CyberWire Daily - Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection

Episode Date: June 24, 2022

Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical... infrastructure operators: CISA's got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy's way of saying, "nothing up my sleeve..."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/121

Selected reading.
Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer)
Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future)
The war in Ukraine is showing the limits of cyberattacks (Tech Monitor)
Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group)
BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks)
CISA Tabletop Exercise Packages (CTEP) (CISA)
CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology)

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Lithuania warns of increased DDoS threats, limited Russian success in the cyber phases of its hybrid war, another warning of spyware in use against targets in Italy and Kazakhstan. Are you a critical infrastructure operator?
Starting point is 00:02:17 Well, CISA's got a tabletop exercise for you. Kevin Magee from Microsoft has advice for recent grads, a look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy's way of saying, nothing up my sleeve. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 24, 2022. Lithuania's National Cyber Security Center, the NCSC, has issued a public warning that the threat of distributed denial-of-service attacks is rising. The alert says,
Starting point is 00:03:16 most of the attacks are directed against public authorities, the transport and financial sectors, leading to temporary service disruptions. The NCSC urges all managers of critical information infrastructure and state information resources to take additional security measures and to follow the NCSC recommendations for protection against service disruption attacks. There's no explicit mention of Russian operations in the alert, but it's clear whence comes the threat. Bleeping Computer notes that a nominally hacktivist group that claims to be acting in the Russian interest,
Starting point is 00:03:53 Legion Cyber Spetsnaz, declared in a Telegram post cyber war against Lithuania, and published an ambitious target list: large banks, logistics companies, internet providers, airports, energy firms, mass media groups. Bleeping Computer reads the Cyber Spetsnaz as an offshoot of Killnet. Spetsnaz is the Russian term for its military special forces, throat-cutting operators who've inherited their tradition from the Cold War Soviet army. Rough Western equivalents would be cyber-SAS or cyber-commandos or cyber-rangers, a little grandiose and a little puerile and, so far, more than a little unearned. The Cyber Spetsnaz declaration dates from Lithuania's decision to forbid shipments of sanctioned goods
Starting point is 00:04:44 through its rail corridor to the detached Russian enclave of Kaliningrad. Reuters reports that Moscow has blamed Lithuania's action on Washington. The Russian Foreign Ministry said in a statement, the so-called Collective West, with the explicit instruction of the White House, imposed a ban on rail transit of a wide range of goods through the Kaliningrad region. Microsoft's report, Defending Ukraine, Early Lessons from the Cyber War, includes an account of Russian targeting in the cyber phases of its hybrid war against Ukraine. The report says, Russian targeting has prioritized governments, especially among NATO members, but the list of targets has
Starting point is 00:05:25 also included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers. While Russian cyber operations have, as many have observed, fallen as far short of the widespread devastation of infrastructure as Russian combined arms operations fell short of the conquest of Kiev, both widely expected, they've enjoyed some success. According to Microsoft, Since the start of the war, the Russian targeting we've identified has been successful 29% of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization's data.
Starting point is 00:06:04 Although, as explained in the report, this likely understates the degree of Russian success. Google's Threat Analysis Group reported late yesterday that spyware developed by the Italian firm RCS has been found in use against targets in Italy and Kazakhstan. Google says, Today, alongside Google's Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan.
Starting point is 00:06:46 Targets appear to have been infected by phishing or through the installation of malicious apps, and the malware comes in both iOS and Android versions. One surprising conclusion is that in some cases, the spyware operators worked with the victim's ISP to disable the target's mobile data connectivity. In some cases, RCS had earlier cooperated in its business with the now-defunct Hacking Team. The tools RCS apparently sold to government customers were described last week by researchers
Starting point is 00:07:18 at Lookout under the name Hermit. TechCrunch reports that Google is notifying the victims it's been able to identify. CISA hosted a workshop Thursday providing an overview of the CISA Tabletop Exercise Packages, an unclassified, adaptable exercise resource focused on facilitating discussion around a scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP is designed to assist government and industry partners in developing their own tabletop exercises with pre-built templates. There are over 100 scenarios to choose from that encompass both cyber and physical security. Several of them involve both. The CTEP exercise materials include a situation manual, an exercise planner handbook, a facilitator and evaluator handbook, and various templates that can be used throughout the exercise.
Starting point is 00:08:14 The ultimate goal of the resource is to help facilitate understanding, identify strengths and areas for improvement, and/or changes in policies and procedures. GovTech reports that workshops on CTEP will be held monthly and hosted by CISA Exercises' Infrastructure Security and Exercise Branch with participation from private stakeholders and critical infrastructure owners and operators. There is no registration required for these workshops, which are open to the public. To use the CTEP exercises, however, you need a critical infrastructure community account on the Homeland Security Information Network. You can learn how to create an account on their website. Finally, SecureWorks reports that a Chinese threat actor it tracks as Bronze Starlight is conducting ransomware campaigns against selected targets, but that the ransomware is probably misdirection to cover cyber espionage and theft of intellectual property.
Starting point is 00:09:14 The researchers say the victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggests that Bronze Starlight's main motivation may be intellectual property theft or cyber espionage rather than financial gain. The ransomware could distract incident responders from identifying the threat actor's true intent and reduce the likelihood of attributing the malicious activity
Starting point is 00:09:39 to a government-sponsored Chinese threat group. One of the marks of Chinese official involvement is the distinctive loader Bronze Starlight uses. It's been seen before in other campaigns run by Beijing's APTs. Once the loader's installed, it decrypts and executes a Cobalt Strike Beacon for command and control. At that point, the ransomware goes in and the data goes out, and it's Katie bar the door,
Starting point is 00:10:05 but too late. And the threat actors are far more interested in the data than in any ransom payment. SecureWorks points out that good practices like keeping systems patched and up-to-date and monitoring your network traffic will help, and they provide a useful set of indicators of compromise. So yes, indeed, Katie, bar the door. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their
Starting point is 00:10:58 controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:11:56 BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. It was just over a year ago that news of the Colonial Pipeline breach hit the news wires,
Starting point is 00:12:36 and with it, a flurry of activity, speculation, and ultimately, response. I wanted to get a reality check on where we stand a year out from that important event. And for that, I checked in with Padraic O'Reilly, co-founder and chief product officer at CyberSaint. In the wake of something like that, you know, a major supply chain issue around something like gasoline, people were just shocked and confused and didn't understand the implications of it, and
Starting point is 00:13:05 it was just burbling into the public through mainstream media news outlets, and it's sort of difficult for people to understand what some of, you know, the announcements and, uh, you know, press releases out of Colonial even meant. You know, what does it mean? OT is not IT, and operational technology and cyber-to-physical and all of these sort of terms of art in cyber confused the public to some extent. So I think it was a really chaotic week or two. Do you feel like ultimately the messaging was correct,
Starting point is 00:13:43 that the general public who's not steeped in this sort of stuff, do you think their understanding of it is accurate? No, no, because even among people who are more sophisticated, there's still a great deal of confusion. And I think that's just an artifact of our news cycles. They're so quick. And you need to talk a little more in depth about the context around an attack like that and what can be done going forward to get a better understanding. So no, I think the public knows that some of our critical infrastructure is in danger of cyber attacks. And I think they just sort of live in that,
Starting point is 00:14:26 you know, general free-floating anxiety, so to speak. Yeah. My recollection, one of the things that struck me was when the realization came out that, you know, one of the main things that kept Colonial Pipeline from getting the fuel flowing were billing issues,
Starting point is 00:14:43 not necessarily technical, physical issues. It was just, how are we going to know who needs to pay for this? Right. Yeah. And the complexity of an operation like that, very hard to cover in a short format. So in terms of response, I mean, let's start with the federal response here. How do you rate how they responded to this and the things that have been put in place since? I would rate the response highly, you know, in terms of, you know, the two directives and some of even the back behind the scenes legislative activity, you know, senators sending letters and encouraging the Department of Energy maybe to get a little more involved because long
Starting point is 00:15:24 term that's probably the solution. So I think the government did all the right things. The issue really is, I think, is TSA prepared to deal with this problem at scale going forward? You can outline guidelines. There were a couple of directives that came out. They're pretty clear. But it's not very easy to implement all of that for all pipelines. And there's a great deal of haggling going on. So I think the response was great, but the implementation, not so much. Where do you suppose we stand today? You know, we're in a negotiating period between some of the pipeline operators and the TSA. The TSA does have the regulatory authority to levy fines, but they're not going to do so until they feel like industry is in a better place with respect to, you know, getting on the same page with the directives.
Starting point is 00:16:31 What do you suppose it's going to take to reach that level of alignment? I think a couple of things probably have to happen. Either the TSA has to get bigger, has to devote more resource to this, or the Department of Energy is going to have to become involved long term. Because this kind of reminds me a little bit of 2008 and when NERC CIP came out. There was a long period of, you know, how do we comply? How do we do this? And it really didn't start to see the results of, say, NERC CIP compliance until, you know, a couple of years out. Do you think we're on a realistic timeline here? I mean, is it reasonable that these changes, these adjustments in how things are done are taking as long as they're going to take? No, you know, no, because, you know, I'm in the business of helping
Starting point is 00:17:26 companies, you know, comply more generally. And, you know, I just look at the other regulatory frameworks that the government has right in place, say, for example, you know, DFARS or CMMC for Defense Department subcontractors, it just takes longer. So, you know, even in directive one that came out, you know, they were like, we need a gap, you know, analysis within 30 days. I don't know that that's possible. You know, I see companies struggle to get their DFARS or their CMMC regulations in place in six months, you know, or longer. So I think maybe the timelines are very aggressive. I think that was probably intentional to put everyone sort of on notice
Starting point is 00:18:11 that this had to get done. But I think that'll probably be tweaked too in the long run. How do you suppose this is going to inform, you know, the development of new infrastructure as new pipelines are laid, as new, you know, as those upgrades happen, and not just to pipelines, are we going to have a different mindset going forward? I think there's already a different mindset among the, you know,
Starting point is 00:18:38 system integrators and the companies that work with pipelines. You know, listen to the thought leaders in that sector, they're already advising that new construction or new infrastructure should be built with new protections in place. Some of the legacy infrastructure is pretty tricky stuff, as you've heard. It's a notoriously difficult problem to patch operational technology systems. So a lot of the companies that build infrastructure are mindful of that. A lot of the consultants who put that infrastructure into place are mindful of that. That's Padraic O'Reilly from CyberSaint. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Starting point is 00:19:43 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Kevin Magee.
Starting point is 00:20:36 He's the Chief Security Officer at Microsoft Canada. Kevin, always great to welcome you back to the show. It is hard to believe, but it is that time of year again when the graduates are hitting the pavement looking for new jobs, and many of them want to enter this hot area of cybersecurity. I know this is an area that is important to you. You actually give a lot of your time to speak to some of these folks. What sort of things are you telling them, and what feedback are you getting? Thanks for having me back, Dave. And thanks for investing some time discussing something really important to me, which is making sure that we're not only building the pipeline, but we're getting these students out into the work world to start to close some of these gaps that we're seeing in not only talent, but just in workforce. And it's one of my favorite things to do. I get asked to speak to a number of universities and colleges, primarily in Canada, more and more each year about, you know, how do you get that
Starting point is 00:21:29 first job or how do you hack your way into the security industry? What I've really found is there's more than one skills gap out there. And I think the biggest one is that there are tons of incredibly talented, aspiring cybersecurity professionals being graduated by colleges, universities across the country. But there's also these tons of open jobs. And CISOs are telling me they can't find the talent, but the students are telling me they can't get hired for these initial jobs. So I think this is the challenge that I'm really excited about trying to figure out how to overcome. So what's the gap there? Why can't these two groups meet in the middle?
Starting point is 00:22:07 I think it's setting expectations. So the universities and colleges will promote how much money you can make in cybersecurity or how big the demand is, but that's for a fully proficient and fully experienced cybersecurity professional. And that's what the employers often want is a fully proficient and fully experienced cyber professional. There's a gap of five years, and you'll see many of the students bring up the five years plus experience
Starting point is 00:22:34 that's really causing this challenge. And how do we get over that? Other industries like accounting or lawyers, they have to do an articling period. Doctors need to do residencies. Trades people need to do a period of time as an apprentice as well. There's no sort of transition period in the cybersecurity industry. So we're going to have to act like hackers as students. That's what I tell them, to figure out how you can find that first job and really hack that gap to your own advantage.
Starting point is 00:23:05 Yeah, it strikes me too that a lot of the businesses out there need to recalibrate their expectations as well to bring in those lower level people and train them up. Do it in-house. Don't expect everybody to come in fully baked. And part of that is we often promote the most technically proficient within our organizations to leadership roles, not those that are the greatest leaders and not those that can onboard talent, mentor talent, and train talent. So that is one challenge. And we don't invest in a lot of our technical leaders in teaching them these skills as well. So a lot of this is going to fall to the student to figure out how to bridge that gap. Otherwise, they may find that they're not able to break into the career in cybersecurity or have to seek employment in
Starting point is 00:23:49 another area of the industry to build up that experience before they're able to come back to security. That would be a great shame. For the students, is this a matter of getting the right certifications? Is this a matter of getting the right internships? I mean, what's your advice to them to get past those resume gatekeepers? Yeah, I'll boil down a one-hour talk into a short clip for CyberWire. So one, explore your options. You know, the pandemic has moved a ton of content online. Conferences are online. You can start to see what people do and what their people are talking about. Learning about the different roles and getting connected to some of those people. Reaching out. A great resource is CyberWire Career Notes.
Starting point is 00:24:31 If you hear someone who just resonates, that their job would be the perfect thing you'd like to do, why not reach out and say, I saw your presentation. Explain why you want to talk to them and ask for their advice. Number two is become an industry expert. You have to know your skills, but also be an industry insider. You know, who are the thought leaders in the space you're interested in? Who are they talking to and what are they talking about on Twitter? Who are they interacting with? What conferences are they going to? What podcasts are they listening to? What books are they reading? This can be really key. I love the Cybersecurity Canon. It's great. If you haven't looked up that, give it a search.
Starting point is 00:25:06 It's a great intro reading list for those new to the industry. Start anywhere that interests you and just build up your repertoire. And that could be from deeply technical books to Neal Stephenson. Nothing will get you further in an interview with me than dropping a Neal Stephenson quote or two, I'm pretty sure. We talked about deep reading the job descriptions to look for that five years of experience. How can you look at the "or equivalent" aspect of that
Starting point is 00:25:36 and demonstrate the "or equivalent"? Can you show a GitHub project? Could you get a certification and whatnot that could demonstrate that to the employers? These are the actions that you can take that can really make a difference. But the most important one is show me, don't tell me. Don't tell me you're a great communicator. Write me a cover letter.
Starting point is 00:25:57 Send me a blog post you wrote. Don't tell me all the skills that you have. Send me your GitHub project to review. How can you show the employer that you really have the skills? Maybe it's a capture the flag event or whatnot as well, and not just tell them on a resume. Because loading your resume with keywords is really not going to get the attention, but some of these additional things really will. And those are all within your power to do as a student. All right. Well, good advice as always. Kevin Magee, thanks for joining us.
Starting point is 00:26:43 And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Alan Neville from Symantec Broadcom. We're discussing Lazarus Targets the Chemical Sector. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabe, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
