The CyberWire Daily Podcast 3.29.21
Ep 1299 | 3.29.21

Cyberespionage in Germany. Australian network knocked off the air by a cyberattack. PHP shuts backdoor. Apple fixes a browser bug. FatFace pays up. Criminal charges: espionage and fraud.

Transcript

Dave Bittner: Looking to enhance your cybersecurity awareness? We're kicking off our first quarterly analyst call of 2021 tomorrow afternoon at 2 p.m. Eastern. Join our team of experts on this live broadcast where they'll discuss crucial cybersecurity events of the last 90 days. This quarter's call is hosted by Rick Howard, and he'll be joined by Bobbie Stempfley from Dell Technologies and Joe Carrigan from the Johns Hopkins University Information Security Institute - he's also co-host of the "Hacking Humans" podcast. This event is exclusively for CyberWire Pro subscribers, so now is the perfect time to take advantage of that $99 annual subscription deal we have on our website. To learn more or to register, visit thecyberwire.com/analystcall. That's thecyberwire.com/analystcall.

Dave Bittner: German politicians' emails are under attack, and the GRU is the prime suspect. Australia's Nine Network was knocked off the air by a cyberattack, and a nation-state operator is suspected. PHP takes steps to protect itself from an attempt to insert a backdoor in its source code. Apple fixes browser engine bugs. FatFace pays the ransom. Project Zero caught a Western counterterror operation. Betsy Carmelite from Booz Allen Hamilton on Zero Trust. Our guest is Tal Zamir of Hysolate on CISA's new ransomware guidelines. And a guilty plea for one, and almost 500 indictments for others. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 29, 2021. 

Dave Bittner: Several members of Germany's Bundestag have had their personal email accounts breached, CyberScoop says. The BfV and BSI security services have briefed the federal legislative body and contacted affected members. German officials have provided few details, but Tagesschau reports the compromise was the work of Ghostwriter, a threat actor associated with Russian interests, and that spearphishing was the attack vector. It also suggests that Russia's GRU was responsible. 

Dave Bittner: Der Spiegel is calling it a Russian operation and also specifically attributing it to the GRU, the Russian military intelligence agency. Seven members of the Bundestag were affected, as were 31 members of Land parliaments - that is, parliaments belonging to the federal republic's constituent states, roughly the equivalent of U.S. state legislatures. Several dozen other political figures were also affected. Most of the targets were members of the two largest German political parties, the center-right CDU/CSU and the center-left SPD. 

Dave Bittner: Security firm FireEye's 2020 account of Ghostwriter described it as a disinformation peddler. Quote, "The operations have primarily targeted audiences in Lithuania, Latvia and Poland, with narratives critical of the North Atlantic Treaty Organization's presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda," end quote. FireEye didn't go so far as to identify the group as a unit of the Russian government, but objectively, as people say, Ghostwriter acted in the Russian interest. German security services have warned that follow-on operations should be expected. 

Dave Bittner: Channel Nine Australia sustained a cyberattack yesterday that knocked some programming off the air. The Sydney Morning Herald describes the attack as some kind of ransomware likely created by a state-based actor, with speculation suggesting either China or Russia as the country of origin - that is, the attack looks like ransomware, but it may have been a simple destructive attack, like NotPetya, especially since no ransom demand has been received. Sino-Australian relations have grown frostier over the past year, and Russia has a more proximate motive to hit Nine. They may not care for some of the outlet's reporting. 

Dave Bittner: In any case, TVBlackBox is calling the attack for Moscow and says it appears to have been an attempt to disrupt the broadcast of a Nine investigative report on Russia's use of Novichok nerve agent against dissidents, spies and other undesirables. Novichok also killed at least one entirely uninvolved person in the U.K. as sad collateral damage in an unusually reckless and ruthless GRU operation. 

Dave Bittner: Nine seems to think it was the Russians, too, or at least some of its on-air talent does. When Nine got back on the air this morning, albeit in a somewhat degraded form - they were using hand-drawn graphics, for example, their regular computers being unavailable, and they experienced some brief dead air. Their weekend host, Karl Stefanovic, asked for the audience's understanding and indulgence. Quote, "Bear with us as we try and work around these technical issues caused by Vladimir. We're not blaming anybody in particular," end quote. The Australian Cyber Security Centre is helping Nine. The Australian Financial Review quotes the agency as saying, "The ACSC is aware of a cyber incident impacting the Nine Network and has offered technical assistance," end quote. 

Dave Bittner: The Record by Recorded Future says that the PHP programming language's internal Git repository was compromised over the weekend with the insertion of a backdoor into its source code. PHP changed its Git commit workflow to preclude the possibility that the software supply chain might be corrupted by propagation of the backdoor into production systems. 

Dave Bittner: Apple issued three patches late Friday. The vulnerability, found by Google's Project Zero, affects WebKit, the browser engine behind Safari. TechCrunch reports that the bug may be under active exploitation in the wild by unidentified actors. 

Dave Bittner: Computing reports that lifestyle retailer FatFace has paid the Conti ransomware gang $2 million in Bitcoin, knocked down from an original ransom of $8 million. Conti's operators said they didn't want to bankrupt FatFace. Part of what Conti gave the retailer in exchange for the payment was advice, mostly bromides, quote, "implementing email filtering, reviewing active directory password policy, conducting employee phishing tests and investing in better endpoint detection and response technology." Sure, good enough advice, albeit probably not worth 2 million bucks. Whether the Conti gang will be as good as its word and refrain from dumping or selling the data they stole remains to be seen. 

Dave Bittner: A flaw in the website established by the new Scottish independence party Alba leaked personal data of some 4,000 people who had registered for party-sponsored events over the weekend. The exposure occurred within hours of the new party's formation, ITPro reports.

Dave Bittner: Google's Project Zero on March 18 announced that it had discovered and responsibly disclosed 11 zero-days being actively exploited in the wild by an unknown actor. It turns out, MIT Technology Review reports, that the unknown actor was an unspecified Western security service engaged in an unspecified counterterrorist operation. A former senior US intelligence official told Technology Review that, quote, "There are certain hallmarks in Western operations that are not present in other entities. You can see it translate down into the code. And this is where I think one of the key ethical dimensions comes in. How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime," end quote. So the stigmata of oversight are visible all the way down to the software level. 

Dave Bittner: A former contract linguist for the US Department of Defense has taken a guilty plea to a single count of delivering national defense information to aid a foreign government. The US Justice Department said on Friday that Mariam Taha Thompson admitted in her allocution that she shared names of US government assets with a Lebanese man who had connections to Hezbollah. She was arrested by the FBI in February of 2020 and will be sentenced this summer. The maximum sentence she faces is life in prison. The story is a sad one, because she was recruited in a romance scam. The Justice Department said Friday, quote, "During today's plea hearing, Thompson admitted that beginning in 2017, she started communicating with her unindicted co-conspirator using a video chat feature on a secure text and voice messaging application. Over time, Thompson developed a romantic interest in her co-conspirator," end quote. Her continuing cooperation with the officer who was running her as an agent was driven, Military Times reports, by her hope of an eventual marriage and by her fear that her contact would end the relationship should she stop providing information. 

Dave Bittner: And finally, in other news out of the US Justice Department, COVID-19 scammers are being vigorously prosecuted. As of Friday, Justice said that it had publicly charged 474 defendants with crimes related to COVID-19 fraud. The cases represent, in the aggregate, an attempt to fraudulently obtain some $569 million. The three biggest classes of scam Justice has taken action against are schemes targeting the Paycheck Protection Program, PPP, the Economic Injury Disaster Loan program and, of course, unemployment insurance fraud. It's a safe bet that there are more than 474 scammers out and about. So stay safe and wary out there. 

Dave Bittner: Ransomware continues to be on the rise, and in response, the U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - launched a campaign to reduce the risk of ransomware, including tips for best practices for home users, organizations and technical staff. Tal Zamir is founder and CTO at Hysolate, a provider of secure workspace products. And he joins us with reactions to CISA's guidance. 

Tal Zamir: So they practically started a campaign to raise the awareness to ransomware and kind of a guide, a detailed guide on what to do around the ransomware in certain aspects - right? - things like reducing the probability to get infected by malware, like, ransomware to begin with and how to respond when an incident happens. And I think that while the guide provides and this campaign provides good basic tips and basic cyber hygiene, which is, of course, welcome in kind of a concentrated way, I think it misses some, you know, aspects that are beyond just preparing for an incident and what to do when you get hit or how to kind of back up your systems in case you get hit or, you know, hardening your end points to prevent users from making mistakes. I think what it's missing is talking about how to reduce the impacts when you get it so that you don't need to do all of those, you know, after-the-fact mitigations. So I think how you isolate the problem, how you make sure that the blast radius is limited - when you will get hit - and you'll probably get hit - I think that that's a very important aspect that is, I think, to some extent missing in the campaign. 

Dave Bittner: Well, let's go through that together. I mean, what are some of the specific things that you recommend? 

Tal Zamir: Sure. So first, just to extend what I mean, you know, but, you know, how the advice that they give there is limited because, you know, if you're kind of a midsize organization and the advice there is, OK, you need to patch all of your software immediately as soon as you can. That advice that's for nonhuge organizations is tough to follow, right? Patching everything on your machine immediately across the operating system and applications and agents and drivers and what have you is tough, right? Other than that, you know, training users not to make mistakes. It's good to - good best practice, but it's - you know, we're all human. We make mistakes. So it's kind of not very practical to really close the gaps there. And hardening the endpoints and, you know, limiting what users can do will - from what we know from our prospects, is limiting business productivity. So you close the endpoint. You can't do that and that and that. You can't browse the web. You can't, you know, install applications. And you end up with very frustrated users, especially when those are knowledge workers and the likes. 

Dave Bittner: That's Tal Zamir from Hysolate. 

Dave Bittner: And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it's always great to have you back. I want to touch base with you today on zero-trust architecture, the types of things that you and your team are tracking when it comes to that. 

Betsy Carmelite: Let's start, Dave, with some conceptual definitions around zero-trust approach or architecture, as we hear this term more and more, particularly in relation to protection against a future SolarWinds or a similar supply chain attack scenario. This is where we see organizations we work with show interest in zero trust, the need to change how we view proactive risk reduction. We've also seen the recommendation for adoption of zero-trust concepts that NSA published last month. And it's been described as a security model. So let's take that a little further and how we've been talking to our organizations about it. 

Dave Bittner: OK. 

Betsy Carmelite: There are three ways to look at zero trust as a mindset to adopt. First, the mindset builds off three key concepts - assume breach, never trust, always verify and, finally, use least-privilege access. So this can be a real mindset shift for those enterprises who are working merely towards security compliance. Secondly, changing the mindset of an organization to assume bad actors have already breached your network changes how you apply security controls. Keeping up your defensive guard is important, but we need to also apply security controls to reduce the impact with the they're-already-in-our-network mentality. So we need to think lateral movement, pivoting, privilege escalation, credential hijacking. And finally, it's about the data. Zero trust places focus on data and helps organizations focus on controls and steps needed to protect the most sensitive data on their networks. Risk-based decisions are paramount to ensure the right level of rigor is applied based on the inherent sensitivity and value of that data being protected. 

Dave Bittner: Now, in terms of that mindset shift, I mean, is there a hurdle when it comes to - I don't know - I guess the best word for it is ego - with some organizations? You know, if you say to them, assume that you've been breached, are there some people who have a problem with that mindset on principle? 

Betsy Carmelite: No, I don't think we're necessarily seeing that hurdle. One of the questions we see most often is, where do we start? And maybe more on the ego, like, does my organization have what it takes to start adopting zero trust? We get right down to these questions in workshops and try to understand the organization's maturity and describe the use cases that will resonate with them. So first, we like to convey that breaking down barriers is probably the first thing that they need to consider if - you know, am I ready to start this? The heart of that is clear communication strategies at all levels for adopting zero trust. I mentioned all these levels because zero trust is looking at cybersecurity as a whole, not in silos or in cybersecurity functions individually. It requires a lot of coordination between infrastructure and engineering, security and all of the implementation teams. And, sometimes, we have to orchestrate that participation as Booz Allen to get the information flowing and be very intentional about prompting for information. You'll always have the people who respond and don't respond and the people who like to talk. And we really need everybody talking to get that full participation. Secondly, gaining and maintaining leadership engagement, finding that champion, finding the advocate - we see that need at, really, the highest levels for successful implementation. Even in highly effective or mature organizations, the move to zero trust is a multi-year journey requiring upfront and continuous commitments from current and future leadership. And finally, we do say a process designed and adhered to conduct discovery, baseline existing capabilities, mitigate critical gaps and design solutions for long-term sustainability. That process is really key to establishing that early. 

Dave Bittner: So it really is a culture shift but also a long-term journey that organizations have to go on. 

Betsy Carmelite: It is. It is. And this shift really has been triggered by the industry mindset for many years that perimeter security provided organizations a level of protection to keep threats out of the network. There is the trusted domain, the untrusted domain, the DMZ. And if you were on the trusted side of that perimeter, there is a sense of comfort to communicate, exchange and access information freely. Basically, we're good, we're secure. And over the years, we've seen organizations' perimeters continue to lose their value in providing that overall security. Technologies and human behaviors are testing those boundaries. And the perimeter is becoming nonexistent as organizations adopt software-as-a-service technologies or remote users as the norm. And in the case of the insider threat, the threat's already inside the perimeter. So, again, changing environments require changing mindsets. 

Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Anytime, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. People can see the difference. Listen for us on your Alexa smart speaker, too. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.