CyberWire Daily - Unrest in Iran finds expression in cyberspace. Cyber conflict and diplomacy. Cybercrime in the hybrid war. And there seems to have been an arrest in the Uber and Rockstar breaches.
Episode Date: September 26, 2022
Unrest in Iran finds expression in cyberspace. Albania explains its reasons for severing relations with Iran. Cybercrime in the hybrid war. Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book: "Russian Information Warfare: Assault on Democracies in the Cyber Wild West." And there seems to have been an arrest in the Uber and Rockstar breaches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/185
Selected reading.
Iran's War Within (Foreign Affairs)
Iran's Hijab Protests Have Lit a Fire the Regime Can't Put Out (World Politics Review)
'Something big is happening': the Iranians risking everything to protest (the Guardian)
Dissident: 'Iranian women are furious' over headscarf death (AP NEWS)
OpIran: Anonymous declares war on Teheran amid Mahsa Amini's death (Security Affairs)
IDF official says military foiled 'dozens' of Iran cyberattacks on civilian sites (Times of Israel)
Analysis | 'Our Conflict With Iran Is Unparalleled', Say Israel's Elite Cyber Unit Commanders (Haaretz)
US Issues License to Expand Internet Access for Iranians (VOA)
US Treasury carves out Iran sanctions exceptions for internet providers (The Record by Recorded Future)
Iran and Albania: diplomacy and cyber operations (CyberWire)
Ukraine dismantles hacker gang that stole 30 million accounts (BleepingComputer)
The SBU neutralized a hacker group that "hacked" almost 30 million accounts of Ukrainian and EU citizens (SSU)
Personal details of celebrities, including Sir David Attenborough and Sarah Ferguson, leaked after Russian scammers hacked an organic food store (News 24)
London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (The Hacker News)
UK teen suspected of Uber and Rockstar hacks arrested (Computing)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Unrest in Iran finds expression in cyberspace.
Albania explains its reasons for severing relations with Iran.
Cybercrime in the hybrid war.
Rick Howard on risk forecasting with data scientists.
Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book,
Russian Information Warfare, Assault on Democracies in the Cyber Wild West.
And there seems to have been an arrest in the Uber and Rockstar breaches.
From the Cyber Wire studios at DataTribe, I'm Tre Hester filling in for Dave Bittner
with your Cyber Wire summary for Monday, September 26th, 2022.
Protests in Iran continue, the New York Times and others report, and they've been particularly
sharp in Kurdish regions. The proximate cause of the unrest was the death of a young woman in the custody of
the Morality Police. Mahsa Amini, 22, had been arrested on charges of violating hijab regulations.
Many of the protests have been led by women and some smaller cities are said to be outside of
effective government control.
The Washington Post's coverage includes video of street violence.
Tehran has responded with force, but also by imposing sharp restrictions on online activity.
The Record reports that the government has organized outages of mobile networks,
WhatsApp, and Instagram. The Record also reports that the Anonymous hacktivist collective last week disrupted some Iranian government websites.
On Friday, in a gesture intended to offer support to Iran's dissidents,
the U.S. Treasury Department relaxed sanctions in ways calculated to make it easier for U.S. tech firms
to offer Iranians greater access to online communication.
Iran's Green Movement of 2009 and 2010, which shook the regime,
although it ultimately fell short of revolutionary success, is instructive here. That movement took
place when Twitter was relatively young, and the dissenters made innovative and effective use of
what was still a new and unfamiliar platform. It seems likely that Treasury hopes to remove
any barriers sanctions might impose on such self-organizing opposition to the rulers of Tehran.
The Washington Post this week interviewed Albania's Prime Minister Edi Rama
on his government's decision to sever diplomatic relations with Iran
over Tehran's large-scale cyber attack against Albanian IT infrastructure.
Rama told the Post,
Based on the investigation, the scale of the attack
was such that the aim behind it was to completely destroy our infrastructure back to the full paper
age, and at the same time, wipe out all of our data. Our sense now is first, that they didn't
succeed in destroying infrastructure. Services are back. Second, data. Yes, they took some,
but practically not of any particular relevance, end quote.
He characterized the cyberattacks as aggression, not as destructive, of course, as bombing,
but of comparable intent, incomparably inadmissible under international norms.
Observers continue to expect a renewed offensive from Russia in cyberspace, but so far,
that hasn't materialized. What is being seen,
News24 and others report, is some apparently financially motivated celebrity doxing by
Russophone gangs. In Ukraine itself, the Security Service of Ukraine reports having taken down a
gang that was responsible for compromising almost 30 million accounts and earning roughly $380,000
in the process. Bleeping Computer reads this as accounts belonging to 30 million individuals.
The SBU says the hoods it took down were working for the Russians.
On Friday, the City of London Police tweeted,
On the evening of Thursday, September 22, 2022,
the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking as part of an investigation supported by the NCA UK's National Cybercrime Unit.
End quote.
The police have been relatively closed-mouthed about the arrest
and haven't publicly connected it with either the Uber or the Rockstar Games incident.
As The Verge points out, however,
circumstantially the alleged crime looks like the Uber and Rockstar hacks, and the suspect looks like a Lapsus$ operator.
The Hacker News offers some informed speculation that the youth arrested was responsible for
the Uber and Rockstar incidents.
Without revealing the hacker's real identity, Flashpoint reports that the hacker, known
as teapotuberhacker, was outed in an underground online forum, but the security firm urges caution in accepting the doxing at face value.
Flashpoint reviewed what it found in the, quote, online illicit forum, end quote,
and reported evidence that the person responsible for the Uber and Grand Theft Auto hacks, quote,
On the day that the original post was made, Flashpoint analysts found that teapotuberhacker's real-world identity had
been outed on an online illicit forum, in a thread titled, The person who hacked GTA 6 and
Uber is Orion. The administrator for that forum claimed that teapotuberhacker was the same
individual who had allegedly hacked Microsoft and owned Doxbin. Additionally, the administrator
linked teapotuberhacker to other aliases like White and Breachbase and stated he was a member of Lapsus$.
While the tactics, techniques, and procedures employed by teapotuberhacker are consistent with Lapsus$, these communities will often make false claims against one another.
Flashpoint analysts identified previous doxes where the content may vary on the same individual.
These are typically curated by individuals within these communities and should be treated with a healthy degree of skepticism.
End quote.
Well, if it is the same young person, a youthful recidivist,
we'll repeat the same thing we said in the spring.
Child, child, these wild ways of yours will break your mother's heart.
Coming up after the break, Rick Howard on risk forecasting with data scientists, and Dave Bittner sits down with Dr. Bilyana Lilly to discuss her
new book, Russian Information Warfare, Assault on Democracies in the Cyber Wild West. Stick around.
Dr. Bilyana Lilly is Director of Security Intelligence and Geostrategy at Krebs Stamos Group.
She's author of the newly released book Russian Information Warfare,
Assault on Democracies in the Cyber Wild West.
The elections in 2016 happened and we saw Russia's interference in the elections and we started to learn more and more about the different activities that
were associated with Russia's interference during the elections. And we saw, if you remember, Dave,
there were two APTs, APT28 and APT29. They breached the networks of the DNC, the Democratic National
Committee. They exfiltrated data strategically as the election season was unfolding.
And at that time, it seemed to me like the U.S. government was not prepared to address
that particular interference in the hack-and-leak operation.
That's how we learned to call it afterwards.
And we were rather reactive in our responses and in our management of the situation.
And what's even more interesting is before the
elections and after the elections, we learned a lot more about the other activities that the
Russian government has been sponsoring, like the disinformation operations, the trolls and bots on
social media, the troll farms in St. Petersburg and other locations. We also learned that the
Russian government has sponsored rallies in different states throughout the United States for and
against the different candidates. So the range of activities was vast, and we didn't have a clear
picture as we were going into the election season in 2016. So I wanted to understand after that
experience, where else has the Russian government used similar tactics to interfere in democratic
processes? And what can we learn from them so that next time this happens in the U.S., we can be better prepared to address it?
Well, how do you describe the current state of Russian information warfare? I mean,
how do they go about doing the things they do? That's a great question. So it's definitely
evolved. When I discuss what information warfare is in essence, I always refer to the
Russian doctrine of information warfare. They published a document in 2011 where they provided
an official definition of what information war or information warfare is. The term, which
roughly translated as information warfare, but in Russian, the term also may mean information struggle.
It's информационное противоборство (informatsionnoye protivoborstvo, "information confrontation").
And it is described as constant confrontation between states.
And that confrontation is conducted during war and peace for the purposes of eroding the decision-making apparatus of the adversary and eroding its capacity to conduct command and control operations. And it's also conducted for the purposes of inflicting damage on information systems.
So there is an element of using cyber operations to inflict damage on your networks and your systems,
but also using psychological operations to inflict damage on the mind of your adversary,
on the decision-making apparatus, but also on the
population. So those are the elements of information warfare that are
the core in Russia's modern version of warfare. But then in addition to that, there are a lot of
Russian military scholars that have tried to describe, okay, how do we really operationalize
this theoretical concept on the ground. And in addition to psychological operations
and cyber operations, some scholars argue that to conduct information warfare, we have to also
consider the associated operations such as sponsoring of protests, coup d'etats, assassinations,
economic sanctions, political pressure, and all of those activities together are associated with
information warfare and help the Russian government to conduct it. So this is how I would describe
the term. And how do they compare to their peers? When we look around the globe, other folks who
are engaged in these sorts of things, how does Russia rank? I think Russia has a very good
culture of already conducting specifically the types of
hack-and-leak operations that we saw in 2016. And the point where in the way they integrate
cyber operations and strategic messaging campaigns or disinformation, because they have units that
do this together, like for example, the GRU, Russian military intelligence. And they are very good at doing that.
And we have some examples in Ukraine.
We have other examples in countries outside of the United States as well.
And in comparison to other nation states, from what I have read,
the Russian government tends to use cyber operations and information
and disinformation, altogether as information warfare,
to try to inflict damage on the adversary, while other threat actors or other states use similar techniques
like cognitive warfare in the Chinese case and others to conduct damage or to influence more regional actors,
while the Russian government uses its tools to exert pressure on or influence on actors that are much farther away from its territory. And in the Russian case, they use it
a lot for political purposes, while in other cases, we have political purposes, also economic
espionage that is linked to those particular campaigns. I would say the Russians so far
are probably the best at conducting this type of modern version of warfare.
In the book, you introduce a framework that you refer to as the chaos model.
Can you describe to us what goes into that?
Sure. So CHAOS stands for cyber, hype in media, and associated operations. And with that model, I wanted to visualize in one simple figure
all the different activities that the Russian government conducts during one information
warfare campaign. And the purpose was so that we have a template that we can use to record each
information warfare campaign and to compare and contrast between the different
campaigns that the Russian government is involved in.
And in this way, we can see whether there are any patterns, whether there are any deficiencies,
and we can be able to address them better as we build Russia's playbook across different
cases.
So with the first two letters of CHAOS, cyber and hype,
I'm trying to capture chronologically all the cyber operations that have taken place during one information warfare campaign.
And with hype, I'm trying to capture the volume of media articles in Russian state-sponsored media outlets that are available to the targeted population through which the Russian government is conducting
its strategic messaging operations.
So I try to basically assess whether that volume changes as the information warfare
campaign progresses.
And then the associated operations are political, military, social, and economic activities
that the Russian government has supported to achieve the same objectives
in the general information warfare campaign. So that's what CHAOS stands for.
You know, since the Russian invasion of Ukraine and the war there, I think folks who keep an eye
on these things have certainly felt like they've learned a lot about Russia's capabilities or
shortcomings when it comes to that. Have there been any revelations when it
comes to information warfare, things that we've learned from what they have and have not been able
to do in this particular campaign? Absolutely. There is a lot that's coming out of the past six
months. And I would say, first of all, I don't think cyber operations have been ineffective. We have some reports that suggest that.
I think cyber operations have been very effective in achieving some of the strategic objectives that they were set to achieve.
In the beginning, there were two massive waves of DDoS attacks against banks in Ukraine, as well as government structures.
We have Viasat technologies that were rendered inoperable for a certain period of time that affected the command and control of the Ukrainian military.
We have Industroyer2 that could have wreaked a lot of havoc.
We have a lot of new wiper malware, and there is still a risk of it spilling across the borders.
It's not as bad as NotPetya in 2017, but we're still facing a risk of this spilling out of Ukraine's borders
and affecting other industries and other countries.
So I would say in many ways,
we have seen a range of cyber operations that have been quite significant.
I believe Viktor Zhora, Ukraine's cyber czar,
one of the Ukrainian officials who is telling us a lot about the situation on the ground
and specifically how warfare is conducted in cyberspace in Ukraine at the moment, he said
that there were about 1,600 significant cyber operations that have taken place so far. And
I think what we have to remember is that information warfare, very roughly defined as strategic messaging and cyber operations, it's only one component of warfare.
And right now what we are seeing in Ukraine is a large-scale war on the territory of a European country, and this hasn't happened since the Second World War.
We have tanks, we have artillery, we have soldiers, we have massive
battles happening. This is where the focus should be, not so much on cyber. And cyber is,
in this particular case, it plays a supportive function. And so far, I believe it has showed
that it has been effective where it's been needed.
Dr. Bilyana Lilly is Director of Security Intelligence and Geostrategy at Krebs Stamos Group.
Her latest book is titled Russian Information Warfare, Assault on Democracies in the Cyber Wild West.
And it is always my pleasure to welcome back to the show Rick Howard.
He is the CyberWire's Chief Security Officer, also our Chief Analyst and Bottle Washer.
And Rick, I was looking at the call sheet this morning and I discovered that Season 10 of CSO Perspectives Pro is coming to an end this week.
It is.
There's much wailing and gnashing of teeth about that.
We're going to have to wait an entire month for Season 11 to start, and that is a shame because you and your army of interns have really hit your stride this season, in my opinion.
I appreciate that, Dave. Yes, and we may have to double the interns' bread and water rations down in the underwater sanctum sanctorum, okay?
Because, you know, they deserve it.
Okay.
So this season, we kind of blew by our 100th episode.
We covered another tool from the MITRE ATT&CK folks called Attack Flow,
which I really like.
We talked about the fintech ecosystem,
and then we had a detailed discussion about two first principles,
zero-trust tactics, privileged access management, and crisis planning.
And we finished up with a mini four-episode series
on forecasting cyber risk that I'm really proud of, right?
And this last episode in the series,
I talked with two
data scientists from a company called Cyentia about the current state of cyber risk forecasting.
Their names are David Severski and Wade Baker, who, Dave, I think you may know him. He was one
of the founders of the Verizon Data Breach Investigations Report many years ago. And so these two guys have some risk forecasting cred, as they say. So it's a good
interview. Well, I see the name of this episode is Two Risk Forecasting Data Scientists and Rick
Walk Into a Bar. That seems appropriate. Perfect title there. I appreciate that. Exactly what it
is. Well, congratulations on putting to bed another season of CSO Perspectives Pro.
What is going on on the public version this week?
Yeah, this episode is from the November of last year,
and it's the inaugural episode of the Rick the Toolman series,
where I explain in simple terms
that even senior security executives like me can understand
the tools that their InfoSec teams are using
on a regular basis. I just want to note here that Rick the Toolman sounds suspiciously like
Tim the Toolman Taylor from the long-running 90s TV show Home Improvement. Is that what we're going
for here? Yeah, it looks like I've been had. Yes, I myself was also a big fan of the series. And the way the show star Tim Allen used
his ape-like grunts to express his confusion or joy or whatever he's talking about, that kind of
appealed to me. And I'll just say that I may appropriate those grunts in the Rick the Toolman
series, you know, just saying. And so for this episode, we're explaining one of my favorite tools, the MITRE ATT&CK framework.
Well, lastly, what is the phrase of the week on your WordNotes podcast?
We're covering a little InfoSec meat and potatoes.
Nothing sexy here, but this week the phrase is intrusion detection systems.
This device has been a staple of the security stack since the 1990s, and it was
invented by the great computer scientist and cybersecurity pioneer, Dr. Dorothy Denning,
back in the 1980s. So you don't want to miss that. All right. Well, we can check it all out.
CyberWire Pro is on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Thank you, sir.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technology.
Our amazing Cyber Wire team is Elliott Peltzman,
Brandon Karpf, Eliana White,
Puru Prakash, Liz Irvin,
Rachel Gelfand, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe.
Thanks for listening.
We'll see you back here tomorrow.