CyberWire Daily - Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.
Episode Date: June 23, 2022

Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood's relationship with VPNs. Podcast partner Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/120

Selected reading.
[Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues)
[Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)
Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)
The IT Army of Ukraine: Structure, Tasking, and Ecosystem (Center for Security Studies)
CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA)
Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)
Cloud Security Technical Reference Architecture (CISA)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Reviewing Russian cyber campaigns in the war against Ukraine
and the complexity of Ukraine's IT army.
We've got advice and reactions to ICEFALL. Carole Theriault looks at Hollywood's relationship with VPNs.
Robert M. Lee from Dragos provides a rundown on Pipedream.
And CISA updates its cloud security technical reference architecture.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 23rd, 2022.
Microsoft yesterday published a long report titled Defending Ukraine, Early Lessons from the Cyber War, in which Redmond describes what it's observed so far.
The result that's been most widely reported is a significant increase in Russian cyber espionage directed against countries regarded as either friendly to Ukraine or of dubious adherence to the Russian cause.
In all, Microsoft tallies 128 organizations in 42 countries as subjected to Russian cyber espionage. The target list was concentrated on government agencies,
but it also included think tanks, humanitarian groups, and critical infrastructure providers.
The appearance of humanitarian groups seems particularly telling.
By their enemies as well as their works, shall ye know them?
We guess.
Microsoft is concerned to set the cyber phases of Russia's hybrid war into
historical context. The company's chair and president, Brad Smith, writes in his blog post
introducing the report, while no one can predict how long this war will last, it's already apparent
that it reflects a trend witnessed in other major conflicts over the past two centuries.
Countries wage wars using the latest technology, and the wars themselves accelerate technological
change. It's therefore important to continually assess the impact of the war on the development
and use of technology. The Russian invasion relies in part on a cyber strategy that includes at least
three distinct and sometimes coordinated
efforts, destructive cyber attacks within Ukraine, network penetration and espionage outside Ukraine,
and cyber influence operations targeting people around the world. Smith argues that Russia's war
against Ukraine should motivate governments, corporations, and NGOs to develop effective alliances
capable of responding to further aggression along Russian lines.
He also warns that influence operations have played a significant part in Russia's cyber campaigns,
and he cautions against letting the apparent ineffectuality of Russian cyberattacks against Ukraine,
which fell far short of consensus expectations,
lull anyone into a false sense of security. The IT army that Kyiv has summoned to its cause
has generally received favorable press in the West, although its activities have tended to
be dismissed as nuisance-level website defacements and distributed denial-of-service attacks.
A study by the Zurich-based Center for Security Studies titled The IT Army of Ukraine: Structure, Tasking, and Ecosystem
argues that the EU in particular has failed to take proper stock of the IT army and specifically
of its implications for international norms. The group is far from being just some gaggle of hacktivist randos
totaling about a thousand hackerweight mucking around with electronic signs.
The study sees the origins of the IT army of Ukraine
in years of consideration of lessons to be learned
from the success of the Estonian Defense League's cyber unit
and other efforts around the globe to organize,
incorporate, and surge civilian IT volunteers into existing military structures in times of need.
Those efforts have generally been defensive in nature and grew in a relatively controlled and
systematic way. Whatever thought Ukraine devoted to the problem in pre-war days, the IT army itself seems a wartime improvisation,
stood up in an ad hoc manner without a clearly structured and proven plan.
It appears to have emerged as a surrogate for a Ukrainian military cyber command,
the study argues, but for all that it's been intelligently assembled
and used with greater effect than has been generally
appreciated. Born out of necessity, the IT army subsequently evolved into a hybrid construct
that is neither civilian nor military, neither public nor private, neither local nor international,
and neither lawful nor unlawful. It differs in one significant respect from the earlier Estonian model.
From the outset, the IT army has been encouraged to conduct cyber-offensive operations against Russian targets.
It has two distinct aspects.
First, a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated Russian infrastructure targets.
These are primarily civilian.
Second, an in-house team likely consisting of Ukrainian defense and intelligence personnel that have been experimenting with and conducting ever more complex cyber operations
against specific Russian targets.
Both parts of the IT army are purely offensive in nature
and serve to bring willing amateurs and dedicated professionals into one, most likely, hierarchical organizational structure.
It's also attracted significant support from private sector companies in IT and cybersecurity, both in Ukraine and abroad.
The report concludes, The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts.
On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites.
As of 7 June 2022, this includes 662 targets.
On the non-public side, the IT Army's in-house team likely maintains deep links to, or largely consists of, the Ukrainian Defense and Intelligence Services.
The report warns that this kind of organization is unfamiliar,
especially to NATO's European members,
and that it represents a challenge to international norms of conduct in cyberspace.
That final caution seems overstated.
International law requires that armed conflict be waged by competent authority and by personnel who operate under that authority's control.
The IT Army seems, by the study's own account, to do both.
The laws of armed conflict, which are being gradually extended into cyberspace,
also require that military operations be both discriminating, protective of civilians, and proportionate,
not productive of excessive damage. There are no signs that the IT Army is guilty of either,
although one might wonder about operations against civilian websites. That the IT Army represents an unfamiliar kind of organization seems nonetheless to be correct and to warrant further study.
CISA yesterday noted Forescout's report of the widespread industrial control system
vulnerabilities the researchers collectively call ICEFALL, and CISA has advised attention to the
Forescout report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues
associated with ICEFALL, and its advisory quotes Forescout's primly censorious characterization
of the vulnerabilities as representing insecurity by design. SecurityWeek has a roundup of industry
comments on ICEFALL. In general, the experts aren't surprised that vulnerabilities
of this kind were found, and they're in agreement that ICEFALL is to be taken seriously
and the available remediations applied. This morning, the U.S. Cybersecurity and
Infrastructure Security Agency issued version 2.0 of its cloud security technical reference
architecture. The document singles out two efforts for particular attention,
the familiar Federal Risk and Authorization Management Program,
that's FedRAMP, in place since 2011,
and a more recent program, the CloudSmart Initiative,
which succeeded the federal cloud computing strategy CloudFirst.
CloudSmart emphasizes the three pillars of security, procurement, and workforce.
While the document is addressed primarily at the U.S. federal agencies whose security
CISA oversees, others will find its recommendations of interest, especially if they do business
with the U.S. government.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
VPNs are a common and established tool for those looking to secure their online activity.
And like most tools, VPNs can be put to good use or bad.
Carole Theriault joins us with details on the growing tension between VPN providers and the entertainment industry.
So VPNs, a controversial topic, it seems.
I mean, VPNs generally claim to improve privacy by encrypting online activity
and rerouting it through a company's servers,
basically concealing the user's IP address.
And typical reasons someone might want to employ a VPN could be
to keep stuff private while surfing on a public
Wi-Fi, to keep your stuff private from your own internet service provider or from other apps and
services that you use, to better protect your sensitive work files, or to access any content
as a VPN can be particularly useful workaround to content restrictions.
And this last point continues to cause a furore down in Hollywood. A group of over two dozen film
studios has repeatedly taken popular VPN providers to court, sometimes extracting judgments worth millions of dollars in damages.
Indeed, according to Wired, filmmakers say they have clear-cut evidence that their customers
are abusing the privacy and security provided by virtual private networks.
But last month, court records show that some studios' legal teams have also accused VPN
providers of enabling illegal activity beyond
copyright infringement. And it seems that these studios might actually be challenging the notion
that VPNs should exist at all. The gist of this argument seems to be in the blatant way that
certain VPNs communicate with their audiences.
For example, there are no-log VPNs. And no-log VPNs basically advertise that they keep no logs on any of your activity.
So if someone shows up with a warrant asking to see said logs,
they say, we don't have them.
Now, it sounds like only criminals would use no-log VPNs, but
indeed there are a lot of security conscious people out there who don't necessarily trust
their VPNs with all their information of where they go and what they do on their computer.
So this may be a very good option for them. And back to the studio lawsuit, they seem to intimate that not only do some of these no-log VPNs openly boast in marketing campaigns that law
enforcement is unable to extract any information about their users. I am sure there are people out
there using VPNs and other jiggery-pokery to stream unavailable content or content that requires
payment, and they're doing it for free. And no wonder the studios are feeling the heat.
They, too, suffered through the pandemic.
And while it seems a large number of streaming providers, such as Amazon Prime and Netflix,
did very well while we were stuck at home,
they have recently hit a slump during the first quarter of this year.
But for me, it's kind of hard to feel sorry for Hollywood Studios in this
last quarter. I mean, consider that folk have had to rethink their spending in order to cover
inflation on basics like food, gas, and bills. Many people need to save a few pennies by quitting
a few of the streaming services they may have signed up to during the pandemic. After all,
many of them have now been mandated to go back to work and are working full-time jobs.
But what really bugs me is that the right to privacy is under threat from many, many different sides.
And maybe Hollywood fat cats and their shareholders don't need to chip away at privacy
just because their pockets aren't as overflowing as they were during
the pandemic. And besides, Microsoft is apparently banking on its free built-in VPN to get you to use
Microsoft Edge. I'm not sure I'd call Microsoft the Scourge of the Earth. This was Carole Theriault
for the Cyber Wire.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back. I want to touch base with you today about everything going on with PipeDream,
this ICS-focused malware that you and your colleagues have had a hand in the discovery of.
But I think there's a lot to the story here.
Where's a good place to start?
Yeah, I would just give a background for folks to say that
when you look at industrial control system-focused attacks,
most of what we worry about on a day-to-day basis
is the abuse of native functionality.
It's not about some malware.
It's not about some vulnerability.
Actually, vulnerabilities tend to be a very system-based view of the world.
In the world of industrial, it's systems of systems and physics.
So it's less about what can you do to one system.
It's much more about, do you know how to operate a circuit breaker?
Do you know how to operate a gas turbine?
Do you know how to operate these different systems of systems that we have?
And if so, you can abuse that functionality to do disruptive effects.
But every now and then, you actually get ICS-focused malware.
And they largely, so far, have come in two flavors.
One is access.
BlackEnergy 2 is a great example of that.
It had exploits for internet-facing human-machine interfaces,
basically being able to get access to these industrial environments.
It in of itself couldn't disrupt or destroy anything,
but it could help you get access.
But then you also have the disruptive and destructive
type capabilities.
We had Stuxnet, we had CrashOverride,
also known as Industroyer, there's Industroyer 2,
Trisis.
These ones are deployed to
do something disruptive or destructive.
And across all of those cases
and across all the time that we have,
there's only been six publicly
known ICS malware tool sets.
And most of them are really victim-specific.
They're really not going to use it somewhere else.
The playbook that they've now shown,
the tradecraft that they've shown,
can be picked up by other people,
but you're not just going to drop ship it
into another environment.
Trisis, as an example, worked against that petrochemical environment
with that safety system.
The things they exposed, anybody can now copy their playbook,
but you're not going to see Trisis in its current form
deployed somewhere else.
And that brings us to PipeDream.
So PipeDream is, in my opinion, I hate this whole,
who's the best, what's the most sophisticated malware?
I don't like that measuring contest crap, it doesn't matter.
But what we can candidly say is,
PipeDream is the most flexible
of the ICS capabilities we've seen.
So anything new, the seventh ICS malware framework,
it's going to be big news anyways,
but the fact that it can go against
such a wide variety of industries and equipment
makes it particularly dangerous.
And what's probably most interesting to people around the world
is we were able to get this information out to people
and analyze it before the adversary employed it on its target.
It's not saying they haven't deployed it anywhere in the world.
It's not out there somewhere, but it wasn't employed against their actual targets.
I'll pause there for a second, but in our view, in our assessment,
this was a capability designed to be disruptive,
if not destructive, against a set of initial targets
and then capabilities beyond that.
What I mean by that is, this looks like they were going
to deploy it against US-based energy assets,
specifically in the liquid natural gas space,
both electric and gas community.
I mean, I honestly think that they were going to use this.
And when you talk about attacks on U.S. infrastructure
in a reliable way,
I mean, that's something,
there's many people out there that were like,
oh, we're not going to get attacked,
we're not at war, blah, blah, blah.
And I was like, yeah, the adversary gets a vote in that.
And this was very, very bold and brazen.
So we're fortunate we found it beforehand,
but there's no fix to it.
It's not like there's a vulnerability they're exploiting.
It's not like there's something that you can just go patch and fix.
They're doing all the things we've been warning about for years,
using Modbus TCP, a very common ICS protocol,
using OPC, a very common ICS protocol,
exploiting CODESYS functionality,
which is software in just hundreds
of different controllers out there.
So it's one of those capabilities
that if I was building an ICS security program from scratch
and you just modeled out this scenario
and protected yourself against it
from protection, detection, and response mechanisms,
you would have a world-class program.
This is a very capable framework.
I think there's been a lot of attention to the fact that your team and some other teams,
folks at Mandiant as well as your team at Dragos, were proactive on this, were able
to, as you mentioned, have the detection before it was deployed.
You went so far as to take the stage and kind of give these threat
actors, you know, a bit of the riot act about their capabilities. And you draw some attention
to that. I mean, there was attention on you because of that. Why take that approach? Is that
putting a target on your own back? Probably. And so look, I don't think anybody's above critique
or approach. And so I'm happy to have anybody try to critique me in any of my statements and actions.
Why I think you're alluding to my response on Twitter to my keynote, what I kind of push back
on is there were people that weren't in my talk that were then tweeting at me about their opinions
of what they perceived to be my stance.
And so first I was saying, hey guys, watch the video or watch the talk before you come at me.
And number two, and I don't mean this in any arrogant way,
I don't mean this to be braggadocious, I don't mean this to be a jerk,
but I have been on the offense for this country.
I have been on the defense, I have built the ICS threat discovery mission
for the government, I run the largest ICS threat discovery mission for the government.
I run the largest ICS security company
in the world right now over at Dragos.
I'm not saying I'm right,
but I think I have experience enough
to make the statements that I make.
And for people to be like,
Rob, it's bad that you're poking the adversary.
Guys, I've been there, done that.
You may not agree with me,
but I'm precise with my words and I know what I'm saying. And so why did I say that, right? At the end of the talk,
I put down the adversary. Why? To me, this community, and I love them to death and there's
plenty of reasons to do it, don't get me wrong, but this community builds up adversaries to almost
hero worship to a side for me that feels disgusting. We're so happy to talk about,
oh, this is the most sophisticated group,
and oh, these people were amazing.
Did you look at this cool hack that they pulled off?
Or let's memorialize them with statues at RSA
for the various threat groups that they represent,
and all this crap.
And it's honestly kind of disgusting to me personally,
because having been on that side of the world
and having been in the Intel community,
I know for a fact many of the developers
and operators of these campaigns
just absolutely revel in that.
It's a glorification, it's a,
hey, did you see the latest report?
They were writing about our team,
look how great and wonderful we are,
et cetera, et cetera, et cetera.
So my intent was to kind of return a little bit of normalcy
and say, you know what?
As a member of the industrial community,
out to the adversaries here,
I just wanted to let you know,
we don't think you're clever.
We don't think you're cool.
You're going after civilian targets and civilian people,
and you should feel bad.
You should be fired for your incompetent approach to this.
And I think they ought to be reminded every now and then that they're not as important or as cool as people make them out to be.
They are jerks trying to hurt people. And in any world, in any country, in any reality,
I hope all of us can agree that civilians should be off limits.
All right. Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Liz Ervin, Elliot Heltzman, Trey Hester, Brandon Karp,
Eliana White, Puru Prakash, Justin Sabey, Rachel Gelfand, Tim Nodar, Joe Kerrigan. Thanks for listening.
We'll see you back here tomorrow.