CyberWire Daily - US unseals cases against PRC intelligence officers. Daixin ransomware is an active threat. FBI warns of Iranian threat group. Iran’s nuclear agency discloses hack. Hybrid war and threats to infrastructure.

Episode Date: October 24, 2022

Breaking: US unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of Iranian threat group's activity. Meanwhile the Iranian nuclear agency says its email was hacked. Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. And cyber offense may be proving harder than thought.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/204

Selected reading.
CISA Alert AA22-294A – #StopRansomware: Daixin Team. (CyberWire)
#StopRansomware: Daixin Team (CISA)
CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware (The Hacker News)
Iranian Cyber Group Emennet Pasargad Conducting Hack-and-Leak Operations Using False-Flag Personas (FBI)
FBI warns Iranian hackers active ahead of the U.S. midterms (NBC News)
FBI Warns of Attacks From Iranian Threat Group Emennet Pasargad (Decipher)
Iran Hackers Behind Attempt on US Election Are Still Active (Gov Info Security)
FBI warns of ‘hack-and-leak’ operations from group based in Iran (The Record by Recorded Future)
Iran's Atomic Energy Agency Says Its E-Mail Server Was Hacked (RadioFreeEurope/RadioLiberty)
Iran says ‘specific foreign country’ behind hacktivist leak of atomic energy emails (The Record by Recorded Future)
Iran’s Top Nuclear Agency Says Its Email Servers Were Hacked (Bloomberg)
Ukraine Could Still Face Cyberattacks, Experts Say (CNET)
Fears over Russian threat to Norway's energy infrastructure (AP NEWS)
Norway PM: Russia poses ‘real and serious’ cyber threat to oil and gas industry (The Record by Recorded Future)
Ukraine war cuts ransomware as Kremlin co-opts hackers (The Telegraph)
Q&A: Kenneth Geers on the cyber war between Ukraine and Russia (The Record by Recorded Future)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. In breaking news, the U.S. unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of Iranian threat group's activity. Meanwhile, the Iranian nuclear agency says its email was hacked.
Starting point is 00:02:21 Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry, and cyber offense may be proving harder than thought. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 24th, 2022. The U.S. Department of Justice this afternoon held a press conference to announce the unsealing of three cases against 13 Chinese nationals, including 10 Chinese intelligence officers. Attorney General Merrick Garland outlined the cases. The first involved charges against two Chinese intelligence officers
Starting point is 00:03:33 who allegedly bribed a U.S. citizen, an insider, to reveal sensitive and non-public information about the U.S. prosecution of a Chinese telecommunications company. In fact, the person they recruited was a double agent and not a genuine asset. The Justice Department declined to name the Chinese company involved in the prosecution. The second case involved the activities of a front Chinese academic organization, a fake think tank that had allegedly been engaged in both theft of U.S. intellectual property and in the suppression of constitutionally protected free speech regarded as embarrassing to China.
Starting point is 00:04:13 Four individuals were charged in that case. Finally, the third case, in which seven individuals were indicted, involved China's Operation Fox Hunt, a long-running program of forcibly repatriating Chinese who have emigrated to other countries and who are regarded as a threat to the reputation or security of the People's Republic. Chinese agents are alleged to have hounded victims and their families with physical intimidation, frivolous lawsuits, threats, and other harassment, promising that these would not stop until the victims returned to China. Assistant Attorney General Lisa Monaco said the cases were all prompted by China's unrestrained pursuit of world power, especially world economic power, unconstrained by international norms or respect for other nations' sovereignty.
Starting point is 00:05:04 And FBI Director Wray said that anyone approached by Chinese intelligence services could count on the full support of the Bureau. CISA has warned that the Daixin Team, a criminal ransomware group, is currently active against U.S. organizations. The joint alert says, in part, the FBI, CISA, and HHS are releasing this joint CSA to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses,
Starting point is 00:05:38 predominantly in the healthcare and public health sector, with ransomware and data extortion operations. The Daixin Team, which is believed to deploy a leaked version of the familiar Babuk ransomware, is thought to gain access to its victims through vulnerable virtual private networks, that is VPN servers. They exploit either unpatched vulnerabilities in the VPN server, or they use credentials they've obtained through phishing campaigns. So, the episode reteaches two old familiar lessons,
Starting point is 00:06:12 keep your systems patched and up to date, and beware of social engineering. The FBI has warned enterprises that Iranian hacker group Emennet Pasargad, a hacker group with ties to the Iranian government that tried to interfere in the 2020 election, is currently active. The bureau says it is engaged in hack and leak operations of a kind familiar from earlier election cycles.
Starting point is 00:06:39 Decipher reports that the FBI says the group uses network intrusions along with information operations and fake personas that exaggerate and amplify the group's operations. They have also been seen exploiting vulnerability CVE-2021-44228, or Log4Shell, to get into a U.S. organization's server, GovInfo Security reports. The threat actors use open-source penetration testing tools, look for vulnerabilities in content management systems, and websites running PHP code or those with externally accessible MySQL databases. If you think you know any of the folks involved in
Starting point is 00:07:20 Emennet Pasargad, there may be a reward in it for you. The State Department has announced a reward of up to $10 million for information about members of the group. That particular reward is in addition to the cool $10 million already announced for information about two of the group's operators, who are also on the FBI's most wanted list. Iran has also been on the receiving end of a cyber attack. Radio Free Europe Radio Liberty reports that Tehran's atomic energy organization, the country's main nuclear agency, disclosed yesterday through state-run media that one of its email servers had been compromised. The disclosure came a day after Black Reward, which presents itself as a dissident Iranian hacktivist group, claimed on social media that it had gained access to the internal email system of Iran's nuclear power production and development company.
Starting point is 00:08:15 The atomic energy organization said that the motive of the hack was to attract attention. In a sense, that may be correct insofar as Black Reward says it conducted the operation in solidarity with ongoing protests against the regime, doing it, The Record quotes the group as saying, for women, life, and freedom. Bloomberg says that an internal investigation of the cyber attack is underway. The investigation into the Nord Stream sabotage continues, but Norway is already seeking to improve the physical security of its North Sea oil and gas production operations, and the AP reports that Oslo hasn't been shy about naming Russia as the threat. It's noteworthy that seven Russian nationals have been taken into custody by Norwegian authorities in connection with their operation of drones over Norway.
Starting point is 00:09:08 A small drone is unlikely to do much damage to oil infrastructure, but the drone activity has been so obvious that observers think the point is intimidation and not actual damage, drones having become the bugaboo of Russia's hybrid war. Norwegian authorities are also concerned, according to The Record, about the risk of Russian cyber attack against its oil and gas sector, but there also seems to be a growing sense that such disruptive cyber operations may be more difficult to carry out than had been feared earlier in the war. Another piece in The Record
Starting point is 00:09:45 suggests that the war so far suggests that cyber defenses are improving to the point where they're able to deny attackers success. And it may also be that Russia has so neglected its own cyber defenses in favor of developing an offensive capability that Moscow's own capabilities have been degraded by Ukrainian and possibly allied attacks. In any event, Russia has shown a willingness to hit Ukrainian infrastructure as hard as it can kinetically, but the once widely feared disabling cyber attacks against the power grid in particular have failed to materialize. That's not to say that Russian cyber operators have been completely idle or that they've been the dog that didn't bark. But their operations, those by Killnet to take
Starting point is 00:10:32 a prominent example, have tended to look more like crime than disabling nation-state operations. Distributed denial of service, that is DDoS, and ransomware have been their characteristic modes of attack, and there are some indications that they've been pulling some of the gangs away from their usual activities. Digital Shadows late last week published its regular quarterly report on the state of ransomware, and the company noticed an overall decline in the incidence of ransomware attacks. The Telegraph yesterday published an appreciation of those results, informed by conversations with Digital Shadows researchers. Part of the drop is due to the co-opting of Russian criminal gangs
Starting point is 00:11:14 into Russia's war effort, diverting them from their customary criminal activities and onto targets more likely to have a combat payoff. Digital Shadows threat intelligence analyst Rayam Kim-McLeod told The Telegraph, the war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities. Coming up after the break,
Starting point is 00:11:49 Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:26 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:13:03 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Ann Johnson is host of the Afternoon Cyber Tea podcast right here on the Cyber Wire Network.
Starting point is 00:14:16 And she recently spoke with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Here's an excerpt from that conversation. So can we start with a little bit of historical context? Why do you think employers have had such a high bar of entry into their cyber programs? And what was the thinking from cyber leaders on the skill sets they needed in the past? Yeah, it's a great question. And I think there's a few reasons why.
Starting point is 00:14:36 I think with the importance of cybersecurity and how cybersecurity has become so important to companies at the highest levels, where you're talking about cybersecurity at the board level. The SEC has recently mandated that companies of certain size have cyber representation on the board. I think because we're seeing that cyber is so important, companies reacted to that with, oh, we need to hire unicorns. We need to hire people that are the perfect fit to have all of these skill sets to build our cybersecurity programs, because if we don't, we're going to fail since there's so many eyes on this.
Starting point is 00:15:08 And I think that that fear seeped into the hiring process and created these really high bars of entry for folks getting into the cyberspace because of that. I think also, you know, there's a ton of gatekeeping because of the challenges that people that, you know, kind of started this whole cybersecurity thing and sector, they had to go through a lot to get into the field. And now with the advancement of certifications and the boot camps and just the many different ways that people can get into the field, I think the folks that are in position to hire people into cybersecurity are looking for folks that went down the same exact paths as them, the same exact schooling, the same exact backgrounds. So today, what do you think business leaders should be looking for if we're balancing that need for mitigating their risk, but also being more expansive and also not necessarily looking for this huge list of credentials? How do you think we can help business leaders balance that? And what skills really are important?
Starting point is 00:16:11 Yeah, I think one thing with cyber that I think is super important to look for if you're going to have a successful career in this field is you have to care. You have to actually care about this industry because it's hard. It's challenging. There's going to be things that you don't know, and you're going to have to be very comfortable being uncomfortable. So really making sure that folks care about the job, they care about the mission that you all have from a company perspective and protecting the data that's there, I think is really critical. But what programs or communities do you think that people who are trying to break into the industry should be leveraging?
Starting point is 00:16:46 How can someone who's early in career market themselves to employers and how can they get the intention of employers? First and foremost, the LinkedIn platform is probably the most underutilized social platform out there when it comes to networking and building a brand that can help. And then the other thing that I would suggest from a tactical perspective on LinkedIn is to really reach out and try to get folks on calls. People that are in roles that you think you want to be in. If you want to be a pen tester, find a pen tester to talk to about what they do.
Starting point is 00:17:15 Read their resume, read their background, and just learn from folks that have been there and done that. Josh Ray from Accenture is a regular guest here on the Cyber Wire. And I recently spoke with him about threats to the satellite industry. Here's my conversation with Josh Ray. What's the business imperative here? Why organizations should care about this topic? And I think it has a lot to do with the fact that how this satellite infrastructure can be deployed really with significantly less terrestrial investment to rural or underserved areas
Starting point is 00:18:02 across the globe. And I also kind of think that the redundancy component for companies and their communications from things like natural disasters, the ability to expand into new markets at lower cost, access to geographic regions where things may be problematic to lay fiber due to, say, natural topography or geopolitical instabilities. But also consider this. We saw cloud as the first concept of virtualization into these centralized cloud services. We can really foresee space-borne virtual visualization via, say, a satellite constellation,
Starting point is 00:18:42 which will really enable this notion of supercomputing functionality and ultimately better efficacy and transmission paths for communication media. So that's kind of the business imperative. But really with that comes this notion of an expanded attack surface. So what are some of the security concerns here? Yeah, I was speaking with a colleague of mine, Chris Hudson, I guess, Cosmos 1408. And then you have non-kinetic physical weapons, high-powered microwave, electromagnetic pulses, lasers, et cetera. And then you have this notion of cyber, of course, which I think is most applicable. But cyber really does present this lower barrier of
Starting point is 00:19:40 entry from a threat capability standpoint. And we've seen this rapid proliferation of commercial satellites and the demands for Starlink equipment and Viasat terminals, which has really given way to attacks like we saw during the Russian-Ukrainian conflict against the Viasat terminal. And this one was actually really interesting in the sense that, generally speaking, a misconfigured VPN server was exploited that allowed access to the actual management terminal. So once the actor was able to gain a foothold there, they established some malware that caused the denial of service against the satellite software. So it wasn't necessarily the design of the satellite that was the problem, but absolutely the satellite communications were affected. And this really illustrates an important point around interoperability and how this is very much a significant issue. Well, let's dig into that. I mean, where do we stand when it comes to
Starting point is 00:20:41 those sorts of interoperability standards? So you have the threat component, and then you also have this concept of ASI, or adjacent satellite interference, and also speaks to the rapid growth that we're seeing in this industry. So, for instance, as more satellites are emerging from, say, new countries, and the commercial companies are driving growth, we see the potential for, you know, confusion around how we track satellites and understand the ownership, which could also cause a significant interference in the communications piece. Is this something where we're going to have to have international agreements? Is this an area for treaties? How do we come at this? Yeah, I think that's a really important piece. I mean, there's going to need to be some things
Starting point is 00:21:31 around regulations and governance. And there are some industry standards that are being worked on and some proposed legislation, but there really are no concrete, decisive standards of interoperability between space and, say, ground systems that are in practice. And this is a major concern, especially as the commercial entities are continuing to enter into the market. Also an area where, you know, I would call for public and private sector to kind of really stack hands here so we can get the most, I'd say, commercially viable and secure outcome possible. Do you know of any specific events or incidents where an operator of satellites detects that someone is poking around, testing out to see if perhaps something might be vulnerable?
Starting point is 00:22:21 Does that sort of thing go on? Well, I think it does. And I think the Viasat piece really kind of highlights the use case that I mentioned before. But I think we're really going to start to see this blurred lines between commercial space and military space, right? So governments are already starting to seek guidance to see how they can actually get more remote sensing information from commercial suppliers. So if this happens as, say, just a matter of course, we think that the commercial satellites could be seen as potential military targets, even if its use was really purely for, say, a commercial application. Yeah, what an interesting thing to ponder just from a critical infrastructure point of view. If you have that blurring between civilian use and potential military use, that really makes things fuzzy, doesn't it?
Starting point is 00:23:13 It absolutely does. And really, you know, one of the things that we take for granted very badly is this notion of GPS, right? We all leverage that every single day, but it can be manipulated, right? And we're starting to see more smart factories where robotics are being deployed for, say, cost-cutting and for safety purpose. But imagine just rebroadcasting or spoofing GPS changes that could affect these robots or cause them to collide. So a regular, relatively straightforward attack carries with it a significant opportunity for revenue loss, property damage, and physical safety concerns. And I think that really from a cybersecurity perspective, there is a potential risk that as the application of
Starting point is 00:23:59 satellite infrastructure becomes a lot more prolific, it's not treated in the same way that, say, your terrestrial IT infrastructure will be. So what I mean by that is, you know, you think about something like a satellite terminal, which is designed to really purely communicate upstream and downstream to, say, a remote surface. And this is not something where the operators or the developers really have thought that it's going to be internet-enabled or part of that broader ecosystem. So you'll see things probably like just SSH or FTP-hosted devices, which are not properly secured or patched. And it really makes me think about kind of the early days of OT security and IoT security,
Starting point is 00:24:52 where we have to be thinking much more broadly now about not only just the communications mechanisms, but that broader supply chain and that ecosystem as well. Yeah, that's fascinating to consider. All right. Well, Josh Ray, thanks for joining us. Thank you, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:25:24 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado.
Starting point is 00:26:04 Cozy up with the familiar flavors of pistachio or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's the Cyber Wire.
Starting point is 00:26:29 For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester,
Starting point is 00:27:01 Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Thanks for listening. We'll see you all back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:28:21 That's ai.domo.com.
