CyberWire Daily - South Korea’s nuclear research institute discloses cyberespionage incident. Norway attributes 2018 incident to China. Poland blames Russia for email hacking as NATO clarifies alliance cyber policy.
Episode Date: June 21, 2021
The South Korean nuclear research organization sustained an apparent cyberespionage incident. Norway’s investigation of its 2018 breach of government networks concludes that China’s APT31 was behind it. Poland accuses Russia in a long-running email hacking case. Our guest is Mark Testoni from SAP NS2 on where the Justice Department should focus during its upcoming cyber review. Chris Novak of Verizon on financial vs. espionage breaches. NATO seeks to clarify its policies in cyberspace, including a recommitment to Article 5 and a revision of the Tallinn Manual. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/118
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The South Korean nuclear research organization sustained an apparent cyber espionage incident. Norway's investigation of its 2018 breach of government networks concludes that China's APT31 was behind it. Poland accuses Russia in a long-running email hacking case. Our guest is Mark Testoni from SAP NS2 on where the Justice Department should focus during its upcoming cyber review. Chris Novak of Verizon on financial versus espionage breaches. And NATO seeks to clarify its policies in cyberspace, including a recommitment to Article 5 and a revision of the Tallinn Manual.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 21st, 2021.

South Korea's nuclear research organization says it sustained a cyber attack, and suspicions point toward North Korea. The South Korean Atomic Energy Research Institute, KAERI, disclosed Friday that several unauthorized parties obtained access to their internal networks. The Record reports that some of the infrastructure used in the intrusion was traceable to North Korea's Kimsuky group. KAERI had initially denied that the incident had occurred. The institute apologized Friday for its earlier statements. According to Bleeping Computer, the intrusion took place on June 14, and the threat actor gained access through a VPN flaw. Earlier this month, Malwarebytes Labs published a report on Kimsuky, a threat actor generally believed to work for the Democratic People's Republic of Korea's Reconnaissance General Bureau, that is, for North Korea's intelligence service. Malwarebytes listed an extensive number of targets, including the Ministry of Foreign Affairs, Republic of Korea First and Second Secretaries, the Trade Minister, the Deputy Consul General at Korean Consulate General in Hong Kong, the International Atomic Energy Agency Nuclear Security officer, the ambassador of the Embassy of Sri Lanka to the Republic of Korea, and the Ministry of Foreign Affairs and Trade Counselor.
Norway has attributed a 2018 breach of its government IT network to China. Specifically, the Police Security Service, known by the acronym PST, said the cyber espionage incident was the work of APT31. The PST stated, the country. The actor also succeeded in transferring some data from the office's systems. No reliable technical findings have been made of what information was transferred, but the investigation shows that there were probably usernames and passwords associated with employees in various state administration offices.
Warsaw says its recent cyber attack was Moscow's work, or at least the work of threat actors working from Russia. Senior members of Poland's government met last week for a closed-door discussion of an email hacking incident. On Friday, Deputy Prime Minister Jarosław Kaczyński said, as Reuters quotes him, The analysis of our services and the secret services of our allies allow us to clearly state that the cyber attack was carried out from the territory of the Russian Federation. Its scale and range are wide. End quote. Emails belonging to members of parliament and government officials were accessed, as were some emails belonging to members of their families. The incident seemed to have no particular bias for or against any political party, as multiple parties were affected. According to Bleeping Computer, the attacks affected at least 30 members of parliament, officials, and journalists, with the campaign beginning last September. The Record says that Poland's internal security agency has notified its NATO allies of recent Russian cyber attacks, the goal of which, Polish officials say, has been to hit Polish society and destabilize the country. An EU diplomat familiar with the incident told Politico that, quote, on Friday, Poland handed over to the EU member states, the European Commission, and the Council a document on the details of cyberattacks carried out in recent days. That diplomat also said that operational and technical analysis carried out by Polish national security incident response teams confirmed that the infrastructure and modus operandi used during cyberattacks were the same as those used by Russian-sponsored entities. Speculation in the press suggests that the email theft may have been the work of Russia's SVR.

The statements by Polish authorities are
worth reviewing in the context of the communique NATO issued last week, after its Brussels summit, and two days before Wednesday's meeting between Russian President Putin and U.S. President Biden. The Atlantic Alliance began by reiterating its commitment to Article 5, the collective defense agreement under which an attack on one member is regarded as an attack against all. It also called out the increasing tempo of Russian hybrid operations, specifically including cyber operations, disinformation, and partners, including through proxies. This includes attempted interference in allied elections and democratic processes, political and economic pressure and intimidation, widespread disinformation campaigns, malicious cyber activities, and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries. End quote. With respect to cyber attacks in particular, the communique said that cyber threats to the security of the alliance are complex, destructive, coercive, and becoming ever more frequent. This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm. In the event of a cyber attack, the North Atlantic Council would decide on a case-by-case basis whether to invoke Article 5. NATO's comprehensive cyber defense policy promises to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns in accordance with international law.

And indeed, that international law continues to evolve, as nations seek to achieve greater clarity over what's permissible and impermissible action in cyberspace. The Washington Post reports that the Tallinn Manual on the International Law Applicable to Cyber Operations, the NATO-sponsored document that's occupied a leading position framing discussion of cyber conflict, will be undergoing its third revision, the first since 2017. The revision won't come quickly. A five-year process is envisioned. Among the aims of the revision are to clarify what commentators are calling the red lines that nation-states would cross at their peril and to help dampen the possibility that retaliation might lead to uncontrolled escalation.

The Economist sees this convergence of cybercrime and state-directed hacking as a defining feature of next-gen bank robbery. Whether in the form of privateering, as observers have seen in the activities of Russian ransomware gangs, or in state toleration of cybercrime, a more charitable reading of the Russian gangs' activities, or even in direct theft by the states themselves, as seen in the operations of North Korea's Lazarus Group, the relationship can be close, complex, and deniable.
On the heels of several high-impact cyber attacks, the U.S. Justice Department recently announced a 120-day review of their cybersecurity strategy. Joining me to discuss that move is Mark Testoni, CEO of SAP's national security arm, SAP NS2, which provides cybersecurity and secure cloud solutions to U.S. government agencies.

You know, we've had a series of events, obviously, that are pretty significant in the cyber arena in recent months. Going back to the fall, the SolarWinds and Hafnium situation, and most recently Colonial, and now even today we have a meatpacking company out of Brazil that's been affected, that's affecting us. The net is, I think there's an overall genesis or awareness of the cyber threat locations that are much broader than the average person normally sees. And so as the new administration is coming in, many of the segments of government are looking at this problem, and Justice has a very important role in cyber from a standpoint of it to play with the FBI. And even on a broader level, there's a large cyber division within Justice. And I think they're stepping up to take a step back and a lead to say, hey, what should we be doing inside the federal government better? And perhaps more importantly, what should we be doing not only inside the government, but even beyond the walls of the government to create a greater sphere of collaboration. So I think just the nature of the threat, the evolution of the threat, and now what's interesting in these latest attacks is they're becoming more in the face of mainstream America. And it really shows the relationship between individuals, both as employees in companies and in themselves, and how they implicate this entire cyber.

Where do you suppose they stand in terms of being able to collaborate with the private sector and to really execute on the plans that they come up with?

Dave, that's a million-dollar question. I guess in the old days, they would have said it was a $64,000 question. Interestingly, there have been many calls, the Solarium Commission, Senator King, actually, I heard him recently talking about this. He wrote an op-ed in one of the papers talking about the need for collaboration. The problem I see with collaboration in general is the government views it as the private sector needs to share threat information and or breach information with the government because to help the government better understand the threat profile and to, quote, get assistance. I really think there needs to be an approach to this that's different than the past. It needs to be true collaboration. And that's what's missing from even Senator King's remarks and others. It's about bringing not only the collection and sharing of information together, but the sharing of talent and resources. To me, that's critically important. Right now, I don't believe we have that strong forum to be able to do that.

Where do we stand right now when it comes to trust between the government and the private sector? I mean, is that a tenuous relationship? Is it healthy? What's your experience there?

I mean, it's a mixed bag to some degree, Dave. I mean, companies get leery when they open their kimonos at times to the federal government because they feel they potentially could face some sort of prosecutorial risk or other because maybe they didn't do things correctly. I'm not saying that companies and organizations shouldn't be pursued when they're negligent, but we want to not make that the first thing that organizations think about when they're in a collaborative mind. So we've got to create a forum that allows and policies that allow to make it easier for companies to feel comfortable in that environment. I'm confident that we will come to a place. In America and the United States, we often explore lots of ways to solve problems, and then we finally get around to doing the right thing, and I think we will here. The strength of this country has always been innovation, and the openness and freedoms that we have are both opportunities for us and part of our greatness, but they also make it easier for state actors and others to attack us. I think we're beginning to recognize that, and as a result, I think we'll do it. I think if you and I are talking in a couple of years, we'll see great progress in this area.

That's Mark Testoni from SAP NS2.
And joining me once again is Chris Novak.
He's the global director of Verizon's Threat Research Advisory Center. Chris, always great to have you back. I want to touch today on some stuff I know you've been tracking in terms of financial versus espionage breaches, specifically the A4 Threat Handbook. What are you guys working on there?
Sure. Yeah, great to be on the show again, Dave. Absolutely. Yeah, when we look at, you know, everybody tracks on the Verizon Data Breach Investigations Report. And one of the things that some people, if you've been tracking it since the beginning, you're familiar with the A4 model, which was the way we classified all the four A's, actors, actions, assets, and attributes of a given incident. And so what we've done is essentially published what we call the A4 Threat Handbook to kind of help better put perspective on how we look at those four A's. And then also in particular, comparing and contrasting how they relate between financially motivated breaches and espionage motivated breaches.
Well, let's dig into that some. I mean, is there – first of all, I'm curious. Are we seeing any sort of fuzzing between those two things? Is the line a clear one?

It's interesting that you ask that because when we look at it, you know, going back, you know, about 10 years at the data, we've actually kind of identified what we consider to be six different motives to cyber attacks. You see financial motivation, espionage, fun, grudge, convenience, and ideology. That's the way that we've grouped them. And the first two that I mentioned, financial and espionage, really are probably the most interesting just because they make up about 94% of all of what we see. The rest are really kind of a small, small blur in the background. But when you ask about the line between the two, we actually see that if you look at the top targets for financially motivated breaches, the top three are financials, not surprising there, at 29%, accommodations at 16%, and retail at 11%. And I think a lot of that has to do with the sheer quantity of very directly related financial data that there is in those environments to steal. Versus if you look at the top three for espionage-motivated campaigns and breaches, you don't see those three in there at all. The top one is public sector at 29%, manufacturing at 21%, and professional services at 10%. And I think the reason we're not seeing as much blurring between the two is you look at espionage, it's almost entirely going after intellectual property and trade secrets. And if you kind of look at the mishmash of all the different industries that you're looking at, you kind of see a pocket of real deep, valuable intellectual property in the public sector, manufacturing, professional services side of things, or even on the public sector side, you get a lot of state secrets. Whereas on the financial side, you know, that data is typically commingled in different types of institutions.
And how does that extend to the threat actors themselves? I mean, do they tend to silo themselves into, you know, this group is focused on financial, this group is focused on espionage? What are you seeing there?

Yeah, interestingly enough, what we typically see there is on the financially motivated attacks, it is almost exclusively organized crime that is behind a lot of that is typically what we're seeing. And not terribly surprising, organized crime, since the beginning of when we were tracking probably criminal statistics, that's typically what they were motivated by was financial gain. Whereas on the espionage side of things, typically what we see there is it is either nation state or state affiliated is typically the leading elements of it. And then depending on, if you kind of trail down from there, you may see some level of kind of corporate espionage at the next rung lower, but it is, I'd say, a fairly distant kind of second or third.

Now, the A4 Threat Handbook, I mean, does this help organizations sort of dial in their risk profile for knowing what they should suspect they should defend against?

Yeah, that's exactly right. Help them be able to do a couple of things. One is so that they can classify and categorize their incidents in a manner that is similar to the DBIR. Because we know a lot of organizations, whenever a new version of that report comes out, the first thing they want to do is try to compare how do we look versus the data set as a whole? How do we look against our industry? If we want to compare ourselves apples to apples with our peers, how do we do that? Better understanding that A4 Threat Handbook will actually help organizations kind of better characterize their own incidents and put them into the similar kind of reporting format that we use for the DBIR. So they actually have a better ability to compare and contrast against the broader data set, or what we're hoping is industry groups will adopt the same thing, and they'll be able to share and compare data as well.

All right. Well, Chris Novak, thanks for joining us.

Thank you.

We'll see you back here tomorrow.