CyberWire Daily - Updates on Russia’s hybrid war, including cyber ops and influence operations. Mustang Panda focuses on Europe in its cyberespionage. Ransomware hits oil and gas sector. UPS vulnerabilities.

Episode Date: March 8, 2022

Updates from the UK’s Ministry of Defense on Russia’s War in Ukraine. Influence operations: the advantage still seems to go to Ukraine, as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Privateering: Conti, Ragnar Locker, and (probably) others. Mustang Panda rears up in European diplomatic networks. Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. Vulnerabilities found in UPS devices. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/45 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Updates from the UK's Ministry of Defence on Russia's war in Ukraine. On influence operations, the advantage still seems to go to Ukraine as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Mustang Panda rears up in European diplomatic networks.
Starting point is 00:02:17 Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. And vulnerabilities are found in UPS devices. From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 8th, 2022. The Russian army continues to exhibit surprising tactical and operational shortfalls. Its road-bound heavy forces, even as slow-moving as they prove to be, have clearly already outrun their logistic support.
Starting point is 00:03:14 Having been unable to capture key Ukrainian cities, they've turned to heavy and indiscriminate targeting of civilians, despite a second negotiated round of ceasefires. The UK's Ministry of Defence yesterday afternoon tweeted an update on Russia's war against Ukraine and took particular notice of Moscow's attempts to control information. Quote, Russia is increasingly restricting domestic social media access to limit negative coverage of Russia's invasion of Ukraine. This will further confine the information space and make it increasingly difficult
Starting point is 00:03:47 for the Russian population to gain access to anything other than the Russian state official view. This indicates the Kremlin's concern over the Russian population's attitude to the conflict. Earlier this morning, the MOD added a spot report, quote, resulting in the death of several civilians whilst trying to evacuate Irpin. Due to heavy fighting in the town, it has reportedly been without heat, water or electricity for several days. End quote. Moscow is recycling implausible and unsupported claims that Ukraine is attempting to create a dirty bomb, that is, a radiological catastrophe, by mining a research reactor in Kharkiv. Sputnik maintains that Russian forces are actually the heroes in Kharkiv,
Starting point is 00:04:51 having secured the reactor and prevented the disaster the Ukrainians had prepared. Russian government-controlled media are also claiming that Ukraine is attempting to conceal a large-scale biowar program it's been operating with U.S. support and collusion. Neither of these seem to have any international legs, but then the audience is probably a domestic one. Russian domestic influence operations continue in other respects to rely heavily on censorship. There are also some signs of direct intimidation of journalists.
Starting point is 00:05:26 Reporters in Odessa say they've received menacing emails. The Atlantic Council describes what appears to be a coordinated campaign of intimidation. Even the most assiduous propagandists seem to have trouble finding good help nowadays. Some of the emails were sent by people who forgot to delete the instructions that had been embedded in the sample text they were given. Things like, add here a few paragraphs on local specifics, or these emails should be disseminated every day to crush the morale, or send emails individually, not to a list, and think about painful dots to push on. We think painful dots are what Americans would call hot buttons. You know, you tell them and you tell them. The biggest obstacle to a successful Russian information campaign, however,
Starting point is 00:06:14 apart from persuasion being inherently harder to achieve than confusion, may be the pervasive availability of social media and a large international journalistic presence in Ukraine. Unusual Western openness with intelligence, notably used for what some have called pre-bunking, the anticipation of Russian disinformation themes and the release of fact-checks before the disinformation finds its legs, seems to also have played a part. A report late last week from Checkpoint Software gives a timely reminder that in any war, and in a hybrid war especially, early reports and claims should be treated with cautious skepticism.
Starting point is 00:06:54 That applies to claims on behalf of both sides, which may or may not eventually be confirmed. Who's helping Russia defend its networks and who's assisting them in recovering from cyber attacks? Huawei, the Indian news service WION reports. Australian Defense Minister Dutton, the Daily Mail says, has criticized Huawei for working on behalf of Russia and accused Moscow and Beijing of having an unholy alliance. The Conti gang, which has publicly pledged its allegiance to Mr. Putin's war, has shrugged off the reputational damage it sustained when it was infiltrated by a Ukrainian hacker who released records of the gang's internal chatter. eSentire has published an extensive account of Conti's history and an assessment of its current capabilities.
Starting point is 00:07:44 Attacks the group conducted against Western targets may have represented a contribution to Russian battle space preparation. The U.S. FBI updated its alert concerning RagnarLocker yesterday, quote, as of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. End quote. RagnarLocker was composed by Russophone coders, and MITRE notes that RagnarLocker doesn't encrypt files if it determines that its target is in either Russia or the near abroad.
Starting point is 00:08:29 This makes it likely that its operators have enjoyed a privateer's immunity from Russian authorities. Operators, we stress, is a plural here. RagnarLocker is a tool, not a threat actor, and it's been used by various gangs. Cyber espionage will follow crisis, and the Russian war against Ukraine is proving no exception. Proofpoint this morning released a report on the activities of TA-416, a Chinese APT also known as Mustang Panda.
Starting point is 00:09:03 Its current interests have obviously been shaped by the war. TA-416 is targeting European diplomatic entities, including an individual involved in refugee and migrant services. It uses tracking pixels to help profile targets during its reconnaissance phase. The phishing emails that eventually deliver the payloads to TA-416's targets have often impersonated United Nations agencies. Quote, the multi-year campaign against diplomatic entities in Europe suggests a consistent area of responsibility belonging to TA-416. End quote. Bloomberg reports that Resecurity found that threat actors succeeded in accessing the networks
Starting point is 00:09:43 of 21 companies, most of them in the oil and gas sector, over a two-week period in February. Resecurity declined to attribute the activity to any nation, but did go so far as to say that the activity seemed to be state-sponsored. Bloomberg notes that some of the incidents appeared to overlap those Microsoft attributed to Strontium, also known as APT28 and Fancy Bear, that is, Russia's GRU, Military Intelligence Service. The timing and target selection are suggestive, circumstantially, of a Russian operation. The Hive ransomware gang has hit Romania's Rompetrol oil company, disrupting fuel stations throughout the
Starting point is 00:10:26 country. BleepingComputer says that the gang has demanded a $2 million ransom. Finally, researchers at security firm Armis this morning announced that they'd found three zero-day vulnerabilities in APC Smart-UPS devices. A UPS device is an uninterruptible power supply, something that provides emergency backup power for mission-critical assets. They're used in data centers, industrial plants, hospitals, and other places that need reliable uninterrupted power. Until recently, UPS devices hadn't been considered security risks, but that's changed as more of these devices have become remotely managed and so networked. Armis calls the vulnerabilities taken together TLStorm,
Starting point is 00:11:11 and they say they could be exploited to disable, disrupt, and destroy APC smart UPS devices and attached assets. APC is a unit of Schneider Electric. This is a case of responsible disclosure, and Armis has worked with Schneider, which has prepared and made available patches and mitigations that address the vulnerabilities. If you use these UPS devices, be sure to patch them. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous
Starting point is 00:12:07 visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:05 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Our UK correspondent, Carole Theriault, has been tracking the growing sophistication of deepfakes and the concerns they've triggered. Today, she files this report on a new coalition that has set their sights on fighting deepfakes. So according to Forbes, a coalition of technology companies set up to combat deepfakes has released the first version of its technical specification for digital provenance.
Starting point is 00:14:06 The Coalition for Content Provenance and Authority, C2PA, not exactly a name that slips off the tongue, however. According to Forbes, C2PA counts Adobe, Microsoft, ARM, Intel, TruePic, and the BBC amongst the illustrious list of members. And the gist is this. Platforms can define what information is associated with each type of asset. By asset, I mean an image, a video, a podcast, a document. And they can specify how that information is presented and stored and how evidence of tampering can be identified. In other words, it allows content creators to selectively disclose information about who has created or changed digital content and how it's been altered. Leonard Rosenthol, chair of C2PA's technical working group and senior principal scientist at Adobe, is quoted in Forbes saying, As the C2PA pursues the implementation of open digital provenance standards, prototyping and communication from coalition members and other external stakeholders will be critical to establish a system of verifiable integrity on the Internet.
Starting point is 00:15:24 Okay, that is a statement written by a committee if ever I saw one, because it is nebulous at best. But let me just distill what I think it is trying to say. Hey guys, get on board with this, otherwise it's going to fail. But you know, these things get complicated, they always do. Maybe not all deepfakes are bad. Consider the movies, for example.
Starting point is 00:15:56 According to Technical.ly, the big movie houses started using the technology that is deepfakes to reduce the cost of movie production during the Rona pandemic. That too is a slippery slope. How long before some actor breaks his leg and is contractually obliged to have a deepfake play his role? Or what if an actor is bidding for a role against a deepfake of Laurence Olivier? I mean, as the technology becomes ever more accessible, organizations will not only be the ones creating deepfakes. Individuals creating content on YouTube and other video platforms may well want to use deepfakes, if only just to make their channel pop. Oh look, hey, look at the big celebrity that just popped in on my channel.
Starting point is 00:16:39 I mean, I can see it. I'm predicting it now. So as always, we want to stop deepfakes for bad intentions. We want to regulate the use of deepfakes in good intentions. And we want to look at how it can be used by the common person in order to advance the technology in a safe way. Not a big ask, right? This was Carole Theriault for The Cyber Wire. is more than just a challenge. It's a necessity.
Starting point is 00:17:25 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:17:47 can keep your company safe and compliant. And I'm pleased to be joined once again by Andrea Little-Limbago. She is the Vice President of Research and Analysis at Interos. Andrea, it is always a pleasure to welcome you back to the show. There is a term that I saw coming out of, I believe, the UK, and it's data traps. You being a data scientist, I thought you'd be the perfect person to check in on what exactly this means and what the implications are. What can you share with us today? Yeah, no, thanks for bringing this up. It really hasn't risen to a lot of
Starting point is 00:18:35 attention, but back in December of 2021, the UK Intel chief brought this notion and warned against both debt traps and data traps. Now, debt traps have been used before, and that basically is the weaponization of debt where countries provide other countries loans to get leverage over them. And so we see that a lot. And so that wasn't really what was as novel. It's something to be concerned about for sure, but it wasn't as novel. It's also sort of tying that into data traps. What they noted was that if you allow another country to gain access to your data
Starting point is 00:19:04 and gain control of that data, basically it erodes your sovereignty. And so what he really was warning about was the access that other governments are starting to have to both public and private sector data as an erosion of sovereignty and control and as a means for leverage as well. And so what they're really looking at is looking at data as basically this resource, right, a strategic resource. And he's framing it in that lens. And I think for many governments, especially digital authoritarians that we've talked about for sure, really do look at data as a strategic resource. And democracies really haven't done that as much. That's shifting, but really haven't done that as much. And so that's where you see why it was so important for the UK intelligence chief to bring this up, was to highlight that this should be a concern of both the private and public sector,
Starting point is 00:19:52 that knowing where your data is, making sure you're both protecting it at home, but knowing where it is abroad and knowing what kind of access other adversaries may have to that data. And then what would happen to government, to your society, to your company, if that data was accessed. And I think, as we all know, within this audience, integrating various forms of data together can really lead to useful insights. So that's great. It also can lead to useful insights in negative ways against an entity as well. So it really is trying to raise the alarm about the necessity to protect your data, not just at home, but, you know, abroad. It's interesting to me you mentioned sort of the contrast between democracies and other governments.
Starting point is 00:20:35 I mean, is that a cultural thing? Do different nations approach their attitude towards data in different ways? Yeah, I think they definitely do. And on the one hand, it's kind of a spectrum, and we absolutely can point to areas where democracies and democratic governments have overreached in areas of civil liberties and human rights. So it's not saying that democracies are completely devoid of any kind of activity in that realm, but the extent of which it goes on and sort of the guardrails that are in place to prevent it
Starting point is 00:21:02 are very, very different. And so you do see amongst the digital authoritarians really the quest to, I think of it as data hoarding, bring in as much data as possible. And that's why you see everything from the OPM attack, which feels like about a decade ago at this point, through the healthcare data that's getting attacked, through airline data getting taken in, through hotel membership data, all that different data basically can be a pattern of life when brought together and can be used for just a variety of means. And that's not even mentioning some of the IP theft as well that we've seen. And so you see more of the authoritarians looking at no target as being off limits. For the democracies, really it focuses much more so on what would be like in quotes, traditional espionage, not necessarily targeting IP or the commercial entities. It's more so for the leadership and espionage along those lines versus the theft of IP. And so it does create a very different playing field between the two.
Starting point is 00:21:56 And that's really what I think the UK chief was really trying to highlight, was whether it's your company or within your digital supply chain and your partners that may have your data elsewhere, to be really concerned about that. And even in the policies that we see, you see like the general data protection regulation, the EU is protecting data for individual citizens, whereas elsewhere, from Russia to China, Kazakhstan, you really across a lot of these, you know, actually Thailand, Vietnam, many, many countries increasingly have data localization requirements. So you have to store the data there. Additional policies and regulations then add components as far as, oh, and we can access this data if we deem it essential to national security.
Starting point is 00:22:35 And that umbrella of what is essential to national security basically is endless for them. So there's a big risk of storing that data abroad with a government that could have easy access to it. Well, and we're seeing, I think it's the EU that's been going head-to-head with Facebook over data storage and being able to transfer data overseas across the ocean and trying to keep some sovereignty to their data. I mean, is that part of what we're talking about here? I think it is. And I think that's an additional component of it, because on the one hand, we do see sort of this splintering of the internet and the different sovereign areas. And so really, the challenge is how can we have the free flow of data, because that is really
Starting point is 00:23:16 essential for functioning economies, while still preserving sovereignty and individual data rights. And I think in the Facebook case, it's especially relevant for the case of looking at the citizens' data and maintaining control over the citizens' data. Whereas for some of the other instances, it might be that they may want more so the free flow of data along the lines of commercial information and so forth for, you know, economic purposes. And so, you know, not all data is the same. And I think we're starting to get into an area as well where we'll start seeing some distinct categorizations of different kinds of data, which will then have different policies applied to them. So, I mean, if we think we have a patchwork of policies and regulations now, I think that's just going to continue to explode. Hopefully, it's done well in the direction of greater security.
Starting point is 00:24:04 But at the same time, there are concerns over everyone trying to create their digital fortress around the country. Because that also leads to basically digital protectionism. And that isn't optimal for the free flow of information and ideas either. So there's going to have to be a balance. Yeah. All right. Well, Andrea Little-Limbago, thanks for joining us. Great. Thanks, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:24:38 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Dodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
