CyberWire Daily - Updates on the crisis over Ukraine, as Russian cyber operations continue. Ransomware threatens OT. Ramnit remains a leading banking Trojan. Bots infesting some NFT markets. Agencies advise opsec.
Episode Date: February 1, 2022
No progress so far in talks over the Ukraine crisis, as Moscow's diplomacy and influence operations merge in a narrative of a Russia beset by armed Nazis, goaded on by a greedy America that doesn't want Russia competing in world markets. Ransomware and cyberthreats to OT systems. Ramnit is still up and at 'em in the banking Trojan world. Bots are following big brands in NFT markets, with predictable effects. Ben Yelin has an update on NSO Group's marketing attempts to the FBI. An introduction to Dr. Andrew Hammond and the SpyCast podcast. And sending that sample in for your doctor? Bro, buy locally. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/21 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
No progress so far in talks over the Ukraine crisis
as Moscow's diplomacy and influence operations merge in a narrative of a Russia beset by armed Nazis.
Ransomware and cyber threats to OT systems.
Ramnit is still up and at 'em in the banking Trojan world.
Bots are following big brands in NFT markets.
Ben Yelin has an update on NSO Group's marketing attempts to the FBI.
An introduction to Dr. Andrew Hammond and the Spycast podcast,
and sending that sample in for your doctor? Maybe best to buy locally.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 1st, 2022.
Yesterday's UN Security Council meeting over the Russian threat to Ukraine was marked by acrimony and small progress toward any resolution.
A brief portion of the exchange between the Russian and American ambassadors
is up on the New York Times' website.
A simultaneous translation of Russian Representative Vasily Nebenzia's remarks is up first,
accusing the Americans of playing to the crowd and making the world uncomfortable.
We are being asked to convene a Security Council meeting on unfounded accusations that we have refuted frequently. Furthermore, the open format for discussion proposed by the U.S. on this extremely sensitive topic is making this a classic example of megaphone diplomacy and working in public for the public. We do not think that this will help to bring this council together. Rather, we fully understand the desire of our American colleagues to whip up hysterics.
U.S. Ambassador Linda Thomas-Greenfield answered
that nothing makes someone feel uncomfortable more
than a few divisions assembled on their border.
You've heard from our Russian colleagues
that we're calling for this meeting to make you all feel uncomfortable.
Imagine how uncomfortable you would be if you had 100,000 troops sitting on your border in the way
that these troops are sitting on the border with Ukraine. Colleagues, the situation we're facing
in Europe is urgent and dangerous, and the stakes for Ukraine and for every UN member state could not
be higher. Russia's actions strike at the very heart of the UN Charter. This is as clear and
consequential a threat to peace and security as anyone can imagine.
But negotiations over the crisis continued today on a bilateral basis, as U.S. Secretary of State Blinken talks with Russian Foreign Minister Lavrov.
The Washington Post describes the sharp exchanges,
which include a Russian accusation,
probably intended more for domestic
than international consumption,
that NATO was deliberately marshalling actual literal Nazis, by which they mean Ukrainians
unfriendly to Russia, on Russia's borders. Ukraine, Russian representatives argued,
is on a path to self-destruction through its alleged abrogation of the Minsk Agreements,
which Russia sees as having effectively placed areas of the Donbass under Russian protection.
Russia's permanent representative at the UN said, If our Western partners push Kiev to sabotage the Minsk agreements,
something that Ukraine is willingly doing,
then that might end in the absolute worst way for Ukraine,
and not because somebody has destroyed it, but because it would have destroyed itself,
and Russia has absolutely nothing to do with this.
U.S. President Biden has already issued his own statement on the crisis,
warning yesterday that while the U.S. and its allies will continue to negotiate in good faith, quote,
if instead Russia chooses to walk away from diplomacy and attack Ukraine, Russia will bear
the responsibility and it will face swift and severe consequences, end quote. Swift and severe
consequences would include as a minimum sanctions designed to hobble the Russian economy and exact a personal cost from Russian leaders.
Russian President Putin held his own news conference earlier today, the New York Times
reports. He was no more ironic than were his ambassadors, although his tone was marginally
more moderate than it was when he last spoke publicly about the crisis back in December.
The whole crisis over Ukraine,
he said, is a provocation entirely made in America. Quote, their most important task is to contain
Russia's development. Ukraine is just an instrument of achieving this goal. It can be done in different
ways, such as pulling us into some armed conflict and then forcing their allies in Europe to enact those
harsh sanctions against us that are being discussed today in the United States, end quote.
Ukraine's accession to NATO would amount not only to a threat to Russian interests,
but a threat to world peace, because, Mr. Putin said, a well-armed and supported Ukraine
would find the temptation to invade and retake Crimea irresistible,
and that would draw the NATO alliance in, and that would produce a global war.
So, as Edward Luttwak once remarked, the aggressor is always on the side of peace; he seeks only to advance. War is the responsibility of an invaded party that has the effrontery to resist.
U.S. Deputy National Security Advisor for Cyber and Emerging Technologies Ann Neuberger
is in Europe for talks with NATO and EU counterparts
on a coordinated response to the cyber dimensions of the Russian threat to Ukraine.
CNN quotes an unnamed official as saying the purpose of her trip is to discuss, quote,
ways to enhance national and alliance resilience in cyberspace, including deterring, disrupting, and responding to further Russian aggression against Ukraine, neighboring states, and in our respective countries, end quote.
Security Week and CyberScoop both summarize recent reports of ongoing Russian cyber action against Ukrainian targets.
Russia's FSB and GRU have both been implicated in the cyber attacks by Ukrainian intelligence and security services.
Computing reports that the FSB's Gamaredon group is using eight novel payloads in its operations against Ukraine. The attacks are apparently intended both to
influence Ukrainian society, sowing mistrust and exacerbating fissures in civil society,
and to destroy data. Amid general expressions of European support, Ukraine is increasing the size
and capability of its army, announcing plans to increase its military end strength by 100,000
troops over the next three years, Reuters reports. In the nearer term, according to the AP,
Ukraine's military is constructing field fortifications and organizing irregular
formations to prolong resistance and exact a heavy human toll on an invasion force.
President Zelensky hopes for peace and urges calm,
but as the Military Times says,
the country as a whole seems to be preparing for the worst.
Some of the Russian cyber operations against Ukraine were pseudo-ransomware,
deploying destructive wipers that masqueraded as ransomware proper.
But actual ransomware remains a large and growing threat.
Such attacks pose a threat not just to data security and availability,
but to operational technology as well.
Mandiant reports that one in seven ransomware attacks
compromises sensitive information about operational technology.
Security Week reports that such information
could be exploited in cyber-physical attacks. Mandiant observed, quote,
access to this type of data can enable threat actors to learn about an industrial environment,
identify paths of least resistance, and engineer cyber-physical attacks. On top of this,
other data also included in the leaks about employees,
processes, projects, and so on, can provide an actor with a very accurate picture of the target's
culture, plans, and operations. Even if the exposed OT data is relatively old, the typical
lifespan of cyber-physical systems ranges from 20 to 30 years, resulting in leaks being relevant for reconnaissance efforts
for decades, much longer than exposed information on IT infrastructure.
Much concern about the possible attacks on infrastructure during the ongoing conflict
between Russia and Ukraine focuses on oil and gas delivery, since Western Europe and Germany in particular are heavily
dependent on Russian natural gas. Should sanctions affect the Nord Stream 2 pipeline,
or should Russia decide to interrupt deliveries of natural gas, shortages would weigh heavily
on NATO and the EU. The U.S. has been seeking to find alternative sources of natural gas for its allies,
but that's not a trivial task.
Coincidentally or not, but probably coincidentally,
the German business publication Handelsblatt reports that the gasoline distribution firm
Oil Tanking Deutschland says that it's come under an unspecified but disruptive cyberattack
that the firm is working to contain and resolve.
IBM has released a study of the well-known Ramnit banking Trojan,
finding that it led its category of crimeware and paycard theft during 2021.
By malware standards, Ramnit is positively venerable, having been in circulation for more than a decade.
The top brands that have recently been targeted are in the travel and lodging sectors,
but Ramnit's operators have been widely active.
It's not just Grinch bots buying all the candy before Halloween, all the toys before Christmas,
or, for that matter, all the chocolate and lingerie before Valentine's Day.
Scalping bots are now after NFTs as well as the old familiar tangible gewgaws and baubles.
PerimeterX reports that bots are following major brands into the NFT markets.
Some of their activity is fraudulent in that attenuated sense in which a scammy non-fungible token can be said to be inauthentic,
as opposed to merely competing.
But much of it is proceeding along the familiar lines of market manipulation,
sometimes driving prices down, at other times driving them up.
Three U.S. federal agencies have issued alerts this week.
The FBI warns, largely on grounds of a priori probability, that the
Olympic Games will afford hackers of many kinds attractive targets. More pointedly, the Bureau
also advises those traveling to the Games that foreign intelligence services can be expected
to attempt to compromise any devices the travelers bring with them. The Federal Trade Commission,
according to the Wall Street Journal,
reports that ad fraud in social media is a growing threat.
Scammers use the tools available to advertisers on social media platforms
to systematically target people with bogus ads based on personal details,
such as their age, interests, or past purchases, the FTC says.
And finally, the National Counterintelligence and Security Center warns that foreign intelligence services are attempting to gain access
to individuals' medical information by requiring providers of diagnostic services
to share such information with their governments.
So if you're in the market for a mail-order colonoscopy,
and you know who you are, best to buy American.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is
critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Learn more at blackcloak.io.
And I'm pleased to welcome back to the Cyber Wire podcast, Andrew Hammond.
He is a historian and curator at the International Spy Museum,
also a public policy fellow at the Wilson Center.
Andrew, great to have you back.
It's great to be back.
Today we are celebrating the fact that the official podcast of the International Spy Museum called Spycast is joining the Cyber Wire Network.
So excited to have that happen. Welcome aboard.
Thank you. I felt like a cousin, but now I feel like a sibling.
Well, before we dig into some of the details about to start is we have an Aladdin's cave of artifacts.
We have, and this is in the Guinness Records book, if you don't believe me,
we have the world's preeminent collection of intelligence and espionage related artifacts.
So we showcase that in a series of exhibits.
And then like most museums, we have programs that augment and extend the work that we do and the exhibits.
So SpyCast, our long-running podcast, is an example of that.
And that's been around for 16 years.
We've got over 500 episodes.
So we've been around for quite a while, but I'm excited by this new chapter with Cyberwire.
And so the Spycast podcast itself, can you give us an overview of the type of things
folks might expect to hear? Absolutely. One of the ways that I like to think about it is
intelligence and espionage is like an ecosystem. It's like a huge coral reef. And what we try to do on the show is I put on my
scuba equipment and I go to the places where the show-stopping main draw fish are, but I also go
looking for the weird-looking eels and the other things. So every week we explore some part of that
coral reef. So in the past, you know, just some of
the headlines that I could share with your listeners, we've had on CIA directors, NSA, GCHQ,
MI6. But it's not just about the past. In their first month with Cyber Wire, we're going to have
the NATO intelligence chief on. We're going to have Joe Weisberg, the creator of The Americans, on the show. Further down the pipeline, a couple that I'm particularly interested in is El Chapo and intelligence and the IRA and intelligence. So the Irish Republican Army.
And for your listeners, they may also be interested in some of the other stuff that we have coming up. There's one that's a former CIA case officer who became a cyber entrepreneur.
And there's another one with another CIA case officer who's involved in strategic cyber. So
I think that there's, what we try to do is just look at the past, present, and future
of intelligence and espionage
and all of its dimensions.
One of the things I really enjoy about a visit to the Spy Museum,
and we should say it's right down in the middle of everything down in Washington, D.C.,
is the combination of the artifacts themselves with the rich, deep storytelling
that you all put into the exhibits. And I think
that extends to the podcast as well, that, you know, the rich history of the things that you
all have collected, but put into context with the stories from around the world.
Absolutely. We should get you over here, Dave.
I mean, I think you're absolutely right.
It's the stories that bring the artifacts alive, right?
So we've got great artifacts,
but we've got just incredible stories attached to them.
And that does transfer over to the podcast.
So for example, last year I interviewed a 100-year-old lady who was in Los Angeles, but during the Third Reich she was a young Jewish woman that went undercover in Nazi Germany. That's like one of those doozy stories that comes along every now and again. So there's just incredible stories that are attached to the artifacts. And you're right, our location is amazing. We're between the Mall and the river. If anybody wants to come to the Spy Museum, it's really nice down by the Wharf now.
Yeah, the location. I mean, another interesting thing about the location is, you know, maybe New York could also be a contender, but
this is one of the global epicenters of intelligence and espionage. This is a city of spies,
and it wasn't just during the Cold War, it's happening now. So we're really at the center
of the action in many respects. Yeah, there's really something for, I'd say, you know, kids
of all ages, folks interested in this sort of thing.
If you do make it to D.C., it's on my list of must-visit places.
And as I said, we are excited to welcome the Spycast to our network of shows.
Excited to have you aboard.
So we encourage everyone who's listening to this podcast to check it out.
It's Spycast.
Andrew Hammond, thanks for joining us.
every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast,
which if you have not yet checked out, what are you waiting for?
It's a great show.
You should check it out.
It's a lot of fun.
Do it.
Ben, good to have you back, Ben.
I will endorse that view. It is a great show.
And good to be back with you, Dave. Yeah, absolutely. I want to touch base with you
because the ongoing saga of NSO Group and their Pegasus spyware continues and had some interesting
reporting from the folks at the New York Times Magazine about this. What's the latest, Ben?
Yeah, so we found out some new, really interesting information.
We have covered the NSO story on this podcast and on the Caveat podcast for a long time.
This is the world's most potent spyware, as the New York Times calls it, Pegasus, made by the Israeli company NSO.
It's been used for beneficial purposes by countries all around the world to track terrorists,
drug cartels. It was the
technology used to obtain the
drug cartel ringleader
El Chapo in Mexico. But it's
also been used for ill. So many
countries who have purchased
this Pegasus spyware have used
it to spy on journalists,
dissidents, etc. So that's why it's particularly
controversial.
This investigation by the New York Times Magazine
uncovered a couple of pieces of really interesting information.
The first is that our own FBI was interested
in purchasing this Pegasus spyware,
even though the NSO has been blacklisted by the American government.
And they wanted to use the spyware for domestic surveillance purposes.
We don't know exactly what that would have entailed or what sort of criminal investigations
the FBI thought would justify the use of this type of spyware. But nevertheless, we find out
in this investigation that the FBI abandoned plans to purchase the spyware in the middle of 2021.
So it was interested, but it ultimately decided against it.
Notable that it happened six months into a new presidential administration.
The other key piece of information here is that Pegasus and the spyware itself,
and also NSO, has been a key part of the diplomatic strategy for the Israeli government. So they've used this spyware as sort of a key component of their diplomatic negotiations. Particularly in 2020,
they came to these series of agreements with countries across the Arab world,
these so-called Abraham Accords. And as part of those accords, they offered to provide this
spyware for these governments. Some of these governments,
you know, particularly countries like Saudi Arabia, are using them for nefarious purposes,
you know, spying on journalists, spying on political dissidents. But Israel sees this
spyware and this company as one of its assets in diplomatic negotiations. This is something it can
offer its partners in diplomatic negotiations. So those two pieces of information, I think, were the new nuggets to come out of this
investigation. And then there's, of course, the fact that this was all leaked to the New York
Times magazine. They said that they obtained this information. So I'm certainly interested in,
you know, who's doing the leaking and what their motivation is for leaking this information.
It's interesting that the FBI ultimately thought better of it.
Have to wonder if the fact that it was banned and so much controversy about it, a general knowledge about it in the public, you know, was it too hot to handle or whatever was behind their decision-making process?
But suppose, I mean, hypothetically, if we went down that path and the FBI decided to use something like this, is this the kind of tool that's normally inbounds for them, that this is the kind of thing they would use regularly?
Yeah, I mean, so there's no limit on surveillance technology just based on the nature of the technology itself.
It depends on whether the people who are allegedly being spied on have a reasonable expectation of privacy.
Then if they have that reasonable expectation of privacy, you have a Fourth Amendment search.
And then those searches have to be reasonable. And one way you can determine reasonableness if there's no warrant is weighing the security interests of the government or the government's, whatever the
government's interests are, against the potential invasion of privacy. But there's nothing, you know,
in our Fourth Amendment jurisprudence that says, per se, once you get a technology that, say,
breaks, you know, end-to-end encrypted applications, that is illegal.
The government can't use it.
That's just not the way our Fourth Amendment jurisprudence works. It really depends on how that technology is being deployed.
So domestic agencies certainly could have used Pegasus spyware.
They use all different types of, as we've talked about on this podcast in Caveat,
whether it's state law enforcement agencies or the FBI,
they use illicit surveillance methods all the time in a variety of realms.
So this certainly would have been,
depending on how they used it, inbounds for law enforcement.
Now it's a little complicated when you're talking about encrypted applications
because people are trying to conceal their communications.
They do have a subjective expectation
of privacy.
I think that expectation is reasonable
given how robust
end-to-end encryption is.
Maybe the
assumption that your communications are going to
stay private might change
if people realize that this technology
exists.
A company, NSO,
is advertising that this can be a valuable intelligence tool
into the window of a person who is using
this type of technology.
Yeah, it's fascinating. Well, interesting developments for sure.
Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Thanks for listening. We'll see you back here tomorrow.
also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.