The CyberWire Daily Podcast 5.17.21
Ep 1334 | 5.17.21

Japan calls out China for cyberespionage. Colonial Pipeline restores service. Wither the DarkSide? Conti hits Irish health organizations, and Avaddon strikes AXA.


Dave Bittner: Hi, everybody. We're excited to let you know that we're adding an incredible new show to the CyberWire podcast network. It's Microsoft's "Security Unlocked: CISO Series with Bret Arsenault." Listen in as Microsoft's chief information security officer, Bret Arsenault, talks one-on-one with the industry's leading CISOs as well as technology leaders at Microsoft. In each episode, Bret and his guests will dive into the biggest challenges in cybersecurity, sharing new ideas and perspectives and provide practical guidance based on the actual strategies implemented by Microsoft and Microsoft's biggest customers. You're not going to want to miss this one. Check it out on our website at That's And be sure to subscribe wherever you get your favorite podcasts. A big welcome to Microsoft to the CyberWire podcast network.

Dave Bittner: Japan calls out China for cyber-espionage. Colonial Pipeline restores service as organizations look to their own vulnerability to ransomware. The DarkSide gang may have said it's going out of business, but it's likely that they're either rebranding or absconding. Two other gangs are in business. Conti is hitting Irish health organizations, and Avaddon says it compromised insurer AXA. Rick Howard looks at new responsibilities for CISOs. Our guest is Samantha Madrid of Juniper Networks on establishing automation and security integrations seamlessly. And a spy gets 15 years in a U.S. prison. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 17, 2021. 

Dave Bittner: Japan has publicly identified the Chinese government as responsible for recent cyberattacks, Nikkei Asia reports. It's an unusual move for Japan, which has normally been circumspect in its attributions of hostile activity in cyberspace. Japanese police chief Mitsuhiro Matsumoto officially identified China as responsible for an attack for which the Tokyo Metropolitan Police Department filed a case on April 20. According to Yahoo News, the suspect is a Chinese systems engineer who is also a member of the Chinese Communist Party. He's alleged to have participated in cyberattacks against JAXA, the Japan Aerospace Exploration Agency, and some 200 other Japanese companies and research institutions in 2016 and 2017. Zee News reports that the suspect has now fled Japan. 

Dave Bittner: Japanese police were specific in their attribution. Quote, "It's highly likely that the PLA's Unit 61419, a strategic support unit operating from the Chinese city of Qingdao in Shandong province, was involved in the cyber-espionage," end quote. China's government has dismissed the attribution with indignation. Quote, "China is firmly opposed to any country or institution using allegations of cyberattacks to throw mud at China," a foreign ministry representative said. The reliably Beijing-aligned Global Times asks if Japan is about to, quote, "fumble policy to behave like Australia in confronting China," end quote, which suggests that both Tokyo and Canberra are on to something. 

Dave Bittner: Colonial Pipeline tweeted Saturday that its service had returned to normal. The company's decision to pay the extortionists' ransom has drawn generally adverse comment, ironic given that paying $5 million to DarkSide, the gang responsible, apparently didn't aid the recovery, which Colonial Pipeline had to do in the end from its own resources. Some, like the U.S. National Security Council's Anne Neuberger, expressed some sympathy for organizations caught in a tough spot. CNBC quoted her as saying, "We recognize that victims of cyberattacks often face a very difficult situation, and they often have to just balance the cost-benefit when they have no choice with regards to paying a ransom. Colonial is a private company, and we'll defer information regarding their decision on paying a ransom to them," end quote. This is not by any means an endorsement of giving in to extortionists. She pointed to the FBI's unambiguous advice against paying ransom. And overall, the consensus is with CISA, whose advice is summarized by SIGNAL: paying the ransom isn't a good practice. WIRED offers a long summary of the ways in which payment perpetuates a vicious cycle and fuels a bandit economy. 

Dave Bittner: The consensus is also that ransomware attacks against critical infrastructure are likely to be attempted again. An op-ed published by the Australian Broadcasting Corporation frames the incident as a warning that there's worse to come unless the major cyber powers can arrive at some international norms that would produce an effective arrangement in cyberspace. The New York Times, in a piece that accepts DarkSide's self-presentation as a group of apolitical criminals, argues that the incident should be assessed in terms of the vulnerabilities it exposed. 

Dave Bittner: The DarkSide ransomware gang, which has said that it lost control of both servers and at least some of the money it had extorted from victims, said late last week it was closing down, going out of business. The Wall Street Journal has an update on this particular going-out-of-business announcement. And they note that cybercriminal gangs have been known to announce their ride into the sunset, only to reappear again after a decent interval, usually under a new name. So it could be, as Security Week puts it, that the DarkSide operators are running scared. It's also possible, as FireEye tweeted, that the hoods are simply taking advantage of an opportunity to abscond with their criminal affiliates' money in an exit scam. That's happened before, too. But it's a bit too early to tell exactly what's going on with them. It would be naive to think that the people behind the scam have retired, gone straight or moved on to another criminal line. 

Dave Bittner: DarkSide isn't the only ransomware gang to make news. Ireland's Health Service Executive has come under a ransomware attack that's interfered with scheduling care. And that may, The Wall Street Journal reports, end up costing the public health care organization tens of millions of euros to remediate. The Irish Times says the country's Department of Health has also come under attack, probably by the same gang. Sources in the Irish government indicate that the victims do not intend to pay the ransom. 

Dave Bittner: Bleeping Computer identifies Conti as responsible. Conti's technique is usually to breach a network and move laterally until it obtains domain admin credentials. At that point, the operators use reflective DLL injection to deploy fileless ransomware payloads. Conti is described as a private ransomware-as-a-service operation. It recruits hoods to deploy its malware in exchange for a share of any ransom the victims might be induced to pay. The government of Ireland said in an official statement issued by the Department of Environment, Climate and Communications, quote, "The HSE became aware of a significant ransomware attack on some of its systems overnight. The National Cybersecurity Center was informed of the issue and immediately activated its crisis response plan." 

Dave Bittner: Insurer AXA, last week, took a strong line about ransomware payments, saying that it would no longer cover them. Over the weekend, the underwriter's business units in Thailand, Malaysia, Hong Kong and the Philippines were themselves hit by ransomware. Bleeping Computer reports that the Avaddon gang has claimed responsibility and says they've taken some three terabytes of sensitive data from the company's networks. Coincidentally or not, AXA was also subjected to some distributed denial of service activity. 

Dave Bittner: And finally, on Friday, Peter Dzibinski Debbins, the former U.S. Army Special Forces officer convicted of spying for the Russians, was sentenced to 15 years' imprisonment by U.S. District Judge Claude Hilton. That's two years shy of the 17 years prosecutors had asked for, but a lot more than the five years his defense attorneys had recommended. The case touched on all four of the traditional motivations for espionage expressed in the acronym MICE - M for money, I for ideology, C for compromise and E for ego. Mr. Debbins received a little bit of direct compensation of some monetary value, apparently not much, from the GRU for information he provided them. He also had conceived a quasi-patriotic attachment to Russia, at least as far back as his days in ROTC at the University of Minnesota, characterizing himself as a loyal son of Russia; whether that involved serving the Kremlin or freeing Russia from the Kremlin's boot apparently varied from time to time. 

Dave Bittner: According to the Army Times, Debbins wrote, quote, "I had a messianic vision for myself in Russia, that I was going to free them from their oppressive government, so I was flattered when they reached out to me," end quote. He also said he was being blackmailed by the GRU, who were threatening to either expose him for same-sex attraction or kill him or both should he fail to play ball. The prosecutors said at the sentencing hearing that claims of extortion were news to them, that Mr. Debbins hadn't mentioned that to investigators. And finally, Mr. Debbins seemed to have felt a sense of ill use and injured merit that turned him against the United States Army. 

Dave Bittner: At any rate, it's an old story. Change Russia to His Majesty King George III, and take out the same-sex attraction stuff, and it all could have been said by Benedict Arnold. 

Dave Bittner: There is a tension that often occurs when configuring a data center. Focusing on agility helps make operations fast and productive, but a focus on security infrastructure can establish protected networks. This can create a type of seesaw effect as operators split their resources between these two priorities. Samantha Madrid is vice president of security business and strategy at Juniper Networks, and she joins us with insights on how intent-based networking can help put data centers in proper balance. 

Samantha Madrid: There are traditional data centers. I know when people think of it, I think they think that - of the centralized racks of servers, which most people think of when you think of data center. But there is an emerging model in distributed compute nodes deployed deep in a network and close to end users. And so when you think about what a data center is, all of this, in my view, is a data center. And so it's about really strengthening that posture and bridging both operational efficiencies with security. And I think the seesaw effect is really kind of shining a light on trade-off decisions that have been made in years past and teams being put in that position. And I think, organizationally, companies need to think about security more holistically, taking the step back and thinking about what security needs to look like in terms of business outcomes. And I think that one of the challenges has been, historically, is decisions have been made in a very siloed way, meaning we see a problem; let's address that specific problem - instead of taking a step back and asking a very fundamental question, what is it we're trying to protect? 

Dave Bittner: So then what is to be done here? What do you recommend? 

Samantha Madrid: So you know, I really recommend - when you're kind of - like with anything, whatever the security or initiative is, what is the business outcome you're trying to drive towards? - and bringing in security at the start of that from the forefront. In terms of security specifically, I think we have to shy away from, as an industry, this brand bias, if I may be so bold as to say, where I think a lot of times there's a level of comfort that gives way to a popularity contest about a lot of vendors with respect to security. And we're not making the actual security decisions, which, in my view, what needs to happen is you need to have validated security efficacy. You need to understand and continuously monitor the ability to evolve with the threat landscape. What's the threat coverage? What's the catch rate? What's the false positive, false negative rate? Are you bringing security to every point of connection, you know, from your gateways, between your servers, each application and between data center locations and the workload itself? 

Samantha Madrid: I mean, the goal at the end of the day of a security team should be to be able to expand their aperture to see and detect as much as they possibly can and know that false positives will cause a team to turn off protections because it then starts to impede the business outcome. So to me, one of the most important things is maintaining high-level efficacy in evaluating technologies and of validating your proposed architectures against them versus what I personally see a lot of times, a popularity-driven decision based on a given vendor du jour. 

Dave Bittner: That's Samantha Madrid from Juniper Networks. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, it's great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on your "CSO Perspectives" podcast, which is over on the CyberWire's Pro side, you are on Part 2 of a three-part series on new CISO responsibilities. What do you have lined up for us this week? 

Rick Howard: Well, that's right, Dave. We are looking at potential new CISO tasks that have emerged in the last five years or so that have not traditionally been given to the CISO before. Like, when I had my first CISO gig - jeez - over 10 years ago, I don't like to admit that number, OK - but... 


Rick Howard: ...I pretty much only had to worry about the firewall, the intrusion detection system and the endpoint antivirus system. 

Dave Bittner: There was a lot less to secure back then, right? 

Rick Howard: Yeah, you know. It was a lot easier, OK. 


Rick Howard: But that was it. OK? That was all we had to worry about. But today, these modern CISOs, they have so many more things on their plate. They still have to do all the things that I had to do, you know, a decade ago. But they also have securing internal data centers and mobile endpoints and multiple clouds. And that's not even including the OT environments and the supply chain that have been in the news of - you know, of these last few weeks. So last week, we indeed took a look at operational technology and industrial control systems and whether or not the CISOs of the world had been formally given the responsibility to secure those environments. But in this week's show, we're talking about identity. 

Dave Bittner: All right. Well, I like the sound of that. You know, one of the things that it strikes me that, you know, identity is more complicated than it used to be. It used to be just user ID and password. But now, with the hotness being zero trust, seems to me like it's more complicated than that. 

Rick Howard: Yeah. In the old days, identity was essentially managing user IDs and passwords in Active Directory. And so that task generally fell to the CIO. But in today's complex environments, like you said, as we all try to implement the zero-trust stuff, a robust - and I mean robust - identity management system is an essential first step. So the question we try to answer this week is, if that is true - and I think both you and I think it is - if identity is the most important thing that CISOs have in their utility belt to build zero trust, shouldn't they own the responsibility to design it and maintain it? 

Dave Bittner: Well, "CSO Perspectives" is in Season 5 over on the CyberWire Pro side. But you've also been releasing your Season 1 episodes to the public at the same time. What are you talking about there this week? 

Rick Howard: Yeah. We've been trying to give the general public a taste of what the "CSO Perspectives" podcast is all about in a brazen attempt to show everybody what they're missing on the pro side. 

Dave Bittner: (Laughter) Right. 

Rick Howard: (Laughter) Right. And as you know, Dave, since you are an internet celebrity yourself, you don't come cheap. Right? So we have to pay the bills somehow. Right? 

Dave Bittner: Yes. OK. (Laughter) Right. 

Rick Howard: It may be my salary, too. So this week's episode is a fun one. We talk about what exactly is the dark web and how does Tor, or the Onion Router, fit into it and the fact that Tor started out as a U.S. Navy research project. And finally we get to the meat of the matter, which is we address whether or not you should be paying commercial intelligence companies for intelligence products that focus on that world. 

Dave Bittner: All right. Well, there's plenty to check out. We've got "CSO Perspectives" over on the pro side and earlier episodes from "CSO Perspectives" on our website. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.