Ransomware and privateering. A call for clarity with respect to cyber deterrence. Reaction to coming TSA cybersecurity regulations.

Summary

By the CyberWire staff

At a glance.

Ransomware and privateering.
A call for clarity with respect to cyber deterrence.
Reaction to coming TSA cybersecurity regulations.

Privateering with ransomware?

Flashpoint researchers are tracking the resurgence of the well-known REvil ransomware gang, which is making an attempt at a comeback in the Groove collective's criminal RAMP forum:

“The ‘REvil’ profile on RAMP was created on October 6. In a post underneath its profile, REvil advertised their affiliate program in detail and claimed that their practices are anonymous and secure. REvil followed up their post with a claim that it will wait until November to begin actively recruiting affiliates on RAMP. Cybersecurity analysts note that this post follows a report that REvil was scamming their affiliates through a backdoor in their ransom code."

Security firm Mandiant yesterday released a report on FIN12, an "aggressive, financially motivated" ransomware gang noteworthy for its concentration on healthcare organizations. FIN12 appears to be a Russophone group, and is in all probably based in Russia. Its victims have been concentrated in North America, but there are recent signs that the gang is branching out to Europe and Asia. It doesn’t hit Russia or, usually, the former Soviet Republics in the Near Abroad, a group of countries sometimes known by the name of the moribund association that connected them--the Commonwealth of Independent States. Circumstantially, at least, it looks like privateering.

FIN12 also isn't the only group operating against targets where a reasonable person would see a direct human cost. In the case of FIN12, it's healthcare. In the case of BlackMatter, it's agriculture. NBC News reviews BlackMatter's recent attacks against grain cooperatives in the American farm belt. The timing of the attacks is troubling, coming as they do around the time of the harvest.

Roger Grimes, data-driven defense evangelist at KnowBe4, points out that it's no accident (as we remember Pravda saying, back in the day) that so many of the ransomware gangs operate from Russia (or for that matter, from North Korea):

"If it isn't nation-states directly supporting malicious hackers and actively providing a cybercriminal safehaven, then they are at least knowingly allowing it. In Russia, it is widely believed that its law enforcement and government officials are personally and directly profiting off of cybercriminal activity, actively taking bribes to overlook criminal activity. I am not sure if that is true, but it often appears that way. One of the top Russian cybercriminals who is sought under warrant by the U.S. government drives an expensive sports car with the license plate that says thief and he tells anyone who listens how he is friends with Russian senior law enforcement and government officials. He is not hiding. He is bragging. And it is unfortunate that many countries allow it or even seem to encourage it. All capable nations hack each other. It is just life. But there is a difference between the normal intelligence operations being conducted by most countries and a country actively encouraging its hackers to lock up the data of any company it wants and ask for an illicit ransom to be paid to unlock it. North Korea actively steals from bank and cryptocurrency accounts. It is like they are allowing cybercriminals to be a legitimate way their country is funded. It is unfortunate. The question is what will it take, how bad will it get, to make it stop?"

A call for an articulated deterrence policy.

State-tolerated or state-sponsored ransomware attacks have proven, so far, resistant to effective deterrence. Members of the Cyberspace Solarium Commission speaking this week in Aspen called upon the US Administration to articulate a clear, publicly stated deterrence policy. Senator Angus King (Independent, Maine) said:

“I think the most important thing is for the administration and the President to develop a clearly articulated declaratory deterrent policy, a deterrence doctrine to put our adversaries on notice that they will pay a price for attacking us in cyberspace. I think one of the great gaps in our national response has been a tepid or non-response to these series of attacks that we’ve seen over the past 15 or 20 years.”

More reaction to anticipated US TSA regulation.

This week's announcement of the US Transportation Security Administration's plans to establish cybersecurity regulations for passenger railroads and airlines continues to prompt reaction from industry. Some, notably representatives of the railroads, think the regulations unnecessary, as they steps the regulations will mandate are already well-established, and being followed. Others have expressed concern about unintended consequences. Still others wonder how piecemeal regulation of different sectors will fit into the sort of whole-of-nation approach Homeland Security Secretary Mayorkas espoused, according to the Federal News Network, at the Billington Cybersecurity Summit. Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon PPM, likes the concern for critical infrastructure, but would like to see more commonality across sectors:

“I am pleased to see any action that improves cyber security for critical infrastructure. With that said, I am concerned with the disjointed approach of going from one industry to the next defining standards and or mandates. It’s time to take a step back and define a single critical infrastructure cyber security standard. If your industry is defined as critical infrastructure, then by definition it requires protection. Again, I am pleased to see movement and action, but I don’t think we need to wait for the next critical infrastructure attack to decide that we need another mandate to cover that specific industry. Let’s define a singular critical infrastructure cyber security standard now and start enforcing protection for everyone.”

Notes.

A note to our readers. We'll be observing Columbus Day this Monday, and won't be publishing. Enjoy the Federal holiday, and we'll be back again as usual on Tuesday.

Selected Reading

Google warns 14,000 Gmail users targeted by Russian hackers (BleepingComputer) Google has warned about 14,000 of its users about being targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia.

FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets (Mandiant) Today, Mandiant Intelligence is releasing a comprehensive report detailing FIN12, an aggressive, financially motivated threat actor behind prolific ransomware attacks since at least October 2018. FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector.

No honor among thieves: One in five targets of FIN12 hacking group is in healthcare (ZDNet) The group strikes big game targets with annual revenues of over $6 billion.

REvil Continues Its Reemergence, Joins Groove-led RAMP Forum | Flashpoint (Flashpoint) REvil has joined RAMP, a illicit forum operated by the Groove threat actor collective. Flashpoint cybersecurity analysts detail what this means for the underground community and the threat actors that operate within it.

Ransomware hackers find vulnerable target in U.S. grain supply (NBC News) At least three U.S. grain distributors’ systems have been infected with ransomware in recent weeks, raising concerns that hackers have found an easy target in

Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes (Reuters) The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters.

Government introduces guidelines for cybersecurity in power sector (The Hindu) The guideline lays down actions required to ramp up security measures across various utilities to raise preparedness in power sector.

India's new power sector infosec policy eschews air gaps (Register) Calls for anything connected to the Internet to live in a room controlled by the CISO

Netherlands can use intelligence or armed forces to respond to ransomware attacks (The Record by Recorded Future) The Dutch government said it would use its intelligence or military services to counter cyber-attacks, including ransomware attacks, that threaten its national security.

The Pandora Papers should reinvigorate Biden's anti-corruption push (Atlantic Council) An anti-corruption campaign appeals to disparate domestic groups but also is bound up in many of the core objectives Biden has staked out for the United States in the world.

Cybersecurity bills advance in U.S. Senate - Homeland Preparedness News (Homeland Preparedness News) Two bipartisan bills from U.S. Sens. Gary Peters (D-MI) and Rob Portman (R-OH) on cybersecurity and infrastructure were approved by the U.S. Senate Homeland Security and Government Affairs Committee and now head to the full Senate for a vote. The … Read More »

Bill seeks to address critical infrastructure cyber attacks - Homeland Preparedness News (Homeland Preparedness News) A pair of lawmakers have introduced a measure they said is designed to protect systemically important critical infrastructure (SICI) from cyber attacks. Reps. John Katko (R-NY) and Abigail Spanberger (D-VA) recently detailed the the Securing Systemically Important Critical Infrastructure Act, … Read More »

Lawmakers Call for Definitive Cyber Deterrence Policy (MeriTalk) With an increased focus on cybersecurity after a spate of high-profile cyberattacks on U.S. government and business organizations since late last year, members of Congress are continuing to call for a clearly defined national cyber deterrent policy. Three prime movers on cybersecurity legislation Congress – Sen. Angus King, I-Maine, and Reps. John Katko, R-N.Y., and Yvette Clarke, D-N.Y. – explained the need to codify a cyber deterrence policy at the Aspen Cyber Summit Oct. 6.

Mayorkas outlines whole-of-DHS response behind latest cyber sprint | Federal News Network (Federal News Network) DHS is putting the collective force of its component agencies behind its latest 60-day cyber sprint focused on transportation security.

Railroads say they don't need cybersecurity mandates (Washington Post) The Biden administration plans to impose new cybersecurity mandates on railroad and rail transit systems.

NSA Renews Focus On Securing Military Weapons Systems Against 'Capable' Rivals - Breaking Defense (Breaking Defense) "In terms of weapons systems, we have computers on wings, at sea, and on land. We don't think of [weapons systems] that way, but none of them work without computers," NSA's Joyce said.

Rob Joyce: Weapons Systems Security, Post-Quantum Encryption Among NSA’s Near-Term Priorities - Executive Gov (Executive Gov) Rob Joyce, cybersecurity director at the National Security Agency (NSA) and a previous Wash100 Award

Facebook and Big Tech Are Facing Their ‘Big Tobacco’ Moment (World Politics Review) This week, Frances Haugen, a former Facebook data scientist, openly accused the social media company of misleading the public about what it knows about the harm its products cause. Her impact on the regulation of Big Tech will likely be as significant as that of the whistleblowers who ended Big Tobacco’s era of impunity.

U.S. Set Out to Hobble China’s Huawei, and So It Has (Wall Street Journal) The big maker of telecom gear and phones is short of advanced chips, and it faces customers who heed U.S. sanctions or doubt the company’s technical reliability. It is diving into new ventures, aiming “to seek survival.”