CyberWire Daily - Japan calls out China for cyberespionage. Colonial Pipeline restores service. Wither the DarkSide? Conti hits Irish health organizations, and Avaddon strikes AXA.
Episode Date: May 17, 2021
Japan calls out China for cyberespionage. Colonial Pipeline restores service, as organizations look to their own vulnerability to ransomware. The DarkSide gang may have said it's going out of business, but it's at least as likely, probably likelier, that they're either rebranding or absconding. Two other gangs are in business: Conti is hitting Irish health organizations, and Avaddon says it compromised insurer AXA. Rick Howard looks at new responsibilities for CISOs. Our guest is Samantha Madrid of Juniper Networks on establishing automation and security integrations seamlessly. And a spy gets fifteen years in a US prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/94
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Japan calls out China for cyber espionage.
Colonial Pipeline restores service as organizations look
to their own vulnerability to ransomware. The DarkSide gang may have said it's going out of
business, but it's likely that they're either rebranding or absconding. Two other gangs are
in business. Conti is hitting Irish health organizations, and Avaddon says it compromised
insurer AXA. Rick Howard looks at new responsibilities for CISOs. Our guest is
Samantha Madrid of Juniper Networks on establishing automation and security
integrations seamlessly. And a spy gets 15 years in a U.S. prison.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 17, 2021.
Japan has publicly identified the Chinese government as responsible for recent cyber attacks, Nikkei Asia reports.
It's an unusual move for Japan, which has normally been circumspect in its attributions of hostile activity in cyberspace.
Japanese police chief Mitsuhiro Matsumoto officially identified China as responsible for an attack for which the Tokyo Metropolitan Police Department filed a case on April 20th.
According to Yahoo News, the suspect is a Exploration Agency, and some 200 other Japanese
companies and research institutions in 2016 and 2017. Zee News reports that the suspect has now
fled Japan. Japanese police were specific in their attribution, quote, it's highly likely that the
PLA's Unit 61419, a strategic support unit operating from
the Chinese city of Qingdao in Shandong province, was involved in the cyber espionage, end quote.
China's government has dismissed the attribution with indignation, quote, China is firmly opposed
to any country or institution using allegations of cyber attacks to throw mud at
China, a foreign ministry representative said. The reliably Beijing-aligned Global Times asks
if Japan is about to, quote, fumble policy to behave like Australia in confronting China,
end quote, which suggests that both Tokyo and Canberra are on to something.
Colonial Pipeline tweeted Saturday that its service had returned to normal.
The company's decision to pay the extortionists' ransom has drawn generally adverse comment,
ironic given that paying $5 million to DarkSide, the gang responsible,
apparently didn't aid the recovery, which Colonial Pipeline had to do in the end from its own resources.
Some, like the U.S. National Security Council's Ann Neuberger, expressed some sympathy for organizations caught in a tough spot.
CNBC quoted her as saying, quote, We recognize that victims of cyber attacks often face a very difficult situation, and they often have to just balance the cost-benefit when they have no choice with regards to paying a ransom. This is not by any means an endorsement of giving in to extortionists;
she pointed to the FBI's unambiguous advice against paying ransom.
And overall, the consensus is with CISA, whose advice is summarized by Signal,
paying the ransom isn't a good practice. Wired offers a long summary of the ways in which
payment perpetuates a vicious cycle and fuels a bandit economy.
The consensus is also that ransomware attacks against critical infrastructure are likely to be attempted again.
An op-ed published by the Australian Broadcasting Corporation frames the incident as a warning that there's worse to come unless the major cyber powers can arrive at some international norms that would produce an effective arrangement in cyberspace. The New York Times, in a piece that accepts DarkSide's self-presentation as a group of apolitical criminals, argues that the incident should
be assessed in terms of the vulnerabilities it exposed. The DarkSide ransomware gang,
which has said that it lost control of both servers
and at least some of the money it had extorted from victims,
said late last week it was closing down, going out of business.
The Wall Street Journal has an update on this particular going-out-of-business announcement,
and they note that cybercriminal gangs have been known to announce their ride into the sunset,
only to reappear again after a decent interval, usually under a new name.
So it could be, as SecurityWeek puts it, that the DarkSide operators are running scared.
It's also possible, as FireEye tweeted,
that the hoods are simply taking advantage of an opportunity to abscond
with their criminal affiliates' money in an exit scam.
That's happened before, too,
but it's a bit too early to tell exactly what's going on with them.
It would be naive to think that the people behind the scam
have retired, gone straight, or moved on to another criminal line.
DarkSide isn't the only ransomware gang to make news.
Ireland's Health Service Executive has come
under a ransomware attack that's interfered with scheduling care and that may, the Wall Street
Journal reports, end up costing the public health care organization tens of millions of euros to
remediate. The Irish Times says the country's Department of Health has also come under attack,
probably by the same gang. Sources in the Irish government
indicate that the victims do not intend to pay the ransom. Bleeping Computer identifies Conti
as responsible. Conti's technique is usually to breach a network and move laterally until it
obtains domain admin credentials. At that point, the operators use reflective DLL injection to deploy fileless ransomware payloads.
Conti is described as a private ransomware-as-a-service operation.
It recruits hoods to deploy its malware in exchange for a share of any ransom the victims might be induced to pay.
The government of Ireland said in an official statement issued by the Department of Environment, Climate and Communications, quote, the HSE became aware of a significant ransomware attack on some of its
systems overnight. The National Cyber Security Centre was informed of the issue and immediately
activated its crisis response plan, end quote.
Insurer AXA last week took a strong line about ransomware payments, saying that it would no longer cover them.
Over the weekend, the underwriters' business units in Thailand, Malaysia, Hong Kong, and the Philippines were themselves hit by ransomware.
Bleeping Computer reports that the Avaddon gang has claimed responsibility and says they've taken some 3 terabytes of sensitive data from the company's networks.
Coincidentally or not, AXA was also subjected to some distributed denial-of-service activity.
And finally, on Friday, Peter Dzibinski Debbins,
the former U.S. Army Special Forces officer convicted of spying for the Russians,
was sentenced to 15 years' imprisonment by U.S. District Judge Claude Hilton.
That's two years shy of the 17 years prosecutors had asked,
but a lot more than the five years his defense attorneys had recommended.
The case touched on all four of the traditional motivations for espionage expressed in the acronym MICE.
M for money, I for ideology, C for compromise, and E for ego.
Mr. Debbins received a little bit of direct compensation of some monetary value,
apparently not much, from the GRU for information he provided them. He also had conceived a quasi-patriotic attachment to Russia, at least as far back as his days in ROTC at the
University of Minnesota, characterizing himself as a loyal son of Russia. Whether that involved
serving the Kremlin or freeing Russia from the Kremlin's boot apparently varied from time to time.
According to the Army Times, Debbins wrote,
I had a messianic vision for myself in Russia that I was going to
free them from their oppressive government, so I was flattered when they reached out to me, end
quote. He also said he was being blackmailed by the GRU, who were threatening to either expose him
for same-sex attraction or kill him, or both, should he fail to play ball. The prosecutors said
at the sentencing hearing that claims of extortion were news to them,
that Mr. Debbins hadn't mentioned that to investigators.
And finally, Mr. Debbins seemed to have felt a sense of ill-use
and injured merit that turned him against the United States Army.
At any rate, it's an old story.
Change Russia to His Majesty King George III
and take out the same-sex attraction stuff,
and it all could have been said by Benedict Arnold.
There is a tension that often occurs when configuring a data center.
Focusing on agility helps make operations fast and productive,
but a focus on security infrastructure can establish protected networks.
This can create a type of seesaw effect as operators split their resources between these two priorities.
Samantha Madrid is Vice President of Security Business and Strategy at Juniper Networks, and she joins us with insights on how intent-based networking can help put data centers in proper balance.
There are traditional data centers, and when people think of it, I think they think of the centralized racks of servers, which most people think of when you think of data center. But there is an emerging model
in distributed compute nodes deployed deep in a network and close to end users. And so when you
think about what a data center is, all of this, in my view, is a data center. And so it's about really strengthening that posture and bridging
both operational efficiencies with security. And I think the seesaw effect is really
kind of shining a light on trade-off decisions that have been made in years past and teams being
put in that position. And I think organizationally, companies need to think about
security more holistically, taking the step back and thinking about what security needs to look
like in terms of business outcomes. And I think that one of the challenges has been historically
is decisions have been made in a very siloed way, meaning we see a problem, let's address that
specific problem, instead of taking a step back and asking a very fundamental question,
what is it we're trying to protect?
So then what is to be done here? What do you recommend?
So, you know, I really recommend, when you're kind of, like with anything, whatever the security or initiative is, what is the business outcome you're trying to drive towards?
And bringing in security at the start of that, from the forefront. Security specifically, I think we have to shy away from, as an industry, this brand bias, if I will,
if I will be as bold to say, where I think a lot of times there's a level of comfort that gives
away to a popularity contest about a lot of vendors with respect to security. And we're not
making the actual security decisions, which in my
view, what needs to happen is you need to have validated security efficacy. You need to understand
and continuously monitor the ability to evolve with the threat landscape. What's the threat
coverage? What's the catch rate? What's the false positive, false negative rate? Are you bringing
security to
every point of connection, you know, from your gateways, between your servers, each application,
and between data center locations and the workload itself? I mean, the goal at the end of the day of
a security team should be to be able to expand their aperture to see and detect as much as they possibly can and know that false positives will
cause a team to turn off protections because it then starts to impede the business outcome.
So to me, one of the most important things is maintaining high-level efficacy and evaluating
technologies and validating your proposed architectures against them versus what
I personally see a lot of times a popularity-driven decision based on a given, you know,
vendor du jour.
That's Samantha Madrid from Juniper Networks.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, it's great to have you back.
Hey, Dave.
So on your CSO Perspectives podcast, which is over on the CyberWire's Pro side,
you are on part two of a three-part series on new CISO responsibilities.
What do you have lined up for us this week?
Well, that's right, Dave. We are looking at potential new CISO tasks that have emerged in the last five years or so
that have not traditionally been given to the CISO before. Like when I had my first CISO gig, geez, over 10
years ago, I don't like to admit that number. Okay. But I pretty much only had to worry about
the firewall, the intrusion detection system, and the endpoint antivirus system.
It was a lot less to secure back then, right?
Yeah, you know, it was a lot easier. Okay. But that was it, okay? That was all we had to worry about. But today, these modern CISOs,
they have so many more things on their plate. They still have to do all the things that I had to do,
you know, a decade ago. But they also have securing internal data centers and mobile endpoints and multiple clouds. And that's not even including the OT environments and the supply chain
that have been in the news of these last few weeks.
So last week, we indeed took a look at operational technology
and industrial control systems,
and whether or not the CISOs of the world have been formally given
the responsibility to secure those environments.
But in this week's show, we're talking about identity.
All right. Well, I like the sound of that. You know, one of the things that strikes me that,
you know, identity is more complicated than it used to be. It used to be just user ID and
password. But now with the hotness being zero trust, seems to me like it's more complicated
than that. Yeah. In the old days, identity was essentially managing user ID and passwords in active directory.
And so that task generally fell to the CIO.
But in today's complex environments, like you said, as we all try to implement the zero trust stuff,
a robust, and I mean robust, identity management system is an essential first step.
So the question we try to answer this week is,
if that is true, and I think both you and I think it is, if identity is the most important
thing that CISOs have in their utility belt to build zero trust, shouldn't they own their
responsibility to design it and maintain it? Well, CSO Perspectives is in season five over
on the CyberWire Pro side, but you've also been releasing your season one episodes to the public at the same time.
What are you talking about there this week?
Yeah, we've been trying to give the general public a taste of what the CSO Perspectives podcast is all about in a brazen attempt to show everybody what they're missing on the Pro side.
Right.
And as you know, Dave, since you are an internet celebrity yourself,
you don't come cheap, right? So we have to pay the bills somehow, right? And maybe my salary too.
So this week's episode is a fun one. We talk about what exactly is the dark web and how does
Tor or the Onion Router fit into it. And the fact that Tor started out as a U.S. Navy research project.
And finally, we get to the meat of the matter, which is we address whether or not you should
be paying commercial intelligence companies for intelligence products that focus on that
world.
All right.
Well, there's plenty to check out.
We've got CSO Perspectives over on the pro side and earlier episodes from CSO Perspectives
on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Thank you, sir.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.