CyberWire Daily - Updates on the cyber phases of Russia's hybrid war, including the role of DDoS and cyber offensive operations. Ransomware, bad and sometimes bogus
Episode Date: June 7, 2022

DDoS as a weapon in a hybrid war. Resilience in the defense of critical infrastructure. Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless. ...Rick Howard joins us with thoughts on trends he's tracking at the RSA conference. Our guest is Dr. Diane Janosek from NSA with insights on personal resilience. Effects of ransomware on businesses.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/109

Selected reading.
Ukraine at D+102: Ukraine's SSSCIP on cyber war. (The CyberWire)
Major DDoS attacks increasing after invasion of Ukraine (SearchSecurity)
The Russia–Ukraine War: Ukraine's resistance in the face of hybrid warfare (Observer Research Foundation)
Ukraine Symposium - U.S. Offensive Cyber Operations in Support of Ukraine (Lieber Institute: Articles of War)
Russia ready to cooperate with all states in cyber domain (UNI India)
LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it (CyberScoop)
Mandiant: "No evidence" we were hacked by LockBit ransomware (BleepingComputer)
Cybereason Ransomware True Cost to Business Study Reveals Organizations Pay Multiple Ransom Demands (Cybereason)
Average Ransom Payment Up 71% This Year, Approaches $1 Million (Palo Alto Networks Blog)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
DDoS as a weapon in a hybrid war.
Resilience in the defense of critical infrastructure.
Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless.
Rick Howard joins us with thoughts on trends he's tracking at the RSA conference.
Our guest is Dr. Diane Janosek from NSA with insights on personal resilience and the effects of ransomware on business.
From the RSA Conference in San Francisco,
I'm Dave Bittner with your CyberWire summary for Tuesday, June 7th, 2022.
Distributed denial of service attacks have become a defining feature of Russian cyber operations in its war against Ukraine. SearchSecurity, quoting research by NetBlocks, notes that DDoS attacks have affected
connectivity in Ukrainian cities and have also spilled into countries sympathetic to Ukraine.
Operators sympathetic to Ukraine have also conducted DDoS operations against targets in
Belarus and Russia. In these operations, the preferred targets have been media outlets.
DDoS has been a nuisance-level threat and not a decisive or even significant weapon.
A point that SSSCIP Deputy Director Zhora made during his media call yesterday
was to credit Ukrainian defenders with having blunted the effects of Russian cyberattacks.
The Observer Research Foundation has an independent report on the
resilience Ukraine has shown in the cyber phases of the hybrid war. Among the most consequential
Russian operations was the campaign to take out ground stations essential to the operation of
the Viasat network in Ukraine. Disrupted service was either restored or replaced quickly,
and the report speculates that Russia, expecting
a swift victory, was reluctant to strike Ukrainian infrastructure in ways that would render it
inoperable after a Russian conquest. This speculation is perhaps belied by subsequent
Russian willingness to reduce entire cities and their infrastructure to rubble. The report draws
three conclusions important to the cyber phases of any hybrid war.
First, despite its impressive modernization and known capacity for electronic and cyber warfare,
the Russians have found the going in the cyber battlefield difficult.
Of course, we cannot accurately assess the extent of assistance that the Ukrainians are getting
from cyber powers like the US and the UK. The second is the importance of resiliency of the digital systems,
which means there must be sufficient redundancy built in to be able to take on a determined
cyber adversary. Associated with this is the importance of the quality of the EW personnel,
since there is little room for error in the
cyber battlefield, especially when you are seeking to advance in contested territory.
Next-gen systems will probably have to incorporate artificial intelligence and
machine learning systems to achieve some of these goals. Another important lesson is the
important role that the private sector has, especially in the area of cyber
warfare. Ukraine has acknowledged Google's contributions with a peace prize, and Starlink
made an important contribution to the quick restoration of satellite communication.
Ukraine has disclaimed any offensive cyber operations against Russia, saying they're
either the work of hacktivists or of sympathetic nation
states, effective allies. In any case, Ukraine lacked the organizational capacity to mount such
offensive operations. So if indeed the U.S. and presumably other cyber powers generally hostile
to Russia are conducting offensive operations, as General Nakasone said last week, tersely and without
elaboration, does this make the U.S. a belligerent? In its journal Articles of War, the Lieber
Institute has published a thoughtful essay on the application of the laws of armed conflict
to cyberspace. It notes, first, that not enough is known yet about U.S. cyber operations to draw
an informed conclusion. From what is known, however, it seems likely that U.S. operations qualify as either lawful collective self-defense or qualified neutrality. For its part, Russia hasn't cared much for the
intervention General Nakasone alluded to. A report carried by UNI Sputnik quotes senior
Russian officials to the effect that
Russia is the one who's standing up for good behavior in cyberspace, that Russia is ready
to work out appropriate international legal arrangements with all states that are sober
about the threat of cyber warfare. The source quoted is Andrei Krutskikh, a senior Russian
information security official.
He goes on to denounce U.S. support in cyberspace for the Zelensky regime's attacks against Russia and warns that should the U.S. continue in its policy, it should expect a firm and decisive response from Russia.
The LockBit gang, version 2.0, claims to have successfully hit Mandiant,
but Cyberscoop and Bleeping Computer both report there seems to be nothing to those claims.
Mandiant has seen no evidence of any successful attacks,
and the purported evidence LockBit has been woofing
seems to have been culled from earlier hits unrelated to Mandiant.
Mandiant suggests an explanation for the imposture.
They say, based on the data that has been released, there are no indications that Mandiant
data has been disclosed, but rather the actor appears to be trying to disprove Mandiant's
June 2, 2022 research blog on UNC2165 and LockBit. LockBit was especially exercised by Mandiant's association of the
ransomware-as-a-service gang with Evil Corp. and by its suggestion that they operated in the
interest of the Russian government. They're apolitical, says LockBit, and they've got
affiliates all over the world. Cybereason has released the results of a study detailing the
effects of ransomware on business.
It was found that 73% of respondents have been the target of a ransomware attack in the last two years, up from 55% in 2021.
It was also found that paying the ransoms didn't make for better outcomes, with 80% of respondents that paid noting that they were victims of a second attack.
More than two-thirds of those surveyed report that their combined losses were between $1 and $10 million, and some
organizations reported significant boosts in their security programs and budgets as a result.
A few of the more interesting trends the study discovered were the weakest link may be in the
supply chain. They said nearly two-thirds of
companies believe the ransomware gang got into their network via one of their suppliers or
business partners. Ransomware disrupts business operations. Nearly one-third of businesses were
forced to temporarily or permanently suspend operations following a ransomware attack.
They also noted that organizations have trouble coping with double
extortion. They said 60% of organizations admitted that ransomware gangs were in their network up to
six months before they discovered them. This points to the double extortion model where attackers
first steal sensitive data, then threaten to make it public if the ransom demand is not paid.
Palo Alto Networks' Unit 42 has also been looking at
trends in ransomware. They see an increase in ransom payments. They say the average ransomware
payment in cases worked by Unit 42 incident responders rose to $925,162 during the first
five months of 2022, approaching the unprecedented $1 million mark as they rose 71% from last year.
And, as Cybereason also found,
the damage extends beyond the direct cost of any ransom payment.
Cybereason says that's before additional costs incurred by victims,
including remediation expenses, downtime, reputational harm, and other damages.
It's easy to get caught up in all of the technology on display here at the RSA Conference,
but it's just as important to focus on the human element of the industry.
Dr. Diane M. Janosek is Deputy Director of Compliance at the National Security Agency.
Her presentation here at the RSA conference is titled, Unleash Your Inner Resiliency.
It's not sustainable on a personal level to be in a constant surge.
We all have the ability to ramp up and to really charge hard.
But cybersecurity, you can't be in a sprint every day.
And because the threats are increasing in velocity, in sophistication,
cyber defenders can't sleep.
I absolutely love the cybersecurity field.
People are so committed to getting things done, to being secure,
to keeping the business running, keeping Americans secure.
But then you have to balance that.
If everyone's looking at you,
what are you doing for yourself?
Do you think that it's a particularly American problem? It strikes me that we wear exhaustion
as a badge of honor sometimes.
You know, look how hard I'm working.
I haven't slept in X number of days
and I haven't taken a vacation in two years.
But it's diminishing returns, right?
Right.
I'm so glad you mentioned that, Dave.
So people look at really hard chargers
and they realize what happens.
And a lot of times it's forced recovery.
Something happens and they have to,
you know, take a break.
You don't want to be in a position of forced recovery.
And so what you want to really make sure that you do is
don't use dedication as an excuse.
Being overworked is not healthy.
It's not a badge of honor.
It's showing that you don't trust your teammates.
You can't delegate.
People want to know that you have trust in them, that you believe in them, that you know that they've got it.
And if you're constantly there, never taking your own break, they won't feel that from you,
that you believe in them. And when people don't feel like you believe in them,
they're not willing to give their best. What about for the team leader? How does
that person go about making sure they're checking in on the folks that they work with, that they're
taking care of themselves, and also that that leader's doing everything they can to make sure
everybody's in a good place? I think saying exactly what you just said. When you start the meeting,
say, hey, I just wanted you to know that I'm here to talk.
You want to talk to me afterwards.
I do want to make sure I check in with you.
Let me know how I can help you.
Where is there, you know, can I offload something, give you more?
Are you ready for more?
You want to team more?
They may want to take more responsibility.
And so if you just say, communicate that, hey, I'm looking at this to make sure that
you're the whole person when you're here.
And when you're here, may not physically, if you're doing remote work,
you still want them to be physically present when they are there and really charged and energized and be like, hey, this is what I want to do. Yeah, I'm going to take a break to take my child to
soccer. But when I come back, I am fully present and I want to be fully present and I'm fully loyal. So being loyal does not mean you have to be exhausted.
It really strikes me that the leaders modeling the behavior they want to see
from the folks they work with is really key here. Because a leader can say anything they want about
taking time off, taking care of yourself. But if they're not actually doing it,
everyone else is going to interpret that
as being what the standard has been set at.
I agree.
And I'm probably not the best example, right?
Because I...
Do as I say, not as I do.
But however, you know, I don't believe in forced recovery. I want, if I feel like, oh my gosh,
I'm really kind of feel worn down or I'm getting grumpy or, um, I take a break. Right. So I really,
I mean, I am high energy and I work all the time. Um, but I have to have that insight. So the way
that I look at it is you have to have the insight into how you're physically responding and emotionally responding to the environment around you.
And if that's changing for some reason, look at yourself.
Oh, so-and-so is always giving me a hard time.
Maybe they're not.
Maybe you're the one that's actually just not having the patience
that you usually have because you're just kind of just worn out
and you have to recharge.
So having the insight into your own reaction to people's behaviors, it's not always them.
What are your recommendations then? I mean, clearly this is a problem, and my sense is that if we are gaining ground, it's not
happening very quickly. So how do we within cyber, how do we move that culture change forward?
Make a decision for yourself.
I mean, look around you.
You're going to see people that you believe have,
you know, a positive outlook.
And see what they're doing.
How are they handling their life?
Learn from them and then apply that to yourself.
There was a study done back in the
seventies on happiness and it's still true today. And it said, you know, with success doesn't come
happiness, with happiness comes success. So if you can, you know, find people that say, hey,
that person's, they're always, they're just happy to be here and they're, they always are delivering
and what's their trick? Talk with them.
If you surround yourself with people that, and then kind of say, what can I learn from that?
And then also invest in yourself.
So you're constantly having to do the job right, making sure your team is doing the job right,
making sure the company stays profitable or your business line stays up, especially with my world in the area of national security.
So doing all that, staying that,
but what are you doing for yourself for the longer term?
And setting the example.
Because at the end of the day, Dave, we all know this,
people want to work for inspiring, amazing, empowering leaders.
That's Dr. Diane Janosek from the National Security Agency.
And joining me once again is Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, you and I are walking the floors here at the RSA conference here,
and I'm eager to check in with you to see what sort of things are catching your eye so far.
I love RSA. It's kind of like a high school reunion for cybersecurity nerds.
You see all your old friends from years gone by, and the conversations just pick up where they left off.
I love coming here.
Yeah, yeah. So first off, you're spending some time over at the RSA bookstore?
Absolutely, because the Cybersecurity Canon Committee is out in force at the RSA conference.
We've set up a shelf or a desk where all the Hall of Fame books are available for buying at the bookstore.
And the bookstore has arranged some of the authors to come in and sign them.
So if you're looking to get the next big read in cybersecurity, wander over to the bookstore, see the authors, shake their hands.
They would appreciate it.
And pick up the next great book in cybersecurity.
They may even see you there.
They may.
Which is different than we've done all the last two years.
Yeah, yes, absolutely.
Well, let's dig into some actual cyber topics here.
I mean, you've been having some meetings.
What are some of the things that folks have been talking about?
Well, I got to go over to the Mandiant Press Conference, right?
And Mr. Hultquist is the VP of Threat Intelligence over there.
And he was talking about Ukraine and Russia
and why we haven't seen the giant cyber war
that we thought we were going to see
on the run-up to that effort, right?
And he made one interesting point,
is that the reason we haven't seen
a big cyber operation could be
because the Russians are having trouble
managing their infantry and artillery, right?
Coordinating what they're supposed to do
on the battlefield.
It looks like cyber might be third or fourth priority.
It's the reason we haven't seen major things going on in the country.
And I thought that was a really interesting point.
So they're just busy with the kinetic.
Yeah, more important things.
Yeah, that is a fascinating possibility.
What else?
Out on the floor here, I know you've been hearing a lot of people talking about virtual CISOs.
Yeah, you know, this is a kind of a phenomenon that's popped up in the last couple of years,
and I never really paid that much attention to it, but it looks like it's gathered some legs.
A lot of my old friends who were big time CISOs for Fortune 500 companies have decided they don't
want to be real CISOs anymore. They're going to be these virtual CISOs. And they kind of fly in and drop into an organization that needs some help and gets
everything organized. And then they get out the door. Show up like there's a hologram or something.
Yeah, that's the next thing. The next innovation. But it's a really interesting topic. And my hot
take on this is, I think that's the wrong direction. I mean, I like that my friends could do this and make some money doing that.
What's in it for the organization engaging instead of hiring, you know, a real CISO, in air quotes?
Yeah, it's a good question.
What I hear people talk about is, you know, real CISOs are expensive, you know, because they have all this experience.
And maybe they don't want to bring them on the staff.
And that's odd because they pay for other executives to be on the staff. Why would they need to be cheap about this?
Have you looked at the cost of a data breach lately?
Yeah, you know, we've never broken through that discussion. And, you know, we were talking
earlier today with some of our customers that walked by the booth that, you know, five years
ago, we were expecting that CISOs were going to be on the senior executive team, right? And it was just a matter of time until
that was just a normal thing. And that doesn't look like it's happening. It's happening somewhere,
in some places it's like that. But if this virtual CISO thing catches on, and I think it is,
we have lowered the gravitas of that position down to a contractor who comes in and fixes some things and then leaves later.
To be optimistic about it, some of my friends say,
well, one outtake of this could be they bring in this guy or gal to fix things
and then they eventually hire the CISO because now there's a program to run.
They come in and establish a program and then go
and then they might hire that person to be the CISO or they might do something else.
But it's a new phenomenon.
We don't know how it's going to go in the future.
So it could be level setting that that person comes in
and says, hey, this is what you didn't know you didn't know.
Yeah, yeah, it could be, right?
It could be the company's or the organization's first steps
into cybersecurity.
We don't want to commit fully to an executive,
but let's bring in someone to get us
going and then we'll see where we go from there. It's an interesting idea and something I did not
see coming. Yeah, absolutely. Anything you're looking forward to out there walking the show
floor? I have yet to go around the booth to see all the new companies out there. That's my favorite
part about RSA, right? Because it's like Mardi Gras over there. And I will be doing that later
on today. So I'll tell you later.
All right.
Sounds good.
Well, Rick Howard, thanks for joining us.
Thank you, sir.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliot Peltzman, Trey Hester,
Brandon Karp, Elliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.