on Ukrainian government and
critical infrastructure organizations, may have consequences for our own nation's critical
infrastructure, a potential we've been warning about for months.
End quote.
This is not based on specific indicators or warnings, but rather presents a prudential judgment.
Quote, while there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia's destabilizing actions to impact organizations
both within and beyond the region,
particularly in the wake of sanctions imposed by the United States and our allies.
Every organization, large and small, must be prepared to respond to disruptive cyber activity.
End quote.
NBC News reported yesterday that President Biden had been presented with options for cyber operations against Russian infrastructure.
Quote, two intelligence officials, one Western intelligence official and another person briefed
on the matter say no final decisions have been made, but they say U.S. intelligence and military
cyber warriors are proposing the use of American cyber weapons on a scale never before contemplated.
Among the options, disrupting internet connectivity
across Russia, shutting off electric power, and tampering with railroad switches to hamper
Russia's ability to resupply its forces, three of the sources said, end quote.
But White House Press Secretary Jen Psaki was quick with a denial. There's nothing to the story,
she tweeted, quote, this report on cyber options being
presented to POTUS is off base and does not reflect what is actually being discussed in any shape or
form. The EU is today working out the sanctions it will apply to Russia as a partial response to
that country's aggression in Ukraine, Reuters reports. The Kyiv Independent tweeted that the Council of Europe has suspended
Russia's right of representation. British Prime Minister Johnson yesterday announced new sanctions
against Russia. These include, the Telegraph reports, asset freezes on all major Russian banks,
legislation to prohibit Russian companies from raising finance on UK markets, sanctions against more than 100 individuals,
entities and their subsidiaries, trade and export bans on a wide range of tech equipment,
an imminent ban on the Russian airline Aeroflot, and an intention to shut off Russia's access to
the SWIFT payment system. That last is an intention. Russia, for now, at least, retains access to SWIFT.
The additional sanctions the U.S. announced yesterday continued Washington's policy of gradual incrementalism.
None of them are regarded as a knockout blow against the Russian economy, but they will impose certain costs on Moscow,
and Washington notes with satisfaction that allies, including the European Union,
Australia, Japan, Canada, New Zealand, and the United Kingdom, are taking coordinated parallel measures. A White House fact sheet enumerating the new sanctions emphasizes their
effect on Russia's banks and on its ability to import crucial technology. It also singled out
a number of Russian big shots
who've been placed under full blocking sanctions.
The White House explained that, quote,
this action includes individuals
who have enriched themselves
at the expense of the Russian state
and have elevated their family members
into some of the highest positions of power in the country.
It also includes financial figures
who sit atop Russia's largest financial institutions
and are responsible for providing the resources necessary to support Putin's invasion of Ukraine.
This action follows up on yesterday's action targeting Russian elites and their family members
and cuts them off from the U.S. financial system,
freezes any assets they hold in the United States and blocks their travel to the United States.
End quote.
It's noteworthy that sanctions are being leveled against Belarus as well as Russia.
As the White House put it, quote,
costs on Belarus for supporting a further invasion of Ukraine by sanctioning 24 Belarusian individuals and entities,
including targeting Belarus's military and financial capabilities by sanctioning two significant Belarusian state-owned banks, nine defense
firms, and seven regime-connected officials and elites. We call on Belarus to withdraw its support
for Russian aggression in Ukraine. End quote. The measures stopped short of cutting off Russia's access to
the SWIFT international bank transfer system,
a move many observers thought would be among the more punitive measures that might be taken.
White House sources indicated that Russian access to SWIFT was permitted to continue at the request of U.S. allies.
U.S. Senator Bob Menendez, Democrat of New Jersey and chair of the Senate Foreign Relations Committee,
approved of the steps taken so far, but took care to point out that removing Russian banks from the SWIFT payment
system should be on the agenda for further rounds of sanctions. Ukraine, understandably, would like
to see the U.S. and its NATO allies doing much more. President Zelensky said yesterday, quote,
This morning we are defending our state alone.
Like yesterday, the world's most powerful forces are watching from afar.
Did yesterday's sanctions convince Russia?
We hear in our sky and see on our earth that this was not enough.
End quote.
While Russia's brutal indiscriminate hybrid war against Ukraine dominates the news,
other state actors haven't been idle in cyberspace.
A joint British-American alert calls out Iran's MuddyWater threat group for renewed cyber espionage, according to CyberScoop.
CISA says, quote,
MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran's Ministry of Intelligence and Security,
targeting a range of government and private sector organizations across sectors, including telecommunications,
defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.
As is customary with state threat actors, MuddyWater's name is Legion. It's also known as Earth Vetala, Mercury, Static Kitten,
Seedworm, and TEMP.Zagros. The Record reports that TrickBot does indeed seem to have been retired.
It's been inactive for months, and its gang leaders have said they're calling it quits.
Such announcements should be treated with due skepticism, and they're not evidence that the hoods have reformed,
just maybe moved on to other fields of criminal endeavor.
We may have heard the last of TrickBot,
but we will probably hear from its masters again all too soon enough.
The U.S. Departments of Commerce and Homeland Security
have issued an assessment of the critical supply chains
supporting the U.S.
information and communications technology industry. It's the result of a year-long,
presidentially-directed study of the security of those supply chains. Its recommendations include
strengthening the U.S. manufacturing base and introducing greater security and transparency
into the industry's supply chains. Not all of the findings and
recommendations are immediately related to cybersecurity, but most of them are. The
cyber-specific risks addressed include theft of intellectual property and the outsourcing
of firmware development to untrustworthy, often overseas, third parties.
And finally, there will continue to be a lot of news about the hybrid war Russia is
waging against Ukraine. It's good to bear in mind that reports about combat are inevitably tentative,
and the more immediate and specific they are, the more tentatively they should be taken.
All specific reports of damage and casualties should in particular be treated with a degree of respectful skepticism.
MIT Technology Review offers some useful advice about the ways in which
mis- and disinformation easily spreads in wartime.
Old video and images circulate in social media and the mainstream press,
where they're represented as current imagery.
Some of this is a simple matter of error born of inexperience,
some of it is more or less sincerely driven by partisan desire and expectation,
and some of it is deliberate disinformation.
There are also often problems with mistranslations of reports,
especially between unrelated or more remotely related languages.
But there's another reason to treat claims with caution.
It's very difficult in ground operations for anyone,
including commanders and their staffs on the scene,
to know the detailed effects of combat with clarity and precision.
Anyone who's been involved in military training exercises
will have experienced this difficulty firsthand,
and combat intensifies it.
So it's wise to treat the reports from serious media
as representing more or less sound approximations,
and follow the news with that in mind.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you
get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
I'm joined by Matthew Sharp. He's the LogicWorks CISO, and Rock Lambros, the CEO of RockCyber. Guys,
welcome to the show.
Thanks, Rick. Good morning.
Rick, thanks for having us.
We're talking to you
because you just published a book called The CISO Evolution, Business Knowledge for Cybersecurity
Executives. So congratulations. I know how hard that is. Matthew, let's start with you. What's
the thesis of the book? Is there a three-line message that you're trying to convey here?
The message is primarily you need business acumen to thrive, to have a seat at the table.
And we comprise business acumen of three pillars.
We talk about foundational business knowledge, communication, and education, and leadership.
I'm so glad you did this book because just looking through it, the explanation
of just the financial statement for an organization, I wish I would have had that when I was much
younger. I had to learn all that through osmosis and crawling into the CFOs office and say, can you
please explain this to me? So thank you for explaining that to the masses. I really appreciate
that. So Rock, let me bring you into this. Why publish this book now? Has something significantly
changed in the CISO evolution that we all need to take a look at? Or is this a missing piece
that CISOs need to have under their belt?
Yeah, I don't think anything's changed,
which is the problem, right? So, it is the missing piece that I think CISOs need to have
under their belt. Cybersecurity, we can't treat it like black magic anymore. We got
away with that for too long. Like saying, just give us money and we're going to do things over
here. Guilty. I've done that in my career and I feel bad about it now because it's definitely not
the right way to do it. CISOs are more and more being asked into the executive suite. And also,
on the flip side, CISOs are more and more complaining that they're not getting a seat at the table at the executive suite.
So what's that gap?
What's that missing divide?
And Matt and I believe it is that foundational business knowledge.
For those listeners to my own podcast, CSO Perspectives, over on the CyberWire Pro side, they know that I've been focusing on cybersecurity first principles.
So, Matthew, you know you hooked me when I discovered that your very first chapter is on first principles. So,
tell me what your take is on CISO first principles and how I can add that to my
philosophy going forward?
Yeah, well, first of all, I think the work that you've done
in blowing up the entire concept of what we've been doing for the last 20 or 30 years,
starting anew from first principles is great.
I feel like one of the foundational, one of the very early things that should be in the list is business acumen.
And so early on in our book, we help articulate, and we give some really neat case study examples of, dissecting a business model, reading a financial statement, creating influence maps, creating a business case,
and articulating value. Without those things, I really feel like you're going to struggle and
fight an uphill battle. We have the opportunity to learn from generations past that the black art
approach doesn't work. And we see this heavy demand in the boardroom today that they want
better, more articulate information that directly ties
cyber programs to business outcomes.
So your point to me about first principles is if you
don't understand the business, it doesn't matter if you have a grand strategy for zero trust or
intrusion kill chain prevention or resilience. It doesn't matter because you can't communicate
on the same level as business leaders. It's awesome to have this strategy, but where are you going to apply it? And how do you know when you should apply what?
I mean, and then further, I mean, some companies are lucky enough to have executive teams that
recognize the value or the need for cyber, but not all businesses have even come to the
conclusion that cybersecurity is an absolute requirement. Rock, you being a CEO of your own company,
you have an interesting view of the CISO world
that most other CISOs like me don't get on a daily basis.
And the book definitely slants more towards the business side of the CISO job
than, say, InfoSec strategies that Matthew and I were just talking about.
So is this book your message to security leaders
about how to get things done in the business world?
Absolutely.
It is really more of a business book aligned to cybersecurity than the other way around. Being on the consulting side for the last several years, as I walk into clients, I'm seeing
these gaps in these symptoms where my clients, CISOs or head of security programs, they're burned
out. Their programs are underfunded. They are not aligned to the organizational strategy.
They don't understand what the disconnect is,
why they can't get their message across.
And these are all symptomatic, in our opinion,
of not bridging that gap between operating cybersecurity in a vacuum,
where technical controls
rule the day and business outcomes.
So the book is called The CISO Evolution,
Business Knowledge for Cybersecurity Executives.
Matt, Rock, thanks for coming on the show.
There's a lot more to this conversation.
If you want to hear the full interview,
head on over to CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Carole Theriault continues her look at the security of mobile devices.
From the CyberWire UK desk, she files this report.
So I recently had a tete-a-tete with you about mobile security tune-ups because we are all super addicted to our smartphones.
And we talked about deleting legacy apps from our devices. I have a few more things for you
guys to consider, all in the hope of making your phone a little bit more secure. Okay, first let's
get the obvious out of the way. Let's talk passwords.
Password cracking is a real thing. And it's one of the key routes to breaking into accounts.
Now, most of us know that, but how many of you are reusing passwords across accounts?
Every app is created by people, and people make mistakes. So let's say a mistake exposes your account details, perhaps even gets them
into the hands of a ne'er-do-well. If your email or your username and password are the same for
several accounts, how hard is it for somebody to hit up the most popular 50 apps with your stolen
username and password just to see if they can get access? And this is why it is vital to avoid reusing passwords.
And in my view, the best practice is to use a password manager, a reputable one.
They will guide you to create unique, hard-to-crack passwords
and will make sure that all your accounts have unique authentication practices.
Okay, now let's talk a little bit about privacy settings.
So let's imagine that you've cleared out the apps you don't use regularly, and you've addressed any
poor password practices that you may have been employing on your phone. The last thing I want
to talk to you about is privacy settings. And the big ones as far as I'm concerned are location
services. So of course you have apps that legitimately
need to know where you are, like a GPS or SatNav app. But many apps have this turned on for no
justifiable reason. Take control, take a look and turn it off if you don't want them to track your
location. Same goes for the microphone. Your audio is needed by some apps, like if you want to make a phone call, but
many have it turned on by default. Again, make sure the apps that have access to your microphone
have a legit reason. You could also include photos, calendars, cameras, reminders, notes.
All these apps could be sharing information, so take a peek at the privacy settings on your phone
to make sure you are
tickety-boo with all the settings. I mean, listen, you spend hours and hours and hours every single
day on these darn things. It's worth taking a few minutes just to tweak and do a cyber security tune
up. And you know, if doing this on your own kind of daunts you, it's time to reach out to one of your techies in your life.
Buy or bake them a cake, make them a latte, whatever,
in exchange for a little smartphone security tune-up.
That's what I would call a win-win.
This was Carole Theriault for The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Dick O'Brien from Symantec's
Threat Hunter team. We're discussing Noberus, a technical analysis that shows the sophistication of
new Rust-based ransomware. That's Research Saturday. Do check it out. The CyberWire podcast
is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.