CyberWire Daily - That crane might know what you’re shipping. Addressing the cybersecurity of water systems. Oakland’s ransomware incident is now a breach. Hybrid war. Investment scams.

Episode Date: March 6, 2023

Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in the Russian underworld. Sandworm's record in... Russia's war. Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere, ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them (and yourself) up for success. And AI’s latest misuse: bogus investment schemes.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/43

Selected reading.
WSJ News Exclusive | Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools (Wall Street Journal)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)
EPA presses states to include cybersecurity in water safety reviews (SC Media)
EPA Calls on States to Improve Public Water Systems’ Cybersecurity (Meritalk)
EPA issues water cybersecurity mandates, concerning industry and experts (CyberScoop)
City of Oakland Targeted by Ransomware Attack, Work Continues to… (City of Oakland)
Ransomware gang leaks data stolen from City of Oakland (BleepingComputer)
Ransomware hackers release some stolen Oakland data (CBS News)
Oakland officials say ransomware group may release personal data on Saturday (The Record from Recorded Future News)
Cybercrime site shows off with a free leak of 2 million stolen card numbers (The Record from Recorded Future News)
A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war (The Record from Recorded Future News)
Bitdefender Labs warns of fresh phishing campaign that uses copycat ChatGPT platform to swindle eager investors (Hot for Security)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in the Russian underworld. Sandworm's record in Russia's war. Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere, ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them and yourself up for success. And AI's latest misuse, bogus investment schemes. From the CyberWire studios at DataTribe, I'm Tré Hester, filling in for Dave Bittner with your CyberWire summary for Monday, March 6th, 2023. The U.S. government is concerned that Chinese-made ship-to-shore cranes could pose a national security threat, the Wall Street Journal reports. The cranes in question are manufactured by the Chinese company ZPMC,
Starting point is 00:03:16 which a U.S. official said makes around 80% of ship-to-shore cranes used at U.S. ports. The Journal explains that these cranes contain sophisticated sensors that can register and track the provenance and destination of containers, prompting concerns that China could capture information about material being shipped in and out of the country. The government doesn't point to any instances of cranes actually being used for these purposes, but the defense policy bill passed by the U.S. Congress at the end of last year requires the Transportation Department's Maritime Administrator to conduct a study to determine whether these cranes could pose cybersecurity threats.
Starting point is 00:03:52 Note that the immediate risk being reported is the threat of information security, not necessarily the operation of the cranes themselves. The U.S. Environmental Protection Agency on Friday issued a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water. The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement, quote, While some public water systems have taken important steps to improve their cybersecurity, a recent survey and reports of cyberattacks show that many have not adopted basic cybersecurity best practices and are at risk of cyberattacks, whether from an individual, criminal collective, or a sophisticated state or state-sponsored actor.
Starting point is 00:04:38 This memorandum requires states to survey cybersecurity best practices at public water systems. A ransomware attack last month on the city of Oakland, California, may have resulted in a data leak of stolen information. The Play ransomware group, which has staked its claim to the attack, shared Thursday on its leak site plans to release the stolen data on Saturday, the Record reports. The group now seems to have made good on that threat. BleepingComputer wrote Saturday that Play was releasing the stolen data,
Starting point is 00:05:12 and this morning San Francisco Chronicle says that the gang has in fact dumped some of the data online. Following the initial ransomware attack, Oakland decided to declare a state of emergency, InfoSecurity magazine wrote this morning. The February attack was set to impact payment of fees and taxes online within the city, as well as phone connections with city agencies, the San Francisco Standard reported Friday. Info Security Magazine aptly observes that the city's disruptions from the attack, as well as its engagement in workstation restoration efforts, indicate that the gang probably hasn't received any ransomware payments.
Starting point is 00:05:45 A free leak of some 2 million paycard numbers on the Russophone dark web criminal souk cheekily named BidenCash seems to be a loss leader intended to draw attention to its wares. Many of the cards are nearing their expiration date, but there's still time for the criminals to use them. The Record notes that stolen cards are often used to buy goods for subsequent resale, an activity that has grown increasingly attractive as the Russian economy has labored under the twin burdens of war and international sanctions. The Record reviews a year's worth of action by Sandworm, the familiar GRU-run threat actor. Sandworm's most prominent contribution to the cyber phases of Russia's war against Ukraine has been deployment of wiper malware, which has challenged Ukraine's defenses but fallen short of expectations. Sandworm has not carried out attacks against infrastructure, particularly Ukraine's power grid, that had been widely expected. The group has used ransomware
Starting point is 00:06:35 against targets of interest to Russia, notably in reprisal against organizations that have rendered material assistance to Ukraine. And finally, much of the security concern about chat GPT and other advanced natural language artificial intelligence has concerned itself with the possibility of malign influence, as in chat becoming a deep fake, able to impersonate convincingly at scale. There are some signs of this happening, as the familiar grandchild scam, someone calls a grandparent, pretending to be a grandchild in trouble and needing cash, for example, may be getting an AI upgrade. The Washington Post wrote
Starting point is 00:07:09 yesterday that some scammers are using voice impersonation to make their imposters more convincing. That kind of impersonation was foreseeable, of course, and it appears to have arrived. What's also foreseeable is that opportunities to invest in the brave new world of AI chatbots would be offered by investment scammers. Bitdefender this morning released a study of a recent scam in which the possibilities of passive income offered by an investment in a chatbot app were dangled in front of someone who's presumably a weary working stiff. The email subject lines are ones that you would expect. ChatGPT, new AI bot that has everybody going crazy about it. Or, a little less idiomatically, ChatGPT, new AI bot that has everyone in shock
Starting point is 00:07:51 from it. Or, a bit more reflectively, new ChatGPT chatbot is making everyone crazy now, but it'll very soon be as mundane a tool as Google. None of this, of course, is connected with the actual ChatGPT, but the come-ons offer all kinds of investment advice. Bitdefender explains what's going on. Quote, The phony platform's chatbot begins with a short intro to its role in analyzing financial markets that can allow anyone to become a successful investor in global stocks. We agreed to play along and allow the automatic robot created by Elon Musk to help us get rich. Before we begin any investment journey, the chat needs to calculate our daily income.
Starting point is 00:08:31 End quote. And from there, of course, there's the usual attempt to set the hook and reel in the fish. That fish would be regular Janes and Joes like you and me, friend. Take Bitdefender's advice on this one and spit the hook. Coming up after the break, Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere. Dave Bittner speaks with Kathleen Smith of ClearedJobs.net to talk about hiring veterans and setting them and yourself up for success. Stick around. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:09:45 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:35 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. I'm joined by Andy Greenberg. He's the senior writer at Wired and a Cybersecurity Canon Hall
Starting point is 00:11:19 of Fame book author for Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, and his most recent book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, is a Canon Hall of Fame candidate, which I highly recommend, by the way. It's the best cybercrime book of the last decade, in my opinion. Andy, welcome back to the CyberWire. Thank you, Rick. Glad to be here again, and thank you for those kind, very kind plugs.
Starting point is 00:11:46 You're quite welcome. So it's been a year since Russian leadership decided to invade Ukraine. And based on previous success stories that you documented so well in your book, Sandworm, most of us thought that with this invasion, we were going to see the state-of-the-art Russian offensive cyber operations. But that's not really what we've been seeing over the last year. And you wrote this fantastic Wired article called Ukraine suffered more wiper malware in 2022 than anywhere. So what's going on over there?
Starting point is 00:12:17 Well, you know, I think you're right. Many of us expected, anyway, a kind of NotPetya 2 or like a Bad Rabbit or Olympic Destroyer, these GRU self-replicating forms of malware that have caused just true digital devastation in the past. I mean, NotPetya is the worst cyber attack in history, caused $10 billion worldwide. And before spreading beyond Ukraine's borders, you know, truly carpet bombed the entire Ukrainian internet. But instead, I feel like what we're seeing is the Russian military's hackers just trying to keep up with the pace of a new kind of cyber war, one that is really like a true tandem
Starting point is 00:12:58 cyber and physical war. I mean, I think that, you know, there has in fact been a real cyber war unfolding in Ukraine by some measures, you know, the most active in history in terms of like the sheer number of data destroying malware samples. But they've been like really simple, repetitive, kind of relentless short term attacks rather than these kind of masterpieces of code that we saw from hacker groups like Sandworm targeting Ukraine in the past. You mentioned in the article that it felt like they were prepared for the line of departure. They went after the satellite comms and that looked mature and well thought out, but it felt like they weren't ready. They thought it was going to be over after that. And now they're just kind of making stuff up as they go. Is that a fair assessment of what they've been doing?
Starting point is 00:13:47 That's a particularly fair and ungenerous way to put it, I think, which is, you know, but true. I mean, yes, in the first weeks of the war, they did carry out this attack on satellite modems, Viasat modems, that required some knowledge, some specific knowledge of the embedded form of Linux that these modems used. It seems to have been prepared well in advance. They also used a wiper tool, HermeticWiper, that had a stolen certificate to make it harder to detect and defend against.
Starting point is 00:14:20 But even then, with some of the Hermetic family of wipers, we saw some really serious problems in their code. ESET told me that HermeticRansom, which was a similar tool designed to look like ransomware, was really sloppily coded. And HermeticWizard, this spreading tool that was designed to automatically spread HermeticWiper, was just really shoddily written
Starting point is 00:14:45 in a way that even I can detect. I mean, it only tried three different super simple hard-coded passwords in its attempts to spread from one machine to the next. I mean, that's just not the same level of care that we saw with these previous GRU Russian hacker worms. I know, and the way you described it, I loved it. Like, we've seen so many versions
Starting point is 00:15:05 of it. I mean, it's a volume of wiper attacks. And I love the phrase you used in the article, Andy, the Cambrian explosion of wipers. What does that mean? I love that line. Yeah. Well, it's like, you know, these Russian hackers have been slowly evolving their tools. And then, you know, in this sort of evolution, I'm not, like, great at this biology stuff, but there was the Cambrian explosion where suddenly there were, instead of just this slow evolution, there was this explosion of thousands and thousands of new species. And we're seeing, in fact, dozens of new species of destructive malware hit Ukraine. But they are not, I was just describing the kind of somewhat
Starting point is 00:15:39 sophisticated attacks that they launched in the first weeks of the war. But very quickly, they kind of evolved into these, uh, you know, a plethora of super simple wipers, kind of more simple over time even, and at times they just kind of used, um, just tweaks to one of the simplest wipers, called CaddyWiper, and just used it repeatedly, but in this kind of relentless fashion. I mean, Mandiant described to me how they are sometimes hitting the same organization more than once, or doing espionage on one network and then coming back and wiping it, or wiping it once, sitting on the edge of the network on a firewall or a router or something, and then hitting it again with another wiper later. I mean, so these are still impactful attacks,
Starting point is 00:16:27 but they're just kind of brutal, relentless, repetitive, simple attacks rather than these years-long planned pieces. Take down the entire infrastructure attacks. It's not what those are. They're nuisance attacks. They're annoyance attacks, right? I think that they're more than nuisances. I mean, they're true disruption, but they're just like a different pace.
Starting point is 00:16:47 And it does seem like Russian hackers are kind of just struggling in a way to write malware fast enough to keep up with the pace of a physical war, which is very different from the Russian-Ukrainian cyber war that lasted from 2014 to 2022. So the big question in my mind then, the Russians aren't having a lot of success in the cyber land in this war. They've had a little bit of success at the beginning, but not that much. So the question on my mind is, is that because the Russians suddenly became incompetent
Starting point is 00:17:19 or the Ukrainians are so good at this that they're stopping everything, or somewhere in the middle. What do you think, Andy? I think, you know, it's not even in the middle. It's just both. I mean, it's, it's, it's, and it's not exactly that, like, Russia's cyber attacks are failing. They're just simple and a little less interesting than they used to be from a journalistic perspective, at least.
Starting point is 00:17:51 They're just these kind of blunt force objects designed to destroy computers in one target network, and sometimes not even that many computers, but just as many as they can in the short timeframe that they're given as the war evolves and as their targeting kind of constantly changes. But yes, I think you also have to give credit to the Ukrainian defenders who have really seemed, they seem to have risen to the occasion and evolved themselves, maybe learned from being Russia's petri dish
Starting point is 00:18:13 for cyber attacks for eight, nine years now. And also I think they've gotten serious help from the West. I mean, we know that US intelligence agencies have kind of parachuted in, in some cases, not necessarily to Ukraine, but into Europe to train Ukrainian defenders. I mean, Nakasone at NSA and Cyber Command has said that. Well, I hate to say this, but in this horrible war with all the people dying on both sides, here's a ray of sunshine is that it looks like it's possible to defeat the Russians
Starting point is 00:18:43 in cyberspace. That's what it looks like to me. So am I wrong about that? I'm not sure that they're being defeated. I mean, I think that they're being countered and the, you know, the, the extent of their damage is being limited, but it's a kind of grinding war of attrition. And to be clear, it's like in the midst of a much worse, larger scale, physical grinding war of attrition that is truly tragic. So I think in its kind of physical and human toll, I mean, I think that that has caused people to treat this cyber war as a kind of sideshow, rightfully, I think. But it doesn't mean that if it were taking place somewhere else, I mean, if a different country was launching this volume of destructive malware against another country, it would still be perhaps like an unprecedented event in the history of cybersecurity. It's just kind of getting lost in, rightfully so, I think, in the context of this
Starting point is 00:19:39 hugely catastrophic and tragic physical war that's happening in Ukraine. Well, it's good stuff, Andy. And your article is entitled, Ukraine suffered more wiper malware in 2022 than anywhere. Thanks for doing it. I recommend everybody go read it over on the Wired website. It's fantastic. Andy, thanks for coming on the show. Thank you, Rick. Glad to talk. And joining me once again is Kathleen Smith. She's the Chief Outreach Officer at ClearedJobs.Net. Kathleen, it's always great to welcome you back to the show. I want to touch today on the idea of hiring veterans. I know this is something that is near and dear to your heart and that you take very seriously. Where do we stand today when it comes to opportunities for veterans? We have lots of programs that support veterans finding corporate opportunities, either in the commercial space or in the government contracting space. I think we still have a lot farther to go in making sure that the transition from working in the military to working in the corporate world is a lot smoother. There's always been this statistic from the Department of Labor, which does not change and has not changed in 20 years, which is that 80% of veterans, when they transitioned, changed jobs within the first year, meaning that they found a job immediately after they were on terminal leave from the military, that there were not all of the questions asked or answered
Starting point is 00:21:54 during the recruiting process to make sure that both parties, the veteran and the company, knew exactly what they were getting in for. And it's also just understanding the mindset of a veteran. We talk about frequently the skill sets, the training, the certification, the leadership, the fact that they'll get the job done, that they'll show up. Right. So many good things, so many good attributes that come out of that experience that these folks can lead with coming into an opportunity, right? Right. But at the same time, they're used to having somebody, they're used to having a sense of community, a sense of serving the mission, and always having somebody watch their back. And they know where they fit within the organization.
Starting point is 00:22:49 And those are four key things that I don't see happen for many of the veterans I see transition into a new company. There are several programs out there that sort of help a veteran fit in, but these are the requirements I believe that an employer really needs to look at. And they're not things that require a lot of investment of resources. It's, you know, interviewing and finding out how many veterans you already have in your employ and finding out how they can support your veterans coming in. It's also finding out from them how the work that you're doing, how does that translate into
Starting point is 00:23:34 the MOS, the way that the military categorizes specific kind of work. So there's a lot of work that I find that companies can do that's very easy to do and they don't do it. And that's my biggest frustration is that, you know, there are so many easy things that a company can do to make sure that they're hiring this talent, that they're retaining this talent, and they're not doing. And I'm not trying to beat employers up, but I'm trying to say you have an access to phenomenal talent that can do an amazing amount of work for you, either if you're in the government space, if you're in the commercial space, especially in the cybersecurity space, you can definitely have somebody who is used to working on the front lines, who actually knows how to protect assets,
Starting point is 00:24:31 knows how to pull together a team, knows how to assess and take responsibility and lead the team. You know, one of my dear friends, Matt DeVoe, he and I talked years ago about if you took somebody who was a veteran and didn't know cybersecurity but knew a variety of other things and put them in the front lines of cybersecurity, would they work well? And hands down, they would because they know how to do incident response. They know how to react. They know how to develop an action plan once they see an incident happening. I'm constantly frustrated when I hear of a veteran who's trying to find a job, has all these skill sets, has all the certifications, but just can't get a company to talk to him or her. Are there resources that you can recommend for
Starting point is 00:25:27 companies who want to get this right? Are there sources to help walk them through that, make sure that they have the things they need to not drop the ball here? I think, as I said earlier, the biggest resource that they would have is look internally and ask the question, how many of you that work here are veterans? And what are we doing right and what are we doing wrong? Because I can point you to a variety of programs hiring our heroes and corporate partners and a variety of others, but that's not going to be specific to each company. And you have the resource within you, within your company to be able to say, do we have 10 people from the Navy? Do we have eight people from the Army? You know, why did 10 people from the Navy who retired from the Navy come to work for us? Okay. Obviously we have an affinity to these specific people. We have an affinity to their specific kind of work skills and then have them reach out through their
Starting point is 00:26:31 networks and like, I really like working here and this is what they've done. And being able to ask the veterans, what could we do better? You know, what are we doing wrong? Because you can go and buy a training program and, or you can hire a consultant, but you'd still have to customize it to your particular company. So I'm always amazed when someone says, gosh, I don't even know how many veterans work for us. And then they turn around and they find out that 40% of their workforce is military and most of them are from the Marine Corps. And all of a sudden, you know, okay, we have a solution here. All we have to do is have a conversation. Yeah. Yeah. All right. Well, interesting insights as always. Kathleen Smith, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:27:39 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Starting point is 00:28:36 This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by John Petrik, and our executive editor is Peter Kilpe. And I'm Tré Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:29:53 That's ai.domo.com.
