The CyberWire Daily Podcast 6.21.21
Ep 1358 | 6.21.21

South Korea’s nuclear research institute discloses cyberespionage incident. Norway attributes 2018 incident to China. Poland blames Russia for email hacking as NATO clarifies alliance cyber policy.


Dave Bittner: The South Korean nuclear research organization sustained an apparent cyber-espionage incident. Norway's investigation of its 2018 breach of government networks concludes that China's APT31 was behind it. Poland accuses Russia in a long-running email hacking case. Our guest is Mark Testoni from SAP NS2 on where the Justice Department should focus during its upcoming cyber review. Chris Novak of Verizon on financial versus espionage breaches. And NATO seeks to clarify its policies in cyberspace, including a recommitment to Article 5 and a revision of the Tallinn Manual.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 21, 2021. 

Dave Bittner: South Korea's nuclear research organization says it sustained a cyberattack, and suspicions point toward North Korea. The South Korean Atomic Energy Research Institute, KAERI, disclosed Friday that several unauthorized parties obtained access to their internal networks. The Record reports that some of the infrastructure used in the intrusion was traceable to North Korea's Kimsuky group. KAERI had initially denied that the incident had occurred. The institute apologized Friday for its earlier statements. According to BleepingComputer, the intrusion took place on June 14, and the threat actor gained access through a VPN flaw. 

Dave Bittner: Earlier this month, Malwarebytes Lab published a report on Kimsuky, a threat actor generally believed to work for the Democratic People's Republic of Korea's Reconnaissance General Bureau - that is, for North Korea's intelligence service. Malwarebytes listed an extensive number of targets, including the Ministry of Foreign Affairs, Republic of Korea first and second secretaries, the trade minister, the deputy consul general at Korean Consulate General in Hong Kong, the International Atomic Energy Agency nuclear security officer, the ambassador of the Embassy of Sri Lanka to the Republic of Korea and the Ministry of Foreign Affairs and Trade counselor. 

Dave Bittner: Norway has attributed a 2018 breach of its government IT network to China. Specifically, the Police Security Service, known by the acronym PST, said the cyber-espionage incident was the work of APT31. The PST stated, quote, "the investigation revealed that the actor succeeded in acquiring administrator rights that gave it access to centralized computer systems used by all state administration offices in the country. The actor also succeeded in transferring some data from the offices' systems. No reliable technical findings have been made of what information was transferred, but the investigation shows that there were probably usernames and passwords associated with employees in various state administration offices," end quote. 

Dave Bittner: Warsaw says its recent cyberattack was Moscow's work, or at least the work of threat actors working from Russia. Senior members of Poland's government met last week for a closed-door discussion of an email-hacking incident. On Friday, Deputy Prime Minister Jaroslaw Kaczynski said, as Reuters quotes him, "the analysis of our services and the secret services of our allies allow us to clearly state that the cyberattack was carried out from the territory of the Russian Federation. Its scale and range are wide," end quote. 

Dave Bittner: Emails belonging to members of parliament and government officials were accessed, as were some emails belonging to members of their families. The incident seemed to have no particular bias for or against any political party, as multiple parties were affected. According to BleepingComputer, the attacks affected at least 30 members of parliament, officials and journalists, with the campaign beginning last September. The Record says that Poland's Internal Security Agency has notified its NATO allies of recent Russian cyberattacks, the goal of which, Polish officials say, has been to hit Polish society and destabilize the country. 

Dave Bittner: An EU diplomat familiar with the incident told Politico that, quote, "on Friday, Poland handed over to the EU member states, the European Commission and the Council a document on the details of cyberattacks carried out in recent days." That diplomat also said that "operational and technical analysis carried out by Polish national security incident response teams confirmed that the infrastructure and modus operandi used during cyberattacks were the same as those used by Russian-sponsored entities," end quote. 

Dave Bittner: Speculation in the press suggests that the email theft may have been the work of Russia's SVR. 

Dave Bittner: The statements by Polish authorities are worth reviewing in the context of the communique NATO issued last week after its Brussels summit and two days before Wednesday's meeting between Russian President Putin and U.S. President Biden. The Atlantic Alliance began by reiterating its commitment to Article 5, the collective defense agreement under which an attack on one member is regarded as an attack against all. It also called out the increasing tempo of Russian hybrid operations, specifically including cyber operations, disinformation and the toleration of cybercrime. 

Dave Bittner: The communique said, quote, "in addition to its military activities, Russia has also intensified its hybrid actions against NATO allies and partners, including through proxies. This includes attempted interference in allied elections and democratic processes, political and economic pressure and intimidation, widespread disinformation campaigns, malicious cyberactivities and turning a blind eye to cybercriminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries," end quote. 

Dave Bittner: With respect to cyberattacks in particular, the communique said that cyberthreats to the security of the alliance are complex, destructive, coercive and becoming ever more frequent. This has been recently illustrated by ransomware incidents and other malicious cyberactivity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm. 

Dave Bittner: In the event of a cyberattack, the North Atlantic Council would decide on a case-by-case basis whether to invoke Article 5. NATO's comprehensive cyber defense policy promises to actively deter, defend against and counter the full spectrum of cyberthreats, including those conducted as part of hybrid campaigns, in accordance with international law. 

Dave Bittner: And indeed, that international law continues to evolve as nations seek to achieve greater clarity over what's permissible and impermissible action in cyberspace. The Washington Post reports that the "Tallinn Manual on the International Law Applicable to Cyber Operations," the NATO-sponsored document that's occupied a leading position framing discussion of cyber conflict, will be undergoing its third revision, the first since 2017. 

Dave Bittner: The revision won't come quickly. A five-year process is envisioned. Among the aims of the revision are to clarify what commentators are calling the red lines that nation-states would cross at their peril and to help dampen the possibility that retaliation might lead to uncontrolled escalation. 

Dave Bittner: The Economist sees this convergence of cybercrime and state-directed hacking as a defining feature of next-gen bank robbery. Whether in the form of privateering, as observers have seen in the activities of Russian ransomware gangs, or in state toleration of cybercrime, a more charitable reading of the Russian gangs' activities, or even in direct theft by the states themselves, as seen in the operations of North Korea's Lazarus Group, the relationship can be close, complex and deniable. 

Dave Bittner: On the heels of several high-impact cyberattacks, the U.S. Justice Department recently announced a 120-day review of their cybersecurity strategy. Joining me to discuss that move is Mark Testoni, CEO of SAP's national security arm, SAP NS2, which provides cybersecurity and secure cloud solutions to U.S. government agencies. 

Mark Testoni: You know, we've had a series of events and - obviously, that are pretty significant in the cyber arena in recent months - going back to the fall, the SolarWinds and Hafnium situation, and then most recently Colonial. And now, even today, we have a meat-packing company out of Brazil that's been affected that's affecting us. The net is (ph) that I think there's an overall genesis or awareness of the cyberthreat indications that are much broader than the average person normally sees. 

Mark Testoni: And so as the new administration's coming in, many of the segments of government are looking at this problem and injustice as a very important role in cyber from a standpoint of the FBI. And even on a broader level, there's a cyber - a large cyber division within Justice. And I think they're stepping up to take a step back and a lead to say, hey, what should we be doing inside the federal government better and, perhaps more importantly, what should we be doing not only inside the government, but even beyond the walls of the government to create a greater sphere of collaboration? 

Mark Testoni: So I think it's just the nature of the threat, the evolution of the threat. And now it's - what's interesting in these latest attacks is they're becoming more on the - in the face of mainstream America. And it really shows the relationship between individuals, both as employees and companies and in themselves, and how they implicate this entire cyber. 

Dave Bittner: Where do you suppose they stand in terms of being able to collaborate with the private sector and to really execute on the plans that they come up with? 

Mark Testoni: Dave, that's a million-dollar question, or I guess in the old days, they would've said it was a $64,000 question. Interestingly, there have been many calls - Solarium Commission, Senator King - actually, I heard him recently talking about this. He wrote an op-ed in one of the papers talking about the need for collaboration. 

Mark Testoni: The problem I see with collaboration in general is the government views it as the private sector needs to share threat information and/or breach information with the government because - to help the government better understand the threat profile and to, quote, "get assistance." 

Mark Testoni: I really think there needs to be an approach that's different than the past. It needs to be true collaboration. And that's what's missing from even Senator King's remarks and others. It's about bringing not only the collection and sharing of information together, but the sharing of talent and resources. To me, that's critically important. Right now, I don't believe we have that strong form to be able to do that. 

Dave Bittner: Where do we stand right now when it comes to trust between the government and the private sector? I mean, is that a tenuous relationship? Is it healthy? What's your experience there? 

Mark Testoni: I mean, it's a mixed bag to some degree, Dave. I mean, companies get leery when they open their (unintelligible) at times to the federal government because they feel they potentially could face some sort of prosecutorial risk or other because maybe they didn't do things correctly. I'm not saying that companies and organizations shouldn't be pursued when they're negligent, but we want to not make that the first thing that organizations think about when they're in a collaborative mind. So we've got to create a forum that allows and policies that allow to make it easier for companies to feel comfortable in an environment. 

Mark Testoni: I'm confident that we will come to a place. In the America and United States, we often explore lots of ways to solve problems, and then we finally get around to doing the right thing, and I think we will here. The strength of this country has always been innovation. And the openness and freedoms that we have are both opportunities for us and part of our greatness, but they also make it easier for state actors and others to attack us. I think we're beginning to recognize that. As a result, I think we'll - I think if you and I are talking in a couple of years, we'll have seen great progress in this area. 

Dave Bittner: That's Mark Testoni from SAP NS2. 

Dave Bittner: And joining me once again is Chris Novak. He's the global director of Verizon's Threat Research Advisory Center. Chris, always great to have you back. I want to touch today on some stuff I know you've been tracking in terms of financial versus espionage breaches, specifically the A4 threat handbook. What are you guys working on there? 

Chris Novak: Sure, yeah. Great to be on the show again, Dave. Absolutely. Yeah, when we look at - you know, everybody tracks on the Verizon Data Breach Investigations Report. And one of the things that some people, if you've been tracking it since the beginning, you're familiar with the A4 model, which was the way we classified all the four As - actors, actions, assets and attributes - of a given incident. And so what we've done is essentially published what we call the A4 threat handbook to kind of help better put perspective on how we look at those four As, and then also in particular, comparing and contrasting how they relate between financially motivated breaches and espionage-motivated breaches. 

Dave Bittner: Well, let's dig into that some. I mean, is there - first of all, I'm curious. Is - are we seeing any sort of fuzzing between those two things? Is the line a clear one? 

Chris Novak: It's interesting that you ask that because when we look at it, you know, going back, you know, about 10 years at the data, we've actually kind of identified what we consider to be six different motives to cyberattacks. You see financial motivation, espionage, fun, grudge, convenience and ideology. That's the way that we've grouped them. 

Chris Novak: And the first two that I mentioned, financial and espionage, really are probably the most interesting just because they make up about 94% of all of what we see. The rest are really kind of a small, small blur in the background. 

Chris Novak: But when you ask about the line between the two, we actually see that if you look at the top targets for financially motivated breaches, the top three are financials - not surprising there - at 29%, accommodations at 16% and retail at 11%. And I think a lot of that has to do with the sheer quantity of very directly related financial data that there is in those environments to steal. 

Chris Novak: Versus if you look at the top three for espionage-motivated campaigns and breaches, you don't see those three in there at all. The top one is public sector at 29%, manufacturing at 21% and professional services at 10%. 

Chris Novak: And I think the reason we're not seeing as much blurring between the two is you look at espionage, it's almost entirely going after intellectual property and trade secrets. And if you kind of look at the mishmash of all the different industries that you're looking at, you know, you kind of see a pocket of real deep, valuable intellectual property in the public sector, manufacturing, professional services side of things. Or even on the public sector side, you got a lot of state secrets, whereas on the financial side, you know, that data is typically commingled in different types of institutions. 

Dave Bittner: And how does that extend to the threat actors themselves? I mean, do they tend to silo themselves into, you know, this group is focused on financial; this group is focused on espionage? What are you seeing there? 

Chris Novak: Yeah. Interestingly enough, what we typically see there is on the financially motivated attacks, it is almost exclusively organized crime that is behind a lot of that - is typically what we're seeing, and not terribly surprising. Organized crime, since the beginning of when we were tracking, probably, you know, criminal statistics - that's typically what they were motivated by was, you know, financial gain. 

Chris Novak: Whereas on the espionage side of things, typically what we see there is it is either nation-state or state affiliated is typically the leading elements of it. And then depending on, you know, if you kind of trail down from there, you may see some level of kind of corporate espionage at the next rung lower. But it is, I'd say, a fairly distant kind of second or third. 

Dave Bittner: Now, the A4 threat handbook - I mean, does this help organizations, you know, sort of dial in their risk profile for knowing what they should suspect they should defend against? 

Chris Novak: Yeah, that's exactly right - help them be able to do a couple things. One is so that they can classify and categorize their incidents in a manner that is similar to the DBIR because we know a lot of organizations, whenever a new version of that report comes out, the first thing they want to do is try to compare, how do we look versus the dataset as a whole? How do we look against our industry? If we want to compare ourselves apples to apples with our peers, how do we do that? Better understanding that A4 threat handbook will actually help organizations kind of better characterize their own incidents and put them into the similar kind of reporting format that we use for the DBIR so they actually have a better ability to compare and contrast against the broader dataset. Or what we're hoping is industry groups will adopt the same thing, and they'll be able to share and compare data as well. 

Dave Bittner: All right. Well, Chris Novak, thanks for joining us. 

Chris Novak: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.