CyberWire Daily - Russian research institute sanctioned for its role in Triton/Trisis. Coordinated inauthenticity in Myanmar. Clean Network program update. Major data breach in Finland.

Episode Date: October 26, 2020

The US Treasury Department sanctions a Russian research institute for its role in the Triton/Trisis ICS malware attacks. Coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Rob Lee from Dragos on insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign. Rick Howard explores SD-WANs. Data breaches afflict a large Finnish psychiatric institute. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/207

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. Treasury Department sanctions a Russian research institute for its role in the Triton/Trisis ICS malware attacks. Coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Robert M. Lee from Dragos shares insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign.
Starting point is 00:02:25 Rick Howard explores SD-WANs, and data breaches afflict a large Finnish psychiatric institute. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 26, 2020. Friday, the U.S. Treasury Department's Office of Foreign Assets Control announced sanctions against the State Research Center of the Russian Federation's Central Scientific Research Institute of Chemistry and Mechanics for, quote, knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution or government on behalf of the government of the Russian Federation, end quote. Specifically, this comes down to the Institute's role in developing the Trisis/Triton malware. Trisis/Triton was designed to disable industrial safety systems,
Starting point is 00:03:40 obviously a dangerous and unusually aggressive design, one more suited to the production of hazardous kinetic effects than to the simple compromise of IT systems. It was used against a Saudi petrochemical plant in 2017 but misfired. Had it functioned as intended, its effects could have been potentially lethal. As Treasury explained the incident, The Triton malware was designed to target a specific industrial control system controller used in some critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. The malware was initially deployed through phishing that targeted the petrochemical facility. Once the malware gained a foothold, its operators attempted to manipulate the facility's ICS controllers. During the attack, the facility automatically shut down after several of the ICS controllers entered into a failed safe state,
Starting point is 00:04:31 preventing the malware's full functionality from being deployed and prompting an investigation that ultimately led to the discovery of the malware. Researchers who investigated the cyber attack and the malware reported that Triton was designed to give the attackers complete control of infected systems and had the capability to cause significant physical damage and loss of life. In 2019, the attackers behind the Triton malware were also reported to be scanning and probing at least 20 electric utilities in the United States for vulnerabilities, end quote. The Treasury Department's sanctions are noteworthy in that they're being directed against a nominally disinterested scientific research organization. The authority for the
Starting point is 00:05:15 sanctions is Section 224 of the Countering America's Adversaries Through Sanctions Act, known as CAATSA. The specific measures resemble those taken against other organizations the Office of Foreign Assets Control has placed on the Specially Designated Nationals list. Quote, All property and interests in property of the Institute that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked.
Starting point is 00:05:55 Moreover, non-U.S. persons who engage in certain transactions with the Institute may themselves be exposed to sanctions. Not all coordinated inauthenticity is state-sponsored, or even directed toward primarily political ends. Late Friday, Graphika described inauthentic networks based in Myanmar that Facebook took down on October 21. Graphika says they contain a mix of clickbait, much of it involving celebrity news and gossip, and political content, much of it pro-army and anti-Muslim. The clickbait apparently predominated.
Starting point is 00:06:32 The motivation for the operation, Graphika concluded, was more commercial than political. ZDNet reports that four more European governments have signed on to the U.S.-led Clean Networks program, Slovakia, Bulgaria, North Macedonia, and Kosovo. They join the U.S., Canada, the U.K., Denmark, Norway, Sweden, Finland, Latvia, Lithuania, Estonia, Serbia, Slovenia, Albania, Greece, Poland, Ukraine, Romania, and the Czech Republic in agreeing in principle on the threat Chinese companies, like Huawei, but not only Huawei, potentially pose to 5G security. Much of Europe and North America, whether they've signed on to clean networks or not, now have expressed official skepticism about the wisdom of allowing Chinese hardware
Starting point is 00:07:15 into their 5G infrastructure. The U.S. is currently in talks with both Brazil and India about 5G security. Finnish psychotherapy center Vastaamo has sustained a data breach with loss of patient information, and individual patients have begun receiving extortion demands asking for €300 to €500 to keep their clinical details quiet. The story first began to appear in tabloids last Wednesday as victims complained of the extortion notes they'd begun receiving. Details remained sparse and Vastaamo seems to have
Starting point is 00:07:52 been slow to recognize that it had been breached. A press release from the company yesterday said that it believes it sustained two separate attacks, one in November of 2018 and another between December 2018 and March of 2019. Information belonging to some 300 patients is believed to have been published online. Computing reports that overall some 40,000 patients' data were compromised. Thousands of victims have already filed criminal reports. The incident has received attention at the highest levels of Finland's government. President Sauli Niinistö called the attacks especially cruel, insofar as they constituted an assault on the victims' inner selves. National authorities are investigating and have said they're determined to bring the criminals responsible to justice.
customer challenges faster with agents, winning with purpose, and showing the world what AI was
Starting point is 00:09:05 meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:09:51 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:10:44 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io. And it is my pleasure to welcome back to the show the CyberWire's Chief Analyst and Chief Security Officer, Rick Howard. Rick, great to talk to you again. Thank you, sir. On this week's CSO Perspectives, you are talking about SD-WAN. And I have an admission to make that before we were going to meet here today, I am not really up to speed on exactly what an SD-WAN is and how it could be important for security. So before we dig in here, why don't you just take a minute and bring me up to speed?
Starting point is 00:11:44 Well, let me tell you, you're not alone, my friend. There's a lot of people in the same boat. And so was I, okay, when I started working on this episode. And by the way, as many of our hash table experts were too. So don't feel bad. Okay. All right. So here's what I learned. The first thing you have to know is that the way we are building our internal enterprise networks is going through a revolution. You may not even have known that. The old way, starting, say, in the early 2000s, was that we needed to connect our data centers that we managed and our other remote sites together. And we did that by installing expensive but fast and reliable
Starting point is 00:12:18 MPLS circuits between the sites that we leased from the telecommunications companies. And by the way, I know you're reaching for the Google machine to look up what MPLS stands for. Let me just stop you there. It is multi-protocol label switching. All right, so put that in your nerd basket. I was just going to guess that, actually, yeah.
Starting point is 00:12:38 So it's just a dedicated, for the time, high-speed connection between the mothership and all the remote offices. Is that a fair way to describe it? Yeah, dedicated hardware, dedicated software to establish those connections. Okay. And for security, we would backhaul the traffic destined for the Internet to a data center that housed the security stack. So, Internet inbound and outbound traffic had to go through the security stack, and that's how we protected our environments.
Starting point is 00:13:10 So fast forward to today, enterprises of all sizes, as you know, are moving their workloads out of their data centers and into the cloud somewhere, either through SaaS services or IaaS and PaaS services from big providers like Microsoft, Google, or Amazon. Because of that, it is making less and less sense to maintain these expensive internal MPLS circuits, when mostly what each site needs is an internet connection to the local cloud provider. Now, you do that through cheap and less reliable broadband connections. And in the very near future, I mean, you know, a couple years probably, you might be doing this through 5G connections.
Starting point is 00:13:49 But remember when I said these connections were unreliable? Yeah. Well, the way we compensate for that is to install not one broadband connection, but many at each site, depending on how big your organization is. So remember that. Belt and suspenders. Say that again? Belt and suspenders.
Starting point is 00:14:06 That's right. Okay. And so you got to remember that broadband connections are way cheaper compared to MPLS circuits. So it kind of makes sense. Yeah. All that is great, but now the complexity for managing all those internet connections in terms of data flow priority and choosing the fastest internet connection, not to mention ensuring that all that traffic goes through a security stack somewhere, has exponentially grown. This is where SD-WAN comes in.
Starting point is 00:14:35 It is a software networking abstraction layer that manages all those connections. So to help me explain this, I was talking to Paul Calatayud. He came to the hash table this week to talk about it. He is the Palo Alto Networks chief security officer for the Americas, and he came up with a fantastic analogy to describe what is going on here. Resilience essentially makes up for the lack of dedication and lack of reliability, because now I have many, many unreliable options to get back home. And eventually,
Starting point is 00:15:04 some of those paths, it's like Waze, right? Like the maps, you know, all of a sudden it's telling you to go a different path. But ultimately it's looking and going, yeah, we'll get you there eventually, right? Like on time. And you're going back neighborhoods and going through dirt trails. And you're like, well, this is efficient. But that's kind of the way SD-WAN works. Like the big visualization here is SD-WAN is the Waze for networking.
Starting point is 00:15:25 All right. Well, so I get it now. I mean, it's what we're talking about. This is basically as if we had for our WAN, we had a version of Waze to just make it all right, to make it easy, just in one place, right? It's guiding us from point A to point B, the way we didn't even know existed. That's exactly the way it is. And I took this quote from the Google website, because it will help, right? It says, here it is, quote, knowing what's happening on the road with
Starting point is 00:15:55 Waze, even if you know the way, Waze tells you about traffic, construction, crashes, and more in real time. If traffic is bad on your route, Waze will change it to save you time, end quote. That is exactly what SD-WAN does for you on your network. You know, it's funny. I've come to believe that you don't believe Waze at your own peril, right? Because time and time again, Waze has been telling me to go somewhere
Starting point is 00:16:21 or any of these GPS, you know, smart GPS apps, and I'm going, this isn't right. This isn't right. This can't be right. I've never gone this way before. This is a completely, and then all of a sudden, bam, I'm there. I'm at my destination. I'm like, wait a minute.
Starting point is 00:16:33 How did that happen? I didn't even know that that connection was possible. Well, you look at what those guys do. They're not going to get you where the best way, but they're going to get you there a way. All right. So that's kind of what SD-WAN is, because you're going to have this myriad of connections of ways to get to the internet and back and forth through your own enterprise. It's going to find the way to get your packets
Starting point is 00:16:54 to where they need to go. Yeah. All right. Well, there's a lot more to learn about this, and I know you all will dig deep into it. It's CSO Perspectives. It's over on CyberWire Pro. Do check it out. Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:17:46 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. We just had the, you know, the recent news that half a dozen Russian military officers were charged in a hacking campaign. This is the Sandworm campaign, the Justice Department going after them. I wanted to check in with you. What is your take on this? I mean, overall, I thought this was a really good and strong move, especially ahead of the election. I think the Department of Justice and FBI as a whole have a bit of a credibility problem walking into election cybersecurity discussions, right or wrong, and coming out ahead of the election with a really detailed indictment with some really significant access. I mean, there's components of this that definitely came from either allied
Starting point is 00:18:55 intelligence or NSA and CIA supporting these when you're actually getting into individual operator names and really core details of what they were doing on the adversary side, not just on the victim side. So by and large, real strong messaging. I think the message is pretty clear on we're willing to burn our resources to burn your resources. And that's a really significant thing for any government to say to an adversary state. The two kind of critiques that I had, and so I don't want this to get taken into context that I'm critiquing the report as a whole. Again, overall, well done to the folks that put this together. The two critiques, and I'd say one may be a hilarious thing. Number one on the
Starting point is 00:19:35 critique, I do think the 2015-2016 Ukraine attacks deserved a standalone sort of admonishment. I've been pretty critical of that when they happened as well, that we did not have any Western leaders come out and even condemn the attacks. Forget the attribution, forget any aspect of that. But even coming out and saying, look, a cyber attack that caused electric power outages on civilian infrastructure is exactly what we said for years. We don't want to see. Let's set the precedent that we're going to come out and condemn this. And I've been fairly critical over the years
Starting point is 00:20:09 that we never saw that. And I think that was a mistake. And so it's good to see it in the report as part of the history of this threat, if you will. But seeing it called out by the DOJ and see it called out five years later, I would have liked to have seen a larger state sooner kind of effort. The other critique I have, and I'll have this critique forever, which I fully understand its place in the strategy. I fully understand the opposing viewpoints here. I'm not saying they're not without value, but I just generally do not like the name and shame strategy of individuals, especially when they're in the military. I mean two of those individuals in the one in Wild Wild West poster-styled appendix they had were in military uniform even in the pictures.
Starting point is 00:20:58 And I just think it sets an extraordinarily bad precedent that we are going to not only name and shame, but do indictments and hold accountable the individuals more than the state themselves. Those individuals now have restrictions on them and have been publicly called out in ways that we'll never be able to go back to normal life. And yet we don't see a lot of sanctions or actions against the GRU or the Russian state themselves. And I think as the United States, where we have a really active cyber command, a really active national security agency, it is a mistake to put the focus on military and individuals. And I really, really abhor the day that we're going to see U.S. enlisted members
Starting point is 00:21:44 or similar on Wild Wild West posters in Russia or China or Iran. Why do you suppose they're coming at it this way? What do you suppose the intelligence community sees as the advantage of naming and shaming that way? Yeah, I think, yeah, so the opposing views I've heard before, one which is an opposing view, it's just the reality, is in the DOJ's lane, specifically as criminal indictments. And to do that, you've got to name people. So if you're going to invoke the strategy of using the Department of Justice against these cyber threats, the naming of individual victims and the naming of individual adversaries makes a lot of sense in an indictment.
Starting point is 00:22:31 So I don't think this is a critique on the DOJ. I think from a U.S. government strategy, they have used the DOJ multiple times now in this way. And I would advise elevating the discussion beyond the DOJ to be more about the states themselves and not the actors. As it relates to the counterpoints I've heard, one of them very clearly, I think a number of people think, oh, well, they're not going to get arrested. This doesn't matter. It is actually really impactful. Those indictments also carry over to allied states and states that honor sort of the indictments themselves
Starting point is 00:23:02 and making it difficult for those individuals to travel, makes it difficult for them to go on holiday, could be implications for their financials and bank accounts and similar. So the naming and shaming aspect does have impact to those individuals. And again, the counterpoints I've heard before are it does actually deter potentially the individuals from ever taking those actions in the first place. I don't really buy that.
Starting point is 00:23:26 And obviously I'm very biased here. But having been in the U.S. military and served in the National Security Agency, if my commander were to tell me to go do a mission supported by the president or whatever else and there was a fear of retribution or being named and shamed by a foreign state, that probably would have emboldened me, not deterred me.
Starting point is 00:23:47 It was this aspect of, ah, well, I'm here to serve the cause. You know, if something goes wrong, consequences be damned. You know, support the Constitution of the United States. And so I don't want to mirror image the adversary too much here, but I do question that the deterrence on individuals is real or impactful. And moreover, I do think the broader United States strategy against cyber threats has to take into consideration stronger positions of condemnation, norm-setting, sanctions, economic sort of tools that we have,
Starting point is 00:24:23 diplomatic tools that we have. And it seems that the DOJ is doing a really good job, but it's kind of, you know, one stool of the strategy, or one leg of the strategy. And I think there's a couple other pieces missing right now. All right. Well, Robert M. Lee, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:25:06 sign up for CyberWire Pro. Save you time and keep you informed. It's good to the last drop. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast
Starting point is 00:25:18 where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks
That's at recordedfuture.com slash podcast. Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:26:11 Thanks for listening. We'll see you back here tomorrow.
