CyberWire Daily - Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility.

Episode Date: August 16, 2022

Microsoft identifies and disrupts Russian cyberespionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized." Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility (but tries to extort the wrong one–stuff happens, y’know?).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/157

Selected reading.
Disrupting SEABORGIUM’s ongoing phishing operations (Microsoft Security)
Microsoft disrupts Russian-linked hackers targeting NATO countries (Breaking Defense)
Microsoft Announces Disruption of Russian Espionage APT (SecurityWeek)
Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs (The Record by Recorded Future)
Microsoft shuts down accounts linked to Russian spies (Register)
RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations (Recorded Future)
Hackers linked to China have been targeting human rights groups for years (MIT Technology Review)
Evil PLC Attack: Using a Controller as Predator Rather than Prey (Claroty)
Hackers attack UK water supplier but extort wrong victim (BleepingComputer)
South Staffordshire Water victim of cyber attack, customers not at risk (Computing)
South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Microsoft identifies and disrupts Russian cyber espionage activity. An update on RedAlpha, and an evil PLC proof of concept shows how programmable logic controllers could be weaponized. Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity.
Starting point is 00:02:20 And the Cl0p gang hits an English water utility. One of them. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 16, 2022. Microsoft yesterday outlined recent activity of the Russian government threat actor Redmond calls SEABORGIUM. The company's report begins, The Microsoft Threat Intelligence Center, MSTIC, has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia with objectives and victimology that align closely with Russian state interests.
Starting point is 00:03:22 Its campaigns involve persistent phishing and credential theft campaigns, leading to intrusions and data theft. As is typically the case, different researchers track this and possibly other related activities by different names. Microsoft says, SEABORGIUM overlaps with the threat groups tracked as Callisto Group by F-Secure, TA446 from Proofpoint, and Cold River from Google. Security Service of Ukraine has associated Callisto with Gamaredon Group, tracked by Microsoft as Actinium. However, MSTIC has not observed technical intrusion links to support the association. The group's targets have been found for the most part in the U.S., the U.K., and other NATO allies who support Ukraine during the present war.
Starting point is 00:04:11 The report says, such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia and organizations involved in supporting roles for the war in Ukraine. The group gains access through social engineering, phishing campaigns that have targeted both organizations and specific individuals. There's some appearance of linkage to conventional criminal activity, but this seems likely to represent either opportunistic collaboration with gangs or deliberate misdirection. The motives appear to be espionage and influence. The report states, SEABORGIUM intrusions have also been linked to hack and leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements
Starting point is 00:04:58 of the group may have current or prior affiliations with criminal or other non-state ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations, as opposed to financial motivations. SEABORGIUM's contribution to disinformation and information operations is interesting. The report says, in late May 2022, Reuters, along with Google TAG, disclosed details about an information operation, specifically using hack and leak, that they attributed to Cold River/SEABORGIUM. Microsoft independently linked SEABORGIUM to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation.
Starting point is 00:05:45 In the said operation, the actors leaked emails and documents from 2018 to 2022, allegedly stolen from consumer ProtonMail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically-themed media sources that garnered quite a bit of reach. Microsoft's report includes a caution against spreading the narratives that it links to the threat group,
Starting point is 00:06:15 saying, While we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM's intrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not be releasing the specific domain or content to avoid amplification. What has Microsoft done to disrupt SEABORGIUM?
Starting point is 00:06:54 They say, as an outcome of the service abuse investigations, MSTIC partnered with the abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM's activities. We mention in disclosure that Microsoft is a CyberWire partner. Recorded Future this morning outlined recent activity by the Chinese government threat actor RedAlpha, an operation the company's researchers have been tracking since June of 2018. RedAlpha has recently been observed conducting large-scale credential theft.
Starting point is 00:07:36 Its targets continue to be humanitarian, think tank, and government organizations globally. RedAlpha's techniques involve a great deal of credential harvesting. Recorded Future says, Our research uncovered the suspected China state-sponsored group RedAlpha conducting credential harvesting activity targeting individuals and organizations globally with a particular focus on civil society and government sectors. The group has used a consistent set of TTPs to register and manage large clusters
Starting point is 00:08:07 of operational phishing infrastructure using a mixture of pages impersonating popular email provider logins and custom webmail login pages to mimic specific providers and organizations. Its objectives are consonant with those common in Chinese intelligence and security operations. Since 2015, the group has engaged in consistent targeting of individual citizens and groups associated with minority communities,
Starting point is 00:08:35 many of which are subject to reported human rights abuses within China. More generally, Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity. This targeting of sensitive and vulnerable communities, many of which have security budget and resource constraints, is particularly concerning. Claroty's Team82 research group has developed a novel attack that weaponizes programmable logic controllers in order to exploit engineering workstations
Starting point is 00:09:13 and further invade OT and enterprise networks. It's a proof of concept that demonstrates what Claroty considers a hitherto unexplored vulnerability in PLCs. Claroty says, This technique weaponizes the PLC with data that isn't necessarily part of a normal, static, or offline project file, and enables code execution upon an engineering connection and upload procedure. Through this attack vector, the goal is not the PLC such as it was,
Starting point is 00:09:42 for example, with the notorious Stuxnet malware that stealthily changed PLC logic to cause physical damage. Instead, we want to use the PLC as a pivot point to attack the engineers who program and diagnose it and gain deeper access to the OT network. The researchers emphasize that all the vulnerabilities we found were on the engineering workstation software side and not in the PLC firmware. In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks. Finally, the Cl0p Group, after a failed extortion attempt, published stolen data from South Staffordshire Water, a utility that supplies water to Staffordshire and the West Midlands. Computing reports that the gang published data that included passport scans,
Starting point is 00:10:41 screenshots of user interfaces, and spreadsheets to a dark web dump site. Cl0p apparently believed it had hit Thames Water, a different utility, which may offer a partial explanation of why the ransom attempt failed. The systems have continued to deliver water safely and reliably throughout the incident. So, some data was lost, but the water continues to flow. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:11:24 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:11:56 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:12:46 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Enterprise technology management firm Oomnitza recently shared results from their 2022 Attack Surface Management Maturity Report. I spoke with Arthur Lozinski, CEO at Oomnitza, for some of the highlights. Let me start with the 60% of organizations who have what we're defining as low confidence in their ability to manage the attack surface, both internally and externally, showing is that the growth and the influx of technology is creating more challenges for IT teams and security teams when it comes to the security, of course, the compliance, the audit of that attack surface.
Starting point is 00:14:11 And we see that problem just continuing to increase because of the proliferation of that. With that, we found 53% of organizations are finding remote workers deviating from the security policy, which is a quite significant number. 80% of organizations are pursuing a hybrid or multi-cloud strategy, which isn't surprising. But many of those organizations who have qualified and experienced staff, infrastructure, and visibility, they're facing cloud protection challenges during this hybrid or multi-cloud strategy. And we found that really interesting because that is a significant number of the market who's going to continue spending on cloud and multi-cloud strategies, for them to raise their hand and say,
Starting point is 00:15:07 we have misconfiguration and we have control automation protection challenges, I think it's quite showing of the current state of many IT teams around the world. Now, when we look at some of these numbers, for example, starting with the fact that so many organizations have low confidence in their ability to manage a tax surface risk, what do you suppose is the source of that? Is it lack of funding? Is it personnel? Where do you think that's coming from? We're facing a relatively new challenge. The influx of technology, the way we've seen it today,
Starting point is 00:15:46 is a fairly new phenomenon. The service focus of IT professionals has really shifted. I think before the IT CIO team was always seen as a servicer of other business units and other lines of business. Our job was to make sure email was up and running, the CRM was up and running. We were taking requirements from line of business and implementing them. during this influx of technology where we've gone from simple things like servers relatively to clients, thinner clients over time, has now become all kinds of endpoints. It can be point-of-sale systems, internal IT falls in that category. There's a ton of new networking equipment from physical firewalls to switches to routers. There's only more of those coming online. We're seeing the same thing with infrastructure. We talked a little bit about the
Starting point is 00:16:49 on-premise versus hybrid, but that's continuing to grow. Both the cloud infrastructure and on-premise infrastructure, of course, is not going anywhere. And then there's an influx of the applications, not just the installed applications, but also the applications that live in the cloud or the SaaS applications. And with the influx of all of this technology, the way to manage this has been from a service perspective. It's been tickets. It's been about business continuity, understanding relationship mapping of servers. But that relationship mapping, that business continuity process, and the products available really aren't built to put the machines and the technology in the center of the workflow. Service management was built for humans to execute on the workflow.
Starting point is 00:17:47 And I think that's causing many companies to have a less secure attack surface, less compliance, most likely not audit ready. And they're not providing a great experience for their either internal customers, their internal IT, or even their external customers, if you think of retail environments and such.
Starting point is 00:18:09 So I think it's the influx of technology and the old way of trying to solve the problem that's continuing to increase the challenges companies are seeing. That's Arthur Lozinski from Oomnitza. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:18:57 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. Interesting story here from Wired.
Starting point is 00:19:35 This is written by Lily Hay Newman, and it's titled, A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave. What's going on here, Ben? So the right-to-repair wave has taken off, especially at the state legislative level and really among policymakers all across the country. You have all of these devices where individuals who aren't affiliated with the company that created the device don't have access to be able to make repairs. And that really hurts the consumer
Starting point is 00:20:05 because if you have a tractor from John Deere, you can't just go to Bob's Tractor fixer guy down the street as maybe you would have in a pre-digital age. Right. But you have to go back to the company itself, which can be burdensome. Expensive. They can make it significantly pricey because they can, right?
Starting point is 00:20:23 Right, right. So this story is about somebody who has tried to hack a way out of this right to repair problem. So it comes from an organization called Sick Codes. A hacker who goes by the hacker name Sick Codes. Just an aside here,
Starting point is 00:20:40 I'm trying to think of besides hackers, I don't know, DJs and rappers? Are those the only two groups I can think of that go by these type of stage names? That's true. Maybe Characters on the Wire or other police procedural shows.
Starting point is 00:20:57 They have those AKA names. But yeah, very few of them have names as cool as sick codes. But this individual at a DEFCON security conference in Las Vegas presented a new jailbreak option for John Deere tractors that allows him and potentially millions of users to take control of many of their models through a touchscreen. So that would get around at least temporarily this issue of the right to repair. If there is a jailbreak where you don't have to go back to John Deere to repair your tractor, farmers are going to love it because then they can repair their devices more cheaply. There is another side to this, though, that right to repair has become more than just a kind of practical desire.
Starting point is 00:21:44 It's become a movement from a policy perspective. People really want laws passed to give consumers the right to repair their own products with a vendor of their choice. And something that's expressed in this article is just coming up with a hack that creates this sort of jailbreak might cut against that broader movement because you're only freeing somebody as it relates to this one particular device. Yes, that might be a cyber vulnerability for John Deere, but it is limited to John Deere. I think what the right to repair movement really wants
Starting point is 00:22:21 is something that's more all-encompassing where we're not hacking device by device at presentations in Las Vegas. We're actually coming up with concrete policy changes to give people the option to have the right to repair. So I think that concern is something that was expressed by people interviewed for this article. What about the point of view from a manufacturer like John Deere? They can come at this and say, look, this stuff is complicated. This software, there's a lot to it. And we're just protecting our users from potentially bricking their own tractors by messing around in things that they shouldn't be. Yeah, it's reasonable in one sense,
Starting point is 00:23:06 and I understand John Deere's perspective. I think there is some truth in the fact that if you get access to the motherboard, so to speak, you're going to cause more harm than good anyway. What right-to-repair advocates would say is that should still be the choice of the consumer. The consumer should have the choice to assume that risk. If they know somebody who claims that they can repair software, it's the consumer's responsibility to do their research and make sure that person actually knows what they're talking about.
Starting point is 00:23:36 It's not John Deere's prerogative to close off that avenue to every single alternative vendor. In this particular instance, John Deere might actually be thankful because this hacker seemingly exploited some vulnerabilities that now John Deere is promising to patch. So this might actually work out better for them in the short run. Cat and mouse, yeah. Yeah, it is a cat and mouse game. But in the long run, I think this illustrates, again, that we need, at least from the perspective of right to repair advocates, a broader movement where it's not some guy with an alias hacking every single company that, you know, let's be frank. Some of them are companies more prominent than John Deere, like a certain Apple computer, which has had many of these right-to-repair issues and lawsuits. I think the broader movement is to institute policy that gives consumers the affirmative right to repair
Starting point is 00:24:32 so that we're not relying on people coming in and trying to hack into these devices. Yeah. All right. Well, it's an interesting development for sure. Again, this is an article over in Wired written by Lily Hay Newman. Ben Yelin, thanks for joining us. Thank you. And that's The Cyber Wire.
Starting point is 00:25:02 For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Thanks for listening. We'll see you back here tomorrow. Thank you.
