CyberWire Daily - Pyongyang’s intelligence services have been busy in cyberspace. Hacktivists exaggerate the effects of their attacks on OT. Ghostwriter is back. A twice-told tale: ineffective cyberwar campaigns.
Episode Date: March 23, 2023

DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails, while ScarCruft prospects South Korean organizations. Hacktivists' claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cyber crime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/56

Selected reading.
North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer)
Joint Cyber Security Advisory (Korean) (BundesamtfuerVerfassungsschutz)
North Korean APT group 'Kimsuky' targeting experts with new spearphishing campaign (Record)
ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques (The Hacker News)
The Unintentional Leak: A glimpse into the attack vectors of APT37 (Zscaler)
CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) (ASEC BLOG)
A Propaganda Group is Using Fake Emails to Target Ukrainian Refugees (Bloomberg)
We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems | Mandiant (Mandiant)
Fact or fiction, hacktivists' claims of industrial sabotage in Russia or Ukraine get attention online (CyberScoop)
The 5×5—Conflict in Ukraine's information environment (Atlantic Council)
How the Russia-Ukraine conflict has impacted cyber-warfare (teiss)
CommonMagic APT gang attacking organisations in Ukraine (Tech Monitor)
Transcript
You're listening to the CyberWire Network, powered by N2K.
The DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails, while ScarCruft prospects South Korean organizations. Hacktivist claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cybercrime by the numbers. And our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia's war.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 23rd, 2023.
Researchers have been flagging a great deal of North Korean cyber espionage at midweek. Here are some of the reports that have been coming out.
The German Constitutional Protection Agency and the Republic of Korea's National Intelligence Service have issued a joint advisory describing a spear-phishing campaign by North Korea's Kimsuky threat actor, also known as Thallium or Velvet Chollima. The threat actor is targeting experts on the Korean Peninsula and North Korea issues via a malicious Chrome extension and malware-laden Android apps. According to BleepingComputer, the attacks use spear-phishing emails to trick the victims into installing the Chrome extension. After it's installed, the extension can exfiltrate emails from the victim's Gmail account. Kimsuky is also using an Android trojan called FastViewer, which was first observed in October 2022. BleepingComputer explains, the malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for internal testing only, and the victim's device is supposedly added as a testing target.
The advisory adds that since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world, as well as unspecified people.
In the second round of reports, researchers focus on North Korea's APT37 threat group. APT37's name is, of course, legion. It's also known as Reaper, ScarCruft, and RedEyes. Whatever the name it's being tracked under, APT37 has been observed in action against South Korean targets. The AhnLab Security Emergency Response Center analysis team has observed activity from the APT37 threat group conducting cyber espionage against individuals within South Korean organizations in February and March of this year. Researchers from Sekoia report that the group distributes the Chinotto PowerShell-based backdoor, which gives the actors fully fledged capabilities to control and exfiltrate sensitive information from the victims.
Mandiant researchers have observed a trend in which hacktivist groups are increasingly claiming to have successfully attacked operational technology, that's OT, technology that monitors or controls industrial equipment, processes, and events. The trend crosses political commitments and allegiances, but in general, Mandiant finds that the claims of success have been exaggerated, as have claims on the part of hacktivists to disinterested independence of state influence or direction. On the other hand, there do seem to be signs that hacktivist groups are trading information on OT systems, and that they've exhibited a growing technical familiarity with such systems' vulnerabilities.
Mandiant writes, hacktivism leverages cyber threat activity as a means to convey political or social narratives, relying on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial-of-service attacks. And attacks against OT are seen as providing the kind of high-profile, attention-getting effect the hacktivists desire.
The report concludes and summarizes, in 2022, Mandiant observed a significant increase in the number of instances where hacktivists claimed to target OT. While we observed activity across different regions, most of these cases were conducted by actors that have mobilized surrounding the Russian invasion of Ukraine. The implication of this is that the increase in hacktivism activity targeting OT may not necessarily become consistent over time. However, it does illustrate that during political, military, or social events, OT defenders face a heightened risk.
The Ghostwriter threat group, which has specialized in influence through impersonation, has resumed a campaign in which bogus emails misrepresenting themselves as originating with the governments of Latvia, Lithuania, or Poland are hitting the inboxes of organizations working with and on behalf of Ukrainian refugees. The content of the emails warns that the Ukrainian government is about to undertake mass conscription of military-age men with the intent of feeding the conscripts into combat against Russia. Bloomberg writes, Ukrainian men of military age, the emails warned, were scheduled to be rounded up and sent home. They would then be forced to fight against Russian troops, according to a supposed agreement between Ukraine and its allies. People who received the emails should immediately provide personal information and any known whereabouts of Ukrainians living nearby, the messages said. The goal is to inspire fear and mistrust. Mandiant attributes Ghostwriter to Belarus, Russia's one reliable ally in its war against Ukraine.
The Atlantic Council convened a group of experts to assess the cyber phases of Russia's war so far and to see what lessons might be drawn. In some respects, the conclusion is the familiar one. Russian performance has fallen far short of pre-war expectations. This is by now a more than twice-told tale, but it's worth reviewing again, if for no other reason than how surprising it's been, not only to Russia's victims and adversaries, but to Russia herself. Russian influence operations proved to be unprofessional, sloppy, and without much engagement on respective platforms. Ukraine's communications infrastructure proved surprisingly resilient under cyber attack. Internationally, corporations have concluded that doing business in Russia is a bad bet, and that seems to represent a long-term trend. And Western governments should trim their expectations about how devastating offensive cyber campaigns are likely to prove. More on this topic in my conversation with Christian Sorensen from SightGain later in the show.
Coming up after the break, Joe Carrigan has cybercrime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia's war. Stay with us.
Christian Sorensen is CEO of cybersecurity firm SightGain and previously served in the U.S. Air Force and with U.S. Cyber Command. I checked in with him for insights on the ongoing conflict in Ukraine and the ongoing perception that when it comes to cyber, Russia continues to underperform.
Cyber is just one part of that campaign. And often, once you get into a fighting war, it's less applicable. There's just fewer opportunities or harder opportunities to make an impact.
And in terms of expectations, has Russia lived up to their reputation and what we expected them to be capable of?
I think so far it's fair to say they have not,
but it's also fair to say they probably haven't used all of their different techniques.
They've certainly focused their efforts on Ukraine.
So the larger partner community, alliance community has not generally been affected.
So that's certainly by design.
But also there may be efforts that are laying in wait.
I'm reminded of UK's warning recently or over the last six months of pre-positioning for denial of service attacks.
So they saw an uptick in preparations and ability to execute those denial-of-service attacks,
but there was not any that were actually conducted as of yet in the U.K. by Russia.
Yeah, it seems as though when it comes to the allies and folks who are supporting Ukraine
that what they've experienced hasn't really risen much
beyond the nuisance level. Yeah, that's correct. And you're seeing kind of hacktivists and
traditional or normal criminal activity. And that's probably one of the lessons that we've
seen is it's pretty hard to make tactical impacts in a fighting war or a kinetic war via cyber means.
Much more useful for espionage, for strategic efforts, and traditional criminal efforts,
as opposed to really direct battlefield contributions.
Is there anything that is surprising that we've learned from this war when it comes to cyber?
I think the fact, going back to your first question, there hasn't been as big of an impact has been surprising.
The fact that there's deployed defenders and a lot of partnership with Ukraine to prepare, right, to prepare for known techniques.
And then when something new or novel does come up, it's localized, right? It's effective in one
place or a few places. But then that intelligence of here's what happens, here's how to defend
against it is shared quickly, and then other areas are then
ready for it and prepared for it. So it doesn't spread. And that's been surprising too. Oftentimes
the defenders are not as responsive or ready for those attacks. So those preparation activities
have seemed to have paid off. And what are the lessons that nations can take from this
in terms of preparing their own defenses or even their offensive capabilities?
Yeah, let me handle that in two different answers.
So on the defensive side, it really comes down to preparation.
We know the techniques that are being used, not only in this war, but often.
And it's incumbent upon defenders to practice against those, to be ready to defend against
those and not just patch, but know that you're ready to defend against the techniques that are
coming your way. And then share intelligence. If something new happens, right, you're going to
make corrections, but other people should benefit from that insight. And then on the offensive side,
it really comes down to taking stock of what you really have in terms of capabilities and where
those capabilities could make the most impact. And knowing what that is,
you don't have to know or you don't have to let the potential adversaries know what that is. But
cyber seems to be a long game, right, where espionage really matters. The US had great
insights into what Russia was planning, where those insights came from, cyber probably contributed to that. But where it can make the most impact
has to be weighed carefully and then used wisely. Based on what we've seen over the past year or so,
how do you think that informs what we might be in for in the immediate future
as you look toward the horizon? So I think it's important to recognize we don't know everything
yet as far as the techniques that could be used, the pre-positioning that has already been
accomplished. So we don't know all of the tools that would be used, just like Russia hasn't
deployed all of their weapons or used all of their weapons. It's been pretty contained to the Ukraine battlefield, but that doesn't have to be the case, right? So we should continue to
pay attention to not escalating on the policy side and abide by what we're learning are the
red lines, abide by really what would escalate things and making sure we're being very careful
with what we do,
as well as the other side, Russia,
to be careful about what they do
vis-a-vis the rest of the world, right?
So that part is really, really important.
And then continued vigilance, right?
We have to continue to learn what's being used and respond to that, especially on the
protection of data and criminal side to protect operations from being shut down.
That's Christian Sorensen from SightGain. And joining me once again is Joe Carrigan.
He is from Harbor Labs and the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
This article caught my eye, written by our buddy across the pond, Graham Cluley.
Yes, Graham.
He wrote this for the Bitdefender blog,
and it's titled,
FBI reveals that more money is lost to investment fraud
than ransomware and business email compromise combined.
Let's dig in here.
Unpack what Graham is laying out here for us.
So what Graham is talking about is the,
this is a report from the Internet Crime Complaint Center, the IC3,
which is, I think, run by the FBI here in the United States.
And they have a chart of investment losses reported to the IC3.
Now, mind you, these are losses reported to the IC3.
These are not losses as a total.
Right.
But in 2021, losses were just under $1.5 million.
That's in total investment fraud.
And that includes—
$1.5 billion.
Sorry, $1.5 billion with a B.
Right.
My apologies.
And that includes almost a billion, with another B, in crypto investment fraud.
Okay.
Now, that fraud in 2022 jumps to a total of almost $3.5 billion.
Wow.
With crypto topping more than $2.5 billion in fraud.
Wow.
So, it's obvious that cryptocurrency fraud is the lion's share of this.
Other portions are actually real money fraud, where they're taking fiat currency that is
actually, all you need to do is launder it. And I'll bet at some point in time that involves
buying cryptocurrency. But really, there's another table in here that's really interesting about the victim losses by crime type.
It has investment fraud at $3.3 billion.
Directly below that is the old king of the hill, business email compromise, at $2.7 billion.
So still very profitable.
Wow.
And then all the way down the list, almost to the end of the list, is ransomware at $34 million.
A very small amount in ransomware is being reported to the—in ransomware losses is being reported to the IC3.
Yeah.
So even if that number is off by a factor of 10, investment scams are still 10 times higher than that.
Right. So the investment scam losses are 100 times bigger than the ransomware reported losses.
Wow. That's interesting. That surprises me. It surprises me too. This is shocking.
I don't know what's going on here. I guess, you know, we've been talking on Hacking Humans about
the pig butchering scams.
Right.
That have been happening.
These are a combination of romance scam and crypto scam.
So you start with a relationship that you build up with somebody romantically.
And then at some point in time, you introduce the idea that you're a crypto investor.
And hey, I can help make you money.
Yeah.
And even at some point in time, these guys wind up giving money back to the people who are trying to scam. And it might
not be an insignificant amount of money. Like, hey, I put $1,000 in. Hey, look at that. Your
money doubled. Yeah, let me try to withdraw that money. There you go. And they get their $2,000
back. And that costs the scammers a lot of money. But what almost invariably happens is people start
putting more money back into this thing. And then eventually they've put in a substantial
chunk of their life savings, either all of it or as much as they're willing to risk on crypto,
cryptocurrency. And these guys exit the scam. Once they think they've got all the money,
they just take the money and run. Or once you start asking for your money back when it's more than they're willing to give you, that's when they take the money and run.
Yeah. It really seems as though this stuff continues to trend in the wrong direction also.
I mean, Graham points that out.
This chart that tracks these losses over time is like a hockey stick chart. It's scary.
In two years, this has grown 10 times bigger than it was two years ago. Yeah, there's like $10 billion lost to different cybercrimes every year.
That is according to the IC3.
This is distinctly American losses because somebody in England is not going to report losses to the FBI.
They're going to call Scotland Yard or somebody else.
And these are the
reported losses. So this is just a small fraction of the cybercrime economy. It's the reported
American crime, and it's around $10 billion. To me, I think it strikes me as being useful for
a relative comparison. Correct. Right. To see what the biggest threats are right now. Yeah, and how much bigger they are than others.
Yeah.
But once again, I say,
relative to the amount of attention it gets,
certainly in cybersecurity circles,
I'm surprised to see ransomware
as far down on the list as it is.
Perhaps it's that ransomware is underreported.
It could be that ransomware is underreported.
It could be that ransomware is getting less effective
as our defenses get up
because this used to be a much larger problem.
We've had people over on Hacking Humans
who said that over the past couple of years,
ransomware gangs have been broken up.
The takes have been going down.
People are less willing to pay for ransom
when they have backups
and they know that you're going to sell the data anyway. It's a change in the market. And it could also be that these are the same people,
the same kinds of people, the same group of people that are out there. They're changing
their business models. They're moving away from ransomware to something that lets them do crypto
scamming. Because as many tools as we have out there for blockchain tracing,
I still think that moving money around cryptocurrency blockchains
and putting them into anonymizing blockchains like Monero or Zcash or Bitcoin Z,
those all have the capability of anonymizing the transactions with varying degrees of security.
Yeah.
But I think that's still a great way to launder money from the criminal perspective.
Mm-hmm.
It's just jumping them around.
Yeah.
All right.
Well, again, this is over on the Bitdefender blog.
Graham Cluley wrote it, and it's titled, FBI Reveals That More Money Is Lost To Investment Fraud Than Ransomware and Business Email Compromise Combined. Joe Carrigan, thanks for joining us.
My pleasure, Dave.
N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.