CyberWire Daily - Impersonation campaign targets China’s Uyghur minority. US DHS issues pipeline cybersecurity requirements. Recovering from ransomware. Notes on privateering.
Episode Date: May 27, 2021
Chinese-speaking operators are reported to be phishing to compromise devices belonging to Uyghurs. The US Department of Homeland Security issues pipeline cybersecurity regulations. Security companies take various approaches to offering decryptors against ransomware. Huawei would like to chat with President Biden. Rick Howard speaks with authors Peter Singer and Emerson Brooking on their book "LikeWar - The Weaponization of Social Media". Our guest is Darren Shou of NortonLifeLock on the findings of the 6th annual Norton Cyber Safety Insights Report. And a few notes on privateers, then and now, whether on High Barbaree or the dark net. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/102
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Chinese-speaking operators are reported to be phishing to compromise devices belonging to Uyghurs.
The U.S. Department of Homeland Security issues pipeline cybersecurity regulations.
Security companies take various approaches to offering decryptors against ransomware.
Huawei would like to chat with President Biden.
Rick Howard speaks with authors Peter Singer and Emerson Brooking on their book, Like War, The Weaponization of Social Media.
Our guest is Darren Shou of Norton LifeLock on the findings of the sixth annual Norton Cyber Safety Insights Report.
And a few notes on privateers then and now, whether on the High Barbaree or the dark net.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, May 27th, 2021.
Researchers at security firms Check Point and Kaspersky report another campaign targeting China's Uyghur minority with messages and sites that impersonate UN and human rights groups.
Quote, attackers use fake United Nations documents and human rights websites to spread malware that has the ability to exfiltrate information and take control of victims' PCs, the report says, adding that the threat actor baited its attack in two ways.
They created documents that appear to be from the UN, using real UN information to ensure these looked authentic.
The organization principally impersonated was the Office of the High Commissioner for Human Rights.
They also set up websites for non-existent organizations claiming to fund charity groups.
Prominent among the NGOs impersonated was the Turkic Culture and Heritage Foundation; the Uyghurs are a Turkic people.
The campaign appears to have been highly targeted, prospecting a relatively small number of individuals, both Uyghurs living in China and some members of the Uyghur diaspora, mostly resident in Pakistan.
The report is reticent about its code-based attribution, saying, although the researchers were unable to find code or infrastructure similarities to a known threat group, they attribute this activity with low to medium confidence to a Chinese-speaking threat actor.
When examining the malicious macros in the delivery document,
the research team noticed that some excerpts of the code were identical to VBA code
that might have appeared in multiple Chinese forums and might have been copied from there directly.
That said, the target list is suggestive.
It's difficult to come up with a Chinese-speaking threat actor
interested in compromising Uyghur targets
who wouldn't be working on behalf of the Chinese security services,
but that, of course, is merely circumstantial.
That, however, is basically the way MIT Technology Review reads the evidence.
As expected, the U.S. Department of Homeland Security this morning released its cybersecurity requirements for pipelines.
The Transportation Security Administration directive requires pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and to designate a cybersecurity coordinator to be available 24 hours a day, seven days a week.
It will also require critical pipeline owners and operators to review their current practices as well as to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
Those requirements have been imposed, obviously, as part of a response to the DarkSide ransomware attack
that disrupted Colonial Pipeline's operations earlier this month.
While control systems were not apparently directly affected by the attack,
Colonial's ability to track what it was delivering through its lines was affected.
Some sources have represented Colonial's decision to halt operations as a coarsely commercial one.
They couldn't bill for the product, so they stopped delivering it.
But this seems misleading.
Not being able to determine what's moving through your system with high confidence
isn't just a business issue, but probably a safety problem as well.
The Wall Street Journal reports that Colonial last year passed up a TSA security audit of its systems; instead of the in-person audit, TSA proposed a virtual inspection.
TSA said that this happened with several other pipeline operators as well, who were, with the pandemic at its height, limiting their employees' exposure to in-person interactions.
As these restrictions eased, operators began rescheduling TSA inspections.
Colonial was doing so as the DarkSide attack hit them.
Fast Company thinks organizations should expect more ransomware attacks in the future.
The crime in its present form has grown too lucrative,
and the tools have now become too commoditized to expect any abatement.
The security firm Bitdefender has replied to critics and made its case for releasing ransomware decryptors publicly,
as opposed to providing them quietly only to affected organizations.
The company argues that because many victims are small
and lack dedicated security teams,
and because many organizations don't disclose the attacks they suffer,
the benefits of a general release of a decryptor outweigh the risks
that the criminals will use the decryptor to improve their attack code.
Emsisoft, well known for providing decryptors,
is an example of a security company that takes the other, more targeted approach to decryption.
It's offered to help Waikato DHB recover from the ransomware attack the New Zealand health care agency has sustained.
Emsisoft gives itself even odds of being able to deliver a decryptor, Stuff reports.
Good hunting to both Bitdefender and Emsisoft.
Nikkei Asia has published an open letter from Huawei to U.S. President Biden in which Huawei urges the two parties to talk.
Maybe sovereign-to-sovereign talks, although the letter doesn't put it exactly like that.
And finally, signs of connections between criminal groups like DarkSide and the Russian government's organs have led, as we saw yesterday, to Cisco's Talos Group's introduction of a new threat category to its taxonomy, privateers.
Their discussion of cyber-privateering has attracted considerable interest, and it's worth a few brief words about what actually makes a privateer.
Privateering was outlawed by international convention in the late 19th century, but it had until then been a recognized form of lawful warfare.
Privateers were not pirates.
They were mariners who received from their government a letter of marque and reprisal that authorized them to take as prizes the merchant ships of their government's enemies.
Thus, privateers were legal combatants. Think of them as naval auxiliaries.
The prizes they took were subject to adjudication in admiralty courts, and if they were found to have overstepped the terms of their letter of marque, they could be required to make restitution to the injured ship owners or the merchants whose cargo they'd seized.
So, privateers operated under explicit government authorization and within generally recognized limits.
This isn't really what's going on with DarkSide and others like them.
The category is a useful contribution to the threat taxonomy, and Talos is very probably right to see DarkSide as acting in the interest of and with some form of authorization from the Russian government.
But the resemblance to classic privateering stops there.
Extorting hospitals and critical infrastructure operators has no coloration of legality, which is no doubt one reason why Moscow has sought to maintain deniability.
Cyber-privateering is closer in some ways to the state-sponsored terrorism of the Cold War than it is to anything John Paul Jones, to mention one famous Russian admiral, would have recognized as a letter of marque.
In any case, if you're a skid working from a tacky walk-up in Chelyabinsk, buddy, then Robert Surcouf you ain't. And Captain Barrett probably wouldn't even have considered giving you a berth on the Antelope.
And Krasnodar ain't Halifax neither.
No four-pounder for you, sir.
The Cyber Wire's Rick Howard joins us once again with another entry in his series of interviews
with cybersecurity authors who've had their books inducted into the prestigious Cybersecurity Canon.
Here's Rick.
It's Cybersecurity Canon Hall of Fame week here at the Cyber Wire,
and I'm interviewing all the winning authors for this year.
Today's interview is with Peter Singer and Emerson Brooking,
the authors of Like War, the Weaponization of Social Media.
And I started out by asking Emerson
why they both felt compelled to write this book.
Because we saw something coming down the pipeline.
We had our first conversation about what would become Like War
in the summer of 2013, back when everyone
in DC was talking about a terrorist group called Al-Shabaab out of Kenya. And they were particularly
famous for using Twitter and using it very effectively. But even then we saw that it wasn't
just going to be Shabaab. It wasn't just going to be limited to Africa. There are going to be other terrorist groups that are going to use this tool. And that maybe over time,
there will be more national militaries who'd be using this as an instrument of warfare as well.
But when we had these initial framing conversations, I don't think we even
anticipated that it would be the Russians. It would be these clandestine information campaigns targeting the
United States, that there'd be a rise of, you know, white extremism and white nationalism also
fomented by social media, and that as soon it would consume our politics to the extent that it has.
Military influence operations have been around since the world was young, but so have media influence operations.
In the book, the authors
cite the Spanish-American War, where the St. Paul Globe newspaper changed its motto in 1894 to
live news, latest news, reliable news, but no fake war news. So, it's not that this is a new phenomenon.
I asked Peter to explain why it seems so overwhelming today. It's all been put on steroids. It's been driven viral
when it's pushed through social media. When people were talking about social media,
it was this assumption that it was going to aid the forces of democracy. It was only going to be
for the good. And of course, what we found very early on was that it was a weapon and it was a
weapon that was being used by terrorist groups, criminal groups, Russian information warriors.
But to use that example of the Russians, it was taking the kind of operations that they had done back in the Cold War, but making them move faster and with orders of magnitude greater effect than they'd ever had before.
Campaigns that in the past were taking them years to influence a couple thousand people, it was taking them seconds to reach millions of
people. The very same thing was playing out in celebrity, but the larger effect that we saw
was a little bit of a riff off of the field of cybersecurity. We had become consumed with the
idea of someone trying to hack the network,
and yet what we were seeing was, in some cases, even greater effect from people hacking the people
on the network by driving ideas viral. The book is called Like War, the Weaponization of Social
Media. Peter, Emerson, and I had a long-ranging discussion that covered way more details about
the book, including homophily and why the U.S. is particularly vulnerable to these kinds of information operations.
Did the Russians effectively change the outcome of the 2016 presidential election?
And the things that governments, commercial organizations, and individuals can do to build up a resistance to future attacks.
You can hear that longer interview in my CSO Perspectives podcast
exclusively on the Cyber Wire Pro subscription service.
And congratulations to Peter Singer and Emerson Brooking
for their induction into the Cybersecurity Canon Hall of Fame.
The folks at Norton LifeLock recently released their sixth annual Norton Cyber Safety Insights Report, looking at cybercrime and identity theft. Darren Shou is CTO at Norton LifeLock, and he joins us with highlights from the report.
This is our sixth annual report, and we do it for
two purposes. One is you really want to get an understanding of how consumers are feeling about
cyber safety and privacy needs and concerns because the cyber security landscape
is always changing and evolving, right? This year is a particularly interesting year given of all
the changes that happened with COVID-19 and the transformation acceleration of digital lives.
And then we can take this work that comes out of the Cyber Safety Insights Report and then also combine it with what
our protection labs is seeing in our telemetry from our threat telemetry databases. Well, let's
dig into that together. I mean, as you mentioned, I think it's fair to say, and I think all of us
understand that this past year was a bit atypical, but one of the results of that is that people spent a lot
more time online. In fact, in our cyber safety report, most people, I think it was a little bit
over 65%, said they spent more time online than ever before. And of course, this makes perfect
sense. I'm a father working from home for the last year myself. My daughter immediately went to an online learning environment,
and it felt like it was overnight.
And so how did that reflect in the findings for this year's report?
What sort of things are you tracking?
Yeah, so you're right.
You have a number of people experiencing cybercrime
and also just experiencing identity theft.
So what we saw was there were about 330 million cybercrime victims over the past 12 months that the survey covered and about 55 million identity victims.
To put that in perspective, you think about that being in the United States, two of five people experienced cybercrime as more and more people went online this year. I mean, that's a huge amount of folks
experiencing kind of a double whammy, right? You've got the physical virus taking over the world and
impacting us in unimaginable ways. And then we also have kind of the impacts of cybercrime, right?
Whether it be from malware or phishing or fraud, right?
Yeah, I was going to ask you to kind of spell out,
I mean, what are the spectrum of things that people are experiencing here?
What falls into the category of cybercrime as you all tracked it?
Right. So, I mean, this covers quite a bit from malicious software to disruptions from the network
access. Maybe it is even as you're working from home, having your personal Wi-Fi network attacked
or unauthorized access on a smart device that maybe had a web camera or takeover of a social media
account or a gaming account as people went online. You know, one thing that was really personal for
me was seeing that, you know, having my child being online, but also having her experience a
little bit of bullying as she was engaging in chat rooms, which was a brand new experience for her
to go online,
see her teacher, see her colleagues, and even do kind of what I would call, I guess, a cyber play
date, and yet experience and maybe some unwanted, you know, interactions as people are getting used
to this entire new way of living.
That's Darren Shou from Norton LifeLock.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland
at the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.