CyberWire Daily - Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.
Episode Date: March 14, 2022

The situation in Russia’s war against Ukraine, and Mr. Putin’s frustration with his intelligence services. Provocations, state-hacking, and influence operations in a hybrid war. Lapsus$ hits Ubisoft with ransomware. LockBit hits Bridgestone America. The Escobar banking Trojan is out in the wild. Kaspersky source apparently not compromised after all. Dan Prince wonders if we are properly preparing for the roles of tomorrow. Rick Howard is pulling on the kill chain. And the wayward aim of public opinion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/49

Selected reading.
After more than two weeks of war, the Russian military grinds forward at a heavy cost (Washington Post)
Ukraine war latest: Talks resume as Russia strikes Kyiv (BBC News)
US view of Putin: Angry, frustrated, likely to escalate war (AP NEWS)
Kremlin arrests FSB chiefs in fallout from Ukraine chaos (Times)
Russian Cyber Restraint in Ukraine Puzzles Experts (SecurityWeek)
Russia's cyber offensive against Ukraine has been limited so far. Experts are divided on why (KESQ)
‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia (POLITICO)
We're seeing 800% increase in cyberattacks, says MSP (Register)
Russia makes claims of US-backed biological weapon plot at UN (the Guardian)
Russian media spreading disinformation about US bioweapons as troops mass near Ukraine (Bulletin of the Atomic Scientists)
Russian TikTok Influencers Are Being Paid to Spread Kremlin Propaganda (Vice)
The White House is briefing TikTok stars about the war in Ukraine (Washington Post)
Android malware Escobar steals your Google Authenticator MFA codes (BleepingComputer)
Google Attempts to Explain Surge in Chrome Zero-Day Exploitation (SecurityWeek)
Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why (ZDNet)
Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit (The Verge)
UPDATE 1-Japan's Denso hit by apparent ransomware attack - NHK (Reuters)
LockBit ransomware group claims to have hacked Bridgestone Americas (Security Affairs)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
The situation in Russia's war against Ukraine
and Mr. Putin's frustration with his intelligence services.
Provocations, state hacking and influence operations in a hybrid war.
Lapsus hits Ubisoft with ransomware.
LockBit hits Bridgestone America.
The Escobar banking trojan is out in the wild.
Kaspersky's source apparently not compromised after all.
Daniel Prince wonders if we're properly preparing for the roles of tomorrow.
Rick Howard is pulling on the kill chain. And the wayward aim of public opinion.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Monday, March 14, 2022.
We begin with a brief update on the Russian war against Ukraine, particularly as it's being
conducted in cyberspace.
On the ground, Russian forces continue to encounter strong resistance and self-inflicted
logistical problems. This morning's update from the UK's Ministry of Defense emphasized the plight
of refugees and the civilians who've remained in place. The MOD wrote, quote, more than 2.5 million
refugees have been forced from their homes as a result of President Putin's attack on Ukraine [...] the Russian invasion began. As with previous such estimates, the true figures are likely to be significantly higher
and will continue to climb as long as Russian operations continue.
End quote.
Russian President Putin's increasingly extreme policies
seem to be driven, at least in part,
by his disappointment in the way the situation has developed for his forces.
The AP quotes U.S. Director of Central Intelligence William Burns,
a former U.S. ambassador to Moscow, as telling Congress, quote, I think Putin is angry and
frustrated right now. He's likely to double down and try to grind down the Ukrainian military
with no regard for civilian casualties, end quote. Burns sees Mr. Putin as living in a propaganda bubble of his own creation.
U.S. intelligence officials see few face-saving ways for the Russian president to exit what's become a costly war.
DCI Burns told Congress, quote,
He has no sustainable political endgame in the face of what is going to continue to be fierce resistance from Ukrainians.
End quote.
Director of National Intelligence Avril Haines said Mr. Putin perceives this as a war he cannot afford to lose, but what
he might be willing to accept as a victory may change over time given the significant costs he
is incurring. Satellite internet service delivered by Viasat was interrupted on February 24th, around H-hour of Russia's invasion.
The U.S. National Security Agency, France's ANSSI cybersecurity authority, and Ukrainian intelligence services are jointly investigating whether the incident was a Russian cyber attack.
The target and the timing suggest circumstantially that it was, Reuters
reports, quote, the hackers disabled modems that communicate with Viasat's KA-SAT satellite,
which supplies internet access to some customers in Europe, including Ukraine.
More than two weeks later, some remain offline, end quote. The Viasat incident seems the most
serious cyber attack of the war.
Cyber incidents traceable to Russia have been observed outside the Ukrainian theater of operations,
but these seem for the most part to be familiar criminal or at worst privateering capers
that have long been run by the Russian underworld with Moscow's toleration and sometimes encouragement.
While Russia's war against Ukraine
has indeed been a hybrid war with cyber phases, those phases have been characterized by low-grade
distributed denial-of-service attacks and website defacement. An essay by Jan Kallberg in the
CyberWire offers an explanation of why this might be so. Destructive attacks, once executed, are difficult to repeat,
and deploying the cyber weapons such attacks would use
should wait until it makes strategic sense to do so.
If there's no combat advantage in, for example, taking down a power grid,
it shouldn't be surprising that such attacks haven't yet materialized.
The effects of a cyber attack, however devastating, are of finite duration,
and it's difficult to repeat them at need. A similar calculus seems to be informing U.S.
restraint against Russian assets, Politico reports. The Washington Post has an account of FSB
strong-arm tactics used as early as September of last year to pressure Apple and Google to trim their policies
to accommodate official Russian sensibilities. Those tactics extended to threats of arrest made
against corporate personnel in Russia. The Post characterizes the threats as preparatory work for
the censorship the current hybrid war against Ukraine has brought in its train, and it says
the companies at the time blinked.
Influencers remain engaged in Russia's war against Ukraine, and here, as is the case with
other items influencers flack, from clothing to drinks, they're being paid for their services.
Vice reports a Russian campaign to pay influencers to retail Moscow's propaganda to their gullible followers.
The U.S. National Security Council is running a rumor control effort that specifically addresses the spread of Russian disinformation through TikTok.
Prominent TikTokers, the Washington Post says,
were given a Zoom meeting by the White House
in which the lines of Russian propaganda
and the human cost of repeating it were outlined.
Meta's platforms Facebook and Instagram have relaxed their customary strictures against hate speech
to permit stronger language about Russia's war against Ukraine to pass its filters,
and Russia has responded by adding Instagram to its blocked list.
Authorities in Moscow have also asked a court to designate Meta an extremist organization,
which Bloomberg comments would effectively criminalize all of its activities in Russia.
Meta spokesman Nick Clegg issued the company's response, which repeated familiar claims of
commitment to free speech and opposition to hate speech, and said that their relaxed rules apply
only to users in Ukraine, the expression
of whose outrage Meta is unwilling to censor. Mr. Clegg says in particular that the company on
whose behalf he speaks won't tolerate Russophobia. Meta did clarify in other communications that it
wouldn't permit people to call for the death of a head of state. Unnamed here is Mr. Putin, whose death a number of people have
publicly desired. So everybody, no more death to Putin posts. Turning elsewhere, another Toyota
supplier has been hit with a cyber attack, Reuters reports. The criminal gang Pandora claimed
responsibility for the attack on Denso, a company that manufactures a wide range of automotive parts,
including engine components. Another supplier, Kojima, had come under attack at the end of last
month. That incident led Toyota to shut down domestic production for a day. The ransomware
attack on Denso's German operations has not affected manufacturing or other operations.
The Lapsus gang has racked up another victim,
Security Affairs says. This time, it's game maker Ubisoft. The company confirmed that it came under
cyber attack last week, but that its games and services were now performing normally.
The manufacturer Bridgestone Americas has confirmed that it sustained a ransomware
attack on February 27th. Bleeping Computer says the LockBit gang has claimed responsibility
and the group is threatening to release stolen data if the ransom isn't paid.
Bridgestone confirmed that the threat actors stole information from a limited number of Bridgestone systems.
Bleeping Computer reports that the Escobar Android banking trojan is able to steal Google Authenticator codes to overcome two-factor authentication.
The Trojan, which is still under development, is being offered to a maximum of five customers for $3,000 per month.
Ukrainian hacktivists claim to have obtained and released Kaspersky source code, but their caper seems at best overblown.
Computer Weekly reports that the Russian antivirus company says that its source code wasn't in fact
compromised, and that all the hacktivists obtained was material freely available from the company's
public website. And finally, to return to the war against Ukraine, the New York Times reports that
some people are shunning and denouncing companies and businesses
they misperceive as Russian.
Stolichnaya vodka, for example,
is the target of many boycott calls,
but Stolichnaya is produced in Latvia
and the distillery's corporate parent
is in deeply inoffensive Luxembourg.
And just because a restaurant
has the word Russian in its name
doesn't mean it's
actually Russian. So enjoy your meal with a clear conscience and hold the slacktivism.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. Rick, always great to have you back.
Hey, Dave.
So for this week's CSO Perspectives podcast, you are tackling a subject that I know you really enjoy, and that is the intrusion kill chain.
What do you have in store for us?
Indeed it is, my friend.
And, you know, I've been doing this InfoSec thing for a long time now, close to 30 years.
And I have to say I'm one of those lucky people that have found a profession that I
legitimately love. I mean, I love all the things, right? All of them, right? You know, like zero
trust and resilience and risk forecasting. But the thing that really gets my heart pumping is
adversary playbooks across the intrusion kill chain and the models we use to convey that
information to each other, to leadership, and to the world at large.
You know, I think one of the first conversations you and I ever had, it may have been the first.
It was at RSA, I want to say like 2015, something like that.
We talked about the kill chain.
What?
I'm shocked.
Shocked, I said.
I know.
You?
You?
Well, so as I understand it, you know, most folks in our space think that there are three competing models to consider if you want to deploy intrusion kill chain prevention as a strategy.
You've got the original Lockheed Martin kill chain model.
That came out right around 2010 or so.
2010, yeah.
You've got the Department of Defense Diamond model.
That came out the next year.
And you've got the ATT&CK framework,
which MITRE released in 2013. But your point of view is that these models don't compete at all,
that they're complementary. How could that possibly be, Rick?
Well, you know, I may be a contrarian. What can I tell you, right? So, but I would say that many
network defenders think you have to choose one over the other.
And from my viewpoint, that just isn't true.
Each model is trying to accomplish a different piece of the same goal.
It's all riffing off the same intrusion kill chain idea.
Like one's a strategy document, like the Lockheed Martin paper.
One's an operational construct for defensive action, MITRE.
And one's a methodology for cyber threat intelligence teams.
That's the diamond model.
For adversary playbooks, this collection of bad guy activity across the kill chain,
you don't choose one model over the other.
All of these models work in conjunction with each other.
So if the metaphor for preventing the success of cyber adversaries is an elephant,
each of these
models represent different parts of the elephant. So in this episode, we're going to explain each
model and discuss how network defenders can incorporate all three of them into their first
principles of defensive strategies. Now, isn't there a parable about blind men and an elephant?
I was trying to come up with that and I just couldn't swing it.
Okay. All right. Well, I don't want to put you out on a limb here.
All right. Well, that is all part of CSO Perspectives. You can find that on our website. It's part of
CyberWire Pro at thecyberwire.com. Rick Howard, thanks for joining us.
Thank you.
cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Daniel Prince. He's a senior lecturer in security and protection science at Lancaster University.
Daniel, always great to have you back on the show.
You are an instructor there at Lancaster University, and I know that is part of your job that is near and dear to your heart.
I want to just check in with you on where we sort of stand right now in terms of preparing folks for those cybersecurity roles
that are coming in the future.
Yeah, thanks, Dave. So I'm the program lead for our MSc at
Lancaster University. And it's really interesting talking to the students as they come in and
the types of jobs that they're thinking about going for. And that started me and others at the university thinking about how, through our courses, we're
preparing the students for the next generation of roles.
I mean, over the last 10, 11, 15 years that we've been teaching comprehensive security
courses at Lancaster, the types of roles have really changed from the early concepts of
focusing on information security, and then it became cyber security, and then we started
to get really specialist roles like SOC analysts and forensics analysts. And now we're
starting to see people talking about, well, I'd like to specialize in the protection
of critical national infrastructure.
And so what we're starting to see really over this last decade is,
as we're seeing in the job market, is this increasing specialization from generic people
that can work across different aspects of cybersecurity now
to increasingly detailed specialization.
And so the challenge that we have as a university
and other universities have is really,
are we preparing individuals for these future roles?
Particularly as we get to the point
where we're seeing things like smart cities
and smart cars, you know,
instead of being a mechanic in the future,
do we need to have as part of the MOT
or the test that the car is fit to be on the road,
also annual penetration tests.
And so sitting alongside somebody with greasy overalls,
you've got somebody with a laptop as your car comes in,
and they run a penetration test against it
so that we know that it's also safe to be on the road from that perspective.
And so we need to really think about agile ways
in which we can respond, but still be able to teach the core knowledge which is needed for
individuals to go into the profession.
Yeah, I mean, that's fascinating. The challenge that
you all face there of having those foundational things that everyone needs, but then also not being just reactive,
that you have to prepare them for a rapidly changing vertical.
Yeah, definitely. I mean, some of the students I've been talking to in our current cohort,
I'm talking to them about smart city engineering and the security there, smart home engineering, sitting alongside electricians
and making sure that you're protecting those types of systems.
And I think what's interesting is this idea that cybersecurity
as an educational pathway is not just something that happens
in large organizations, but is starting to become something
that is front and center in consumers' lives, in terms of consumers are
going to start procuring directly cyber security services, either because they want to or because
they have to, because of legislation. Like, you look at something like a Tesla,
which is effectively a smartphone on wheels. It has to be safe,
going back to the car analogy, it has to be safe to be on the road, and as part of that safety
it's constantly getting security software updates. How do we know that that car is okay to be
on the road from a cyber security perspective? And that means that the individual who owns that car would also have to procure
directly some services to help test that, especially as these facilities, these pieces of infrastructure,
become old. You know, 10 years down the line, or 20 years down the line, when you've got a
second-hand Tesla that may not be getting
the software updates anymore, how do we know that that is a vehicle that should be permitted on the
road? And the same can be said for smart homes that are built from the ground up to be smart, or
smart cities or other facilities. How do you, you know, when you're buying a house, you have to have
a structural survey to know that it's sound to get a mortgage.
From the university's point of view, is there a push to make sure that all the students are coming out with a well-rounded understanding of cybersecurity?
I mean, I'm thinking of my own experience in college, and granted this was a long time ago.
But we took physics classes for non-majors, math classes for non-majors, just as part of creating that well-rounded student.
What is the conversation going on that, as you mentioned, you know, that students who are leaving university who may not be cybersecurity specialists, but at least having that basic understanding to head out into the world?
Yeah, I mean, that is exactly the thing that we're working on at the moment.
So how do we provide the appropriate level of education that a history grad or a law
grad needs to have to be able to do their job, given that their job is fundamentally
different and digitally enabled from, you know, several years ago.
And so sort of the approach that I'm taking and discussing, but discussing with others,
is we're never going to be able to teach, you know, history grad everything that they need to know
about security. And even if we get into specifics, the next time they upgrade their phone,
the security functionality will change. And so they'll have to learn it all over again.
And so the key thing that we want to be able to try and do with our students
is to empower them to be able to ask some questions
and then inspire them to try and go and find the answers.
And so it's really important to be able to have a community of people
going into the workplace who know the right starting point. And so often I wonder
whether new grads going into the job roles really have that understanding of where to start
with cybersecurity. And if we can manage that, that will see a big change
in the way that students
will go into the workplace
and the way that the workplace
will respond.
All right.
Well, Daniel Prince,
thanks for joining us.
And that's the CyberWire.
Thank you. building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Urban, Elliot Peltzman, Trey Hester,
Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.