CyberWire Daily - Tata Power sustains cyberattack. Influence operations and battlespace prep. Ransom Cartel looks a lot like REvil. Notes from Russia’s hybrid war.
Episode Date: October 17, 2022
There's been a cyberattack against Tata Power. The FBI warns US state political parties of Chinese scanning. Russian influence ops play defense; China's are on the offense. Ransom Cartel and a possible connection to REvil. "Prestige" ransomware is sighted in attacks on Polish and Ukrainian targets. Distributed denial-of-service attacks interfere with Bulgarian websites. Grayson Milbourne of OpenText Security Solutions on SBOMs. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of Zero Trust. And Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine (probably). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/199
Selected reading.
Hackers Attack Tata Power IT Systems: All You Need To Know (IndiaTimes)
Chinese hackers are scanning state political party headquarters, FBI says (Washington Post)
The Defender's Advantage Cyber Snapshot Issue 2 — More Insights From the Frontlines (Mandiant)
Ransom Cartel Ransomware: A Possible Connection With REvil (Unit 42)
New "Prestige" ransomware impacts organizations in Ukraine and Poland (Microsoft Security Threat Intelligence)
Bulgarian Government Hit By Cyberattack Blamed On Russian Hacking Group (RadioFreeEurope/RadioLiberty)
'The hell with it': Elon Musk tweets SpaceX will 'keep funding Ukraine govt for free' amid Starlink controversy (CNBC)
Starlink isn't a charity, but the Ukraine war isn't a business opportunity (TechCrunch)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
There's been a cyber attack against Tata Power.
The FBI warns U.S. state political parties of Chinese scanning.
Russian influence ops play defense while China's on the offense.
Ransom Cartel and a possible connection to REvil.
Prestige ransomware is sighted in attacks on Polish and Ukrainian targets.
DDoS attacks interfere with Bulgarian websites.
Grayson Milbourne of OpenText Security Solutions on SBOMs. Our own Rick Howard checks in with
Bryan Willett of Lexmark on implementation of Zero Trust. And Mr. Musk tweets his intention
to continue to subsidize Starlink for Ukraine, probably. From the CyberWire studios at DataTribe, I'm Dave Bittner with your
CyberWire summary for Monday, October 17th, 2022. In a story that's still developing, Indian energy company Tata Power
disclosed on Friday that it had been hit by a cyberattack that affected some of its IT systems, The Record reports.
The nature of the attack is unclear, but the company says its operational technology is still functioning.
The Economic Times cites a senior official as saying that an intelligence input had been received
about a threat to Tata Power and other electricity companies.
We'll be following the story and providing updates as
they become available. The Washington Post reports that the FBI has been alerting state Democratic
and Republican Party organizations that they're the subject of increasing scans by Chinese
intelligence services. The scanning, which the FBI was unwilling to discuss publicly,
given the sensitivity of the matter, seems to be reconnaissance and target development.
A senior U.S. official told The Post that the bureau is working to get ahead of the opposition, stating,
The FBI is being considerably more proactive. It's part of a larger move that the FBI isn't waiting for the attack to occur. They're increasingly trying to prevent.
The report follows other more recent public alerts concerning the probability of foreign influence operations directed against the U.S. midterm elections.
Mandiant has released the second issue of its Cyber Snapshot report.
Among the topics it takes up is the current state
of influence operations. The researchers note that Russian state-sponsored threat actors
are currently conducting widespread I.O. campaigns to bolster the positive perception
of the Russian invasion of Ukraine to the Russian people. Meanwhile, China-aligned actors are
carrying out information operations to sway
public opinion against the expansion of rare earth minerals mining and refining operations
in the U.S. and Canada, likely as an attempt to protect China's heavy investments in rare earth
production. The researchers add, Mandiant finds that these kinds of campaigns are happening constantly.
We regularly see new actors who operate on behalf of nation-states
that have never before demonstrated a significant cyber capability.
As usual, the most insidious lies get a bodyguard of truth.
Mandiant says the most effective information operations involve combining truth and lies,
particularly through
leaking stolen information. They state, the most concerning trends seen in the I.O. space concern
hack and leak campaigns. Hack and leak I.O. campaigns are cyber operations in which an
attacker breaks into a victim's network, steals sensitive, damaging data, and leaks it publicly to influence a given audience.
In many cases, hack and leak operators will alter the material they steal to make it seem even more
damaging. These I.O. campaigns have had significant impacts in the past, including during the 2016
presidential election in the U.S. As an increasing number of actors adopt I.O. as a
viable means to achieve their goals every year, campaigns will continue to evolve as their
capabilities improve. Palo Alto Networks' Unit 42 has published a report on the Ransom Cartel
ransomware-as-a-service offering, finding that it has possible ties to the probably now defunct
REvil ransomware gang. Palo Alto states, at this time, we believe that Ransom Cartel operators had
access to earlier versions of REvil ransomware source code, but not some of the most recent
developments. This suggests there was a relationship between the groups at some point, though it may not have been recent.
REvil went into hibernation shortly before the Ransom Cartel activity was observed.
The BBC reported on January 14th of this year that Russian authorities had arrested 14 members of REvil.
In an unusual gesture in the direction of international responsibility and cooperation against organized
crime, Russia's FSB said it had acted on information provided by U.S. law enforcement
agencies. Russia's cooperation stopped short of extraditing anyone to the U.S.
The U.S. at the time expressed polite, cautious optimism that perhaps Russia would begin cracking
down on some of the cyber
gangs it had long permitted to operate relatively unmolested, but few had any realistic hope that
this would happen anytime soon. It certainly hasn't inhibited other Russian criminals and
privateers. Microsoft on Friday reported detecting a novel strain of ransomware the company is calling Prestige.
The campaign deploying Prestige has afflicted organizations in Poland and Ukraine,
specifically targeting the transportation and related logistics sectors. The Microsoft
researchers state the enterprise-wide deployment of ransomware is not common in Ukraine,
and this activity was not connected to any of the 94
currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not
been observed by Microsoft prior to this deployment. Who's behind the effort is unclear,
but Microsoft sees some circumstantial signs of a connection to Russia, albeit those fall short of justifying an
attribution. They state, the activity shares victimology with recent Russian state-aligned
activity, specifically on affected geographies and countries, and overlaps with previous victims
of the FoxBlade malware, also known as HermeticWiper. HermeticWiper was used in the opening days of Russia's invasion of Ukraine
against targets in that country and also in Latvia and Lithuania, Reuters observes.
Microsoft is tracking the threat actor involved as DEV-0960.
The attackers used stolen credentials to gain access to the systems they hit.
There are indications that the credentials had been stolen some time ago
in advance of the ransomware's deployment,
and this suggests that the attackers were timing the attacks for unknown reasons of their own.
The ransomware infections were all accomplished within an hour.
Microsoft summarized the outlook for future attacks, stating,
The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme.
Ransomware and wiper attacks rely on many of the same security weaknesses to succeed.
In their report, Microsoft provides hardening guidance to help build more robust defenses against these threats.
In full disclosure, Microsoft is a CyberWire partner.
On Saturday, Bulgaria's prosecutor general blamed Russian operators for a DDoS attack
that disrupted Bulgarian government websites.
Radio Free Europe/Radio Liberty reports that prosecutor general Ivan Geshev described it as a serious
problem, calling it an attack on the Bulgarian state. In addition to the President's office,
the distributed denial-of-service attack paralyzed the websites of the Defense Ministry,
the Interior Ministry, the Justice Ministry, and the Constitutional Court. The attack traffic
appeared to originate from the Russian city of Magnitogorsk,
and the Bulgarian news service Dnevnik says that Russia's Killnet threat group claimed responsibility.
Like Poland, Bulgaria has aligned itself with Ukraine during Russia's war.
And finally, SpaceX founder Elon Musk tweeted his intentions Saturday to maintain Starlink's service to Ukraine,
whether or not he gets paid to do it, stating,
The hell with it. Even though Starlink is still losing money and other companies are getting billions of taxpayer dollars,
we'll just keep funding Ukraine government for free.
CNBC cautiously mentions that it's not clear that the tweet was free of sarcasm,
and so perhaps it would be good to wait to see whether the subsidy continues.
Mr. Musk did follow his original tweet with an indelicate remark to the effect that
the comments on that particular thread amounted to a conspiracy theorist's unusually vivid erotic dream.
An essay in TechCrunch argues, under the headline, Starlink isn't a charity, but the Ukraine war
isn't a business opportunity, that the company should provide more transparency on costs,
and that governments should arrange support adequate to meet Ukraine's wartime needs.
In a subsequent tweet, Mr. Musk explained his decision as coming down roughly to deciding that sometimes you just need to do the right thing.
Starlink has played a major role in sustaining Ukraine's communications during the present war.
Sometimes you've just got to do the right thing.
After the break, Grayson Milbourne of OpenText Security Solutions talks about SBOMs.
Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of Zero Trust.
Stay with us. Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com
slash cyber for $1,000 off. And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
I'm joined by Bryan Willett, the CISO at Lexmark.
Bryan, thanks for coming on the show.
Oh, thank you for having me.
So, Bryan, we're talking about zero trust today,
and zero trust has been the buzzword phrase at all the conferences for a couple of years now. And like many security terms before it, like machine learning and AI
and XDR and a bunch of others, the phrase has hit that phase in its own evolution from original
great idea to vendors trying to implement it to marketing departments flooding the zone with it
to the point where many security practitioners dismiss the entire concept as just marketing fluff.
But you guys don't agree with that, right? Just because there's a lot of vendor marketing
doesn't mean that the idea isn't sound.
I agree.
It is a sound idea.
And at Lexmark, we have been working on implementing
Zero Trust for the past six years.
When you look at Zero Trust,
it really describes the foundational principles
of a well-operating security organization.
And you combine that with other standards like ISO 27001 and CIS 20 or
18, they really get in there and define what needs to be done. And with the CIS 18, it helps provide
some priority on what you should go and tackle first in order to establish a mature security
program. And I've told my team many times, while it's a journey and it's excellent practice,
when it comes to the controls that we're going to implement, I do think it's important for them to
be specific. Don't just tell me we want to implement zero trust, but be specific about
the control that we need to implement. Well, let's talk about that because in the original
Kindervag paper, he published that in 2010. That's where most people point to from the original idea.
Although I would say that there was discussion about zero trust ideas before that.
But Kindervag gets the credit for it.
But in that original paper, he talks about only allowing access to the resources that the employee needs or the device needs or the application needs.
How do you guys go about doing that at Lexmark?
It first started as,
can I determine what assets are on my network? It was creating a CMDB database of all the assets on
the network and then assigning an owner to every one of those assets. Once we knew we had the owner,
then we started the process of making sure the asset was managed, making sure that we had
monitoring on every one of those assets.
And then one of the most controversial
with the user population was removing admin rights.
Indeed.
Yes.
And removing those admin rights,
that took quite the culture change
in order to make that happen.
Oh yeah, I'm one of those guys
that I don't want admin rights
because I make mistakes all the time.
I think I'm one of the only CISOs that says, you know, please take me off. I don't want the finger pointing at me,
okay, when something goes wrong. And I'm right there with you.
So Bryan, now you're doing that for employees and you're doing it for devices and you're also
doing that for applications, code that Lexmark writes and then code that you guys use like
third-party vendors, those kinds of things? That's correct. So on the third-party suppliers, we've implemented a
third-party risk management program where we put our suppliers through a set of criteria and
questions to them to try and understand their risk posture, because we need them to protect the data,
much like Lexmark's required to protect the data of our customers.
And then on the products, very similar.
It is zero trust in the aspect of we implement a security development lifecycle on all of our products.
We work very hard to ensure that any software that we include in the product, we understand
the vulnerabilities in it.
We patch those on a regular cadence.
We look at the code that Lexmark develops, trying to ensure that the firmware or software in that product has been analyzed to look for vulnerabilities and address those vulnerabilities.
And that's true of our legacy products as well as any of the new products that we've developed, like our new Optra IoT platform.
So are you guys doing that in-house? Like, are you writing code to manage all those entities? Or have you found a vendor that can help you do that? Or is there some combination of all that?
It always depends on the channel that we're selling to. So we have both. We have our own software to manage the product, but we have third-party partners who may have software that they prefer to use to manage the products with
their customers. And we also support them as well. And then, you know, in these last five years,
we've all branched out and our data is everywhere. I call them data islands. We still have the data
centers. We still have mobile devices, but we're also in cloud and a lot of us are using SaaS
applications now. So you're having to manage that in all these different places.
Do you have a different zero trust solution in all those locations or is it one big one that handles everything?
What's been great over the last, it's more than 10 years, but really in the last three years at Lexmark has been a concerted effort to move us to cloud overall.
And during that effort, it has been an excellent opportunity to get rid of that technical debt that we had in the data centers
to fully adopt the zero trust model,
especially from a network standpoint, as we have migrated to the cloud.
So that's been a huge part of it.
And then as you look at the risk associated with cloud,
adopting a CNAPP platform has been very helpful for us as well,
where we get great visibility across all the clouds that we're in to the risks that are present
and starting to work through any of those risks to lower our overall risk in the cloud.
What does CNAPP stand for?
Cloud Native Application Protection Platform. So it's a combination of your cloud security
protection platform and your cloud workload protection platforms, such that you can both monitor
your active workloads and implement policy on your infrastructure as code as it's going into the cloud.
So good stuff, Bryan, but we're going to have to leave it there. That's Bryan Willett,
the CISO at Lexmark, a long way down the journey of a zero trust implementation.
Thanks for coming on the show, Bryan.
Thanks for having me.
And I'm pleased to be joined once again by Grayson Milbourne.
He is the Security Intelligence Director at OpenText Security Solutions.
Grayson, always great to welcome you back to the show.
Hey, thanks, Dave. Glad to be here.
I want to touch today on SBOM, Software Bills of Material.
There's some kind of an interesting historical precedent here that I know you want to touch on.
Yeah, so, well, let's just touch quickly on what the software bill of materials is.
And then I think my analogy will make a little bit more sense.
Right?
I mean, today what happens with software development is that a lot of times you don't want to develop something new if somebody has already done the work.
And so we see a lot of code reuse, and especially within the open source code community.
What this means is that my software, maybe I'm a business and I sell a solution. If that solution is partially my own ingredients and also several other developers' ingredients from different open
source communities, or maybe it's a partnership. Now it's not really just my project, it's really
the combination of what I've put in,
plus what I've put in from other pieces to support the overall solution. And so the idea is that a
software bill of materials is something that a potential purchaser of your solution could look
at and say, ah, this is what goes into it. Or if you think about vulnerabilities that often can
happen, this is a way that you can then track and understand what has been impacted because
the idea is to get everybody to do this. But right now, not very many people do.
And I think this is kind of where my analogy started off that I wanted to talk about is
the history of food labels. And I think today, everything has a label on it. I don't think you
can go into a supermarket here and outside of maybe the produce section,
everything else that comes in a box has, you know, its own, its box of materials.
Right.
Or what we call just like the food label, the ingredients.
But apparently, you know, the food label industry or like food labels as a whole is a relatively
recent addition to how we purchase food and really didn't come up until, I guess, the late to mid
60s. And this is sort of in that transitionary period where we had more prepackaged food and
there was more, perhaps not the healthiest food, but a lot more food was coming in packages that
was confusing to consumers. They didn't want to know what's in it. And hence, the FDA creates
this new mandate. And now manufacturers have to list, hey, this is what's inside of it.
And consumers get to then evaluate that and make the right decision for themselves.
So, I mean, using your analogy, extending your analogy, if you look at a food label,
sometimes it'll have things on there like artificial and natural ingredients, you know, where a manufacturer doesn't want to give up the secret formula for Coca-Cola or something like that. I mean, are we
allowing for that with SBOMs, where perhaps there are some trade secrets within the way people are
putting together their software? So I think, I mean, the goal of this is certainly not to
give away core IP of your technology. It's really more to expose when additional components that aren't your own have been added.
So if it's something that I've developed entirely and my software company is the sole proprietor of all of the intellectual property,
and we've reused no other code, then the bill of ingredients is my software.
But if I've included third-party libraries
or if I've included third-party components
or open source components,
I should list that and also version track that
so that I know if, for example,
I'm using a specific version of DirectX in my video game
and now I've seen that there's an exploit
for an older version,
it just really helps us understand what's impacted.
And it creates a solution to this knowledge that more vulnerabilities are going to be encountered.
And we need a better way to react to it, especially if it's something very massive like log4j was.
We're still not really seeing the entirety of the impacts of that vulnerability and how easy it is to exploit,
largely because we don't have a great index of all the things that are using it or that were compiled using that Java library.
So it's one of these things that if we knew, we could then more easily go after the implementations of software that are most vulnerable
and reduce the overall risk associated when these inevitabilities happen.
Now, here in the U.S., my perception is that the federal government is really leading the way when
it comes to mandating that. Is that a proper perception on my part?
Well, so I would say they're using their oversized influence. And, you know, the United States
government is one of the largest software purchasers and has the largest buying power. And so they can start to say,
we don't want to buy your software unless it comes with a software bill of materials.
And so I think what we're starting to see, and this is largely driven by CISA,
and CISA has really looked also at the log4j nightmare of a vulnerability, and how are they
able to help businesses identify their risks?
How are they able to help people update and address this vulnerability?
If we had SBOMs, it would be a much easier thing to do.
But they know that there's not a mandatory regulatory agency or anything like that that mandates it.
From what I've understood, the government's really looking at changing their purchasing process and trying to work with vendors
and encourage software vendors to use SBOMs as a way to mitigate risk
and to be more transparent about what's actually inside of your application.
So more of a, I guess, a soft mandate in that it's not necessarily regulatory,
but if you want to do business with
the biggest customer, you're going to have to do this. Yeah. And then, you know, my hope is that
it kind of flows beyond that and it could potentially be a competitive advantage, right?
You know, a possible customer might be looking at my solution. They might be looking at somebody
else's solution. If I say, well, yeah, I mean, we have very comparable things, but we also track our versioning and provide this
additional telemetry about how our app is built. Let me tell you why that's important and you have
some peace of mind from your SOC team now can say, oh, hey, this new thing was released. Let's look
through the SBOM index of software used in our business. And all of a sudden, in a very short amount of time,
you can discover which may have been impossible to know before.
Yeah. All right. Well, interesting insights.
Grayson Milbourne, thanks for joining us.
Thank you.
businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio
or shake up your mood
with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Up.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis,
Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
Gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.