CyberWire Daily - Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection
Episode Date: June 24, 2022
Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical... infrastructure operators: CISA's got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy's way of saying, "nothing up my sleeve..."
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/121
Selected reading.
Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer)
Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future)
The war in Ukraine is showing the limits of cyberattacks (Tech Monitor)
Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group)
BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks)
CISA Tabletop Exercises Packages (CTEP) (CISA)
CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K.
Lithuania warns of increased DDoS threats,
limited Russian success in the cyber phases of its hybrid war,
another warning of spyware in use against targets in Italy and Kazakhstan.
Are you a critical infrastructure operator?
Well, CISA's got a tabletop exercise for you.
Kevin Magee from Microsoft has advice for recent grads,
a look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint.
And sometimes ransomware is just a spy's way of saying,
nothing up my sleeve.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 24, 2022.
Lithuania's National Cyber Security Center, the NCSC,
has issued a public warning that the threat of distributed denial-of-service attacks is rising.
The alert says,
most of the attacks are directed against public authorities, the transport and financial sectors,
leading to temporary service disruptions.
The NCSC urges all managers of critical information infrastructure
and state information resources to take additional security measures
and to follow the NCSC recommendations for protection against service disruption attacks.
There's no explicit mention of Russian operations in the alert,
but it's clear whence comes the threat.
Bleeping Computer notes that a nominally hacktivist group that claims to be acting in the Russian interest,
Legion Cyber Spetsnaz, declared in a Telegram post cyber war against Lithuania
and published an ambitious target list:
large banks, logistic companies, internet providers, airports, energy firms, mass media groups. Bleeping Computer reads Cyber Spetsnaz as an offshoot of Killnet.
Spetsnaz is the Russian term for its military special forces,
throat-cutting operators who've inherited their tradition from the Cold War Soviet army.
Rough Western equivalents would be cyber-SAS or cyber-commandos or cyber-rangers,
a little grandiose and a little puerile and, so far, more than a little unearned.
The cyber-spetsnaz declaration dates from Lithuania's decision to forbid shipments of sanctioned goods
through its rail corridor to the detached Russian enclave of Kaliningrad.
Reuters reports that Moscow has blamed Lithuania's action on Washington.
The Russian Foreign Ministry said in a statement,
the so-called Collective West, with the explicit instruction of the White House,
imposed a ban on rail transit of a wide range of goods through the Kaliningrad region.
Microsoft's report, Defending Ukraine: Early Lessons from the Cyber War,
includes an account of Russian targeting in the cyber phases of its hybrid war against Ukraine.
The report says, Russian targeting has prioritized governments, especially among NATO members, but the list of targets has
also included think tanks, humanitarian organizations, IT companies, and energy and
other critical infrastructure suppliers. While Russian cyber operations have, as many have
observed, fallen as far short of the widespread devastation of infrastructure as Russian combined
arms operations fell short of the conquest of Kiev,
both widely expected, they've enjoyed some success.
According to Microsoft,
Since the start of the war, the Russian targeting we've identified has been successful 29% of the time.
A quarter of these successful intrusions has led to confirmed exfiltration of an organization's data,
although, as explained in the report, this likely understates the degree of Russian success.
Google's Threat Analysis Group reported late yesterday that spyware developed by the Italian firm RCS has been found in use against targets in Italy and Kazakhstan.
Google says, Today, alongside Google's Project Zero,
we are detailing capabilities we attribute to RCS Labs,
an Italian vendor that uses a combination of tactics,
including atypical drive-by downloads as initial infection vectors,
to target mobile users on both iOS and Android.
We have identified victims located in Italy and Kazakhstan.
Targets appear to have been infected by phishing
or through the installation of malicious apps,
and the malware comes in both iOS and Android versions.
One surprising conclusion is that in some cases,
the spyware operators worked with the victim's ISP
to disable the target's mobile data connectivity.
RCS had earlier cooperated in its business with the now-defunct Hacking Team.
The tools RCS apparently sold to government customers were described last week by researchers
at Lookout under the name Hermit. TechCrunch reports that Google is notifying the victims it's been able to identify.
CISA hosted a workshop Thursday providing an overview of the CISA Tabletop Exercise Packages,
an unclassified, adaptable exercise resource focused on facilitating discussion around a
scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP
is designed to assist government and industry partners in developing your own tabletop exercises
with pre-built templates. There are over 100 scenarios to choose from that encompass both
cyber and physical security. Several of them involve both.
The CTEP exercise materials include a situation manual, an exercise planner handbook,
a facilitator and evaluator handbook, and various templates that can be used throughout the exercise.
The ultimate goal of the resource is to help facilitate understanding,
identify strengths and areas for improvement, and/or changes in policies and procedures.
GovTech reports that workshops on CTEP will be held monthly and hosted by CISA Exercises' Infrastructure Security and Exercise
Branch with participation from private stakeholders and critical infrastructure owners and operators.
There is no registration required for these workshops, which are open to the public.
To use the CTEP exercises, however, you need a critical infrastructure community account on the Homeland Security Information Network.
You can learn how to create an account on their website.
Finally, SecureWorks reports that a Chinese threat actor it tracks as Bronze Starlight is conducting ransomware campaigns against selected targets,
but that the ransomware is probably misdirection to cover cyber espionage and theft of intellectual property.
The researchers say the victimology, short lifespan of each ransomware family,
and access to malware used by government-sponsored threat groups
suggests that Bronze Starlight's main motivation
may be intellectual property theft or cyber espionage
rather than financial gain.
The ransomware could distract incident responders
from identifying the threat actor's true intent
and reduce the likelihood of attributing the malicious activity
to a government-sponsored Chinese threat group.
One of the marks of Chinese official involvement
is the distinctive loader Bronze Starlight uses.
It's been seen before in other campaigns run by Beijing's APTs.
Once the loader's installed,
it decrypts and executes a Cobalt Strike Beacon for command and control.
At that point, the ransomware goes in and the data goes out,
and it's Katie, bar the door, but too late.
And the threat actors are far more interested in the data than in any ransom payment.
SecureWorks points out that good practices like keeping systems patched and up-to-date
and monitoring your network traffic will help, and they provide a useful set of
indicators of compromise.
So yes, indeed, Katie, bar the door.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives
are compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
It was just over a year ago that news of the Colonial Pipeline breach
hit the news wires,
and with it, a flurry of activity,
speculation, and ultimately, response.
I wanted to get a reality check
on where we stand a year out
from that important event.
And for that, I checked in with Padraic O'Reilly, co-founder and chief product officer at CyberSaint.
In the wake of something like that, you know, major supply chain issue around something like
gasoline, people were just shocked and confused and didn't understand the implications of it, and
it was just burbling into the public through mainstream media news outlets. And it's sort of
difficult for people to understand what some of, you know, the announcements and, uh, you know, press
releases out of Colonial even meant. You know, what does it mean? OT is not IT, and operational technology
and cyber to physical
and all of these sort of terms of art in cyber
confused the public to some extent.
So I think it was really chaotic week or two.
Do you feel like ultimately the messaging was correct
that the general public who's not steeped in this sort of stuff, do you think their understanding of it is accurate?
No, no, because even among people who are more sophisticated, there's still a great deal of confusion.
And I think that's just an artifact of our news cycles. They're so quick.
And you need to talk a little more in depth about the context around an attack like that and what can be done going forward to get a better understanding.
So no, I think the public knows that some of our critical infrastructure is in danger of cyber attacks.
And I think they just sort of live in that,
you know, general free-floating anxiety, so to speak.
Yeah. My recollection,
one of the things that struck me
was when the realization came out
that, you know, one of the main things
that kept Colonial Pipeline
from getting the fuel flowing
were billing issues,
not necessarily technical, physical issues.
It was just, how are we going to know who needs to pay for this?
Right. Yeah. And the complexity of an operation like that, very hard to cover in a short format.
So in terms of response, I mean, let's start with the federal response here.
How do you rate how they responded to this and the things that have been put in place
since? I would rate the response highly, you know, in terms of, you know, the two directives
and some of even the back behind the scenes legislative activity, you know, senators sending
letters and encouraging the Department of Energy maybe to get a little more involved because long
term that's probably the solution.
So I think the government did all the right things.
The issue really is, I think, is TSA prepared to deal with this problem at scale going forward.
You can outline guidelines.
There were a couple of directives that came out. They're pretty clear.
But it's not very easy to implement all of that for all pipelines. And there's a great deal of haggling going on.
So I think the response was great, but the implementation, not so much.
Where do you suppose we stand today?
You know, we're in a negotiating period between some of the pipeline operators and the TSA. The TSA does have the regulatory authority to levy fines, but they're not going to do so until they feel like industry is in a better place with respect to, you know, getting on the same page with the directives.
What do you suppose it's going to take to reach that level of alignment?
I think a couple of things probably have to happen. Either the TSA has to get bigger,
has to devote more resource to this, or the Department of Energy is going to have to become involved long term. Because this kind of reminds me a little bit of 2008 and when NERC CIP came out.
There was a long period of, you know, how do we comply? How do we do this?
And it really didn't start to see the results of, say, NERC CIP compliance until, you know, a couple of years out.
Do you think we're on a realistic timeline here? I mean, is it reasonable that these changes,
these adjustments in how things are done are taking as long as they're going to take?
No, you know, no, because, you know, I'm in the business of helping
companies, you know, comply more generally. And, you know, I just look at the other regulatory
frameworks that the government has right in place, say, for example, you know, DFARS or CMMC
for Defense Department subcontractors, it just takes longer. So, you know, even in directive one that came out, you know,
they were like, we need a gap, you know, analysis within 30 days. I don't know that that's possible.
You know, I see companies struggle to get their DFARS or their CMMC regulations in place in six
months, you know, or longer. So I think maybe the timelines are very aggressive.
I think that was probably intentional
to put everyone sort of on notice
that this had to get done.
But I think that'll probably be tweaked too
in the long run.
How do you suppose this is going to inform,
you know, the development of new infrastructure
as new pipelines are laid, as, you know, those upgrades happen, and not just to pipelines? Are we going to have a
different mindset going forward?
I think there's already a different mindset among the, you know,
system integrators and the companies that work with pipelines. You know, listen to the thought leaders in that sector; they're already advising
that new construction or new infrastructure should be built with new protections in place.
Some of the legacy infrastructure is pretty tricky stuff, as you know. It's a notoriously difficult problem to patch operational technology
systems. So a lot of the companies that build infrastructure are mindful of that. A lot of the
consultants who put that infrastructure into place are mindful of that.
That's Padraic O'Reilly from CyberSaint. There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Kevin Magee.
He's the Chief Security Officer at Microsoft Canada.
Kevin, always great to welcome you back to the show. It is hard to believe, but it is that time of year again when the graduates are hitting the pavement
looking for new jobs, and many of them want to enter this hot area of cybersecurity. I know this
is an area that is important to you. You actually give a lot of your time to speak to some of these
folks. What sort of things are you telling them, and what feedback are you getting?
Thanks for having me back, Dave.
And thanks for investing some time discussing something really important to me, which is making sure that we're not only building the pipeline, but we're getting these students out into the work world to start to close some of these gaps that we're seeing in not only talent, but just in workforce.
And it's one of my favorite things to do. I get asked to speak to a number of universities and colleges, primarily in Canada, more and more each year about, you know, how do you get that
first job or how do you hack your way into the security industry? What I've really found is
there's more than one skills gap out there. And I think the biggest one is that there are tons of
incredibly talented, aspiring cybersecurity professionals being graduated by colleges, universities across the country.
But there's also these tons of open jobs.
And CISOs are telling me they can't find the talent, but the students are telling me they can't get hired for these initial jobs.
So I think this is the challenge that I'm really excited about trying to figure out how to overcome.
So what's the gap there?
Why can't these two groups meet in the middle?
I think it's setting expectations.
So the universities and colleges will promote
how much money you can make in cybersecurity
or how big of demand is,
but that's for a fully proficient
and fully experienced cybersecurity professional.
And that's what the employers often want is a fully proficient and fully experienced cybersecurity professional. There's a
gap of five years and you'll see many of the students bring up the five years plus experience
that's really causing this challenge. And how do we get over that? Other industries like accounting
or lawyers, they have to do an articling period. Doctors need to do residencies.
Trades people need to do a period of time as an apprentice as well.
There's no sort of transition period in the cybersecurity industry.
So we're going to have to act like hackers as students. That's what I tell them, to figure out how you can find that first job and really hack
that gap to your own advantage.
Yeah, it strikes me too that a lot of the businesses out there need to recalibrate their
expectations as well to bring in those lower level people and train them up. Do it in-house.
Don't expect everybody to come in fully baked. And part of that is we often promote the most
technically proficient within our organizations to leadership roles, not those that are the greatest leaders and not those that can onboard talent, mentor talent, and train talent.
So that is one challenge.
And we don't invest in a lot of our technical leaders in teaching them these skills as well.
So a lot of this is going to fall to the student to figure out how to bridge that gap.
Otherwise, they may find that they're not able to break into the career in cybersecurity or have to seek employment in
another area of the industry to build up that experience before they're able to come back to
security. That would be a great shame. For the students, is this a matter of getting the right
certifications? Is this a matter of getting the right internships? I mean, what's your advice to
them to get past those resume gatekeepers? Yeah, I'll boil down a one-hour talk into a
short clip for CyberWire. So one, explore your options. You know, the pandemic has moved a ton
of content online. Conferences are online. You can start to see what people do and what their
people are talking about. Learning about the different roles and getting connected to some of those people.
Reaching out. Great resource is CyberWire Career Notes.
If you hear someone who just resonates that their job would be the perfect thing you'd like to do,
why not reach out and say, I saw your presentation. Explain why you want to talk to them
and ask for their advice. Number two is become an
industry expert. You have to know
your skills, but also an industry insider. You know, who are the thought leaders in the space
you're interested in? Who are they talking to and what are they talking about on Twitter? Who are
they interacting with it? What conferences are they going to? What podcasts are they listening
to? What books are they reading? This can be really key. I love the Cybersecurity Canon. It's great. If you haven't looked up that, give it a search.
It's a great book intro reading list for those new to the industry.
Start anywhere that interests you and just build up your repertoire.
And that could be from deeply technical books to Neal Stephenson.
Nothing will get you further in an interview with me than dropping a Neal Stephenson quote or two,
I'm pretty sure.
We talked about deep reading the job descriptions
to look for that five years of experience.
How can you look at the "or equivalent" aspect of that
and demonstrate that equivalent?
Can you show a GitHub project?
Could you get a certification and whatnot
that could demonstrate that to the employers?
These are the actions that you can take that can really make a difference.
But the most important one is show me, don't tell me.
Don't tell me you're a great communicator.
Write me a cover letter.
Send me a blog post you wrote.
Don't tell me all the skills that you have.
Send me your GitHub project to review.
How can you show the employer that you really have
the skills? Maybe it's a capture the flag event or whatnot as well, and not just tell them on a
resume. Because loading your resume with keywords is really not going to get the attention, but some
of these additional things really will. And those are all within your power to do as a student.
All right. Well, good advice as always. Kevin Magee, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Alan Neville from Symantec Broadcom. We're
discussing Lazarus Targets the Chemical Sector. That's Research Saturday. Check it out. The
CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where
they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabe, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.