CyberWire Daily - Updates on the cyber phases of a hybrid war. Alleged booters busted. Progress report from the US anti-ransomware task force. Suspicion in AIIMS hack turns toward China.
Episode Date: December 15, 2022

Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared, and their sites disabled. A progress report on US anti-ransomware efforts. Suspicion in a cyberattack against India turns toward China. Bryan Vorndran from the FBI’s Cyber Division talks about deep fakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance (NCA) on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/239

Selected reading.
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government (Mandiant)
Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services (US Department of Justice)
Global crackdown against DDoS services shuts down most popular platforms (Europol)
Readout of Second Joint Ransomware Task Force Meeting (Cybersecurity and Infrastructure Security Agency)
US finds its ‘center of gravity’ in the fight against ransomware (The Record by Recorded Future)
AIIMS cyber attack may have originated in China, Hong Kong (The Times of India)
AIIMS Delhi Servers Were Hacked By Chinese, Damage Contained: Sources (NDTV.com)
Russia-Ukraine war reaches dark side of the internet (Al Jazeera)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Trojanized Windows 10 installers are deployed against Ukraine.
Alleged booters have been collared and their sites disabled.
A progress report on U.S. anti-ransomware efforts.
Suspicion in a cyber attack against India turns toward China.
Bryan Vorndran from the FBI's Cyber Division talks about deepfakes.
Our guest is Lisa Plaggemier from the National Cybersecurity Alliance
on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 15, 2022.

Mandiant this morning issued a report on activity it was observing in Russia's hybrid war against Ukraine. It's a supply chain attack in which Trojanized Windows 10 installers are being distributed to Ukrainian targets. The researchers track the activity as UNC4166, and while they're commendably cautious in attribution, they do note that, significantly, there seems to be an overlap between this round of attacks and the target list of Ukrainian organizations against which the GRU deployed wipers early in the war. Mandiant says, "While our analysts do not have enough info to attribute this operation to a previously tracked group, it has been active at organizations that were previously targeted by GRU-related clusters with wipers at the outset of the war. Of note, UNC4166 has actively targeted organizations that were historically victims of disruptive wiper attacks that Mandiant associates with APT28." APT28, of course, is our old familiar friend, Fancy Bear. As Mandiant observes, that's a GRU crew.

This current round looks like cyber espionage, as the activity observed appears to involve information theft. But, of course, information can be stolen for other purposes as well: sabotage, battle space preparation, and so forth. John Hultquist, head of intelligence analysis at Mandiant, emphasizes that this is a supply chain attack, and in that respect at least reminiscent of the SolarWinds operation. He said in emailed comments, "Though it's hardly as technically sophisticated as SolarWinds, this operation is similar in that it appears to be designed to compromise a large set of potential targets who can then be winnowed down for targets of interest. In this case, those targets are the Ukrainian government. We can't afford to ignore the supply chain. It can be used like a sledgehammer, or it can be used like a scalpel."
U.S. federal prosecutors in California and Alaska have charged six people with crimes involving booter services, that is, offers of DDoS attacks for hire. The charges allege violations, or aiding and abetting such violations, of the Computer Fraud and Abuse Act, and conspiracy to operate a booter service. In addition to the indictments, the FBI also seized 48 domains allegedly used in the crimes charged. The takedown was an international operation. Europol announced that the action was part of Operation Power Off, a cooperative effort by U.S., British, Dutch, Polish, and German law enforcement agencies against this particular segment of the C2C market. Europol also reports that a seventh arrest in the case has been made in the U.K.

The U.S. Justice Department notes that there's a public outreach component to the operation. Justice says, "In conjunction with the website seizures, the FBI, the United Kingdom's National Crime Agency, and the Netherlands police have launched an advertising campaign using targeted placement ads in search engines, which are triggered by keywords associated with DDoS activities. The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities."

CISA yesterday published a readout of the second meeting of the Joint Ransomware Task Force.
Six working groups have taken up various aspects of the ransomware challenge, and they're worth quoting as they offer some insight into how the task force sees its mission.

First, victim support. That's standardizing and synchronizing federal engagement with ransomware victims to offer services and assess any gaps to ensure that victims of ransomware incidents receive the necessary support to restore services and minimize damage.

Second, measurement. That's collecting data and metrics that will improve the cybersecurity community's collective understanding of ransomware affecting U.S. organizations and trends associated with actors, victims, and impacts, which will in turn inform U.S. government action to counter the threat, provide more actionable guidance, and evaluate progress.

Third, partner engagement. That's expanding operational collaboration and multi-directional intelligence sharing between JRTF members and non-governmental partners, including the private sector and the international community, to more effectively prevent, detect, and respond to evolving ransomware campaigns.

Fourth, continuous improvement: examining and compiling lessons learned from recent ransomware incidents in key sectors to address gaps in coordination, increase effectiveness of information sharing, and improve the federal government's response and preparedness posture.

Fifth, intelligence integration: leveraging the intelligence collection capabilities of all partners, process intelligence community analysis, and manage intelligence engagement with international partners to drive the planning and execution of synchronized JRTF operations.

And finally, campaign coordination: organizing existing interagency campaigns to disrupt ransomware actors and strengthen national cyber defense against ransomware operations, while also collaborating with relevant partners on new campaign efforts.
The Record cites comments by various officials to the effect that the task force is becoming the center of gravity of U.S. anti-ransomware efforts. Redacted's Director of Threat Intelligence, Adam Flatley, gave the task force good reviews in emailed comments. He said, "It's good to see that the JRTF continues to solidify its mission and build processes to support the mission. Both CISA and the FBI are well positioned to do great things in the cyber defense space and important parts of the ransomware actor disruption space." Of course, a lot of gangland isn't easily within reach, Flatley observes. "What remains to be seen is whether or not the JRTF will be properly empowered to truly leverage the whole of the U.S. government intelligence community to counter ransomware actors who operate from sanctuary in countries like Russia, where many ransomware gangs reside."

The Times of India reports that official opinion is turning toward Chinese operators
as the leading suspects in the cyber attack recently sustained by the All India Institute of Medical Sciences. A source told the press, "As of now, the server attack is suspected to have originated from a location in China and a location in Hong Kong." Theft of personal information has been the principal concern since the attacks began on November 23, NDTV writes.

Finally, it's well known that there had at one time been close relations among Russian and Ukrainian cyber criminals, geographically close and linguistically related as they are. Al Jazeera, however, describes the ways in which the war has broken many of those connections. Russia's war has moved its security and intelligence services to push for closer cooperation from the cybergangs the Russian state had long tolerated. This has gone beyond privateering and advice on permissible targets. Many of the criminal organizations have been diverted from what had formerly been their money-making rackets and into making themselves a nuisance for Ukraine and its supporters. This trend has been clearest in the rise of distributed denial of service attacks. It's not entirely patriotic side-taking, however, although that certainly plays a part. There's also a sense in Russian criminal circles that they can now expect Kiev's law enforcement and intelligence organizations to give them more hostile scrutiny than they receive from Moscow. Whatever they're up to, we say, shields up, everyone.
Coming up after the break, Bryan Vorndran from the FBI's Cyber Division talks about deepfakes. Our guest, Lisa Plaggemier from the National Cybersecurity Alliance, on the launch of their Historically Black Colleges and Universities Career Program. Stay with us.
The National Cybersecurity Alliance is a non-profit organization that promotes cybersecurity education and awareness. They recently launched the Historically Black Colleges and Universities Career Program, which aims to equip students with the necessary skills to navigate the search process for positions in security, privacy, and risk, helping to build a pipeline of Black professionals to fill the cyber workforce gap. Lisa Plaggemier is executive director at the National Cybersecurity Alliance.

What we kept hearing over and over and over again,
the constant theme, it wasn't like, oh, I really struggled with the academics or
things like that. It was, you know, somebody said my dad couldn't tell me not to wear an
orange blazer to an interview. I didn't know what to expect in the interview process.
I'd never written a resume before.
I had imposter syndrome walking in the door of a career fair at my school.
I didn't understand time zones.
So when I got an invite for an interview from another time zone,
I hadn't really kept a digital calendar before.
I missed the interview.
It was life skill things. It was things that, it was confidence. It was networking and having somebody to talk to. You know, a lot of us who were blessed with parents that went to college, it's kind of dinner table conversation. How you might conduct yourself in an interview, how you write a resume, how you write a LinkedIn profile, like what kind of questions you might get asked and what your answers might be to those questions in an interview.
And so if you think about people who grew up without that,
then there's a void there.
And that's not necessarily a problem that you solve in some,
you know, it's hard to wave the magic wand and in some scalable way fix that overnight.
Those are one-on-one relationships.
So that's what led us to the mentorship program, to offering the mentorship program.
And then just as far as the workforce problem, attracting more kids to the, and I'll say kids because I've got kids college age, there just isn't enough visibility of these careers.
What they know is what they see on TV and the movies when it comes to cybersecurity.
So how do we make it more real?
How do we show them that there are people just like them, who look like them, working in these jobs?
And that there's a lot of job satisfaction working in cybersecurity. I know we all focus on the burnout, everything,
but at the end of the day, we're helping people. We're protecting assets and people. So a lot of
that can be really rewarding for folks. So we have sort of mini career fairs, cybersecurity career fairs that we hold on campus.
And those are the two main tactics of the program right now are those in-person on-campus events
where we have a series of speakers that are people of color who work in security and privacy,
talking about their jobs, talking about what recruiters are looking for, what kind of skills
they're looking for, you know, how are they hiring? And then the other tactic is that mentorship program that anybody can sign up to be a part of.

What has been the response so far from those historically Black colleges and universities that you've reached out to?

Well, to be really honest, in some cases, it can be really challenging to work with them because they are so under-resourced and understaffed.
Just having an on-campus event, you know, when you have a career placement or career services office that only has one or two people in it, staff members, then I'm glad that we have the staff available to do some of the heavy lifting there, because you're holding an event.
So there's work to get done there.
Generally, they've all been really, really positive.
But when it comes to the logistics, we're there to help because a lot of them aren't super well staffed.
That's part of the problem is a lot of these schools don't get the resources that other schools get. So hopefully by driving this kind of engagement, you know,
we've had employers take tours of some of the schools. We've had a few schools that have opened
new cyber labs and they're excited to show those off to the sponsors. And so hopefully we're doing
more good beyond just the immediate interaction with the students. So far, we've been to Prairie View
A&M, St. Philip's College, and Texas Southern, all in Texas, and then Southern University A&M in
Louisiana. And next semester, we'll be going to North and South Carolina. We'll be going to
NC Central, South Carolina State, Winston-Salem State, Fayetteville State, and Claflin.
I think it'll be the end of February, early March when we do our North and South Carolina road trip.
For our own listeners, you know, folks who are out there and are inspired by what you're up to here, are there opportunities for people to contribute?
Yeah, absolutely.
If you have an hour a week or an hour a month per student, you can be a mentor.
We've got a software program that runs the whole mentorship program.
Not completely hands-off, but it's pretty helpful.
So we've got, if you go to staysafeonline.org and click on events and programs and scroll down, you'll see the HBCU program.
And all of it is explained there, including there's a box for mentors.
If you fill out that form on our website, that'll get you in our communication flow.
And we'll send you information on how to register in the mentorship platform itself.
And then once you're in there, there's training on being a mentor.
There's 12 different agendas that we've sketched out to guide your meetings with your mentor just to act as a guideline. But you can really do whatever you want with your time if your mentee has specific requests.
And so we've got over 100 people in there now that are actively having regular meetings.
And some of the testimonial statements we've gotten from both mentors and mentees have been
super encouraging. So hopefully those students who are getting the confidence they need to at least attend job fairs and put themselves out there.
For a lot of them, just getting themselves into the room is a little bit of a challenge.
It's just about confidence and their comfort level. And so having a mentor to help you through all that,
and we're allowing the students to stay in there
through their first year of their job
if they want to have a mentor.
Because who amongst us did not have a whole bunch of questions
that first year in our new job?
So yeah, we would love to see people sign up to be mentors.
The more schools we go to, the more kids are going to sign up.
And it's great to have people who are there waiting to be matched with a student.
You fill out a profile and then an algorithm matches you.
Or if you have a specific request, we can do that manually as well.
Like you want somebody in a particular stage or somebody that has a certain major or something like that, we can help with that.
That's Lisa Plaggemier from the National Cybersecurity Alliance.

And it's my pleasure to welcome back to the show FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to touch base today on deepfakes. Certainly been getting a lot of attention in the news lately. And your take on this from your position there at the FBI.

Hey, Dave, it's good to be with you today. Deep fakes are part of our normal
dialogue here, and we actually refer to them as synthetic content. But at the end of the day,
what they are are artificial intelligence, machine learning-enabled synthetic content
that realistically depicts something that did not happen.
The advances in AI and machine learning techniques will improve the speed, the believability, the scale, the ease of use, and the automation and the creation of that synthetic content or these deepfakes.
And it's really replicated in high-quality videos, certainly pictures,
audio, and texts of events, right? And it's becoming more and more of a prevalent conversation.
And when we look at it from a traditional rule of law perspective, if we think about how we
authenticate voices, obviously a deepfake voice and the need to authenticate that in real life
for evidentiary purposes in the rule
of law is becoming more and more of a prevalent conversation. I think most concerning to us is
that the barriers to entry are decreasing rapidly for the creation of synthetic content and deepfakes.
And so certainly your average person could use it for nefarious purposes, but also nation-state actors could use it to conduct
malign foreign influence campaigns, or a cyber criminal could use it to carry out a social
engineering campaign. As these barriers do decrease, right, we will likely see or hear
much more realistic audio and video that will truly be indiscernible to you or me. So, Dave, I'm also
prepared if you want to talk about kind of what is the FBI doing about it, what can the FBI do about
it, and what should the public look out for, but certainly can go back to you for any questions you
have. No, I think that's a great place to go here. I mean, what are some of the practical ramifications and your guidance?
So from an FBI perspective, the First Amendment gives all of us as Americans broad
protections in terms of speech, right? So while creating a deepfake video is not in itself
illegal, the creation of those videos or voices by a foreign power to influence American people is something we would definitely investigate.
But again, because of the First Amendment, we are limited in what I would refer to as, quote unquote, stopping it.
But we do partner up with other government organizations, researchers and technology companies to develop ways to detect the deepfake content.
And that's really an area we're collectively
focused on. You know, in terms of guidance for your listeners and what the public should look
out for, you know, when you look at deepfake videos, and there are some on the internet,
there will be visual anomalies, there will be discrepancies, there will be desyncing during
the video, there will be tearaways between the audio and video where there is not
syncing. There's also the ability to look at metadata to find out how the files were created
and where they were created. But the concern with metadata is it also can be manipulated,
so it's not a reliable indicator. So, you know, just one quick example that we could give you,
and it's an anonymized example, is, for example, a bank manager would receive a call from a director of a company that is a regular client and whose voice the bank manager recognizes quite well.
acquisition and that he needed the bank to authorize a large transfer, the bank manager would believe that the voice was authentic and speaking to the director of the company
and subsequently authorize the transfer.
So this is just one example how these deepfakes and these synthetic content can play out and
pose a number of threats to whether it's private business or whether it's the democracy of
America.
So certainly happy to take additional questions, Dave.
So is this the matter that this new technology, this rapidly evolving technology,
demands a higher level of scrutiny?
In other words, that bank manager that you're talking about might not be able to rely on
knowing the familiar voice of a
colleague or a client or something like that. They have to respectfully ask for additional verification.
Correct. And there will undoubtedly need to be evolutions in the due diligence processes for
authentication, whether it's photographs, whether it's audio, whether it's video, inclusive of audio, across the business sectors, but also across the national security and traditional rule of law spectrum, to your point,
because we'll need additional due diligence variables to make sure that what we think
we're seeing or hearing is actually what we're seeing or hearing. At what level do you all at
the FBI want to be informed about this sort of thing?
If I, again, I'm that bank manager and I get a call and I think it may be a deep fake,
should I make a call to my local FBI field office?
Yeah, we would encourage you to do so.
These threats are going to continue to grow.
We're not saying that they're going to grow at the same exponential curve that the cyber threats have certainly targeted the United States and its
equities. But they are going to continue to grow over time as the barriers to entry
decrease and as the speed of the technology improves in terms of creation to deployment
of the deepfake. And so we would encourage engagement with the FBI because we never know
who is behind the point of creation. And that could lead us to a nation state actor that is conducting other foreign malign influence campaigns.
And that's something very important to us.
All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us. Thank you.
And that's the CyberWire.

For links to all of today's stories, check out our daily briefing at thecyberwire.com.

The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.