CyberWire Daily - Ukraine goes to a higher state of cyber alert. Chinese cyberespionage hits financial services in Taiwan. Arid Viper is back, and so is Adalat Ali. BlackCat disrupts fuel distro in Germany. Hacking the DPRK.
Episode Date: February 3, 2022

Ukraine and NATO increase their cyber readiness. Chinese cyberespionage has been looking closely at financial services in Taiwan. Hacktivists hit Iranian state television. Arid Viper is phishing for targets in the Palestinian Territories, and apparently doesn't care who knows it. BlackCat ransomware implicated in attacks on German fuel distribution firms. Verizon's Chris Novak shares his thoughts on the cyber talent pool. Our guest is Torin Sandall from Styra on Open Policy Agent. And, Bro, treat yourself to a pair of Vans. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/23
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Ukraine and NATO increase their cyber readiness.
Chinese cyber espionage has been looking closely at financial services in Taiwan.
Activists hit Iranian state television.
Arid Viper is phishing for targets in the Palestinian territories.
Verizon's Chris Novak shares his thoughts on the cyber talent pool.
Our guest is Torin Sandall from Styra on Open Policy Agent.
And dude, treat yourself to a pair of Vans.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for
Thursday, February 3rd, 2022.
Ukraine has officially increased its state of cybersecurity readiness. President Zelensky has enacted the National
Security and Defense Council's decision of December 30, 2021, titled On the Plan for
Implementing the Cybersecurity Strategy of Ukraine. U.S. Deputy National Security Advisor
for Cybersecurity and Emerging Technologies Anne Neuberger continues her discussions with NATO allies. LRT reports that
she's warning that Russian cyberattacks during Moscow's ongoing campaign of pressure on Kiev
should be expected. Quote, Russia has used cyber as a key component of their force,
so this is a proactive trip both to talk about improving resilience and to highlight overall
NATO's commitment to
NATO members' cyber resilience in that way, end quote. According to Ukrinform, the Netherlands
has promised Ukraine technical assistance for its cyber defense and has declared an interest
in closer cooperation with Ukraine on cyber security. In a joint statement issued by Ukrainian
President Volodymyr Zelensky and Netherlands Prime Minister Mark Rutte, the two countries said,
following the cyber attack against Ukraine on 14 January, the Netherlands stands ready to provide
technical cyber assistance to Ukraine. The two leaders expressed their interest in advancing
cooperation on cyber issues as well as on other
matters of mutual concern in the face of the contemporary challenges, including hybrid threats
and fight against disinformation, end quote. Critical infrastructure is expected to figure
largely on Russian targets lists should the ongoing conflict escalate. An essay in The
Conversation argues that the metaphorical first shots against Ukraine
have already been fired in cyberspace,
and that this is entirely consistent with the Gerasimov doctrine
that has shaped Russia's approach to hybrid war.
The sector generally regarded as providing both high-value and high-payoff targets
is electrical power generation and distribution.
While Ukraine has sought to improve the security of its grid since Russian disruptive attacks in 2016,
that effort remains a work in progress and won't be completed in the near term.
One of the challenges Ukrainian authorities face is the remaining connections between its power grid and Russia's.
Kiev has sought to decouple itself from the Russian grid, but again, the Kiev Post points out,
that's not something done overnight. As an aside, it's not unusual for power grids to cross
international borders, even uneasy ones. During the Cold War, for example, there were electrical
power distribution connections across the inner German border.
As to the form such cyberattacks might take, most of the press is betting on form.
Since Russian operators have used pseudo-ransomware in past attacks, many are looking for a repetition of that method.
It's tried, it's deniable, although more implausibly than plausibly given recent events,
and it's available. The Christian Science Monitor describes the ways in which NATO's
understanding of cyber conflict has evolved. In particular, the threshold for the invocation of
Article 5, the alliance's provision for collective defense, has gotten lower. Part of the motivation for this is to improve deterrence,
where uncertainty can sometimes make an adversary more reluctant to move.
The Monitor quotes David van Weel,
NATO Assistant Secretary General for Emerging Security Challenges,
who told journalists in December,
quote,
Up until now, the idea among cyber adversaries was, if we don't completely
disable a full country's infrastructure, it'll probably be okay. With the new policy, we're
saying, well, that's not necessarily true. I'm making it less defined. Sorry for that, end quote.
So, sorry, not sorry, as they say. The U.S. in particular is interested in cooperating on what U.S. Cyber
Command calls hunting forward, a more assertive doctrine that was on display in last year's
incursion into the Internet Research Agency, a Russian organization closely associated with
that country's offensive cyber and influence operations. Symantec researchers this morning released a report on the recent activities of
Antlion, a Chinese government-directed advanced persistent threat that's been working against
financial services in Taiwan over the past 18 months. Its attacks are marked by the installation
of the XPAC backdoor. It's an espionage operation, and Symantec thinks the duration of Antlion's persistence in the networks it targets notable.
It's been able to spend months inside its targets, giving it ample time to survey and collect information.
Adalat Ali, a dissident Iranian hacktivist group known for defacing websites and rail transit message boards late last year,
has resurfaced and hijacked
Iranian state television streams, The Record reports. Cisco's Talos research unit describes
renewed activity by Arid Viper, now conducting politically-themed phishing against Palestinian
targets. Arid Viper strikes Talos as technically unsophisticated, but also as indifferent to stealth or misdirection,
which suggests the group doesn't worry about public exposure.
Arid Viper has been thought to be based in Gaza,
which suggests that it's a party to intra-Palestinian disputes.
As the effects of a cyber attack on two German petroleum distribution firms continue to disrupt operations, the nature of the attack has become clearer.
According to ZDNet, Germany's BSI has determined that it was a ransomware attack and that the Black Cat group was behind the incident.
Reuters reports that Belgian prosecutors have opened an investigation into a cyber incident that hit the port of Antwerp on Friday.
The attack seems to have centered on the port operator SeaTank, but few details are publicly available and the story is still developing.
story that, among other things, points out not only the difficulty of attribution, but also the surprising vulnerability of big organizations to small and determined threat actors. Over the past
two weeks, North Korea's access to the internet has been largely disrupted. Admittedly, North
Korea's internet access is already tightly controlled and centrally monitored from Pyongyang.
You don't casually log on to TikTok or window shop for Vans or follow clickbait about what the stars of Friends look like today.
It's simply not done.
But some organizations in the DPRK do enjoy regular Internet access,
maintain pages, and so on.
Those include the Air Koryo National Airline and the official
portal of the dear successor's government. But these sites and others like them have been up
and down for a good fortnight. It's got to be the U.S. Cyber Command, right? Leaning forward in the
foxhole because of the DPRK's recent missile tests, right? Well, not so fast. Wired says it knows what's actually going
on and they seem to have the goods. In fact, Wired writes, it was the work of one American man in a
t-shirt, pajama pants, and slippers, sitting in his living room night after night, watching alien
movies and eating spicy corn snacks, and periodically walking over to his home office
to check on the progress of the programs he was running to disrupt the internet of an entire
country. Wired identifies the gentleman by his hacker name P4X and describes him as a security
researcher, in fact one of the security researchers whom the North Korean intelligence organs pestered in late 2020 and early 2021, attempting to steal the tools they used in their work.
Even though he prevented Pyongyang's goons from getting any of his goods,
Mr. P4X was aggrieved by the effrontery. He let his resentment simmer for a year,
as Wired puts it, and then decided to take matters into his own hands.
P4X told Wired, quote, for me, this is like the size of a small to medium pen test.
It's pretty interesting how easy it was to actually have some effect in there, end quote.
Given the way North Korea is and isn't online, his operation probably had little effect on daily
life. And given that North Korean
intelligence organs, like elements of the Lazarus Group, probably work from offshore,
where the connectivity and no doubt the shopping are better, it's unlikely that he had much effect
on them. Still, he counted coup. Martyn Williams, a researcher for the Stimson Center's 38 North Project, said,
If he's going after those people, that is Pyongyang's intelligence services,
he's probably directing his attentions to the wrong place.
But if he just wants to annoy North Korea, then he's probably being annoying.
Anywho, Mr. P4X isn't necessarily done.
He's organizing Project FUNK, for FU North Korea,
to which he hopes to recruit like-minded hacktivists.
In the meantime, he surely merits congratulations for being annoying
and for avoiding harm to regular people.
So, nicely done, and we wouldn't say that if it involved any other country than the DPRK.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Open Policy Agent is a project that came out of the Cloud Native Computing Foundation,
and it aims to provide policy-based control for cloud-native environments.
The Cyber Wire's Rick Howard has more of the details, and he files this report.
I'm joined by Torin Sandall. He's the VP of open source at Styra,
and you are here to explain a relatively new open source project called Open Policy Agent,
or OPA, as the cool kids say. So can you describe the problem that OPA solves and how Styra decided to initiate the project? OPA is an open source project. We donated it to the CNCF, the Cloud
Native Computing Foundation. And what Open Policy Agent, or OPA, as we like to call it, does
is it helps organizations, large enterprises, basically unify authorization or who can do what
across the stack. So it provides a way for security engineers, DevOps engineers, software developers,
basically anyone involved with security in an organization
to codify the rules that control who can access what resources in the organization
across the entire stack. So whether you're talking about applications or data or APIs or CICD pipelines
or container platforms or the cloud, OPA is sort of a one-stop shop for
expressing rules that govern access. So I'm familiar with the idea of infrastructure as code,
but OPA is more policy as code. That's kind of the phrase you hear. Can you describe the difference
there? Infrastructure as code is sort of this idea of basically specifying the configuration
that defines your compute network and storage resources
as code or as data. Policy as code is sort of a similar idea, right? I think in the past,
a lot of the time policy was implemented and enforced and monitored by humans through tribal
knowledge in the organization or through spreadsheets and PDFs and wikis and stuff like
that. And so this idea about policy as code is to say that modern systems
can't really be managed that way.
And so you really need more of an automated approach.
And so policy as code is basically taking
best practices from software development
and applying them to the implementation,
monitoring, and enforcement of policy in an organization.
So how does OPA solve that problem?
I mean, I understand what you're saying,
that there's between deploying architecture, like, you know, servers and workloads and things,
but this is policy about who has access and who should have access, right? Is that correct?
The fundamental thing that OPA gives you is a high level declarative language that you can use
to express rules that govern access to the system. You know,
if you have a service that is exposing salary data, you might write some rules for OPA that say
that only employees can see their own salary data as well as anybody in their management chain.
Their subordinates or their peers are not allowed to see their salary, right? So you can basically
take that logic and you can express it in OPA's policy language.
And then you can have that logic distributed out to your OPAs by a system you build or that you buy.
And then it can get enforced inside of the system through an integration between salary application and OPA.
So here at the CyberWire, we are all learning that to do zero trust, you have to know precisely who is logging into your systems and what system they are authorized to access across all data islands like cloud services, both SaaS and IaaS cloud services, mobile devices and data centers.
So could OPA be used as a zero trust engine or a platform to control that across all those workloads?
So OPA helps you implement zero trust because it provides this lightweight engine that you can deploy next to each and every piece of software. The way that
we think about it is that it's sort of like a host local cache for policy decision making.
So you take it and you can literally run it on the same server as the other piece of software
that requires decision making or the same in Kubernetes, it's the same pod or on Amazon,
it would be within the same instance. So OPA is really designed and implemented
for these highly kind of like distributed environments where zero trust is a really
important architectural concept. And so we see, you know, lots of organizations using OPA to
implement all kinds of like East-West, you know, security controls in microservice environments,
as well as North-South and so on. So yes, OPA is definitely kind of a key building block for a modern cloud-native zero-trust architecture.
Well, Torin, this is really exciting stuff.
I've been looking for this kind of thing for a long time.
Thanks for coming on and explaining it for us.
Thank you.
businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And I'm pleased to be joined once again by Chris Novak.
He is the Global Director of the Threat Research Advisory Center at Verizon.
Chris, it is always great to have you back.
I want to touch base with you about where we stand right now when it comes to our cybersecurity talent pool.
You hear a lot of things about this, depending on who you ask.
What are you seeing these days?
Yeah, it's a pleasure to be here, Dave.
And I think the talent pool is a hot topic everywhere you go. Nobody,
when it comes to cyber, nobody has enough. Nobody has what they want. Everybody has,
everybody wants more. And I think there's a lot of things that go into it. I think to some degree,
you know, we've seen, I don't know if I want to say we've been a little bit spoiled in the past.
You know, you'd go out and open up a job role and you'd say you want a candidate that's got
all these different things and you might very well find it.
But now I think the demand on the talent pool has dramatically increased for a variety of reasons.
And then you also have kind of, you know, maybe I might say turmoil in the broader labor market combined with the fact that the pandemic has changed either who wants to work, where they want to work, and how they want to work.
So, you know, any kind of stability that we had in terms of how we pursued new talent, that is all kind of thrown up in the air and mixed around.
So our approach to the whole model has to change.
You know, I've seen criticism that people want to hire cybersecurity folks, but they want them to walk in fully baked.
And they're not willing, you know, they're not willing to do the training to hire that entry-level person and nurture them for however long it takes to get them to that level.
Do you find that's a fair criticism?
Actually, I do.
And I think, you know, even ourselves, I think, you know,
we've all been guilty of that a little bit, but I think it's important for us to look at it and say,
we can't expect that, right? I mean, I started in cybersecurity before there was an opportunity for
anybody to even be fully baked, as you said. And so, you know, you had to learn, you had to be
trained, you had to be mentored, you had on-the-job training. There might not have even been, you know, universities you could go to to get a degree in it. And I think
we need to kind of look at the industry kind of almost through that same lens and say, look,
we need to invest in our talent. We also need to embrace diversity. And, you know, I look at that
as we need to pull in people from all different backgrounds, not even necessarily cyber, right?
Because if we are all trying to pull from cyber,
we're still all pulling from that same pool.
But I'll tell you that I've got some great people
on my team that they have law degrees,
they have chemistry degrees, biology degrees.
They come from all different walks of life.
They didn't necessarily study and start in cyber.
It was just something that was really attractive to them.
They kind of got sucked in. And then from there, you know, they were, they were invested in,
they were grown, they were trained and they became phenomenal talent. And I think that's
why we need to look at some of these kind of adjacent talent pools and opportunities for us
to kind of go beyond the, let's find the unicorn that's got 10 years of experience and everything
to, you know, let's find someone who's got the passion, the interest, and the excitement, and let's make that investment.
You know, like at Verizon, we've done a lot in terms of developing our internship and new college
hire programs, recognizing that, you know what, someone coming to us with little to no experience,
but the passion and the interest and the fire in their belly to learn, that is very valuable. We can
mold them, we can train them, and we can grow them to be what we need them to be.
What about that person who has that fire, who has that passion, but they find themselves up against
HR departments where, you know, they can't get past that gate. They can't get their resume
in front of the people
who may see them for the potential that they have.
That's a great point.
And I'm sure there's gonna be a lot of HR people out there
that are gonna hate me for what I'll say to that.
But I'll say it anyways.
And what I would say is, persistence pays off.
I think there are a lot of places
where you will encounter that problem.
There's automated screening and all sorts of other things that will trip up people. And this is an area where I think
that, you know, going back to kind of the roots of the industry is kind of helpful in my own
mindset and recognizing that some of the best people we've ever picked up didn't start in or
have any background in cyber, but they reached out and they said, I'd like to do it. And these
are the ways that I can show that I have that passion, that fire in my belly. So what I would encourage people to do is find those people
that you think are either looking for the talent. Maybe they've indicated on LinkedIn that they're
hiring or they're part of an organization that's hiring, or they're part of an organization that
you know you'd be excited to work for. Send them a direct message. I get a lot of these on LinkedIn,
a lot of these on Twitter, and I answer every single one of them. And God knows how many I will get after I just said that.
But nonetheless, I think it's a great thing. And I've mentored and helped a lot of people,
you know, if they don't have the background and they're looking to understand what should I have
as a good base, what will help me open the door either with a Verizon or anyone else? And
I'll sit down with them and even have a call with them and say, look, let's talk about what you're
doing, where you're at, what are your interests? Here are maybe some trainings or some certifications
or some free and available resources out there. There is a tremendous amount of knowledge and
educational material that is freely available. And I think, again, the persistence piece is key.
If you can't get in through that front door with the typical HR and recruiting screenings,
kind of take that side door route
and try to contact people through social media.
Let them know you're interested.
You know, I can't guarantee
everyone's going to be responsive to that,
but I know my team, we're always looking for good talent
and we're always trying to diversify
where we pull that talent from.
So, you know, we're, we're typically very eager to speak to people who are excited about
the field.
And I think also, you know, to that point, it's also important when we're focusing on
how we invest and grow the talent, you know, from, from our standpoint, you know, every
now and then I'll hear criticism from people who will say, look, it's expensive to invest and train people.
And then at the end of the day, that only may get them to a certification and then they go get a job somewhere else.
I'm like, look, that's just business, right?
That's just the way the world works.
At any point, I could go get another degree, get another certificate and leave and go work somewhere else.
But at the same time, I also look at it and say, every single person that we've hired, we've hired them away from
somewhere else too. Right. And that business has probably invested in them and trained them as well.
And so I look at it as kind of a, not so much about kind of being, you know, selfish and how
do I grow my piece of the pie, but how do we be kind of more selfless and say, how do we just grow the whole pie for all of us?
And in turn, you will be rewarded
with your piece of the pie respectively gets bigger.
All right.
Well, Chris Novak, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.
channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.