CyberWire Daily - Russia and Ukraine trade cyberattacks. Chinese intelligence services look at Russian targets. Five Eyes advise on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Name that mascot.
Episode Date: April 28, 2022
Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise us on "routinely exploited vulnerabilities." Physical sabotage as cyberattack. Linda Gray-Martin and Britta Glade from RSA discuss what's new at RSAC and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast Cyber CEOs Decoded coming to the CyberWire network. And, hey kids, name that mascot.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/82
Selected reading.
Special Report: Ukraine (Microsoft)
Russian Cyber Capabilities Have 'Reached Their Full Potential,' Ukrainian Official Says (Wall Street Journal)
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload (Nozomi Networks)
Russia Is Being Hacked at an Unprecedented Scale (Wired)
BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog (Secureworks)
CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Vulnerabilities (National Security Agency/Central Security Service)
The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot (Task & Purpose)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Microsoft summarizes the scale of Russian cyber attacks against Ukraine.
Russian cyber capabilities should be neither overestimated nor underestimated.
Russia has also come under cyber attack during its hybrid war.
Chinese intelligence services are paying close attention to Russian targets.
The Five Eyes advise us on routinely exploited vulnerabilities.
Linda Gray-Martin and Britta Glade from RSA discuss what's new at the RSA Conference and cybersecurity trends.
Marc van Zadelhoff of Devo talks about their new podcast, Cyber CEOs Decoded, coming to the CyberWire network.
And hey, kids, name that mascot.
From the CyberWire studios at DataTribe, I'm Tré Hester with your CyberWire summary for Thursday, April 28, 2022.
As Russia continues its firepower-intensive assault in eastern Ukraine and supplements it with attacks farther west intended to interdict Ukrainian supply lines,
where have the cyberattacks been?
It turns out they've been made, but they haven't taken the expected form.
So Russian cyberattacks have failed to develop into either widespread pests,
like 2017's NotPetya, or locally disruptive attacks against critical infrastructure,
like Russia's cyberattacks against portions of the Ukrainian power grid in 2015 and 2016.
Both were expected, neither has materialized.
This doesn't mean, however, that Russian cyber operations have
been idle in the hybrid war against Ukraine. Yesterday, Microsoft released a detailed report
on Russian cyber attacks against Ukraine. The accompanying blog post summarizes,
quote, Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine, including destructive attacks that are ongoing and threaten civilian welfare. The destructive attacks have also been accompanied by broad espionage and intelligence activities. The attacks have not only degraded the systems of institutions in Ukraine, but have also sought to disrupt people's access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence
Redmond sees them as combat support operations keyed to events on the ground.
Since the war isn't approaching its end, Microsoft argues that it's reasonable to expect
more Russian cyberattacks and that we shouldn't assume that other countries, particularly NATO
countries sympathetic to Ukraine, will continue to experience relative immunity to Russian
cyberattacks. It's worth stressing such immunity as NATO countries have enjoyed is a relative
immunity only. Russian cyberespionage and, especially,
Russian privateering against Western targets have continued at their customary, familiar levels.
Microsoft's recommendations will be familiar to any who have followed CISA's shields-up warnings.
Microsoft's report is a useful reminder that while Russia's cyber operations have enjoyed less success than had been widely expected during the run-up to the war, they've been neither completely ineffectual nor inactive. The Wall Street Journal offers a
different perspective, this one from Ukraine, which has endured a much more protracted and
intimate familiarity with Russia in the fifth domain. Victor Zhora, deputy chief of Ukraine's
State Service of Special Communications and Information Protection, said, quote,
Russian cyber offensive operations likely reached their full potential, and we do believe the international community
will be able to keep them at bay. They did not offer anything special during these two months,
end quote. He sees this as indicating that cyber operations are difficult and take time to prepare,
and that Russia has found itself unable to scale its cyber warriors. Zhora acknowledged
Russian capabilities and said that Moscow's cyber operations had paid particular attention
to Ukraine's energy and telecommunication infrastructure. That attention, however,
hasn't paid off for them in a big way, as both sectors have continued to function under stress.
The most important and potentially serious threat to Ukrainian infrastructure was the largely contained use of evolved Industroyer malware against electrical power
distribution. The U.S. linked the attempt to Sandworm, that is, Russia's GRU military
intelligence service, an attribution that Russia has consistently denied with some show of
indignation. Nozomi Networks yesterday published its assessment of Industroyer2.
Whatever else the GRU operators who ran the attack may be accused of,
shyness and reticence are not among them. It's worth noting that Russia hasn't been
immune to Ukrainian cyberattacks, particularly intelligence collection and distributed denial
of service attacks from Kyiv's IT Army, a largely volunteer effort that responds
to the direction of Ukrainian intelligence services. Wired reports that hacktivists,
volunteers, and intelligence services are all playing a role. Quote,
Hacktivists, Ukrainian forces, and outsiders from all around the world who are taking part in the
IT Army have targeted Russia and its business. DDoS attacks make up the bulk of the action,
but researchers have spotted ransomware that's designed to target Russia and have been hunting
for bugs in Russian systems, which could lead to more sophisticated attacks. End quote.
This kind of hostility is, for Russia, unfamiliar territory. Quote,
The attacks against Russia stand in sharp contrast to recent history. Many cyber criminals and ransomware gangs have links to Russia and don't target the nation.
Now it's being opened up.
Russia is typically considered one of those countries where cyberattacks come from and not go to,
Digital Shadows' Stefano De Blasi told Wired.
Ukrainian countermeasures shouldn't be underestimated either.
At today's Global Cyber Innovation Summit in Baltimore, we're hearing that our Ukrainian colleagues, as Kyiv's cyber operators are being called, have been not only effective, but absolutely heroic in defense of their country's networks.
Secureworks reports that the Chinese government threat group it calls Bronze President,
but which is also known as Mustang Panda, Red Delta, and TA416,
has turned its attention to Russia,
hitting russophone targets with an updated version of its PlugX malware.
This represents a shift in targeting.
Mustang Panda had previously specialized in South Asian and especially Southeast Asian targets. The attention to collecting against Russia suggests that Beijing is closely interested in the progress of Russia's war against Ukraine.
Five Eyes intelligence and security services have issued a joint cybersecurity advisory
that describes 2021's top routinely exploited vulnerabilities. Log4j, ProxyShell, ProxyLogon,
and ZeroLogon issues figure prominently in the
list. The agencies who contributed to the report include the U.S. Cybersecurity and Infrastructure
Security Agency, the National Security Agency, the Federal Bureau of Investigation, the Australian
Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security
Centre, and the U.K.'s National Cyber Security Centre. Reuters reports that French authorities are investigating what appear to have
been coordinated attacks of sabotage that physically severed lines delivering internet
and telephone services in that country. Quote, the French Telecoms Federation said attacks of
vandalism had impacted telecoms networks in several regions, end quote.
And finally, Task and Purpose reports that the U.S. Air Force has a new mascot to help it with
marketing and brand awareness for its cybersecurity awareness campaign,
and that the service is asking for help from the internet to name it.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your
company's defenses is by targeting your executives and
their families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Dave sat down with Linda Gray-Martin and Britta Glade from RSA to discuss what's new at the RSA conference and cybersecurity trends.
Here's Linda to kick off the conversation.
Oh, yeah. Well, you know, first of all, we're so thrilled at the prospect of planning to be back together in person in June.
I think we're so ready for it at this point. And, you know, certainly with the people that we're speaking to and interacting with on a daily basis, you can feel the excitement.
It's like it's two months to go. So I just thought, you know, we'd start by giving you a
little bit of an overview of what you can expect at this year's conference, if that's okay. Maybe
look at some of the new things. So first of all,
just from a very operational point of view, when we last met in 2020 in person, the conference was
five days, but it's actually going to be four days this time. So Monday to Thursday. And we've
been thinking about shortening the event just by that one day for the last kind of two, three years.
But we started to get direct feedback from our attendees that, you know,
a lot of people leave on Thursday.
They want to be home for the weekend, which we completely understand.
And I think with the pandemic,
all the indications point to events being shorter in length.
So it's a big change for us.
But I do want to just point out to the listeners that we're not necessarily
offering less content.
We're just distributing it differently. So you're still going to get the same breadth and depth and quality,
and also most importantly, just as many opportunities to earn CPE credits. It's
very important for our community. We very consciously, as Linda mentioned,
in the shift to four days, we looked at how do we distribute time? How do we distribute engagement?
The excitement for being back together again, we really have heavily valued the interactive opportunities.
A lot of learning labs, they've always been super popular at RSA Conference.
You'll see those distributed throughout the week.
Starting bright and early, 8:30 a.m. Monday morning with our track sessions as well as
the labs. Birds of a Feather are
distributed throughout the week. Past years, we had, you know, kind of breakfast and lunch clumps.
We know that people value those small group conversations, both for the conversation as
well as meeting new people. At the end of the day, being at a conference, being physically,
you know, together eyeball to eyeball,
that's the opportunity to shine in growing that network. So you'll see birds of a feather
distributed throughout the week as well. So we've really overvalued is the wrong word,
but heavily valued the face-to-face networking, talk to people, build relationships, experiences across RSA Conference as a whole.
You know, I think one thing that I'll add for folks who are getting together is that
we've all spent so much time online together over the past couple of years.
Don't be shy about introducing yourself to some of those people that you might
know from afar or perhaps admire or look
up to or just know their name, you know, they're going to be happy to see you.
100%. I really, I think that's a really, really great point. I think, you know, we've learned
talking to, you know, some of our closest colleagues that a lot of these people want
to help others. They want to mentor people who are new to the industry or who have problems or challenges that they want to talk through. So, you know, I really believe that's a
valid point. Yeah. Or you're standing in line or you're sitting down and the session starts in five,
10 minutes. Look to your right, look to your left, strike up conversations. Again, that's the beauty and that's the secret sauce, I believe, of live events is
that opportunity to grow, develop a network, to influence, to be influenced by others. And that's
where we thrive as a community when we recognize the part that we play in the whole. Well, I know on behalf of myself
and the group of CyberWire colleagues
who are planning on being there,
I'm looking forward to seeing both of you
and all of our friends
who we have not seen in quite a while.
So we're only a few weeks away.
We'll see you all soon.
Thank you so much.
We appreciate it.
And we can't wait to see you too.
That's Linda Gray-Martin and Britta Glade from RSA.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
Dave spoke with Marc van Zadelhoff of Devo about their new podcast, Cyber CEOs Decoded,
coming to the CyberWire network.
Obviously, as a cybersecurity CEO,
I think a lot about how I do my job
and what makes it unique in terms of CEO roles.
And I love getting advice and sharing best practices
with peers in the industry,
having been in cybersecurity for over 20 years.
And that spawned the idea of let's do a podcast
where I talk to other CEOs about what it's like to be a CEO
and the nuances of that versus other CEO roles.
Yeah, it strikes me that in cybersecurity,
I think we hear a lot from the CISOs or even the CSOs, but I think the CEOs tend to sit a little more quietly behind the scenes in a lot of companies.
Are there unique stories that you're hoping to gather here from other CEOs in the field?
Yes, I think that there is a uniqueness to being a CEO in cybersecurity. In any other company, you're thinking about your customers, your competitors.
And then in the cybersecurity field, you have hackers as this total random stochastic variable that enters into your role as a CEO, navigating how you push the company forward.
And so I think there are a lot of interesting stories of the best laid plans are foiled by some new idea that a hacker came up with, a new crisis that hits, a new customer that is in trouble.
And that makes it all quite unique to manage a cybersecurity company.
What about that entrepreneurial journey itself?
I mean, everybody has their own origin story and their different pathways to being the CEO.
Is that something you're hoping to cover as well?
Yeah, exactly.
There's a lot of interesting paths that I see as I've started doing this podcast.
Some people spend their life in cybersecurity
and always wanted to solve this problem.
And others really come at it from the outside
and enter into cybersecurity mid-career
and just get a passion for it.
I think what everybody notices is once you're in cybersecurity, it's in a way like a religion. And once you enter into it as a CEO
as well, you really get this passion for solving the societal problem that's bigger than a lot of
passions that you feel in other roles. One of the things that I really enjoy about your show is that
because you are a CEO yourself, I think that leads to your guests really being
open and honest about their journeys. And that includes some of the challenges and even failures
along the way. Yeah, I think it's really important. And I think maybe that's the more contemporary CEO
that is able to be vulnerable and really upfront about what it's like to have the job. And I think that's maybe,
hopefully, maybe it's my hope as much as the reality speaking to where I think society is at,
right? We're looking for authenticity. We're looking for people that are real. We're looking
for people that don't just do their jobs, but also have families and have things to balance.
And I think all that comes out as we have these discussions on the podcast.
Can you give us a little preview of some of the conversations you're going to have?
Who are some of the folks who are representing here?
First two are, one is with Brendan Hannigan, who is the CEO of Sonrai Security.
They're in the cloud data and identity space.
And Brendan has an amazing career, immigrated to the U.S. from Ireland and has run a number of companies, including Q1 Labs, which he sold to IBM.
He was the general manager of IBM Security, where he and I intersected, and then was an investor with Polaris and is now the CEO of Sonrai.
Another one is Patrick Morley, who had a similarly interesting journey, ended up as the CEO of Bit9,
which eventually became Carbon Black and went to IPO and was sold eventually to VMware.
So two really interesting stories of CEOs
that have kind of navigated companies
through various stages of fundraising,
of M&A, of IPO, and of sale.
It also strikes me that it could be helpful
for those people who are just getting
their start in the industry to have a better perspective on what's going on in the minds of
the people who are running these companies. As you're trying to make your way up the ladder,
having these behind-the-scenes insights can certainly be helpful.
No, exactly. I think it's a way of getting mentorship to people that are making their
way up into the industry.
Thanks again to Marc van Zadelhoff of Devo, who is the host of the Cyber CEOs Decoded podcast, which is joining the CyberWire network today.
You can find the first episode of Cyber CEOs Decoded on all of your favorite podcast apps.
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Liz Irvin,
Elliott Peltzman, Brandon Karpf,
Eliana White, Puru Prakash,
Justin Sabie, Tim Nodar,
Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe,
Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Tré Hester, filling in for Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.