CyberWire Daily - Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.
Episode Date: March 1, 2022

Stalled columns, rocket fire, and negotiation over Ukraine. Two new pieces of malware found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic "war of attrition." Daxin: a backdoor that hides in normal network traffic. Registration-bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And Razzlekhan talking a deal?

Resources

Ukraine Fighting Overshadows Chance of Russia Talks' Success (Bloomberg): Both sides agree to second set of talks even as fighting rages. Russia suffers market seizure as ruble plunges on sanctions.
After a Fumbled Start, Russian Forces Hit Harder in Ukraine (New York Times): After days of miscalculation about Ukraine's resolve to fight, Russian forces are turning toward an old pattern of opening fire on cities and mounting sieges.
The dire predictions about a Russian cyber onslaught haven't come true in Ukraine. At least not yet. (Washington Post): For more than a decade, military commanders and outside experts have laid out blueprints for how cyberwar would unfold: military and civilian networks would be knocked offline, cutting-edge software would sabotage power plants, and whole populations would be unable to get money, gas or refrigerated food.
A Free-for-All But No Crippling Cyberattacks in Ukraine War (SecurityWeek): In the early days of the war in Ukraine, Russia's ability to create mayhem through malware hasn't had much of a noticeable impact.
CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (SecurityWeek): The two U.S. agencies warn that both malware families were used in destructive cyberattacks targeting organizations in Ukraine.
Anonymous Hacker Group Targets Russian State Media (SecurityWeek): Hacker group Anonymous claimed responsibility for disrupting the work of websites of pro-Kremlin Russian media in protest of the invasion of Ukraine.
Ukraine's Volunteer 'IT Army' Is Hacking in Uncharted Territory (Wired): The country has enlisted thousands of cybersecurity professionals in the war effort against Russia.
After Conti backs war, ransomware gangs realize peril of patriotism amid infighting (SC Magazine): Ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians. And like in any business, there is peril in angering the consumer.
A ransomware group paid the price for backing Russia (The Verge): Is proximity to the Putin regime becoming a liability?
U.N. General Assembly set to isolate Russia over Ukraine invasion (Reuters): The 193-member United Nations General Assembly began meeting on the crisis in Ukraine on Monday ahead of a vote this week to isolate Russia by deploring its "aggression against Ukraine" and demanding Russian troops stop fighting and withdraw.
Russia defends invasion during emergency UN General Assembly (Deutsche Welle): A clear majority of UN member states are expected to vote to condemn Russia's actions as Moscow becomes increasingly isolated internationally.
The New Russian Sanctions Playbook (Foreign Affairs): Deterrence is out, and economic attrition is in.
Russia seeks to halt investor stampede as sanctions hammer economy (Reuters): Russia said it was placing temporary curbs on foreigners seeking to exit Russian assets on Tuesday, putting the brakes on an accelerating investor exodus driven by crippling Western sanctions imposed over the invasion of Ukraine.

For links to all of today's stories check out the CyberWire daily news briefing for March 1, 2022.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Stalled columns, rocket fire, and negotiation over Ukraine.
Two new pieces of malware are found in use against Ukrainian targets.
Ben Yelin joins us with analysis.
Dealing with WhisperGate and HermeticWiper.
The muted cyber phases of a hybrid war.
Leaked files reveal Conti as a privateer.
Sanctions move from deterrence to economic war of attrition.
Daxin is a backdoor that hides in normal network traffic.
Registration bombing lets fraud hide in the weeds.
Our guest is Tresa Stephens from Allianz Global Corporate and Specialty on the elevated concern for cyber risk among business leaders.
And is Razzlekhan taking a deal?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 1st, 2022. A few preliminary notes on the Russian invasion of Ukraine and how it's proceeding on the ground.
Commercial overhead imagery shows a very large convoy of Russian military vehicles headed for Kyiv.
Both Kyiv and Kharkiv are under attack, with heavier artillery fire reported in Kharkiv. The New York Times reports an increase in civilian casualties. Yesterday's talks between
Russian and Ukrainian representatives, held at a checkpoint in Ukraine near the Belarusian border,
concluded without any result beyond an agreement to hold further meetings later this week, the New York Times reports.
That had been generally expected.
It's noteworthy that Russia is negotiating at all,
since Moscow's going-in position had been that it would have nothing whatsoever to say to Kyiv
until Ukraine laid down its weapons.
A Russian spokesman did say he saw some possibility for both sides to find
common ground. The UN General Assembly's emergency session opened in New York yesterday afternoon.
According to Reuters, sentiment is running heavily against the Russian war.
Secretary-General António Guterres denounced the Russian invasion. Deutsche Welle reports that Russian Ambassador Nebenzia defended his country's actions
by characterizing them as self-defense against Ukrainian aggression
and its alleged violations of the Minsk Accords, and therefore legitimate under the UN Charter.
He has also indulged in some utterly unconvincing statements, saying that, quote,
the Russian army does not pose a threat to the civilians of Ukraine,
is not shelling civilian areas, end quote,
when of course the Russian army is obviously doing both.
The Russian denials seem almost pro forma,
offered without much serious intention of convincing anyone.
The General Assembly is expected to vote on Russia's war tomorrow.
Cuba, Nicaragua, Iran, Syria, China, and possibly India
are expected to either refuse to condemn Russia or at least abstain.
Belarus, of course, is a docile appendage of Moscow
and will surely vote with its masters.
An op-ed in Izvestia offers some insight into the developing Russian line about negotiations with Ukraine. The war is very complex, Russia's
needs and concerns are very real, and the world should look beyond shallow Ukrainian grandstanding
and lazy internet memes and come to grips with the, again, very complicated realities
underlying Russia's security concerns. And a Ukrainian negotiator's deliberate breaches of
protocol—he was wearing a t-shirt and a baseball cap and was photogenically glaring at the Russian
side—shouldn't sway a sober and realistic appreciation of those complicated and difficult realities,
all of which is one way of framing brutal and unprovoked aggression.
What's particularly interesting is the Russian turn to complexity as a theme,
which suggests that there's a growing realization that the line asserting that Ukraine is the aggressor
and is led to boot by a neo-Nazi junta,
isn't finding legs.
Contrast that with an assessment of Ukrainian President Zelensky's messaging,
which has largely succeeded in presenting the war in clear, simple terms,
all the more successful for being basically true.
The Telegram quotes social media observers as noting that binary narratives, good versus evil,
and not the inside baseball of the Minsk Accords and the allegedly recent provenance of an
artificial nation, always do well in social media. ESET describes two new tools in use against
Ukrainian targets, IsaacWiper and HermeticWizard.
The former is a distinct strain of wiper,
the latter a worm that spreads HermeticWiper.
ESET is circumspect about attribution, writing,
quote, ESET research has not yet been able to attribute
these attacks to a known threat actor, end quote,
but circumstantially all signs point to Russia.
The use of the malware coincided with the Russian invasion, and so far only infestations in Ukraine have been reported.
CISA and its FBI partners have continued to update the guidance they've issued on the
wiper malware that's been observed in sporadic use against Ukrainian targets.
The Globe and Mail reports that Canadian authorities are offering
comparable advice to their country's own businesses. Russia has shown in attacks on
sections of the Ukrainian power grid going back to 2015 the ability to mount large-scale and
destructive operations against its neighbor, but so far the cyber war has been limited to
relatively confined wiper attacks, which are cyber attacks proper, and influence operations, which are disinformation and trolling.
The Washington Post describes the relatively quiet cyber front and quotes Columbia University's Jason Healey as saying,
quote,
We imagined this orchestrated unleashing of violence in cyberspace,
this ballet of attacks striking Ukraine in waves.
And instead of that, we have a brawl, and not even a very consequential brawl just yet.
End quote.
That, of course, could change.
Influence operations have been more extensive.
Activists claiming to be adherents of the Anonymous collective have taken down or defaced Russian
media and government websites. Ukraine has also recruited an online IT army of volunteer
hacktivists to take action against Russian interests. Some of the response to both cyber
attacks and influence operations has involved a public-private partnership, the New York Times
reports, as companies follow government's lead in opposing
Russian operations against Ukraine. Microsoft has been openly rendering assistance to the
Ukrainian government. Such cooperation isn't confined to the U.S. Bitdefender is working
closely with Romania's National Cybersecurity Directorate to help Ukraine against the Russian
cyber threat, and CyberScoop summarizes the ways in which security companies
are offering assistance to those threatened in Ukraine and elsewhere.
Social media companies have also moved to restrict Russian access
to their platforms, the AP reports,
and to label material that can be traced to the Kremlin
as deriving from Russian government sources.
For its part, Russia has had the aid of some criminal gangs.
The Verge, speaking with Hold Security, reports that the chat logs leaked from the Conti ransomware gang
shortly after the hoods pledged allegiance to the Kremlin
were obtained by a legitimate Ukrainian researcher who infiltrated the gang
and not by a disaffected, if patriotic, criminal.
Among the more interesting revelations in the chat logs are indications that Russia's FSB security service
had Conti go after the muckraking news service Bellingcat.
Russian toleration and protection of cybercriminal gangs has played an important role in the gangs' success and survival, but Conti's experience may
have moved other crews to trim in the direction of apolitical neutrality. SC Magazine reports,
quoting the newly high-minded criminals of Conti rival LockBit, who published a commitment to
inclusion and good behavior that could have come out of any dean of students' office. Quote,
Our community consists of many nationalities of the world.
Most of our pen testers are from the CIS, including Russians and Ukrainians.
But we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others on our team.
Our programmers and developers live permanently around the world in China, the United States, Canada, Russia, and Switzerland.
Our servers are located in the Netherlands and the Seychelles. We are simple and peaceful people. We are all Earthlings.
For us it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work. End quote.
So there you have it.
It seems as if LockBit is unsure of continued Russian protection.
The organs, after all, have their hands full nowadays.
Foreign Policy reviews the current state of sanctions against Russia.
They're along the lines of those the U.S. has levied against Iran, but less comprehensive.
On the other hand, there's a great deal more international unanimity on the measures imposed against Russia.
Even traditionally and proverbially neutral Switzerland has sanctioned Moscow over its invasion of Ukraine.
The International Institute of Finance predicts Russian default on its international debt unless the crisis in Ukraine is resolved soon. Should Russia default, as seems likely, the IIF sees a double-digit
contraction in the country's economy as a likely result. Symantec describes a sophisticated hacking
tool it's calling Daxin and attributes to China. Quote, the most recent known attacks involving
Daxin occurred in November 2021, end quote. Daxin, in Symantec's summary, is a stealthy backdoor designed for use against hardened networks.
The warning has also been distributed through the Joint Cyber Defense Collaborative.
The JCDC is an information-sharing organization whose members include CISA, the FBI, NSA, and 21 U.S. technology companies, in addition to Symantec.
BlackCloak describes registration-bombing attacks that are serving as misdirection for financial fraud. Victims receive a very large number of emails, often in the hundreds,
confirming their registration to sites they may never have even visited, still less signed up for.
The intent is to push emails that might alert the victims to financial fraud
to the bottom of the inbox, where the criminals hope they'll be overlooked in the clutter.
And finally, CNBC reports that Heather "Razzlekhan" Morgan, sometime rapper, self-proclaimed Crocodile of Wall Street and accused altcoin launderer, may be working out a plea deal with prosecutors.
We hope her musical stylings are part of that deal in some way, right?
In this year's Allianz Global Corporate and Specialty risk survey, cyber risk topped the list, right up there with business interruption and natural disasters. Tresa Stephens is regional product leader and the deputy head of cyber for the U.S. for Allianz Global Corporate and Specialty.
So I think that cyber has become the most feared cause of business interruption in this year's survey because it's not really as well understood as traditional business interruption triggers like, you know, natural catastrophes or fires. And therefore, sort of that mitigation plan isn't really as well developed as for some of those traditional BI loss causes.
We're looking through some of the other items on
your list here that folks are concerned about when it comes to risk. I mean, as you say, there's
things like natural catastrophes, pandemic outbreak. It makes sense that that's on the top of people's minds.
Changes in legislation and regulation. You know, it strikes me that a lot of this does sort of
cross paths with cyber, that it seems like, you know, cyber has its tentacles in so many
different things these days.
I mean, absolutely.
Especially when you're talking about changes in legislation and regulation.
I mean, it's sort of the technology evolves and then we regulate it on the back end.
So there's always sort of this game of catch up that you're playing in order to prepare yourself for kind of the oncoming sea changes in the way that, you know, regulations like GDPR might, you know, be deployed and then your business has to respond
to it.
Was there anything in the data you gathered this time around that was particularly surprising?
So there was an interesting new entrant this year into the top 10,
and that was the shortage of the skilled workforce. So that's obviously specific to this year, given the sea change we've had with the great
resignation.
I'm actually a longtime listener of your show.
I'm a big fan.
And I think actually a couple of weeks ago, you interviewed Kevin Magee, and he also mentioned
something he called defender fatigue.
We have a situation where machines just can't do threat hunting as well as individuals.
So you've got these people sort of like manning defenses, you know, and they're eventually going to fall asleep behind the parapet because we're in a situation where you have this lack of a skilled workforce.
You're kind of relying on fewer people to do more.
And it's just a recipe for disaster when it comes to IT security.
You know, it seems to me like, particularly in the insurance arena, we're seeing a lot of volatility where the insurance companies are
seeing things like ransomware. And so they're adjusting how they approach this. You know,
the cost of policies are going up and what they cover is going down. Do you anticipate that this volatility is going to continue for some time now?
Or do you suspect that we'll settle into a little more of an equilibrium?
My sincere hope is that we settle into an equilibrium.
At the moment, it's a hard market for cyber insurance.
The policy prices are obviously going up because the claims that we're paying out have significantly increased.
I think in the last three years, the costs related to ransomware incidents have more than doubled.
I mean, it has a lot to do with sort of the commercialization of ransomware as a service.
You know, it's like cybercrime is, it's business, big business now. My hope is that, you know, we start going after the attackers more aggressively. So we're reducing the number of,
you know, individuals out there who are actively engaging in this kind of criminal activity.
But I mean, you know, there are regulatory, like OFAC now is suggesting that you shouldn't,
you know, give in to these cyber terrorists. You know, different countries are kind of
choosing their tack on how they want to address paying cyber criminals.
And in the wake of sort of those changes, we might see the market shift.
There might be some more stabilization in terms of rates or coverage that's available.
But right now, it's really an inflection point for our industry.
If I'm the person who's in charge of managing these sorts of risks in my organization, turning the dials, setting the various types of resources,
how do you recommend I make this case to the powers that be? If I have to walk into the boardroom and
make my case for the types of things we need to defend against, do you have any words of wisdom
there? I mean, I would say you could look at the data if you're trying to convince somebody that
it's a problem, especially when you look at just the last year. I mean, we've had these big kind
of milestone cyber events and attacks. We've got Kaseya, we've got Accellion, we've got SolarWinds,
we've got this Log4j vulnerability, you know,
that was discovered last year in December. I mean, it's hard to ignore that the problem is pervasive.
And I think it's a foolhardy endeavor not to invest in shoring up your defenses against
those inevitable problems.
That's Tresa Stephens from Allianz Global Corporate and Specialty.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you, Dave.
So we would be remiss if we did not talk about the situation going on in Ukraine right now.
Certainly lots of policy implications for tech companies and
cybersecurity as well. Give us your overview. What are you tracking?
Yeah, I mean, there's so much that's involved in this rapidly developing story that relates
to what we talked about on this podcast and on Caveat. I mean, we've never seen this type
of hybrid warfare where there's kinetic action happening on the ground in Ukraine.
And then there's this cyber warfare, whether it's active cyber measures on the part of the Russian government, which we really haven't seen to the extent that I think we expected, or information warfare.
In that realm of information warfare, there is an article that caught my interest from Ars Technica entitled, Big Tech Spent Decades Skirting Geopolitical Issues. That is No Longer an Option.
And this theme has been echoed in other publications as well. All of the big tech
companies are interested in preserving their bottom line. They don't want to get involved
in geopolitical conflicts. They want to be neutral platforms where you can have users
with a variety of political viewpoints from all over the world.
You want the biggest market possible.
Just by the nature of what's happened over the past several days in Ukraine, they've been forced to make some decisions that go against that practice of neutrality.
Meta, the parent company of Facebook, has restricted accounts from Russian troll farms,
pretending to be Ukrainian citizens, you know, bloggers per se,
criticizing the Ukrainian government and praising the Putin government in Russia. Twitter has started labeling tweets from Russian state media sources
as tweets from Russian state media sources.
They've never engaged in that before.
A really interesting example to me is Google
obviously runs probably the first or second
most popular Maps application out there.
And they generally collect real-time traffic data.
So using their magic formulas,
they can figure out where traffic is bad,
which roads are clogged, which places in a given city are busy, or we could expect to be busy at
a given time. And because that information could be so useful to people who are fighting this war,
you know, people who have instigated this invasion, Google has gone to the extraordinary step of shutting down maps through Ukraine
so that Russian military forces
don't have access to real-time traffic data
about which roads are clogged,
where the refugees are trying to leave,
and, you know, information about
what parts of a given city are busy
because that could indicate, you know,
for example, where civilians are sheltering
or where civilians are planning counterattacks.
So I just think it's really interesting that we finally have a scenario here where tech
companies can't just sit on the sidelines.
I think they've seen what other international institutions have done and, you know, have
taken what's happened in Ukraine so seriously that they feel like they have to step up as well.
So I found that very interesting.
Yeah. Where do you suppose this goes?
I mean, do we ultimately, is this a case, we've seen, for example, oil companies divesting themselves from Russia.
Could we see similar things with the tech companies?
Simply, you know, could Twitter or Meta say, we're just not going to do business in Russia anymore?
See, that has its own drawbacks as well because, you know, all of these tech companies run platforms where there is at least theoretically the free flow of information.
Right.
And that free flow of information is critical at a time like this where if you're in Russia, the alternative is state-run media sources, which, to put it mildly, aren't always on the up and up in terms of telling the truth.
So if you shut down Twitter, that cuts off an avenue for Russian citizens to get actually accurate information.
Yeah.
Now, they might not get it anyway because of censorship and Russian government actions. But it's not as easy as just saying, you know,
for the betterment of Russian citizenry and for Ukraine, we're just going to get out of that market entirely. So it really is a difficult decision for these companies. You know, we've
seen rather large protests in the streets of some major Russian cities, Moscow, St. Petersburg, that probably
wouldn't happen if, you know, some type of free-flowing information had not made it into
the Russian populace, where they had some degree of information as to what was happening in Ukraine
and, you know, who was morally culpable. You know, it's certainly not as easy as just saying,
if you want us, you know to step out of the Russian problem,
just get out of the country entirely.
I don't think that's an adequate solution.
Right, right.
All right, well, we will keep an eye on it.
Time will tell, as they say.
Ben Yelin, thanks for joining us.
Thank you.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.