FBI fingers REvil as the gang behind the JBS ransomware. Privateering may come up at the US-Russian summit. Ransomware at regional transportation operations. Cyberespionage in Southeast Asia.
Elliott Peltzman: Hey, everyone. This is Elliott, the CyberWire's director of sound. I wanted to let you know that we're currently hiring. We're looking for an experienced audio editor to join our growing podcast team. This person would help me with all the interviews we take in and our expanding list of shows and audio content we produce every day. We've got so much exciting stuff in the works, I'm definitely going to need some help to make sure we continue to bring you the same high-quality content you've come to expect - just more of it. If this sounds like you or someone you know, visit thecyberwire.com/careers to learn more. That's thecyberwire.com/careers. Thanks.
Dave Bittner: Evil, your name is REvil, except when it's Sodinokibi. The U.S. is expected to make strong objections to Russian cyber privateering in the upcoming summit. Other ransomware incidents are disclosed by regional transportation operators. A possible Mustang Panda sighting. Andrea Little Limbago from Interos on cyber-related executive orders. Our guest is Terry Halvorsen from IBM on the need for investment, research and collaboration in preventing quantum cyberattacks. And mamas, don't let your babies grow up to be DDoS jockeys.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 3, 2021.
Dave Bittner: The U.S. FBI has attributed the ransomware attack against multinational food processor JBS to the REvil criminal gang, also known as Sodinokibi. The bureau's statement reads in full, quote, "As the lead federal investigative agency fighting cyberthreats, combating cybercrime is one of the FBI's highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyberactors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber-adversaries. A cyberattack on one is an attack on all of us. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices," end quote.
Dave Bittner: BleepingComputer notes that REvil is an affiliate operation that surfaced in April of 2019. The gang, which operates from Russia, is generally regarded as a successor to the GandCrab group, which itself nominally suspended operations in June of that year. Bear that in mind the next time a gang piously or smugly says it's either seen the error of its ways or made enough money to retire. If you are quick to believe that, we've got a nonfungible token to sell you.
Dave Bittner: This is the second major ransomware incident to disrupt a large player in a sensitive sector in as many months. May saw DarkSide's attack on Colonial Pipeline, and now REvil has hit a major meat supplier. Reuters reports that most affected JBS plants resumed operation yesterday, but the incident, following as closely as it did on the Colonial attack, has put a burr under American saddles as President Biden prepares for a summit with his Russian counterpart later this month. White House press secretary Jen Psaki said, quote, "We're not taking any options off the table in terms of how we may respond. But, of course, there's an internal policy review process to consider that. We're in direct touch with the Russians, as well, to convey our concerns about these reports," end quote.
Dave Bittner: The ransomware attacks are an increasingly sensitive issue in Russo-American relations because of the evidence that gangs like REvil and DarkSide - and there are many others - operate with the permission - at least tacitly - and effectively under the protection of the Russian state. The Washington Post reports that President Biden intends to hammer President Putin over the gangs during their summit, but there's general skepticism that a diplomatic protest, however starchy, will have much effect. The Russian response to complaints about its misbehavior is traditionally to demand evidence so that Russia and the complaining parties can jointly investigate and arrive at some consensus. The Post quotes Jim Lewis of the Center for Strategic and International Studies on what's likely to happen at the summit. Quote, "The president is very determined on this, but the first thing Putin will do is say, prove it. And he doesn't mean prove we did it. He means prove you'll do something back," end quote. Absent some proportional retaliation that hurts the interest of people who count, few see much prospect of a change in Russian policy with respect to cyber privateering.
Dave Bittner: Neither JBS nor Colonial, of course, have been the only victims of ransomware. New York's Metropolitan Transportation Authority also disclosed on Wednesday that it had sustained a hack in April, although the incident didn't affect transportation systems or personal data, which should count really as a kind of success. The Gothamist reports that the Cybersecurity and Infrastructure Security Agency alerted the MTA to the incident on the day it occurred and recommended some immediate responses. The MTA brought in Mandiant and IBM to help with investigation and remediation. They didn't find any evidence of data loss or compromise of systems, so MTA's defenses seem to have held. CISA seems to have been properly alert and helpful, and IBM and Mandiant came in to help investigate. MTA says it's gratified with the way things worked out, but that it's still looking into lessons learned. MTA serves some 15 million passengers in the New York area.
Dave Bittner: The Steamship Authority, which operates ferries in the U.S. state of Massachusetts, disclosed that it suffered a ransomware attack yesterday. Ferries continued to run, and there's no reported safety of navigation issue. But customers' ability to book tickets and pay for them has been disrupted. The Steamship Authority recommends using cash to ride. The Steamship Authority is best known for its runs to Nantucket and Martha's Vineyard. These aren't the sort of quick 25-minute rides you New Yorkers, accustomed to using the Staten Island ferry when you're not strap-hanging on the unrelated MTA subway, might have in mind. It's 45 minutes to the Vineyard and 2 1/4 hours to Nantucket - or so we hear. The high-speed catamarans can make Nantucket in about an hour, but if you're bringing your car along, it's a more leisurely passage - so a longer ride, but still temporal chicken feed compared to the nine to 11 hours it'll take you to get from Melbourne to Tasmania.
Dave Bittner: Check Point describes a Chinese cyber-espionage campaign that deploys a novel Windows backdoor to gain access to a Southeast Asian government's sites. The campaign placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times. ESET researchers who've been working on the case tweeted that the affected government was Myanmar's and that the responsible threat group is Mustang Panda. The Record reports that the attack effectively transformed the country's presidential website into a watering hole.
Dave Bittner: The Wall Street Journal reports a surge this week in some meme stocks - that is, a rapid rise in share prices driven by speculative chat in various social media. AMC Entertainment and BlackBerry, both popular with individual retail investors, are among the meme movers. Also surging, some 10%, was Samsung Entertainment, after a casual Elon Musk tweet about the kiddie song "Baby Shark," owned by Samsung Entertainment, pumped investment. Increased liquidity the U.S. Federal Reserve introduced into American markets last year is seen as the root cause of these speculative jumps, with social media providing powerful amplification. GameStop's rise in January and the short squeeze it produced was the first famous instance of meme speculation.
Dave Bittner: And finally, a 17-year-old, who'd been a junior at St. Petersburg High School before his hacking got him expelled, has been arrested and charged with hacking the Pinellas County School District back in March. The Tampa Bay Times reports that the teenage boy - he remains nameless publicly on account of his tender years - organized a distributed denial of service attack that knocked the district's 145 schools offline for two days. The attack was especially inconvenient because it coincided with a period of testing. The student says he immediately regretted what he'd done, but that he found it impossible to unring that particular school bell. He's sorry and now hopes to get his GED and maybe work toward a career in cybersecurity after the felony computer crime business is resolved. Here's one more incentive for schools to up their security game - not only will it protect your systems, but it will remove what the lawyers might call an unattractive nuisance, too, helping the kids to stay honest.
Dave Bittner: Research and development on quantum computing continues in both industry and at the nation-state level. I recently spoke with Terry Halvorsen, IBM's general manager for client and solutions development for federal and the public sector. Prior to IBM, he was chief information officer for the U.S. Department of Defense. Here's Terry Halvorsen.
Terry Halvorsen: Well, I think we're probably still a ways off from true, you know, quantum computers. But we are certainly at the point where we are being able to start doing what I'll call the beginnings of quantum compute. We're doing some work in the medical area with Cleveland Computing. And on the secure side, there are two things we should talk about.
Terry Halvorsen: One is, you know, quantum-proof encryptions, which is using today's, you know, type of computers, but changing the algorithm so that when true quantum computers are out, they will still have encryption that is quantum-proof.
Terry Halvorsen: And then there is the promise of being able to use quantum computers to develop truly quantum-based encryption.
Dave Bittner: Where do we stand in terms of organizations in general putting in that effort to make sure that when the day comes, they're ready?
Terry Halvorsen: Well, I think you're seeing, you know, some work in the commercial sector. But the biggest areas that I see that are really focused on that today are governments. Certainly the U.S. government and many of its allies are spending research dollars today. There are government initiatives, you know, that are kind of funding some public sector work on the quantum-proof encryption. And certainly governments today are showing great interest in developing quantum computers and are backing some of that with research dollars.
Dave Bittner: Is there a bit of a space race going on with quantum? I mean, is this something where we should be concerned about the progress of some of our adversaries?
Terry Halvorsen: I would just say that all governments are very interested in getting to quantum, both quantum-proof encryption and to getting to true quantum as fast as possible.
Dave Bittner: Where do you see things going in the next year or so, then, in terms of the developments of these capabilities? Are we going to see them trickling down into regular use any time soon?
Terry Halvorsen: I think you're going to see them, you know, certainly start becoming more a part of government systems. I think we're probably a little bit longer, maybe a couple years, before we really see, you know, quantum-proof encryption going beyond maybe government or government-related. And I will say, you know, medical is certainly a government-related issue. So I think you'll see some interest in that area. And we're probably, you know, anywhere from three to five years away before I think we will see quantum really become - begin to become part of more of the commercial ecosystem.
Dave Bittner: That's Terry Halvorsen from IBM.
Dave Bittner: A quick note on this segment between me and Andrea Little Limbago. We recorded this segment right before the most recent presidential executive order on cyber was released, so there are a few statements in here that might sound a little bit out-of-time. The conversation is a good one, so instead of spiking the whole thing, we share it with you today and trust you can interpret it in proper context on the fly.
Dave Bittner: And joining me once again is Andrea Little Limbago. She's the vice president of research and analysis at Interos. Andrea, it is always great to have you back. As you and I record this, we are expecting some executive orders from the U.S. administration, one of them probably about supply chain. I know you're tracking these developments. What can you share with us today?
Andrea Little Limbago: Yeah, so there are two that are imminent, and one came out, but the results of it are supposed to come out in June. So the supply chain executive order came out in late February and basically required 100 days to look at various forms of building resilience across the supply chain. So that's going to come out in June. And so it's focused on a lot of things that are near and dear to, you know, cybersecurity folks, as far as a lot of the components that go into building our technologies. It's very emerging-technology-focused. It's a good part on pharmaceuticals, which, again, makes sense. But for, you know, this audience, there's a lot on emerging technologies, raw materials, semiconductors, batteries - everything that goes into the technologies that we all try and secure.
Andrea Little Limbago: And so we'll see what happens with that. And really, it's toward building greater resilience and also some level of self-sufficiency in it. And so that's - basically, the 100-day review is supposed to come back and give us some idea of what - you know, how we're going to start rethinking supply chains in the United States. And at the same time, any day now, there have been copies of a cybersecurity executive order that have been - you know, they've been starting to circulate. So we have a decent idea, unless those drafts change, of what's going to be in it. And it's basically requiring a lot of what, you know, security industry has been asking for for quite some time. You know, it's everything in multifactor authentication, you know, various kinds of security controls to be in place. There could be a software bill of materials that goes in there to ensure that you have some traceability of where the code's coming from, probably a breach notification requirement.
Andrea Little Limbago: The thing with a cybersecurity executive order, though, it is only for federal contractors and those within federal agencies. And, I mean, it's true for both these. But for the supply chain, it can expand a little bit more into other industries, as far as regulation. For cybersecurity, it really does focus only on the contractors and federal agencies, but it is a big first step. And it can be a - you know, for both cases, I'm hoping that it's up there - a forcing function for broader strategic shift as we start thinking about, you know, supply chain security and cybersecurity moving forward. And for the cybersecurity law, it really - you know, it's a focus on defensive posture. And I think that's something that has been overlooked a fair amount for quite some time. And so, you know, the interesting thing along with it is that, you know, on the one hand, you know, there's going to be - you know, for companies that fail to meet some of these requirements, you know, they'll lose the ability to work with the government. And for many, that's a large amount of money. But hopefully that spills over into other areas as well and can become - and can help inform a broader, you know - a broader technology strategy, really, across the U.S.
Dave Bittner: Could this be, hopefully, a competitive advantage for companies who are able to meet these standards? They can - you know, you see in marketing materials sometimes, you know, our product is military spec...
Andrea Little Limbago: That's right (laughter).
Dave Bittner: ...You know, that sort of thing. And, I mean, that causes a certain amount of eye-rolling, I think. But the spirit of that - you know, could that trickle down to the business-to-business and even consumer markets?
Andrea Little Limbago: Yeah, I think that's fine. For sure, you'll start seeing people with a military-grade security that's put on there. But I do. I actually 100% think it can be competitive advantage. And I think that - you know, if I was in the government, that's how I would frame it as well. I mean, it's not just your good security, but it will be a competitive advantage. And this is, again, where I look at cybersecurity and supply chains as so interconnected because, you know, as companies are looking out and they're, you know, rethinking their supply chain, who their partners are, if all else equal, one has much higher security and can demonstrate that versus another one who's pretty lackadaisical about their security, the one with the higher security, I would imagine, 9 out of 10 times, will get that contract.
Andrea Little Limbago: And so I do think that it becomes a competitive advantage, both just as far as in the selection, but then also if, you know, it should enable them to have better - to have that better security that, you know, keeps their company's name off the headlines, which also can become a competitive advantage. And so I do think it absolutely can be. And I think there's a lot that can go along with, you know - of making cybersecurity good business. And that's where hopefully it will go toward because we really do - I mean, when we look at, you know, what's going on with the oil pipeline - you know, the city of Tulsa was hit with ransomware, and we're still trying to figure out - and this executive order for cybersecurity was largely framed as a response to SolarWinds and, you know, the whole range of supply chain attacks that have been going on. You know, it's just - it's getting old hearing - seeing the headlines of, this will be the wake-up call, right? I mean, we've had wake-up calls, I would argue, for decades now.
Andrea Little Limbago: So I'm hoping - I'm cautiously optimistic that this might be, you know, a start in just reframing how we think about cybersecurity and supply chains and really preparing our federal government and our companies for, you know, this new technological competition that we're emerging into.
Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: All right, thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.