CyberWire Daily - The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors.
Episode Date: August 12, 2022
The optempo of the war's cyber phase, and Ukraine's response. Organizing and equipping hacktivists. Joint warning on Zeppelin ransomware. Update on the DoNot Team, APT-C-35. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from Black Hat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And, hey, Mr. Target: pick one, OK? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/155
Selected reading.
Black Hat 2022 - Cyberdefense in a global threats era (WeLiveSecurity)
How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future)
#StopRansomware: Zeppelin Ransomware (CISA)
APT-C-35: New Windows Framework Revealed (Morphisec)
The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
Air Transat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
The optempo of the war's cyber phase and Ukraine's response,
organizing and equipping hacktivists,
a joint warning on Zeppelin ransomware,
an update on the DoNot Team,
Rewards for Justice offers $10 million for information on Conti operators,
Rob Boyce from Accenture shares insights from Black Hat,
Caleb Barlow ponders closing the skills gap while shifting to remote work.
And hey, Mr. Target, pick one, okay?
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, August 12, 2022.
The cyber phases of Russia's hybrid war continue, and attendees at Black Hat received a glimpse of how it's proceeding
from a senior Ukrainian official who made a surprise appearance. Reuters reports on remarks
delivered at the Black Hat conference in Las Vegas this Wednesday by Victor Zhora, deputy head
of Ukraine's State Special Communications Service. He said that detection of cyber attacks had more than tripled since the war began in February
and that they became particularly intense in late March and early April.
Reuters summarizes Zhora as saying,
Ukraine faced a number of huge incidents in cyberspace from the end of March to the beginning of April,
including the discovery of the Industroyer2 malware,
which could manipulate equipment in electrical utilities to control the flow of power. Zhora also acknowledged the
pro bono cloud services provided by Microsoft, Amazon, and Google, which have helped the
Ukrainian government back data up in physically safe servers abroad.
Partisans have been increasingly active against Russia during its war in Ukraine,
and they've been working in both physical and cyberspace.
The Record has an account of the work of Nikita Knysh,
an alumnus of Ukraine's security service
and founder of the cybersecurity consultancy HackControl.
Knysh took it upon himself to support hacktivists, cyberpartisans,
who wish to hit Russian interests and assets in cyberspace. He sees cyberpartisans as filling
a Ukrainian capability gap. Knysh told The Record, I realized that we should take control of the
situation. Our government didn't have a cyber army, so we built it ourselves.
Part of enabling the partisans to take effective action is training them.
A website Knysh established, Hack Your Mom Academy,
offers a kind of handbook through cyber conflict,
and it's available in Ukrainian, Russian, and English.
The Record writes, Some lessons are simple, how to install an antivirus program,
connect to a VPN, or use a
virtual machine. Others are more advanced, such as how to conduct distributed denial of service
attacks or hack Russian cameras and Wi-Fi routers. Hacktivists and cyberpartisans occupy a gray area
similar to one their kinetic counterparts live in. Just conduct of a war generally requires that
combatants use proper
discrimination in their selection of targets and that they operate under some form of responsible
command. In the loosey-goosey hacktivist world, it's not clear that these conditions are always
or even generally met. Still, Knysh seems clearly right to maintain that enemy assets in cyberspace represent legitimate potential targets.
He said,
The US FBI and CISA have released a joint advisory on Zeppelin ransomware.
Developed from the Delphi-based Vega malware family,
Zeppelin is a ransomware-as-a-service offering
that's used to target a wide range of businesses and critical infrastructure organizations,
including defense contractors, educational institutions, manufacturers,
technology companies, and especially organizations in the healthcare
and medical industries. It gains access to its victims either through phishing or by RDP
exploitation of known SonicWall firewall vulnerabilities. Zeppelin is typically used
in double extortion attacks, exfiltrating files before encrypting them, and so adding the threat
of doxing to the denial of
access to data. The advisory includes a comprehensive list of indicators of compromise,
as well as recommended mitigations. Morphisec researchers have published an updated and
detailed account of the tactics, techniques, and procedures of the DoNot Team, or APT-C-35, a cyber espionage operation that concentrates on military,
government, and diplomatic targets in South Asia, and especially in India, Pakistan, Sri Lanka,
and Bangladesh. The researchers say, for initial infection, the DoNot Team uses spear phishing
emails containing malicious attachments. To load the next stage, they leverage
Microsoft Office macros and RTF files, exploiting the Equation Editor vulnerability and remote template
injection. The group has recently added new modules to its Windows framework. The DoNot Team is also
known as Viceroy Tiger and has, as CrowdStrike and others have pointed out,
an ambiguous connection with India.
CrowdStrike's entry on the threat group says,
Viceroy Tiger is an adversary with a nexus to India
with a long history of targeted intrusion activity,
targeting entities in a range of geographies and sectors.
Industry reporting from 2013 linked the adversary
to an India-based security company.
Since that time, Viceroy Tiger operations have continued
with the use of custom malware families,
with a heavy focus on targeting Pakistan,
other countries in the South Asia region, and China.
And finally, the U.S. Rewards for Justice program has offered a reward of up to
$10 million for information on a variety of bad actors, some of them connected with the
Conti ransomware and privateering operation, or Conti alumni, depending on how you read the gang's
present hibernation. In any case, it's the natural person and not the organization that's the target.
The U.S. Department of State has tweeted its offer in both Russian and English, saying,
the U.S. government reveals the face of a Conti associate for the first time. We're trying to put
a name with the face. To the guy in the photo, imagine how many cool hats you could buy with
$10 million. Write to us via our Tor-based tip line.
The alleged Conti hoods who go by the hacker name Tramp,
Dandis, Professor, Reshaev, and Target
are specifically mentioned and invited to turn their coats.
Target is the one with the taste in hats Foggy Bottom admires.
They say, if you have guy shown wearing the hat.
There are no pictures of the other four.
To judge from his picture, Mr. Target is a belt and suspenders kind of guy. In addition to the
cool hat, he seems to be wearing the obligatory hoodie. Now relax, Target. You can chill, wear a
chapeau, or pull up the hood. Either one works, so don't be so nervous. The $10 million reward is twice what the Rewards for Justice program
offered Monday for information on North Korean operators
using cryptocurrency mixers like Tornado Cash to launder money.
So that's twice the reward, which could buy twice as many hats.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And it is my pleasure to welcome back to the show Robert Boyce.
He is the global lead of cyber crisis and incident response services at Accenture.
Rob, it's always great to welcome you back.
Hi, Dave. It's great to be back. Thank you.
So you are coming to us from the Black Hat conference there.
And I wanted to check in on a couple of things.
First of all, just your overall take of that conference this year. But then let's touch on some of the things you and your colleagues are up
to from Accenture there. Sure. Great. Well, I guess first, my first impression is it's really great to
be back. So we've missed this show for the last few years at its full capacity. And it seems like,
you know, we have great attendance this year. A lot of people and, you know, the sessions have been really fascinating.
So it's been, it's been just great to be back. You know, my, my impressions so far of, you know,
things, I think there's a lot of things that we've seen are, you know, pretty similar to what you
would expect. A lot of new vendors, a lot of emerging technologies in the security space,
in the vendor hall and business hall. You know, but one thing that I find a little interesting
to me is we're still, and I feel like we're still
solving problems that exist today. You know, like we're, there's a lot of, you know, new companies
emerging around ransomware resiliency and data protection and all of the, you know, the threats
that we've seen over the last year and addressing that. And I've seen, you know, very few think
forward looking on, you know, what are the next level of threats? What do we need to be solving
next? And so I find that a little fascinating. Yeah, but it's been, it's been,
yeah, it's just, as I said, it's just great to be back. Yeah. One of the things I enjoy about
a conference like that is kind of walking around those booths that are at the far edges where you
have, you know, the smallest booth where somebody has an idea that they think they're going to
change the world with. And I know Black Hat has that innovation section. Have you been through there? I mean, is that the place where you'd
expect to see some of these emerging ideas? Yeah, for sure. It's almost like, you know,
going to a grocery store, staying on the aisles on the outside as opposed to going through the
middle. Because I do find that, you know, the vendors who are well-placed in the market already
are the ones who have the big exhibitions in the front, right?
And then the ones who are just emerging without the money behind them yet on the outside are really, I think, the most fascinating ones to me.
We're going to spend some time and just learning about what they're all about.
And so, yeah, I've seen a few that are thinking about things a little differently.
We're seeing a lot of uptick,
I think, with ICS security, OT security. A lot of vendors, I mean, there's a couple well-placed
in the market, but there's so much work to do there that, you know, there's a pretty good
focus on that, I would say, from some of the emerging vendors. Yeah.
What is your strategy coming at a conference like this?
You know, you've got a limited amount of time, so much to see, people you want to see.
How do you juggle a schedule?
Yeah, it's funny.
We were just joking about this earlier.
It's pretty impossible.
So my strategy is there's always a few individuals that or organizations or partners that I want
to make sure I spend time with because they're super meaningful to us as a partner
and they're leading the market and what they're doing.
And then I always save time, a few hours a day,
to just, as you were saying earlier,
walk the floor and talk to the emerging vendors.
Because I think, again, that's the space
that interests me a lot of things
that maybe I'm not thinking about right now
or we're not thinking about as a community
that there's a couple of smart people just putting together a really
interesting concept and interesting idea. So making sure you save time for them is really
important. And just, you know, just going and seeing their booth where it is. And, you know,
they have no idea who I am and I don't know who they are, but it's exciting to just to get to,
you know, meet them and learn about what they're, what they're doing. And, you know, always,
again, the thing that's most important to me being here
is just a personal connection. It's just so nice to see people in person again. And you can learn
a lot more about not just them, but what they're doing and where they think there's issues and the
problems they're trying to solve just with a 10 minute conversation as opposed to a 40 minute,
an hour long demo or something that's all virtual. So the high touch is really, really great.
Is there anything particular that's caught your eye
as you've been walking around and meeting with people?
Any surprises or particularly interesting developments?
Yeah, I think, you know, again, as I was saying earlier,
I think the biggest surprise to me is
we're still a lot of people dealing with known problems, right?
I haven't really seen a lot of companies emerging
that are dealing with problems that really don't exist yet
or thinking about what might be next around maybe personal data sovereignty
or privacy or whatever the next big thing is going to be.
So that was a bit of a surprise to me personally.
Yeah, and I think the other thing is I think clearly it's maybe not a surprise.
It probably makes a lot of sense with all of the focus that we've seen around critical infrastructure
and a lot of the systems that are going to be supporting critical infrastructure,
a lot of focus on how do we do that better as a community.
So I thought that was really interesting to see, again, a number of different players emerging in that space
and really putting a lot more focus on how we can better protect national security and critical infrastructure. I thought
that was fascinating. All right. Well, Robert Boyce is Global Lead for Cyber Crisis and Incident
Response Services with Accenture. Rob, thanks so much for taking the time for us. Of course.
Always happy to be here, Dave. Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
And joining me once again is Caleb Barlow. He is the CEO of Cylete.
Caleb, always great to welcome you back to the show.
I want to touch base today on the ongoing skills gap.
You know, obviously we've been through a lot with the pandemic the past couple years, remote work and all that good stuff.
Where do you think we stand right now?
Well, the easiest way to get a benchmark on this, and by the way, I'm just a fanboy of this website that I'm going to mention, is called CyberSeek. And they've got this really cool map that tracks
where there are open, unfilled cybersecurity jobs. You can even drill down into an individual state.
And from their April 2022 heat map, they show we've got 700,000 open cybersecurity jobs in the US
and just under 1.1 million that are filled. So the net of this
is we're only filling about 60% of the openings that we have in the cybersecurity space. But Dave,
I think this is even more nuanced in that prior to the pandemic, there were several kind of cyber
cities, right? San Francisco, Boston, Tel Aviv, Washington, D.C. And, you know, you found smaller clusters in places like Atlanta, Austin, New York,
where prior to the pandemic, big security companies, big security operations, defense
contractors typically only hired high talent in those cities in an in-office work environment.
Right.
And we, you know, we all kind of know this.
So if you were an employer in, let's say, Peoria or Rochester, you were able to hire locally and you were probably able to get security resources at a significant discount over their Boston, D.C., and San Francisco counterparts.
So this is what we would call a regional model where cyber cities were driving a big part of the skills issue.
Pandemic hits, work from home opens up, and the whole thing starts to change. And now we've moved to a more national model, Dave, with some interesting implications.
Hmm. Well, let's dig in there.
I mean, what does that mean for organizations these days?
Well, this has been a big windfall for big employers
as they can suddenly get access to talent and a greater number of resources from anywhere. Because all of a sudden, if you're at a work-from-home culture,
that security researcher in Rochester, New York is viewed equally as that security researcher in
San Francisco, because nobody cares where they live. It's also been a, you know, a windfall for
the talent living in these places, because they can go from working in an IT department at, let's say,
a local hospital to working for a Palo Alto or a CrowdStrike or a Google and probably see a pretty significant bump in pay. But it's a huge problem for local employers looking to hire. And it's
moved a lot of resources out of critical infrastructure companies where we badly need them
and into security vendors that are willing to pay regardless of where people live. So what's to be done then? I mean, how do we close
that gap? Well, we've got this new problem, right? Cybersecurity skills are now being hired on a
national model versus a regional model. Everyone's competing with everybody else equally on talent.
And that talent, by the way, doesn't care where they live anymore. So they're all,
you know, moving to the beach, right? Or wherever they want to live. So, you know, if you're not a
large vendor with big pockets, I think one of the things you've got to recognize is top skills like
threat hunt and IR, you may need to outsource those skills because you simply may not be able
to hire them regardless of what you're willing to pay or do. Highly experienced resources are simply
going to cost more. But this also means that we have to start recruiting differently. And in
particular, Dave, we've got to move from trying to recruit highly skilled talent to moving towards
re-skilling people. And I think a re-skilling initiative is absolutely critical moving forward.
Yeah, you know, I hear that a lot, the cybersecurity space, we have a demographics challenge that
we're always working on. I think we're making progress on in terms of bringing more diversity
into this workspace. But, you know, what I'm effectively saying here is, in a lot of ways,
we need to go out and hire some older talent, right? That, you know, might have more experience,
but not necessarily directly in cybersecurity.
Maybe they're IT resources.
I will tell you, I have personally had a lot of great luck with military veterans,
older individuals, musicians.
Oddly enough, musicians make amazing SOC resources
because they know how to operate with precision, right?
But we're going to have to really take all of that time and effort that we spend right now
on, you know, on recruiters and, you know, just crazy amounts of money to try to bring people in
and start to maybe put that into training and upskilling people that
aren't the normal demographic of what we would hire.
Do you think we're headed towards a new equilibrium here?
Like how, any sense for our timeline?
Oh, I think we're already in it.
There's no question in my mind that we are already in it.
And, you know, what I hear oddly enough every day
is the, you know, people reaching out in my network saying,
hey, do you know anybody that fits this mold?
And, you know, the funny thing with it is, Dave, a lot of times that mold is, you know, hey, I'm looking for top talent. You know, have they worked in one of these Silicon Valley companies, you know, a Facebook,
a CrowdStrike, a Palo Alto? Do they have 20 plus more years of experience? I'm like, you can't
afford that person. Even if you can find them, you're not going to be able to afford them.
Like, how about you take a portion of that money and upskill either some of the people you already
have, or go look in your local community and find some people that, you know, maybe if they take a
class or they're coming out of a class, you can give them six months of on-the-job training and
then upskill them into these roles. The beauty there is they're probably going to cost you a whole lot less. They're going to be much more loyal employees and have far less
retention issues than the others. And you might be able to solve some of the other challenges of,
you know, the demographics and diversity of what you're bringing into your workplace.
All right. Well, interesting insights as always. Caleb Barlow, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Ashley Taylor.
She's a graduate student at the SANS Technology Institute, and the research is titled Doppelgangers, Finding Job Scammers Who Steal Brand Identities.
That's Research Saturday. Check it out. The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Eliana White,
Puru Prakash, Justin Savy, Liz Ervin, Rachel Gelfand,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben.
Thanks for listening.
We'll see you back here next week. Thank you.
where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.