CyberWire Daily - Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.
Episode Date: May 10, 2022

A quick introductory note on Russia's hybrid war against Ukraine. Russian television schedules hacked to display anti-war message. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe vs Wade. And Spain's spyware scandal takes down an intelligence chief.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90

Selected reading.
Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph)
Viewpoint: Putin now faces only different kinds of defeat (BBC News)
Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters)
On Victory Day, Putin defends war on Ukraine as fight against 'Nazis' (Washington Post)
In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times)
Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek)
Russia's display of military might sent the West a strong message – just not the one Putin intended (The Telegraph)
Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead)
Russian TV hacked to say 'blood of Ukrainians is on your hands' (The Telegraph)
Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity)
Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russian television schedules were hacked to display anti-war messages.
A phishing campaign distributes Jester Stealer in Ukraine.
The European Council formally attributes the cyber attack on Viasat.
Costa Rica declares a state of emergency as Conti ransomware cripples government sites.
DCRat in the C2C markets.
The gang behind REvil does indeed seem to be back.
More Joker-infested apps are found in Google Play.
Ben Yelin looks at digital privacy concerns in the aftermath of the potential overturn of Roe versus Wade.
Our guest is Nick Adams from Differential Ventures with a VC's perspective on what will drive continued growth in cybersecurity.
And Spain's spyware scandal takes down an intelligence chief.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 10th, 2022. We begin with a quick note on Russia's hybrid war against Ukraine. For useful context,
more analysts see a growing possibility of outright Russian military defeat, even with Russia's war aims having contracted to the conquest of the Donbass.
It's worth remembering that only 75 days ago,
Moscow was demanding demilitarization and denazification,
effectively unconditional surrender, as a precondition for negotiations with Kiev.
The post-mortems on President Putin's Victory Day speech agree that it suggested a continuation of current war policy,
a reluctance to ask more sacrifice from Russians,
and an insistence on NATO's ultimate responsibility for Russia's invasion of Ukraine.
The big parade itself received indifferent reviews as a spectacle of menace,
especially from the more gung-ho British tabloids, like The Sun, which packed as much derision as we
think it humanly possible to achieve in its screamer headline, Vlad-tastrophe, inside Putin's
damp squib victory day parade from tyrant's feeble speech and hacked live feed to slimmed-down military.
All that's missing is the cover version of Sweet Caroline.
HackRead reports that yesterday, as the big victory parade was about to begin in Moscow, Russian television schedules were disrupted to display an anti-war message. The message said, "On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war." Children's television programs flashed shorter messages: "No to war" and "The authorities lie."
The messaging was fairly widespread.
Most major Russian TV outlets were affected.
There's no attribution yet.
It could be hacktivism, it could be Ukraine's IT army,
or it could be a nation-state operation.
CERT-UA warns that a social engineering campaign distributing Jester Stealer malware is in progress. The phishbait used to induce Ukrainian targets to bite is a warning of a chemical attack. The phishhook is an XLS document with a malicious macro. BankInfoSecurity points out that one unusual feature of Jester Stealer is that it uses a Telegram channel, as opposed to more conventional command and control infrastructure, to deliver the information it collects. The malware itself is a commodity product freely traded in the criminal-to-criminal market. Again, there's no attribution yet. It could be state-directed, or it could simply be criminals seeking to profit from the unsettled state of a country under attack by a bigger neighbor.
The European Council today formally attributed the February 24 cyber attack against Viasat's KA-SAT network to Russia. The attribution was laced with condemnation. Interference with the KA-SAT network was one of the few Russian cyber operations of the war to, first, enjoy a measure of success. It was also, as the EU communique notes, one of the attacks that spilled over to nations other than Ukraine. The attack's timing suggests it was intended to serve as preparation for Russia's invasion.
Reuters reports in an exclusive that the U.S. administration is increasing its scrutiny of Kaspersky amid concerns that the security firm's widely used tools, already restricted from use within the U.S. government,
could be exploited by Russia for intelligence and cyber operations during Russia's war against Ukraine.
The Departments of Justice and Commerce
are said to be considering using national security measures put in place during the previous
administration against the Russian software company. Kaspersky has long denied that it's
susceptible to the kind of pressure from Moscow that Western governments have feared. Those
skeptical of the company point to an obvious reading of Russian domestic law
that requires companies to cooperate with the government in precisely the ways that have aroused concern.
Neither Kaspersky nor the U.S. Departments of Justice or the Treasury replied to Reuters' requests for comment.
President Rodrigo Chaves of Costa Rica has declared a state of emergency as the government works to recover from a Conti ransomware attack. According to Bleeping Computer, Conti claims to have hit and taken data from the Costa Rican Finance Ministry, the Ministry of Labor and Social Security, and the Social Development and Family Allowances Fund. Other agencies whose operations are reported to have been affected include the Administrative Board of the Electrical Service of the Province of Cartago, the Ministry of Science, Innovation, Technology, and Telecommunications, the Ministry of Labor and Social Security, the Social Development and Family Allowances Fund, as well as a variety of other government agencies. Conti is a privateering gang that says it hacks in the Russian interest as well as its own, but this particular campaign seems primarily financially motivated.
BlackBerry has released a report on DCRat, also known as Dark Crystal RAT, a discount commodity malware tool offered in Russophone criminal-to-criminal markets. It is, according to BlackBerry's researchers, the work of a lone actor, offering a surprisingly effective homemade tool for opening back doors on a budget. It can be had for as little as six bucks, and even less when it's on special. Why it's so inexpensive is unclear. BlackBerry speculates that the developer may be more interested now in market share than immediate profit, or perhaps the work is more hobby than livelihood. In any case, DCRat is under active development and still on offer. Dirt cheap.
The gang behind REvil is likely to be back. That's SecureWorks' conclusion. Their researchers have found that samples of REvil obtained since the Gold Southfield group resumed operation last month strongly suggest access to the ransomware's source code. The malware also seems to be under active development.
The Hacker News reports that more Trojanized apps have been found in the Google Play Store, where they're seeking to spread to compromised Android devices. Joker has been used in apparently legitimate apps for billing and SMS fraud, while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists, and device information.
And finally, the long-running spyware scandal in Spain has taken down one of that country's senior intelligence officials. The Washington Post reports that Paz Esteban is to be relieved as the director of the National Intelligence Center, familiarly known by the acronym CNI. The scandal is twofold, with both an intelligence and a counterintelligence aspect. On the intelligence side, CNI has been criticized for its role in installing spyware in the devices of Catalan separatists. On the counterintelligence side, similar spyware was found in senior government officials' phones, including those used by Prime Minister Pedro Sánchez, Interior Minister Fernando Grande-Marlaska, and Defense Minister Margarita Robles. That spyware, NSO Group's Pegasus tool, had been placed there by an unknown party, probably foreign. The first offense was illicit surveillance. The second offense was, why did it take CNI a year to realize that some parties unknown had access to senior officials' phones?
2021 saw record levels of venture capital investment in cybersecurity, with Crunchbase reporting over $20 billion poured into the sector globally.
We are well into 2022, of course, and for a reality check on VC activity, I checked in with Nick Adams, founding partner at Differential Ventures, a seed-stage VC fund that invests in B2B data-oriented technology.
Things are definitely cooling down, especially at the later stage of venture capital. As capital markets come down, certainly private market valuations are quick to follow at the late stage of venture. Definitely seeing that in certain sectors like e-commerce and fintech. At the earlier stages, it's not quite there yet. We invest at the seed and Series A stage. There's definitely been a cool-down in activity, but valuations are still relatively high. But in the cyber world, things are definitely marching on at a pretty steady pace, and there's probably a few drivers of that, just in terms of industry adoption historically. So catching up a bit, but also just some healthier market dynamics, again, in terms of the available capital still in the venture ecosystem. The pending challenges that remain just in the overall cybersecurity ecosystem bode pretty well for cyber to continue on at a stronger pace relative to some other industries.
Is it fair to say that there's an adequate level of funding available
for those who are out there trying to make their mark in cyber?
There definitely is, no question.
The good thing about venture capital, good or bad thing about venture capital, depending on your perspective, is that the capital is pretty well committed. So it's still out there for VC funds. So, you know, angel investors, family offices, some corporates may pull back. But VC funds, for the most part, their capital is pretty predictable. And frankly, I think a lot of money has been sitting on the sidelines waiting for a bit of a market correction to pour into some of the more favorable spaces at better valuations than we've seen over the last few years. So I think there's plenty of money out there, and especially for some of these sectors that are still growing pretty drastically in terms of their actual business need in the enterprise and consumer markets.
Are there any common mistakes that you see, any pitfalls that people experience regularly?
You know, I think one of the areas that we've seen from a technology perspective, particularly with our thesis around data, is kind of the unfulfilled promise of data-driven solutions in cybersecurity. It really hasn't come to fruition, given the number of challenges just around data sets and the possibility for actually creating more cybersecurity risk with AI-oriented security solutions. So I'd be careful about how you position and go about building any cybersecurity solution that promises to be AI-oriented, machine learning-oriented, because there are still a lot of complex challenges that haven't come to fruition around just the overall data set and the risks that can come from how you train an algorithm down the road.
What is your advice for the folks who are out there looking for funding? What sort of words of wisdom do you have for them?
Stay with it. I would definitely, cybersecurity is a unique beast in a lot of ways in that historically, most funds that are going to be comfortable in this space investing at the seed or pre-seed stage have more of a technical background. So certainly seek out those VC funds that understand cybersecurity technology more broadly, more in-depth, I should say. If you're later stage at the growth phase of an organization, so you're going out for Series A and Series B, there's always growth stage capital out there. Historically, Series A and beyond capital in cybersecurity in particular has been pretty heavily concentrated for some of the more focused and larger funds like Accel or NEA. But I think at the pre-seed and seed stage, there are some more technical funds like ours that are interested in looking at technology and the team behind it that can build great solutions, maybe in advance of a whole lot of product-market fit proof points. So I'd definitely look for funds that understand technology and have good connections into go-to-market strategy in the cybersecurity world. Again, a space that has largely worked on partnerships with a lot of the larger OEMs and resellers in this space. But increasingly seeing CISOs branching out and looking for more innovative early-stage technology on their own. So I do think there's an opportunity to sell more directly before embarking on a well-informed partnership strategy in this space as well.
That's Nick Adams, founding partner at Differential Ventures.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
But more importantly than that, he is my co-host over on the Caveat podcast.
Ben, it's great to have you back.
Good to be with you, Dave. You know, you and I have talked about some of the, you know, digital exhaust that we leave when we're using our mobile devices
and the ability for folks to de-anonymize that and track us and the policy implications of that.
You know, in the news right now is this very important and big story about the leak of a Supreme Court draft,
potentially overturning Roe versus Wade.
And this has created a strong response from a lot of folks on the privacy side of things,
worried that if someone were to get an abortion,
that perhaps their phone would know that they did that,
even if they wanted to keep that private.
Right. So this is less of an issue about the underlying substance of whether you believe in
the right to choose or not. This is a story about data collection. And a lot of privacy
and civil liberties advocates are worried that in states where abortion is going to be criminalized,
there's going to be an effort to obtain
very private and personal data from people
in order to prosecute individuals
for obtaining illegal abortions.
It looks like with this Dobbs decision
that's going to come down probably in June,
Roe v. Wade will be overturned.
Abortion will be left up to the states.
And states can criminalize abortion,
at least according to the draft of this decision, in a variety of ways.
And depending on the individual state, there are going to be some enforcement mechanisms in trying to figure out people who have had abortions or are planning on getting abortions for the purposes of criminal prosecutions. So there are a few very specific concerns about data collection related to abortions.
The first is location data.
So there's going to be a movement in states
that outlaw abortions for individuals
to go to other states to obtain abortions.
So far, there aren't laws on the books
restricting people from this type of interstate travel,
but there very well could be.
And there's a lot of information about our whereabouts
that's stored on our devices,
whether it's powering Google Maps
or any other Maps application or many other services.
And the fine print in those EULAs that none of us read
allow companies to sell that information to other companies.
Those companies can make that information available to advertisers or whoever wants to pay for it.
And maybe a state law enforcement agency or a local law enforcement agency would want to pay for that data to identify women who have traveled across state lines to obtain an abortion.
Of course, the companies will say all of this data is anonymized,
but we've talked a million times about how
you can really develop a dossier on an individual person
if their device is always at the same address at night
and always at the same address during the day.
You can pretty easily figure out who that person is.
Second concern is about search and chat histories. So companies like Google keep records of your
Google chats. If you're having a conversation in one of these applications about getting an abortion,
prosecutors could use these types of searches as evidence in a criminal trial. And this isn't entirely theoretical.
In 2017, prosecutors used internet searches in the state of Mississippi
to find out whether somebody was searching for abortion drugs.
So they put that in their search bar.
That was evidence that was obtainable with a subpoena.
And prosecutors used that data as evidence of a fetal homicide in the state of Mississippi.
So this is definitely something that does happen. I think the creepiest in terms of invasions of privacy are these so-called reproductive health apps, which largely track menstrual cycles.
Right. I've seen a lot of call on social media of people saying, you know,
delete your period tracking apps. Yeah. I honestly think that would be a wise move if this is
something that you're concerned about. There have been a couple of these applications who have
already gotten pushback for playing fast and loose with this data. One of these companies, Ovia, was sharing aggregate data on some of their users' family planning with their employers. That happened in 2019. The FTC had to settle with an app, Flo. That app promised to keep users' data private, but then shared it with marketing firms, including Facebook and Google. You know, some people would say, how is this not covered by HIPAA? It is private health
information. Well, these applications don't count as covered entities under HIPAA. Right. So they
are not obligated to follow the terms of that law. So if you have that application downloaded,
you use it, and you've accepted the terms and conditions,
state prosecutors in some of these states that are going to outlaw abortion might use the data on these applications as evidence in a criminal trial based on whether you've missed
certain menstrual cycles. This sounds very 1984. It is. I think this is why it's of such great concern. So I think regardless of how you
feel on the underlying policy issue here, I think this is about an invasion of digital privacy
for companies and law enforcement agencies collecting information that's just extremely
personal. And all of this is legal and is a practice that's relatively common.
Yeah, I mean, I think that's a really interesting point
because the law enforcement in the states
who are, we presume, going to outlaw abortion
would say, well, we're just making use of the tools
that are available to us to enforce the laws
that are on our books,
and that is our responsibility to do so.
So to me, part of what this sort of shines a light on is that everyone needs to take a personal responsibility for their own digital privacy.
You can't just rely on regulation to, if this is something that's important to you, to potentially keep you safe from the type of surveillance that we're going to see out there, right?
Right.
I mean, I think not just in this area, but in every other area, people have to be cognizant of the information they're storing on their personal devices and recognize how easy it is for that data to get into the wrong hands. Whether that's data brokers who are going to exploit your personal information to try
to sell you stuff, or that's the government who's going to use some of the most intimate data
imaginable to prosecute you under these new state laws. I think everybody has to take stock of
exactly what they're sharing on these devices and on these applications. I mean, I think the legal system is not going to do it for us. There are very few protections against this type of mass data collection. So it really is up to individuals. And I think that's a message that privacy advocates are trying to get out there, that it is incumbent upon all of us to make those decisions for ourselves and for our loved ones.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
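As an added illustration of the re-identification Ben describes (the device that sleeps at one address and spends its days at another), here is a short Python example. It is not code from the episode or from any data broker. It assumes a broker-style feed of pseudonymous device IDs with timestamped GPS pings, and a small address table standing in for a reverse-geocoding service; every ping, coordinate, address label and device ID in it is constructed for the example.

```python
"""Re-identifying "anonymized" location data from home/work patterns.

Added illustration; not code from the CyberWire episode or from any broker.
Assumes a feed of (pseudonym, ISO timestamp, lat, lon) records. All data
below is constructed. The heuristic: the cell a device sits in most nights
is its home, the cell it sits in most working hours is its workplace, and
that pair is close to unique per person. Pings far from the inferred home
flag out-of-area travel.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed coordinates (roughly College Park MD, downtown DC, Baltimore, Manhattan).
HOME_A, WORK_A, TRIP_A = (38.9897, -76.9378), (38.8977, -77.0363), (40.7128, -74.0060)
HOME_B, WORK_B = (39.2903, -76.6122), (39.2833, -76.6002)

# Constructed stand-in for a reverse-geocoding service: coordinate -> address label.
RAW_ADDRESSES = {
    HOME_A: "residence, College Park, MD",
    WORK_A: "office, Pennsylvania Ave NW, Washington, DC",
    HOME_B: "residence, Baltimore, MD",
    WORK_B: "office, Inner Harbor, Baltimore, MD",
}


def _cell(lat, lon, precision=3):
    """Snap a coordinate to a ~100 m grid cell so GPS jitter maps to one key."""
    return (round(lat, precision), round(lon, precision))


ADDRESS_BOOK = {_cell(*coord): label for coord, label in RAW_ADDRESSES.items()}


def _make_pings():
    """Constructed feed: three nights and three workdays per device, with GPS jitter."""
    pings = []
    for day, jitter in ((2, 0.0), (3, 0.0001), (4, -0.0001)):
        for dev, home, work in (("a1f3", HOME_A, WORK_A), ("7b2c", HOME_B, WORK_B)):
            pings.append((dev, f"2022-05-0{day}T23:30:00", home[0] + jitter, home[1] + jitter))
            pings.append((dev, f"2022-05-0{day}T11:15:00", work[0] + jitter, work[1] + jitter))
    # One daytime ping from device a1f3 several hundred km from its home.
    pings.append(("a1f3", "2022-05-05T14:00:00", *TRIP_A))
    return pings


PINGS = _make_pings()


def infer_anchor_points(pings, night=(22, 6), work_hours=(9, 17)):
    """Return {pseudonym: {"home": cell, "work": cell}} from modal night/day cells."""
    night_counts, day_counts = defaultdict(Counter), defaultdict(Counter)
    for dev, ts, lat, lon in pings:
        hour = datetime.fromisoformat(ts).hour
        cell = _cell(lat, lon)
        if hour >= night[0] or hour < night[1]:
            night_counts[dev][cell] += 1
        elif work_hours[0] <= hour < work_hours[1]:
            day_counts[dev][cell] += 1
    anchors = {}
    for dev in set(night_counts) | set(day_counts):
        home = night_counts[dev].most_common(1)[0][0] if night_counts[dev] else None
        work = day_counts[dev].most_common(1)[0][0] if day_counts[dev] else None
        anchors[dev] = {"home": home, "work": work}
    return anchors


def reidentify(anchors, address_book):
    """Resolve each pseudonym's home/work cells to address labels (None if no match)."""
    return {
        dev: {role: address_book.get(cell) for role, cell in places.items()}
        for dev, places in anchors.items()
    }


def _haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def away_from_home(pings, anchors, threshold_km=100.0):
    """Pings farther than threshold_km from the device's inferred home: (dev, ts, km)."""
    trips = []
    for dev, ts, lat, lon in pings:
        home = anchors.get(dev, {}).get("home")
        if home is None:
            continue
        km = _haversine_km(home, (lat, lon))
        if km > threshold_km:
            trips.append((dev, ts, round(km)))
    return trips


if __name__ == "__main__":
    found = infer_anchor_points(PINGS)
    for dev, who in reidentify(found, ADDRESS_BOOK).items():
        print(dev, "->", who)
    print("out-of-area pings:", away_from_home(PINGS, found))
```

Run as a script, it resolves both pseudonyms to a home and a workplace without ever having seen a name, and flags the single ping that is a few hundred kilometres from the first device's inferred home, which is the signal a buyer of "anonymized" data would use to spot travel out of state. The only real defence is on the collection side: deny precise and background location to apps that don't need it, and assume any feed with a stable per-device pseudonym can be joined back to a person.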
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.