The CyberWire Daily Podcast 10.7.21
Ep 1434 | 10.7.21

Espionage, mostly cyber but also physical. DDoS in the Philippines. TSA regulations for rail and airline cybersecurity are coming. US DoJ promises civil action for cyber failures. Twitch update. And NFTs.


Dave Bittner: Cyber-espionage seems undeterred by stern warnings. DDoS hits the Philippine Senate. The U.S. Department of Homeland Security intends to issue cybersecurity regulations for passenger rail and airlines. The U.S. Department of Justice intends to use the False Claims Act to bring civil actions against government contractors who fail to follow recognized cybersecurity standards. An update on the Twitch breach. Josh Ray from Accenture looks at what's going on with Fancy Lazarus. Our guest is Sam Ingalls from eSecurityPlanet on the state of blockchain applications in cybersecurity. And what would it take to get you kids into a nice non-fungible token?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 7, 2021. 

Dave Bittner: The Russian threat group that successfully exploited vulnerabilities in SolarWinds last year - an SVR unit best known as either Cozy Bear or Berserk Bear - is said by Mandiant to again be working against Western targets. CNN quotes Mandiant's Charles Carmakal as saying, quote, "the group has compromised multiple government entities, organizations that focus on political and foreign policy matters and technology providers that provide direct or indirect access to the ultimate target organizations within North America and Europe," end quote. It would appear that U.S. warnings against bad behavior in cyberspace may have fallen on deaf ears out Moscow way. 

Dave Bittner: A second related CNN report, citing new research by Microsoft, suggests that Russian government cyber-espionage groups are enjoying satisfying levels of success against Western targets. Russia, with China running second, is, as Microsoft's Cristin Goodwin, associate general counsel and head of Microsoft's digital security unit, says, still comfortable leaning into nation-state attacks. Goodwin added, "And we're seeing that increase."

Dave Bittner: Microsoft's study - and we note in a spirit of disclosure that Microsoft is a CyberWire sponsor - covers the 12-month period running through this past June. The most heavily targeted sector is governments, coming in at 48% of the attacks observed. Non-governmental organizations and think tanks placed second at 31%. All other sectors are distant also-rans. 

Dave Bittner: Among the countries targeted by nation-state espionage services, the U.S. has a considerable lead, at 46%, over the country receiving the second-greatest level of attention, which would be Ukraine at 19%.

Dave Bittner: Who's doing all the spy-land hacking? The target list suggests that it would be Russia, and that indeed is the case. In fact, more than half - a solid 59% - of the incidents tracked are attributable to a single Russian threat actor - the one Microsoft tracks as Nobelium and that others call APT29, Cozy Bear or The Dukes. Coming in second is Thallium, the boys and girls from Pyongyang, also known as Kimsuky, Black Banshee and Velvet Chollima, but they clock in with just 16%. 

Dave Bittner: There's also some old-school spy news. Yesterday, the AP reports, NATO expelled eight members of the Russian delegation to the Atlantic Alliance. "Withdrawn their credentials" is how Brussels describes PNG-ing the eight undeclared intelligence officers. NATO also cut the size of the Russian delegation in half, dropping their representation from 20 to 10.

Dave Bittner: Russia denied that its people were up to no good. Leonid Slutsky, who chairs the Foreign Affairs Committee in the Duma's lower chamber, said the accusations were baseless and that NATO's action will strain relations with Moscow. Will Russia retaliate? Probably. Mr. Slutsky told Interfax that an asymmetric retaliation was possible, but he didn't say what such retaliation would amount to. 

Dave Bittner: The Philippine Senate is the latest high-profile organization to find its website encumbered by distributed denial-of-service attacks, the Inquirer reports. Quote, "the Senate's Electronic Data Processing-Management and Information System bureau said it's 'temporarily blocked access to the Senate website because of an ongoing distributed denial-of-service attack,'" end quote. Recovery is said to be in progress. 

Dave Bittner: The U.S. Departments of Homeland Security and Justice have announced some new regulations, or at least regulatory approaches. First, DHS, whose regulations are still coming. 

Dave Bittner: Addressing the 12th Annual Billington Cybersecurity Summit yesterday, U.S. Secretary of Homeland Security Alejandro Mayorkas said that TSA would introduce new cybersecurity requirements for rail and air transport. Reuters reported that the secretary explained that the measures would apply to higher-risk rail companies - the focus is on passenger rail, including Amtrak and commuter lines, but not on freight haulers - and critical airport and aircraft operators. They would be expected to name a chief cyber official, disclose hacks to the government and draft recovery plans in case an attack were to occur. CNN says that TSA's coming security directive would be issued before the end of this year.

Dave Bittner: And second, Justice. The Wall Street Journal reports that Deputy Attorney General Lisa Monaco announced, in Aspen, also yesterday, that the Department of Justice intended to use the False Claims Act to levy significant fines against Federal contractors who fail to meet what she characterized as required cybersecurity standards. Those standards include prompt reporting of cyber incidents. 

Dave Bittner: Observers continue to be astonished at the extent of this week's data breach at Twitch, evidently at the hands of a hacktivist. PC Gamer leads with a representative quotation - "This is as bad as it could possibly get." 

Dave Bittner: Maybe not. In an update the company posted yesterday, Twitch said that as far as they know, no login credentials were stolen. And since Twitch doesn't store paycard data, those weren't exposed either. If the data aren't there in the first place, they're not there to be stolen. So, Twitch users, you’ve got that going for you. 

Dave Bittner: So, and finally, you’ve no doubt heard of NFTs, non-fungible tokens, which essentially create property rights to digital artefacts that can be bought and sold, saved and traded, like baseball cards for the Silicon Valley set. They’re code in a blockchain, and you gotta love that - right? - because it’s a blockchain. So maybe you got burned investing in Theranos, and you’re looking for a surer bet, a way to really make your money grow, so you can, say, retire to a yacht in the Black Sea with a snazzy track suit and an exotic cat for a pet. And these NFT things are maybe really scratching you where you itch. 

Dave Bittner: Well, not to rain on y’all’s parade, but put that pen down and step away from the checkbook, or that Apple Pay app on your phone. A project, Evolved Ape, marketed to investors as an NFT, attracted thousands of speculators. It had a website and a Twitter account and everything - even a promised game, a collection of 10,000 unique NFTs trapped inside a lawless land where they’re fighting for survival. Only the strongest ape will prevail. 

Dave Bittner: Anyhoo, as Vice reports, the whole thing turned out to be a rug-pull. The head guy in charge, who went only by the hacker name Evil Ape, disappeared, taking not only the Twitter account, but also 798 ether with him. That’s $2.7 million in Yankee greenbacks, sport. Retrospectively, some of the disappointed investors say they can see some signs that Evolved Ape was less than fully professional - maybe like the name Evil Ape. Anyhoo, Mr. Ape is now out there somewhere in the wind, footloose and fancy free, and more than 2 million bucks richer. 

Dave Bittner: John Cleese, of Monty Python fame, offered - as reported by the Verge back in May - his own investment opportunity. It was an NFT of a digital picture of a drawing he made of the Brooklyn Bridge. We especially like the two fish Mr. Cleese drew sporting beneath the bridge, and the way it’s hard to tell the seagulls from the waves. Sure it’s a quick drawing, but hey, Picasso got away with that in his Dove, right? Better than a poke in the eye with a sharp stick or thousands of NFTs trapped inside a lawless land - stupid ape. 

Dave Bittner: Sam Ingalls is a contributing writer and researcher for eSecurity Planet. His recent article, "The State of Blockchain Applications in Cybersecurity," looks at some of the challenges blockchain technology has to overcome before it's likely to see widespread adoption. 

Sam Ingalls: So blockchain technology has had a big impact on the global financial system. But what are blockchain's uses within cybersecurity? At this point, everyone and their mother has heard of blockchain technology. And starting in 2009, the still anonymous Satoshi Nakamoto developed and deployed Bitcoin using blockchain as its underlying technology. A decade later, and the applications of blockchain technology beyond an alternative to currency remain elusive and largely untested. Considering the priority that is cybersecurity today, the article looks at how blockchain technology works and how it could be of use to organizations in preserving their network's integrity.

Dave Bittner: Is it fair to say that because of it being so strongly associated with cryptocurrencies that, you know, blockchain technology itself has a bit of a PR problem? 

Sam Ingalls: Oh, absolutely. So the rise of blockchain technology alongside cryptocurrency has been a complicated relationship. Media coverage, passionate investors and growing recognition by traditional financial institutions all play into why blockchain's big news. But the intense focus on its financial applications also might have deterred a prompter expansion of blockchain's applications to other verticals of the digital ecosystem. Though cryptocurrency seems to gain legitimacy every day, we can't forget that for the better part of the 2010s, the industry was riddled with speculation and little respect from traditional banking. So as far as jumping to its applications within cybersecurity and beyond, yes, it has been a long time coming. 

Dave Bittner: Well, let's dig in and talk some about the applications to cybersecurity. I mean, what are some of the areas that you cover here where the blockchain and cybersecurity are a good match? 

Sam Ingalls: The cybersecurity applications of blockchain continue to be a work in progress, and the marketplace is still in its infancy. That said, some of the more useful applications we're seeing involve preserving data integrity within public or pseudo-public networks, verifying and logging business events, which include everything from patch management to supply chain logistics, and lastly, securing identity authentication, which mitigates the risk of false key propagation, identity theft and insider risk. 

Sam Ingalls: And to dive in just a little bit deeper and get more specific, a few examples of blockchain-based cybersecurity startups include Block Armour, which is a network security-focused firm using blockchain to enforce a zero trust architecture. There's Ukraine-based Hacken, focusing on contract audits for several top blockchains, helping organizations evaluate and verify protocols before deployment. There's Hyland Credentials, which was once a part of MIT Media Lab, which is building a blockchain-secured digital records platform that uses their open standard, Blockcerts. Companies can streamline identity verification in real time. And then finally, Chronicled is a blockchain platform focused on life sciences industries like pharmaceuticals, commodities and precious metals. Using blockchain-enabled IoT devices, the firm's technology tracks supply chain activity, offering more visibility into shipments, logistical challenges and counterfeiting.

Dave Bittner: What about some of the big providers? - you know, the Amazons, the IBMs of the world. Do they have some sort of plug-and-play solutions here for people who want to dip their toes in the blockchain waters? 

Sam Ingalls: They sure do. So AWS and IBM Blockchain are both great examples of blockchain-as-a-service options. Microsoft Azure, earlier this year, decided that they will not continue with their blockchain initiative, and that is more of an indicator of specialization as AWS and IBM Blockchain and others continue to grow and really absorb the marketplace. With that being said, though they may offer blockchain solutions, they are fairly experimental and give developers and organizations globally a chance to work with and play with blockchain in considering applications for their own organization.

Dave Bittner: It strikes me that blockchain technology's impediment is not the technology itself. It has some very legitimate uses. And put in the right places, it is effective technology. It just - it seems like, particularly when it comes to sophisticated security people, when you even mention it, you get a lot of eye rolls. 

Sam Ingalls: Indeed. And that is simply going to have to come with time that people understand that blockchain, as a technology, is a lot more powerful, and it has a lot more use cases than just financial applications or just financial exchanges. In the meantime, while that continues to receive so much media attention - and it is simply worth as much of it as it is - it really does come with time and buy-in, as well as, you know, market adoption. Until we start seeing organizations implementing blockchain security solutions, no other organization is going to want to take that jump.

Dave Bittner: That's Sam Ingalls from eSecurity Planet. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyberdefense lead at Accenture Security. Josh, it's always great to have you back. I wanted to check in with you today on the Fancy Lazarus group. I know you and your team have been tracking this organization. Can you give us a little bit of background on this group and the types of things that you all are seeing from them? 

Josh Ray: Yeah, absolutely, Dave, and thanks again for having me back. So you know, the Fancy Lazarus group is a topic that's come up a lot with our clients over the last, you know, month or so. And for those that aren't familiar, from about May to July of this year, there was this group that's using this moniker, Fancy Lazarus. And they've conducted what we consider seemingly indiscriminate and opportunistic DDoS attacks combined with extortion emails. And they're targeting a lot of organizations in the finance, energy and telecommunications verticals, but also insurance.

Josh Ray: And just so you know, I mean, this notion of Fancy Lazarus - the moniker - we think almost certainly references the Russia-linked Fancy Bear and the North Korea-linked Lazarus Group.

Dave Bittner: Right (laughter). 

Josh Ray: And they will use that, we think, as a means to intimidate the targeted organization. 

Dave Bittner: Can you give us some details on how they operate, what exactly they're up to? 

Josh Ray: So they start typically with an email demanding a ransom payment. And then if - you know, if this is not received, the actors threaten to launch into a DDoS attack against the victim's network. The extortion amount, you know, typically changes from, you know, half a bitcoin to about four bitcoin. And they do that in increments daily until the extortion fee is actually met. But our intel team really thinks that the amount is determined according to the organizational size. So if the payment's not received, the extortion email contains threats to increase the intensity of the attack, claiming that the volumes would go all the way up to about 10 terabytes per second. However, our team has observed actually a much lower intensity level.

Josh Ray: From May to June, you know, we've actually seen and several DDoS protection companies have reported that they seem to be focused on discovering unprotected assets by viewing the Border Gateway Protocol routing table to ensure that - you know, they want to make sure that basically they're targeting organizations that don't have essentially, like, third-party protection or a DDoS protection vendor that could... 

Dave Bittner: Yeah. 

Josh Ray: ...That could help them. So you know, there's obviously a mitigation there (laughter) that's screaming out here. 

Dave Bittner: (Laughter) Right, at the top - top of the list of mitigations, yeah. Yeah. 

Josh Ray: And you know, we've seen - you know, our team really assesses that, you know, this is very much an opportunistic criminal group performing these attacks, rather than an organized, nation-state-affiliated organization. And you know, we really try to prescribe a list of recommendations, as you mentioned before. Having things like a third party help you with your DDoS protection is always something that's really important. Implementing things like effective traffic monitoring, intercepting and filtering, possible things like, you know, DDoS scrubbing, you know, hardware services that are out there, as I mentioned before. Using signature detection, of course, is always very useful to drive some levels of anomaly detection across your network traffic that, you know, would deviate from the norm. But you know, doing things like having endpoint security and network intrusion detection and prevention systems in place because, you know, what we're seeing here is maybe even a blended attack. 

Josh Ray: So being on the lookout for - you know, while the DDoS attack is occurring, there could be other types of, you know, exfiltration happening at the same time. So don't just be so, you know, focused on the extortion and the DDoS attempts because there may be some, you know, side, you know, third-channel type of attack that could be occurring that may be exfiltrating data from a different part of your organization. So kind of being on the lookout for that, you know, while this activity may be targeting your organization. 

Dave Bittner: Yeah, so even a little bit of misdirection thrown into the mix there. 

Josh Ray: Absolutely right. 

Dave Bittner: All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.