The CyberWire Daily Podcast 2.1.21
Ep 1260 | 2.1.21

Solorigate: targeting, collateral damage, or staging? The Cyberspace Solarium has some advice for US President Biden. UKRI breach. British Mensa thinks over a data exposure.

Transcript

Dave Bittner: Untangling Solorigate and distinguishing primary targets from collateral damage. Congress asks NSA for background on an earlier supply chain incident. The Cyberspace Solarium Commission offers the new U.S. administration some transition advice. Rick Howard hears from the Hash Table on Microsoft Azure. Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities. And the week gets off to a rough start for smart Britons.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 1, 2021. 

Dave Bittner: As the US government and industry continue to untangle the effects of Solorigate, Bloomberg reports speculation that Russian intelligence services may have been especially interested in what they could glean from tech and cybersecurity firms over the course of the SolarWinds supply chain compromise. Insight into defenses and cyber tools would've been particularly valuable. 

Dave Bittner: They're valuable, as Recorded Future's Allan Liska told Bloomberg, because, quote, "if you can compromise security infrastructure, you essentially have the keys to the kingdom and can run around undetected, and we're dealing with an advanced adversary who's looking for this kind of access," end quote. Four cybersecurity companies have reported attacks - FireEye, Mimecast, Qualys and Fidelis. The threat actor is being tracked, for now, as UNC2452. 

Dave Bittner: IT and cyber firms didn't, however, comprise the entire list of private sector targets. Infosecurity Magazine notes that the Sunburst vulnerability has been determined to affect a number of manufacturing companies. Kaspersky CERT found that targeting broke down as follows - 32.4% of all victims were industrial organizations, with manufacturing 18.1 of all victims, by far the most affected. This was followed by utilities at 3.2%, construction - 3% - transportation and logistics - just under 3% - and oil and gas - 1.3%. 

Dave Bittner: Computing says that while most of these targets may well have been collateral damage from a supply chain attack whose primary interest lay elsewhere and that there are no particular signs of a secondary attack against them, Kaspersky researchers didn't rule out the possibility that such attacks might be staged. 

Dave Bittner: In any case, the industrial concerns affected by the supply chain compromise are international. The countries affected, according to Computing, are, in addition to the obvious United States, Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan and Uganda. The global spread is reminiscent of what was observed in an earlier supply chain campaign, NotPetya. The probable primary target was Ukraine, but the malware was felt around the world. 

Dave Bittner: Solorigate has provoked Congressional interest in an earlier incident, a 2015 breach of Juniper Networks' servers in which the attackers made small changes to code for the Dual_EC_DRBG encryption algorithm. NIST had promulgated the NSA-developed algorithm as a standard for encryption in 2006. Bloomberg Law reports that two Senators and eight Representatives have signed a letter asking NSA Director Nakasone to explain whether NSA, years before General Nakasone's watch, had effectively backdoored the encryption in ways that enabled a hostile intelligence service to compromise the software supply chain. 

Dave Bittner: The Cyberspace Solarium Commission has produced a Transition Book for the new US administration. They recommend three steps for immediate action. First, establish the Office of the National Cyber Director. Second, develop and promulgate a national cyber strategy. And third, improve the coherence and impact of existing government cybersecurity efforts and further strengthen partnerships with the private sector. The document also outlines several priorities for the administration to take under advisement. 

Dave Bittner: UK Research and Innovation, known by its acronym UKRI, an arm of Her Majesty's government that concerns itself with investing in British science and research, has disclosed that it's presently coping with a ransomware incident. UKRI is being tight-lipped about the incident, which it says it's referred to the National Crime Agency, the National Cyber Security Centre and Information Commissioner's Office, but it's known to have affected two services. The UK Research Office's information service portal for subscribers was hit, as was an extranet UKRI councils use for peer review of proposals. Both services have been suspended. 

Dave Bittner: UKRI is funded by the Department for Business, Energy and Industrial Strategy with a budget of more than 6 billion pounds. According to BleepingComputer, the organization says it has no evidence the compromised data was stolen before being encrypted and hasn't detailed what the nature of that data was. The incident remains under investigation. 

Dave Bittner: And finally, it's been a rough start to the week for smart people over in the UK. British Mensa, the national branch of the organization that describes itself as the "High IQ Society," has said that there has been a series of events which appear to be designed to discredit Mensa's systems. A representative of the group told the Financial Times that, as a result, we have handed details of these events to the Information Commissioner's Office with a view to pursuing a criminal investigation. 

Dave Bittner: How'd they get in? Apparently, says Forbes, they had one of the society directors' credentials. The society's webpage has been shut down, with a charmingly retro drawing of a thundercloud overtopping what may be a Bauhaus office building alongside the legend, "Site under maintenance. The British Mensa site website is currently undergoing maintenance. We apologize for any inconvenience." The whole thing looks circa 1998, we'd say. Not quite a guy with a shovel and a tagline, "under construction," but you get the picture.

Dave Bittner: British Mensa's former technology officer Eugene Hopkinson resigned last week in an apparent protest of the group's allegedly lax security practices. In particular, Mr. Hopkinson objected to the group's failure to salt and hash members' passwords and that it held a great deal of sensitive data about its 18,000 members, including email addresses, passwords, home addresses, instant messaging conversations and, it goes without saying, pay card details. 

Dave Bittner: Oh, and it also holds the IQ scores of not only members, but - wait for it - failed applicants as well. So whether you're in the top 2% with, say, a 174 IQ or one of the rest of us clocking in around 100, well, Mensa knows. And so, probably, does whoever hacked in. What someone would do with anyone's IQ is to us a bit of a mystery, but surely there's plenty of potential embarrassment to go around.  

Dave Bittner: And it is my pleasure to welcome back to the CyberWire daily podcast Rick Howard, our chief security officer and chief analyst. Rick, great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So last week on "CSO Perspectives," you did a deep dive into Microsoft Azure, and you looked at things like zero trust, intrusion kill chains, resilience and risk assessment. For this week's show, you brought our experts to the CyberWire's Hash Table so that they could tell you what you got wrong. 

(LAUGHTER) 

Dave Bittner: How did that work out for you, my friend? 

Rick Howard: (Laughter) Well, as you can imagine, it's always humbling, OK? I'm always awed at how many smart people there are out there that really know their stuff, you know... 

Dave Bittner: Right. 

Rick Howard: ...And grateful, by the way, that they come to the Hash Table to help us understand some of these admittedly complex ideas. 

Rick Howard: In this show, I talked to Microsoft's lead cybersecurity architect, Mark Simos, about resilience in the form of DDoS protections by virtue of being part of Microsoft's very large and already protected network and ransomware protections with a mechanism called immutable storage. And we talked about a zero-trust construct called management groups. That is a very unsexy name - OK? - but it gives Azure administrators a lot of control over any zero-trust policy. 

Dave Bittner: So at the end of these two shows, what's your impression? I mean, is it - can security executives secure their cloud environments? 

Rick Howard: Well, I think the simple answer is, yeah, they can. All right? The cloud vendors don't make it easier to secure your data in their environments as compared to how we do it back at headquarters or on prem, but they do provide an equivalent set of tools. I did ask Rick Doten, the Carolina Health CISO, that very same question at the Hash Table, and he said he thought so, too. 

Rick Howard: But the one thing that still nags at him is the single-vendor problem. So once you commit to a cloud provider, Microsoft or any of them, it will be difficult to extract yourself once you have any sizable or meaningful workloads running there. It can be done, but you're not turning that tire on a dime, right? 

Rick Howard: And he told a great story. He likens the whole problem to the single cloud. Or we - he calls it the single cloud provider problem. But he thinks it's very similar to the old Jimmy Stewart Christmas movie "It's a Wonderful Life." I know you love that movie. And by the way, I love that movie, OK? I cry every single time. 

Dave Bittner: Well... 

Rick Howard: When the entire town comes in to save George Bailey at the end... 

Dave Bittner: Yeah. 

Rick Howard: ...You know, tears - tears in my eyes. 

Dave Bittner: How could you not? You're not a monster, right? I mean, how can you not? 

Rick Howard: No, I'm a human being. 

Dave Bittner: Right, right. 

(LAUGHTER) 

Rick Howard: All right, so there's a scene in the movie when the Depression is just starting, and everybody in town is trying to get their money out of the bank that George runs. And George, played by Jimmy Stewart, he says this. 

(SOUNDBITE OF FILM, "IT'S A WONDERFUL LIFE") 

Jimmy Stewart: (As George Bailey) You're thinking of this place all wrong, as if I had the money back in a safe. The money's not here. Well, your money's in Joe's house - that's right next to yours - and in the Kennedy house and Mrs. Macklin's house and a hundred others. 

Rick Howard: So Rick Doten's great Jimmy Stewart analogy is that if you decide that you don't like your current cloud provider anymore, getting your data to the new cloud provider's network will be an interesting exercise. 

Dave Bittner: I bet they don't make it any easier for you to do that. 

Rick Howard: No. 

Dave Bittner: Like - everybody likes to have that lock-in, right? 

Rick Howard: Lock-in - that's how we make our money. 

Dave Bittner: Yeah, yeah. All right, well, it is "CSO Perspectives." It is part of CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it is always great to have you back. I wanted to touch today on a survey that I know you've been working on dealing with COVID and supply chains. What are some of the cyber-related findings that you have to share with us? 

Andrea Little Limbago: Right. And, you know, and there were a lot more cyber-related findings than I initially had anticipated. 

Andrea Little Limbago: You know, so over the summer, we surveyed 450 executives from some of the big corporations in the United States to really try and ascertain what the kind of - what kind of disruptions there were from COVID. And we heard a lot - you know, this was during the middle of the summer. We'd heard plenty of news about the food supply chain. We saw it in our grocery stores. But we wanted to get into more of a data-driven understanding of exactly what was going on. And so the survey did prove very useful in highlighting some issues that we, you know, kind of thought were there anecdotally, but, you know, it's always good to find the data actually supports it. 

Andrea Little Limbago: And so on the one hand, you know, unsurprising, you know, 98% of respondents felt that their, you know - had their supply chain disrupted, 97% felt there were some vulnerabilities that were exposed. And, you know, again, similar numbers felt that these kind of disruptions were going to continue in the future. At the time, we were talking about a second wave, and now it's just really going into, you know, this ongoing wave that, you know, just keeps escalating. So there's big concern about how that's going to be impacting. 

Andrea Little Limbago: But what really was highlighted - you know, after the disruptions from COVID, one of the big exposures for vulnerabilities was the growing concerns over cyber. And so while COVID posed the biggest threat and risk, cyber wasn't far behind. And so I thought that was interesting. 

Andrea Little Limbago: And, you know, it did change a little by - a little bit industry to industry. The aerospace and defense industry far and away were the most concerned about cyber compared to some of the other industries that we interviewed. Something like 72% noted cyber as the biggest risk they're facing right now. 

Dave Bittner: That's bigger than COVID. 

Andrea Little Limbago: Just behind COVID. They still felt COVID was large, but, you know, right on top with COVID. So and... 

Dave Bittner: I see. 

Andrea Little Limbago: Actually, in some other areas, they did, you know, rank cyber as a bigger concern than COVID. And that's just aerospace and defense. Other industries, COVID was by far and away, yeah, your No. 1, with cyber behind a bit more. And then even, you know, concerns about cyber looking to the future elevated even more as well. And so I thought those were interesting. 

Andrea Little Limbago: You know, and the concerns, one - and this is what sort of goes back to aerospace and defense - you know, a lot of the geopolitical forces that are underway were concerned, but it links directly to, you know, these concerns about basically the supply chains both - and digital supply chains being across the globe and being concerned about various kinds of data access and data and insecurity within certain countries. 

Andrea Little Limbago: And so, you know, onshoring and reshoring away from some of these countries, you know, already was kind of underway just due to security concerns and data risks. But now COVID is escalating those as well. And so I thought that was interesting. 

Andrea Little Limbago: And then other areas - really, we asked several questions about digital supply chains. You know, that's an area that keeps growing in importance. Something like - you know, there's one study last year - close to 80% increase in supply chain attacks in 2019. You know, we hear about all these - like 60% of breaches going to third-party vendors and so forth. So we know supply chain attacks are becoming more and more common. 

Andrea Little Limbago: And so we asked questions about digital supply chains. And the findings, you know, again, you know, prove that that is a growing concern. And what I thought was interesting was that the respondents were just as concerned about supply chain attacks to their direct suppliers as they were to basically junior suppliers who - like those sub-tiers that are the suppliers of your suppliers of your suppliers and so forth. 

Dave Bittner: Right, right. 

Andrea Little Limbago: And they were just as concerned about both. And again, that makes sense because, you know, these supply chains are so tightly integrated but so complex as well that it's hard to have visibility across. You know, most companies don't even know who is in their extended supply chain when you go down to those various tiers because just it's so complex. And so that also means that, you know, there are companies, you know, downstream in your supply chain ecosystem that likely have access to your data, and you don't even know how they're protecting their data. And so... 

Dave Bittner: Yeah. 

Andrea Little Limbago: ...That exposes a big vulnerability. 

Andrea Little Limbago: And, you know, one question we asked was, you know, what percentage of their own data exists external to their own networks? And, you know, on average, it was about 40% of their data exists, you know, downstream across their ecosystem. So that's a significant amount of data. And if you don't know how - if you don't know what the security postures are of companies across your ecosystem, that could be a big vulnerability. 

Dave Bittner: Is there a sense that - I'm thinking in terms of uncertainty because I think when you think about COVID, we have a lot of uncertainty right now. 

Andrea Little Limbago: Absolutely. 

Dave Bittner: We don't know the timeline for a vaccine. We don't need - we don't have a clear sense for the success of vaccines. Is there that - is there similar uncertainty on the cyber side of things? 

Andrea Little Limbago: Yeah, I think so. And I think that they're - it's almost a convergence of the two as well that makes it even more uncertain. You know, many respondents noted that the pandemic makes them more vulnerable to cyberattacks. And that gets into the area - you know, given the distributed workforce that's going on, there's such - you know, it's just - it creates something that's hard to, you know, maintain the tighter security controls. 

Andrea Little Limbago: And we know that in March in the race to remote work, you know, many security controls, you know, or many security postures, they sort of let their guard down a little bit in the race to maintain continuation of operations. And not all those companies have then reinstated them. And so it does - the pandemic has, you know, both introduced new vulnerabilities, but, you know, it increases that uncertainty as companies are trying to deal with how to respond to that and how to create and heighten their security postures, you know, in this new era that we're living in. 

Dave Bittner: Right. 

Andrea Little Limbago: And I do think it's a new era. And that's the thing. It's very much so what life was like before and what we're going to the future, at least in the realm of, you know, of business and geopolitics, our - you know, it's going to be very, very different than it was going into COVID. And I think that companies are trying to really brace for what that future will look like. 

Andrea Little Limbago: And that's what we saw a lot, too - you know, a bigger focus on resilience. And it's across the board from, you know, increasing their security posture. It's having better visibility across their supply chains, understanding the security postures of their suppliers and their suppliers' suppliers. 

Andrea Little Limbago: And so as - whereas, you know, in the past, you know, just-in-time production, which was, you know, really popularized in the '80s with Japan really, you know, with a huge focus on efficiency and optimization - you know, that, you know, coupled with these various concentration risks in regions and through vendors and just the increasing complexity of supply chains as globalization really took off, you know, increased insecurity to a point that, you know, any kind of disruption across our supply chain also leads - you know, it's not just the physical supply chain that gets disrupted. It's the digital one as well. And that's what we have seen. 

Andrea Little Limbago: And so they do - you know, companies do feel more vulnerable. And as they're looking to make their plans going forward for a post-COVID world, they're really focusing on resilience and agility. And a lot of that has to do with - not just with, you know, the reshoring and onshoring of the physical supply chain, but also how to increase greater resilience and agility, you know, across their digital supply chain ecosystem and across - you know, really protecting their data wherever it may go. 

Dave Bittner: All right, well, Andrea Little Limbago, thanks for joining us. 

Andrea Little Limbago: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Life just got a little easier. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.