CyberWire Daily - Killnet hits Norwegian websites. Hacktivists tied to Russia's government. Looking ahead to new cyber phases of Russia's hybrid war. C2C market differentiation. Gennady Bukin, call your shoe store.
Episode Date: June 30, 2022
Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation. C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on breach communication. Roscosmos publishes locations of Western defense facilities, and subsequently says it sustained a DDoS attack.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/125
Selected reading.
Pro-Russian hacker group says it attacked Norway (The Independent Barents Observer)
Cyberattack hits Norway, pro-Russian hacker group fingered (AP NEWS)
Norway blames "pro-Russian group" for cyber attack (Reuters)
Mandiant Finds Possible Link Between Kremlin, Pro-Russian 'Hacktivists' (Bloomberg)
Market Differentiation: Cybercriminal Forums' Unusual Features Designed To Attract Users (Digital Shadows)
Minors Use Discord Servers to Earn Extra Pocket Money Through Spreading Malware (PR Newswire)
Russia publishes Pentagon coordinates, says Western satellites 'work for our enemy' (Reuters)
Russian Space Agency Targeted in Cyberattack (Wall Street Journal)
Cyberattack hits Russian space agency site after sharing NATO photos (Jerusalem Post)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
Killnet hits Norwegian websites.
Hacktivists are tied to Russia's government.
Amunet is a case study in C2C market differentiation.
C2C commodification extends to script kiddies.
Andrea Little Limbago from Interos examines borderless data.
Rick Howard speaks with Cody Chamberlain from NetSPI on breach communication.
Roscosmos publishes locations of Western defense facilities
and subsequently says it sustained a DDoS attack.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Thursday, June 30th, 2022.
Killnet, operating again as the Cyber Spetsnaz, yesterday announced a campaign against Norway in its Telegram channel.
The post led with a doctored photo of Norway's Foreign Minister Anniken Huitfeldt,
in which she's called Mrs. Error and made up to look like the Disney villainess Maleficent.
Good morning, Norway, the introductory text read. All units to battle.
This was followed by a list of Norwegian targets.
The Russian complaint against Norway, as the Barents Observer reports,
is that Norway isn't permitting Russian goods to transit Norwegian territory
en route to the island of Svalbard via the Russian port of Murmansk.
Thus, it has some similarity to the Russian complaint against Lithuania,
which had prevented shipment of some goods to the non-contiguous province of Kaliningrad,
and which also attracted the attention of Killnet.
Svalbard is under Norwegian sovereignty,
but a treaty guarantees Russian coal mining operations on the island.
Members of Russia's Duma have questioned Norway's sovereignty,
given what they call Oslo's violations of the Svalbard Treaty,
and the AP reports that Norway's ambassador to Moscow
was summoned to the Russian Foreign Ministry to give an explanation of Norwegian policy.
The cyberattacks claimed by Killnet have been distributed denial-of-service incidents.
Several sites were disrupted for a matter of hours,
but Norwegian authorities said the effects were limited and have been largely mitigated.
Norway's NSM attributed the attacks to a criminal pro-Russian group
and is investigating the group's possible ties to the Russian government.
Bloomberg reports that XakNet,
a nominally independent pro-Russian hacktivist group that's denied answering to Moscow,
may in fact be tied to the Russian government. The source of the attribution is Mandiant.
John Hultquist, Mandiant's vice president of intelligence analysis, says,
It's important we scrutinize the actors who claim to be Russian hacktivists because the intelligence services regularly use that facade to carry out their operations.
If we wait until after a major attack to ask who is really behind these personas,
it may be too late.
This is unsurprising.
Russian intelligence and security services have long operated nominally independent
hacktivist groups.
Guccifer 2.0's actions during the 2016 U.S. elections are an example of the practice.
The group was eventually associated with the GRU.
While Russian cyberattacks have, like Russian ground forces, fallen far short of expectations in terms of effectiveness,
if not in terms of effort,
NATO continues to prepare for renewed cyber offensives that could extend beyond the borders of Ukraine.
Such cyberattacks as have extended to NATO members
have not succeeded in achieving more than a nuisance level of effort.
But Protocol discusses Russian capabilities with a variety of cybersecurity experts
who say that desperation could drive Russia to attempt more extensive and more destructive cyber attacks.
The views of former U.S. Cybersecurity and Infrastructure Security Agency Director Chris Krebs are representative.
He told Protocol, once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say,
hey, wipe off the sanctions. How are they going to do it? It would be a highly visible,
likely destructive attack. So, shields up. Looking ahead to such an eventuality,
NATO this week announced plans to increase
resilience and organize a rapid response capability to address Russian cyber threats.
Why major destructive Russian cyber attacks have yet to materialize remains open to debate.
The Jerusalem Post reviews two of the leading explanations floated by experts at Cyber Week 2022 in Tel Aviv,
overconfidence and poor preparation. If you expected quick victory, you might want to leave
infrastructure you as an occupier might like to use intact. Or if you're serious about cyber war,
well, that takes a serious investment, and that investment may have fallen short.
Digital Shadows this morning updated its account of Amunet, an English-language cybercriminal forum launched in January 2022.
Researchers have discovered a roadmap for 2022 on Amunet, explaining how the site plans
to branch out as the year progresses.
The roadmap highlights the January launch, followed by an
intended launch of a leaks circle in March, described as a project for visualization of
leaked sources, which has not been identified by researchers. This is followed by the intent to
launch their own cryptocurrency in May 2022, which has not been seen in the forum as of June,
barring one post in early May explaining that those who shared leaked databases would earn forum credits that can be exchanged
for cryptocurrency. In July 2022, the forum is anticipated to see the addition of a leaks detector
that checks for emails and corporate domains in leaked databases. The final stop on
the roadmap is set for October 2022, coined as a time-back machine, which is described as
a couple of hacking forums returned as snapshots for public observation.
While researchers regard Amunet in its current state as unremarkable when compared to other forums,
those intended upgrades could be enough to lure threat actors into using it.
The observations also provide an interesting perspective on how criminal groups try to
differentiate themselves in the C2C market. Avast has published a study of the way in
which teenagers are earning money in the criminal-to-criminal cyber underworld market. The researchers found a malware-as-a-service family whose operators
spent a lot of time on Discord and seemed to have an unusual set of interests. The criminal vendors
offered some of the usual wares, like InfoStealers, CryptoJackers, Ransomware,
PasswordScrapers, and so on.
But their hearts appeared to be elsewhere.
Their offerings instead emphasized features like stealing gaming accounts,
deleting Fortnite or Minecraft folders,
or repeatedly opening a web browser with Pornhub.
That is, Avast points out, the puerile stuff you'd expect from teenagers.
It's a side hustle, done for pocket money and for the lulz,
but it remains criminal nonetheless.
Shame on you kids, you're going to break your mother's heart.
Roscosmos, the Russian space agency,
released overhead imagery and the geographical coordinates of a variety of Western installations online Tuesday.
Dmitry Rogozin, head of Roscosmos, explained,
The entire conglomerate of private and state orbital groupings is now working exclusively for our enemy.
He added in his Telegram channel,
Today, the NATO summit opens at Madrid, at which Western countries will declare Russia their worst enemy.
Roscosmos publishes satellite photographs of the summit venue and the very decision centers that support Ukrainian nationalists.
At the same time, we are giving the coordinates of the objects, just in case.
The photos and geolocations include the venue in Madrid where the NATO summit met, the Pentagon, the White House,
various British government buildings in central London, the German Chancellery, the Reichstag,
NATO headquarters, other government buildings in Paris. None of these locations are secret,
which makes what Mr. Rogozin thinks he's up to a bit of a puzzle. The just-in-case sounds menacing, but it's difficult
to see what such a case might be. Anyway, he's displeased with the support Western space companies
and agencies have rendered to Ukraine, and he's got the pictures to prove it, darn it.
Whatever those pictures prove. And finally, yesterday, according to the Wall Street Journal, Roscosmos press chief
Dmitry Strugovets telegrammed that the agency had sustained a distributed denial-of-service attack.
You'd think he'd be quick to point the finger at NATO and Nazis and the like, but no, not this time.
It's kind of a mystery. Mr. Strugovets said it had been successfully repelled and that
it originated from the Russian city of Yekaterinburg. As TASS has been authorized to disclose,
after Roscosmos had posted satellite images of NATO's decision-making centers,
the state corporation's website came under a DDoS attack. Unlike in March and April, this time the attack
did not come from overseas, but from our own city of Yekaterinburg. How such an attack might be
staged through Yekaterinburg is unclear, although the city is the setting of the sitcom that
features Gennady Bukin, Russia's Al Bundy. So it's got that going for it, which is nice. But seriously, the sitcom
is called Happy Together. It's a pretty good show based on the iconic American program,
Married with Children. Seriously. Shoe salesman? Check. Two kids? Check. Dissatisfied wife? Check.
Dog? Check and double check. Football star in high school?
Check-a-rooney. Okay, a footballist is a soccer player, not an American football player, and Gennady was probably a fullback and not a halfback like Al, but close enough for government work. Anyway,
Roscosmos, that's a government agency, right? Well, just looking at some latitude and longitude numbers here,
we're looking at 56.8431 north and 60.6454 east.
Seriously, we just Googled it, just in case.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from BlackCloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? BlackCloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with BlackCloak.
Learn more at blackcloak.io.
When a breach occurs and you find yourself in the heat of the moment with all of the emotions that come with that, communications are key.
Our own CyberWire Chief Security Officer Rick Howard checked in with Cody Chamberlain from NetSPI about that.
I'm joined by Cody Chamberlain. He's the head of product at NetSPI. Thanks for coming on the show, Cody.
So NetSPI is a penetration testing company,
but today we're talking about breach communication as part of any organization's resilience strategy.
And we've come a long way, Cody, from the early internet days when nobody would admit in public that they had been breached, you know, for fear it would damage their reputation. That changed in
2010 around there when Google admitted that the Chinese government had penetrated their networks
in something called Operation Aurora. And that single event, coupled with a bunch of breach
notification laws in almost all the states, changed the landscape. And today it seems there
are some organizations every day announcing they've been breached somehow. But it doesn't
mean that they're good at it, right? So there are plenty of examples of organizations that seem to have a handle on breach notification
and others who appear to be making it up as they go.
So let's start there, Cody.
What is breach communication and why should organizations put resources behind it?
When you look at breach responses or breach communications, there's really the two pillars.
There's the things you have to do and the things that you should do from a client or
a customer perspective, respective of what industry you're in, what compliance requirements
you have. There are certain things you're just going to need to provide at certain times.
On the other side, you have your customers and you want to provide a very high level of customer
service and retain your customers. And doing so and communicating with them with empathy and
transparency is really key.
And those are the two things that I really see as the most important kind of pillars of communication.
So in order to be good at this stuff, it goes without saying that you have to prepare for it,
that responding to a breach should be part of the company's overall crisis management plan.
So what should security leaders be thinking about here in terms of incident response?
At the end of the day, plan the work, work the plan, right?
And that's really key because practice makes perfect.
And taking the time to develop the IR policies, not just in your CSIRT organization, but with your public relations team, your communications team.
We're not always known in security as being great communicators,
especially on a customer perspective. When you do tabletops, when you do policy development,
there's no emotion involved, right? It's a Tuesday afternoon, we're being proactive.
But in the moment when you are leading this incident response, or you're the CISO or whatever,
and you realize this is a real breach, a real incident, emotion is going to take over.
We're human. I think a lot of us have been in the room when we've seen somebody jump to the best case scenario or they jump to, oh, it's okay because the firewall is there and we're
segmented, only to realize later that the segmentation rules are a little more porous than maybe we thought through testing.
So by really building that structure, building those processes, knowing here's who we're going to work with if things get really bad, when we have to kind of break glass and helicopter the third party in, trusting that process.
And the more you do that, the more you develop that and have confidence in that process, I think the less emotion is going to take over,
which helps. This isn't something that's probably an enjoyable exercise, right? I don't think
anybody likes preparing for the bad thing, but it's the reality of the industry. And like you
said, it happens more and more and more. To make sure we are fully prepped, we just do.
We have to practice.
We have to focus and do that in a way that we can be resilient against what are some
extremely motivated attackers, it seems.
One thing practicing an incident response plan does is get the executives in the mindset
of when they will go public with the information.
And you can either go public early without having a complete understanding of the incident
and then later get accused of holding information back
or even lying when the new facts emerge down the line.
Or you can wait until you have
almost a complete understanding of what happened,
but then you get accused of withholding information
from your customers.
So how do you advise your security leaders on this concept
when you're out talking to them about this? I'm sure I'll get some eye rolls and it's
like, it depends, right? That's the answer I get from everybody I talk to. It depends on the
situation. Yeah, it depends on the situation. The reality is, a lot of organizations at the end
of the day are going to have specific requirements. And that's really unfortunate for organizations who want to be very customer
focused. I think having empathy with your client or your customer saying, hey, this is what we
identified. We hear you. We understand you want to know X. We're investigating X and we have these
experts involved or whatever, just being transparent with what you're doing, I think helps appease that.
Yeah, I was going to say you guys advocate transparency for all organizations doing this stuff. And I think you're right that
you'll get cut some slack because you tried to do the right thing. You may not have gotten it
completely correct, but you were being transparent with the information you knew and try to communicate
that as a series of things as you go through the crisis. Is that what you mean by transparency?
That's exactly it. You know, and again, you're going to be constrained, right?
There's certain things that you're not going to be able to share,
but acknowledging that as well, right?
Like these are the things we just can't share.
It could be a legal issue.
It could be a law enforcement issue.
But again, acknowledging that, showing like that empathy of like,
I understand what you're going to want to know.
All good stuff, Cody, but we're going to have to leave it there. That's Cody Chamberlain. He's the
head of product at NetSPI. Thanks for coming on the show. Thank you. It was a pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. And I'm pleased to be joined once again by Andrea Little Limbago.
She is Senior Vice President of Research and Analysis at Interos.
Andrea, always great to welcome you back.
There is this notion of borderless data.
This idea, I suppose some would say, you know, there's that whole data wants to be free and the Internet connects the world.
But we're seeing some evolution there.
Yes?
Yeah, you know, I think for the longest time, and this was especially, you know, some of the foundational aspirations of the Internet were for a global, free, and open
internet. That's the aspiration. And I think that still remains the aspiration in many segments of
the tech sectors. But the reality is that governments actually do have a say,
and that borders actually matter a lot. And it's almost this interesting juxtaposition right now
where borders have never mattered so little and yet so much at the same time. And what I mean by that is, so we see, you know, Russia's invasion of Ukraine, there's a lot
of territorial disputes coming in. And so territory really is coming back into something that's
extraordinarily important and a driving factor among geopolitics. You think about, you know,
China, Taiwan as well. You know, there are many, many examples along these lines where
borders increasingly matter.
But then at the same time, with the internet, borders didn't matter at all.
You could attack a country from overseas.
You don't need to actually be present there.
And so there's that interesting juxtaposition going on where borders don't matter and they matter a ton.
And then you overlay that now with a lot of these data localization and data sovereignty laws that
have really been emerging over the last decade across the globe. And those are really reshaping
just what the experience is with data and changes from one where I'm sitting to where someone in the
EU is sitting to where someone in Nigeria is sitting to Brazil. If we all went on to the
same social media site, we'd have a different experience on it.
And what comes along with that is both aspects of censorship and also aspects of requirements for data to be stored and actually to be stored locally as opposed to being able to flow freely
across borders.
And that's where some of the big changes are really coming in that there are gradients
of it.
In some countries, there's cross-border data flow controls almost writ large.
And for others, it's for small slivers, such as for healthcare information or something
that's more, the most personal of information and data.
So it's a great variation popping up in that, but it's really impacting just how data can
flow.
And it's really impacting organizations' data strategies for multinational
corporations. Is there a bit of cat and mouse here? I mean, I think about the increasing ease
with which people can access satellite internet around the world, and could that be an end around
to some of the nations that are trying to restrict access for their citizens? Yeah, so I think that that's a good way to put it, because I think there will always
be citizens trying to work around it.
And we've seen that over time, right?
So even in the most restricted areas, citizens are finding a means to work around and access
data.
And I think that will always be perhaps in one segment of society, but that isn't necessarily
what global corporations can pursue.
If they're thinking about their global footprint,
what their strategy is going to be for data minimization,
where they should be storing things.
So I do think for that segment of society that wants to find that workaround,
they'll continue to try and do that.
But for corporations that have to stay within the legal frameworks
of the sovereign area that they're in, they can't necessarily do that.
You and I have talked in the past about this idea of a splinternet, that we could end up with regional versions of the internet.
To what degree is that playing out?
Yeah, I think we're seeing that increasingly happen.
I mean, even in the U.S. right now, there's an executive order that's being passed around.
It has not been actually passed.
It's been the draft versions circulating that would try and limit various kinds of U.S. citizen data from falling in the hands of potential adversaries.
And that's something to keep an eye on, where the U.S. has long been a big proponent of cross-border data flows and so forth.
Even the U.S. is starting to rethink some of those strategies.
And that's in large response to what's going on across the globe and what's going on in the EU.
A lot of the companies in the U.S. already have to be GDPR compliant because they need to actually have economic activity in Europe.
And then they see what's going on as far as just the,
what happens with unchecked data flows
is becoming a larger national security
and economic security issue.
And so the response, so as we continue to see
various kinds of data breaches, data theft,
destruction through Wiper malware,
governments are stepping in.
And one path they're pursuing
is more so as data,
localized data storage.
Right.
Because the pendulum kind of swings, right?
So initially it was storing everything on-premise.
Then with cloud computing,
you could store wherever you want
across the globe,
but not even know exactly where it might be.
And now it's kind of swinging back like,
oh, maybe we should rein that in a little bit
and actually know where the data is.
On second thought, it might be a good idea
for us to know where our data is.
Yeah.
And it does, it introduces different threats, right?
So in the US, if Canada has some data localization laws,
that's probably not viewed as much of a threat
for companies having to store
data in Canada. If it turns out it has to be somewhere that may not be as friendly to the
United States or it may not be in a place that protects human rights as well, that becomes a
much bigger issue. So even the implementation of these laws has different meanings, even if they're
the same kind of laws, depending on where they are.
All right. Well, Andrea Little Limbago, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.