Control Loop: The OT Cybersecurity Podcast 4.3.24
Ep 47 | 4.3.24

Hunting adversaries.


Dave Bittner: It's April 3rd, 2024, and you're listening to "Control Loop." In today's OT cybersecurity briefing: Sellafield nuclear waste site to be prosecuted for alleged cybersecurity failings. CISA issues a draft proposal for cyber incident reporting by critical infrastructure entities. Threat actors target Indian government and energy entities. A suspicious NuGet package appears to target developers in the industrial sector. Our guest is Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, sharing their latest Notice of Proposed Rulemaking. The Learning Lab returns! Dragos's Mark Urban talks with Josh Hanrahan, Principal Adversary Hunter at Dragos, in Part 1 of their discussion on adversary hunting and Voltzite, also known as Volt Typhoon. [ Music ] The UK's Office for Nuclear Regulation, the ONR, announced last week that the Sellafield nuclear waste site in Cumbria will be prosecuted over its alleged cybersecurity failings, The Guardian reports. The ONR stated these charges relate to alleged information technology security offenses during a four-year period between 2019 and early 2023. There is no suggestion that public safety has been compromised as a result of these issues. The decision to begin legal proceedings follows an investigation by ONR, the UK's independent nuclear regulator. The Guardian reported late last year that the nuclear waste site had been hacked by multiple threat actors, including groups linked to Russia and China. Sellafield is the largest nuclear site in Europe and has the largest store of plutonium in the world. The Guardian cites sources as saying it's likely that foreign hackers have accessed the highest echelons of confidential material at the site. The US Cybersecurity and Infrastructure Security Agency last week released a 447-page draft of its proposed rules governing how critical infrastructure entities will need to report cyber attacks to the federal government. 
According to CyberScoop, the proposed rules would require critical infrastructure entities to report incidents within 72 hours after the covered entity reasonably believes the covered cybersecurity incident has occurred. Additionally, if a company pays a ransom after being hit by ransomware, they'll need to report the payment to CISA within 24 hours. Comments will be due within 60 days after the proposal is officially published on April 4th, and the rule is expected to be finalized in about 18 months. Researchers at EclecticIQ are tracking a malware campaign that's targeting Indian government organizations and the energy sector, stating that analysts identified multiple government entities in India that have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian companies, exfiltrating financial documents, personal details of employees, and details about drilling activities in oil and gas. In total, the actor exfiltrated 8.81 gigabytes of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure. The researchers don't attribute the campaign to any known threat actor, but they believe the goal of the operation is cyber espionage. The threat actor gained initial access via phishing lures that delivered a modified variant of the open source information stealer HackBrowserData. Researchers at ReversingLabs have identified a suspicious package hosted by the open source package manager NuGet that may be tied to a malicious software supply chain campaign with the goal of conducting industrial espionage on systems equipped with cameras, machine vision, and robotic arms. The package is designed to take screenshots and send them to a remote server. 
The package appears to be targeting developers working with technology made by BOZHON Precision Industry Technology, a China-based firm that does industrial and digital equipment manufacturing. The researchers note that it is possible that the package is a benign tool leaked by someone working for BOZHON, but it's more likely that it's being used as part of an industrial espionage campaign. [ Music ]

Dave Bittner: I recently spoke with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Eric shared the news of CISA's most recent Notice of Proposed Rulemaking. And it is always my pleasure to welcome back to the show Eric Goldstein. He is Executive Assistant Director for Cybersecurity at CISA. Eric, welcome back.

Eric Goldstein: Thanks so much, Dave. It's great to be back on.

Dave Bittner: I want to touch today on some recent -- well, I guess a call for some rulemaking that you and your associates have put out?

Eric Goldstein: Absolutely, Dave. You know, as many in the community are well aware, Congress gave CISA the authority last year to establish a new requirement for entities who are critical infrastructure to report their cyber incidents to CISA. And so for a number of months, we've been hard at work getting input from the community on what exactly this rule should look like. We just recently published what is called a Notice of Proposed Rulemaking for public comment. And so beginning on April 4th, members of the community will have a chance to offer their views on the rule: how we define the entities who will be required to report, how we define the incidents that are reportable. And our hope is that this process will further benefit from insights from entities across sectors, large and small, to ensure that the final rule gets us the information that we need to support the community's broader cybersecurity.

Dave Bittner: Can you take us through what that process looks like behind the scenes? I mean, how do you all integrate the comments that you get from the interested parties here?

Eric Goldstein: Absolutely. You know, as part of the rulemaking, you know, we are asking some fairly specific questions for input from the community. Questions like who should be required to report? What should be reported? What kind of incidents and what details about each incident? And then we review every single comment that comes in. Because we're aware that the point of this incident reporting authority isn't actually at its core to help CISA or to help the government. It is to help organizations across the country. It's to help us provide assistance more effectively. It's to help us share information that can help organizations defend against the most urgent threats, and it's to help us actually understand trends in cybersecurity risk that can help us drive adoption of the mitigations that really work against the risks that we're seeing in the real world.

Dave Bittner: Well, if we capture this point in time of what it looks like today, what is this reporting process going to look like for folks who would fall under its auspices?

Eric Goldstein: You know, we know today that the vast majority of cyber incidents are simply never reported. And that creates some really significant gaps, not just for CISA and the government, but really for every organization trying to defend the enterprise. Because if we don't know what adversaries are doing and how they are doing it, that makes it that much harder to defend against it and to drive investments in those controls that we know actually work. And so when this rulemaking goes into effect in 2025, we're for the first time going to have this rich source of data that we can then use and share to actually help organizations defend enterprises that much more effectively.

Dave Bittner: And I suppose we should say that although this is on a timeline towards 2025, CISA is looking to get information on voluntary reporting of cyber incidents from folks out in the industry today.

Eric Goldstein: That's a great point, Dave. You know, this authority is no substitute for voluntary reporting, and that's the case in two key ways. First of all, even when this rulemaking goes into full effect, it is not going to cover every organization in the country, and we still want to make sure that we are hearing about cyber incidents affecting any organization voluntarily so that we can offer assistance and share information more broadly, but also we know that incident reporting is only the first step. Incident reporting opens the door to a deeper and richer collaboration to help organizations detect, evict, recover and to glean detailed information that we need to help enterprises defend more effectively. And so although incident reporting is going to give us information that we sorely lack today, we still need that deeper post-incident collaboration to really drive the change we see.

Dave Bittner: What do you say to folks who are hesitant about engaging here? I mean, I can imagine there are folks out in our audience who are thinking, you know, I'm in the middle of a cyber incident. The last thing I need is a government agency getting all up in my business.

Eric Goldstein: We think that the opposite is really true, you know? CISA and our partners are really unique in that our only goal is to help victims and to help other organizations to not become victims. And so we are not a regulator, we are not an enforcement agency, and far from getting in the business of a victim, our goal is to figure out where the victim needs help in their response, in their recovery, and then glean information that we can share on an anonymized basis to keep other organizations from being similarly affected. Our core point here is, you know, if you are not a victim of a cyber incident today, you very well may be one tomorrow, and we all have a shared interest in making sure that when incidents do occur, information about them is shared widely and broadly to limit the reach of our adversaries and limit their ability to execute intrusions on other victims.

Dave Bittner: Well, the Notice of Proposed Rulemaking is available now. It's been up for a few days here. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, thanks so much for joining us. [ Music ] On today's "Learning Lab" segment, Dragos's Mark Urban speaks with Josh Hanrahan, Principal Adversary Hunter at Dragos. They're discussing adversary hunting and Voltzite, also known as Volt Typhoon. [ Music ]

Mark Urban: And the next couple sessions of "Learning Lab" are focused on threat hunting, or adversary hunting more specifically. And this is giving a little bit of background into adversary hunters that work for Dragos: how they find the bad guys, you know, what are the techniques, how do they know when they cross into OT. And then we're going to look at a specific threat activity group, Voltzite, sometimes known as Volt Typhoon. And Josh Hanrahan is leading us through the discussion. But it's some interesting insights into that world. I'm here with Josh Hanrahan, who is one of the adversary hunters at Dragos. Welcome, Josh.

Josh Hanrahan: Hey. How you doing?

Mark Urban: Tell me a little bit about yourself. I mean, I gave you a brief intro, you know, title. But provide some context about who we are and why we're here.

Josh Hanrahan: Yes, I'm Josh Hanrahan, Principal Adversary Hunter at Dragos. I work in the adversary hunting team, where our kind of main goal is to uncover adversaries that are interested in ICS organizations or that want to do harm in some way to our community. And we use, you know, hunting methods and analysis techniques to try and, you know, expose that behavior and be able to communicate it out to the wider ICS community to defend it against these attacks, essentially.

Mark Urban: What exactly do you do in the course of being an adversary hunter?

Josh Hanrahan: So it's a lot of data analysis effectively. So what I've kind of -- expanding on known threat-hunting principles and kind of turning those up to 11 and trying to extend those techniques and analysis methods against larger data sets. So our traditional kind of threat hunting, which goes by a lot of different definitions throughout the industry and a lot of different views on what threat hunting is and what threat hunting isn't. But effectively, in my opinion from, you know, doing threat hunting for a decent amount of time, threat hunting is a repeatable process where you are looking for unknown unknowns, and trying to find the patterns to string together a chain of activity according to a hypothesis you have come up with. Now that, in like a traditional kind of corporate environment, is where you'd see most kind of threat hunting activity and those roles in industry kind of sitting, where you have, you know, internal telemetry from logs or, you know, EDR tools, et cetera. And you're working inside the confines of the organization you're looking after to try and find those unknown unknowns. And really kind of driving out where you can create detections, and where you can, you know, maybe see tip-off points for certain response activities. Where kind of the concept of adversary hunting comes in, it's kind of more of a fusion role where you're taking a lot of those concepts, and you're applying it to an external data set. So whilst we still do that type of stuff within, you know, partner organizations and customer organizations that, you know, when we have the data and we're allowed to work on it at the lab, we're also extending those type of principles outwards to the internet at large, effectively. So we are, you know, looking for NetFlow on all parts of the internet that is stringing together patterns that we can then track. 
And then we can justify going back to, you know, ICS organizations that we're interested in, or adversary infrastructure that's known. And then on top of that, there's also kind of a malware piece to it as well, right? So it's hunting for malware samples that may be being used and kind of doing all that kind of open source intelligence, and third-party paid service intelligence analysis as well from different [inaudible 00:15:50]. And then kind of the overlay on that is then having a sound principle in, you know, more structured CTI backgrounds, cyber threat intelligence. So being able to write reports that are timely and accurate, concise and relevant for our consumers, and you know, writing strategic reports [inaudible 00:16:10]. So we do retrospective reports. We do public blogs. We do webinars to really kind of communicate that type of stuff outwards. So it's very much a hybrid role that I don't think many organizations kind of have, or have the capability to have. So you only really see it from kind of like government and private sector, CTI shops really. But it is kind of a mashup of different disciplines. So it's always kind of really fast-paced and busy.

Mark Urban: Yes, let me put that in a little bit of context because you talked about a couple things. So in the context of Dragos where we both work, you work on the cyber threat -- on the OT cyber threat intelligence team, which is exclusively focused on, you know, finding the adversaries. Finding all the stuff that we'll get into in a minute. You do two things with that, is publish it as world-view intelligence reports, a couple of which you referenced. And then you also referenced detections, because that intelligence is also compiled into detections for the Dragos platform. Is that an accurate kind of simplified view of what you're talking about?

Josh Hanrahan: Yes, yes. That's kind of like our main outputs, like our main kind of deliverables. You know, as an employee, like I would love to go and sit there and hunt on the internet all day and, you know, not have anything relevant come out, and not have any kind of deliverables as such. But at the end of the day, we're doing it for a reason, and that is to protect the wider ICS community, or at least, you know, get ahead of the game so that we can detail some of this activity and have it be usable by people that need to be protected. So yes, my main outputs are [inaudible 00:17:52] bots so, you know, our team is behind one of those products that come out. And then the detections piece as well. So anything that's coming out of our reports or anything we're seeing is getting fed into our detections engineering team, which goes ahead and makes those detections relevant for our OT platform. And then we also work closely with our OT Watch team as well, where we are feeding, you know, the hypotheses we're coming up with, we're feeding more kind of intricate details about the patterns we're seeing that may not necessarily form a part of, say, like, an indicator of compromise or detection and all that. You know, it's really high fidelity that we would expect to see within our platform product. But really kind of, hey, this is a pattern that we've seen this adversary use, whether it's, you know, shaping of network communications that always communicate a certain way at either a certain time, or a certain amount of packets, a certain amount of bytes to a certain IP range belonging to a certain network provider. That type of stuff. Like feeding those kind of more hunting ideation ideas so they can walk across our OT Watch customers to try and see something that, you know, maybe from these more advanced adversaries that are trying to hide in the noise.

Mark Urban: What happens? When do you get interested in an adversary? Like what do you come across? It's not like they're wearing signs that say, you know, I'm a bad guy. How do you get the hook?

Josh Hanrahan: It's complicated is the easy answer. It's really like, not a role for anyone that is really kind of starting off their career. It really is for someone that has kind of multi-disciplined kind of IT and cyber and OT kind of knowledge in the background to be able to kind of formulate kind of the type of hypothesis. Because it is kind of, as you said, it's not like they're waving a flag. Like, you know, if you're looking for adversaries from a certain nation, you can't just start looking for IPs from that nation and then, you know, see something bad, and then there you go. Like you got full attribution. That's just not how the world works. Maybe it was 30, 40 years ago, but like that's really just not how it works anymore. So it is really -- you need kind of -- like I think the people that I've worked with have been really good at this. Have been quite, you know, artistic minds or kind of very big creative thinkers that have, you know, also have that kind of statistical and analytical brain as well. Which is kind of like a really weird cross-section of people that actually fit in that category. But being able to come up with these kind of like absolutely nuts ideas that would kind of be outside the realm of possibility and kind of challenging their biases and assumptions, but then also having that mindset to draw down into the data and be like, yes okay, I was completely off base with this. Here's the evidence that doesn't support that theory. I'm going to drop it. What's my next theory that, you know, I have some evidence for and kind of moving through. But in terms of actually finding stuff, tip-off points are, you know, known knowns, I guess. 
Where we're looking at, you know, infrastructure or like, malware samples that we've known have been used by a certain group that we feel has, you know, the capacity to or have demonstrated an interest in ICS organizations before, and using that stuff as a tipping point to then pivot out, to then see, you know, what they're looking at, or you know, if it's a malware sample calling back to a certain domain and then, you know, doing investigations on that domain and then using OSINT methods to find out what is known about that domain, whether it's, you know, commonalities in the IPs they're resolving to, or you know, [inaudible 00:21:34] information, whatever it happens to be. In a nutshell, really kind of just finding patterns where other people may not find them. But in terms of like, finding the unknown unknowns, it is really kind of testing crazy hypotheses and hopefully it kind of pays off really.

Mark Urban: So you're half crazy and half mathematician. Got it. Or half crazy artist, half crazy mathematician, or statistician rather. How do you -- you know, because you have a particular focus on operational technology, critical infrastructure, industrial -- when does it become clear that those are the types of targets, or those organizations are the type of targets?

Josh Hanrahan: Yes, definitely. And that's where a lot of our kind of, you know, our day-to-day decision-making kind of comes into it. Because we could track threads, you know, 24/7 with no -- you know, like, no kind of like drill-down parameters on what we're interested in. And sometimes that can be hard when you're, you know, tracking an adversary group that you think is interested in ICS because they've shown some -- you know, some of those patterns that we're looking for. And then you look at it for a week, and it's like, oh actually, they're not interested in that at all. There is enough activity out there to keep, you know, an indeterminate amount of people busy for an indeterminate amount of time. So really that's what makes a good adversary hunter, being able to stay on mission and knowing that the actions they're taking, the time they're expending is going to be rolled into our community. So for us, there's a few different ways. Like the most common one I guess is we're looking for a victimology-centric approach. So we're looking at and identifying key resources or key critical infrastructure organizations within a certain demographic that we know that certain adversaries would be interested in to further their strategic motives, right? Now we at Dragos don't really do kind of attribution as well, because we don't think it's super helpful for defenders. But that's kind of what I'm getting at. It's like we know certain groups are kind of aligned to certain strategic interests. Certain victims fall within their interest categories. So we know that those places are normally a good tip-off point. But we have to be sure along the way, which is where that analytical kind of mindset comes into it, that we're not just projecting preconceived biases about, you know, this is Taiwan. The only group that's ever going to target them is China. Like that is just, you know, we're paid for our biases, and having seen some of that activity before. 
But we can't project on every case that we investigate from here on out. Because adversary groups have various attributions, work at various amount of stuff. Like just across the world, you'll see Chinese groups looking at Eastern Europe stuff. You'll see Russian groups looking at Asia Pacific. But at the end of the day, it's really about having that, you know, mental maturity and that analytical mindset to address those biases and really get down to the core of what is happening, illustrating what those tactics, techniques, and procedures are and really kind of driving those home to, you know, our consumers to be the focus point. Because no matter where those tactics, techniques, and procedures are being used and by whom, and what country they're attributed to and who they're going against, at the end of the day, a lot of these adversary groups are watching tradecraft from each other to then utilize those same methods. So if we focus on the TTPs, and we can get those documented and those kind of, you know, detected on, or have hunting ideation come up that our consumers can use to find that activity, then you're not limiting yourself to only finding activity by adversary Group X. And especially when you're, you know, mapping procedure-level stuff where it's like, you know, innate users of certain things, you can really get down into the detail. So yes. The other way that we kind of really kind of find the tipping-off point, we have kind of like temporary groups. So a lot of kind of CTI shops use the methods or the kind of -- the grouping of temporary groups. We call them temporary activity threads, or TATs. So that is where we are watching adversary groups defined by third parties and we are watching the definitions of those of interest. If they have, you know, some of these hallmarks of potentially being ICS interested, or, you know, are linked back to a threat group that we know have the capability, we are tracking them as well. 
And you know, we track what they are looking at and we have that jump-off point to go and look at: what are they looking at? How are they doing things? And is that coming back to an ICS organization? The moment that we identify a TAT to have, you know, interest in ICS or the pure, you know, purpose of it being ICS -- so we're talking about ransomware groups just, you know, going for anything. Like obviously there are trends of, you know, ransomware groups going after critical infrastructure organizations, kind of rising. But we can't kind of misconstrue what the intent is there. Is it that they are targeting ICS because they want to cause widespread disruption and they want to, you know, potentially black out areas of interest for whatever type of military action they want to inflict? No. They're targeting them because they're ICS. ICS is more critical, therefore they're more likely to hand over the cash. So there is kind of like no real intent for them to target ICS because of the ICS. They're targeting it because they're an easy target, and they're more likely to pay out. What we're looking for in these TATs are, are they targeting ICS because they are interested in a strategic objective? Are they interested in, you know, exfiltrating a bunch of data out of, you know, a market operator or electric generator for some other follow-on reason that I can do with. So when like, an attack group or a threat group we're tracking kind of reaches that threshold, that they're proven to be targeting ICS for ICS, we make them a threat group, and then we assess them into two parts of the ICS cyber kill chain. So Stage 1 is more about, you know, that IT network kind of enumeration, and kind of really kind of looking through there and doing stuff there. 
And then Stage 2 is when they make the jump to OT and then start to exhibit usage of, you know, an IT-specific disruptive capability, whether that's a custom malware, whether it's abusing, you know, OT protocol by their native functionality.

Mark Urban: Yes, interesting. So a lot of CTI shops track a lot of places. We -- you know, we also track a lot of potential groups, and when it becomes clear that they're focused on operational technology and industrial control systems, that's what makes it -- yes, that's when we really take it seriously, because that's our -- you know, that's the Dragos specialty. Then once you have someone identified, once you've figured out that they're focused on industrial, you know, what's your goal once you have them sort of identified? Where do you go from there?

Josh Hanrahan: Yes, so it really depends on kind of the manner of what's happening. As with most things within CTI, the answer to any question is normally, it depends. But I won't just leave it at that. So yes, if we saw, you know, an adversary IP or infrastructure linked to an adversary, we'd be looking -- and it was significant. Like say we're seeing something that looks like data exfiltration or, you know, malware use fitting a certain profile, then we'd be working with OT-CERT, which is our industry kind of engagement outreach piece, to potentially notify the victims so that they can be aware of what's going on. The other thing I would do is that, you know, this type of stuff does form the basis of our WorldView reporting, and, you know, our detection rules, et cetera. So you have outputs going that way as well, without -- you know, we're writing about this activity. We're detailing what it looks like, how it looks like, how it can be tracked, how it can be detected, and really going from there. [ Music ]

Dave Bittner: That's Dragos's Josh Hanrahan and Mark Urban. [ Music ] And that's "Control Loop," brought to you by the CyberWire, and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliot Pelzman with mixing by Tré Hester. Our senior producer is Jennifer Eiban. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]