Evil Corp identified as the threat actor behind ransomware attacks on Sinclair and Olympus. Privateering. Fin7’s front company. Sentencing in a bulletproof hosting case.
Elliott Peltzman: Evil Corp is identified as the operator behind the ransomware that hit the Sinclair Broadcast Group and Olympus. The U.S. Defense Department complains of Russian toleration for ransomware gangs. The FIN7 gang has set up a front company to recruit talent. Betsy Carmelite from Booz Allen Hamilton on building mission-driven 5G security with zero trust, our guest is Robert Carolina on ethics, and sentences are handed down in a bulletproof hosting case.
Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner, with your CyberWire summary for Thursday, October 21, 2021.
Elliott Peltzman: A familiar name has cropped up in connection with the ransomware attacks against the Sinclair Broadcast Group and the multinational imaging firm Olympus – Evil Corp. Bloomberg reports that the Sinclair Broadcast Group was hit by the Russian cybercriminal organization usually known as Evil Corp. The attackers are said to have used the Macaw strain of WastedLocker ransomware. In a tweet, Emsisoft threat analyst Brett Callow calls Macaw simply a rebranded version of WastedLocker. Sinclair is still working on its recovery from the attack. According to The Daily Beast, disruptions to businesses and production systems, phones and imagery systems have continued into the week.
Elliott Peltzman: Macaw ransomware - and thus, by implication, its proprietor, Evil Corp - is also said by TechCrunch to be responsible for ongoing attacks against Olympus. Olympus confirmed in a Tuesday statement that its operations in the Americas had indeed sustained a ransomware attack and that the company was investigating the possibility that the attackers had exfiltrated data. Olympus was hit in September by BlackMatter, and this latest attack on operations in the Americas is said to have deployed Macaw.
Elliott Peltzman: Evil Corp has been under U.S. sanctions since December of 2019, which would complicate any attempt to buy back access to infected systems by paying the ransom. One purpose of adopting rebranded malware strains may be obscuring the fact that payment of ransom to the sanctioned entity amounts to a violation of U.S. law. You may want to pay them. And, indeed, recent surveys suggest that many victims remain willing, in principle at least, to pay the ransom demanded. But actually handing over the money would, in this case, put you on the wrong side of U.S. sanctions.
Elliott Peltzman: The gang's two alleged leaders, Maksim Yakubets and Igor Turashev, were also indicted by the U.S. at the time sanctions were imposed. U.S. Attorney Scott W. Brady said, quote, "for over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world," end quote. Brady characterized them as international cybercriminals of the sort that should expect no indulgence from U.S. law enforcement authorities. Be that as it may, Messrs. Yakubets and Turashev remain at large and living it up back in Russia, where they're regarded as enjoying the protection of that country's FSB security service.
Elliott Peltzman: International efforts to curb ransomware thus find themselves up against pervasive corruption in Russia, as Mieke Eoyang, U.S. deputy assistant defense secretary for cyber policy, told DefenseOne. She said, quote, "one of the challenges we in the department see - and then you see this in the indictments against some of these actors - some of them have connections to the Russian state. They use their skills that they've developed for their own personal enrichment. And that is something the United States would never do. Anyone at Cyber Command or NSA who thinks that they're going to go home and, like, conduct a ransomware attack against the city in Russia, the FBI would like to have words with them because that is just not something that we would view as acceptable in the United States. And we would take law enforcement action against those individuals. We believe that responsible states should take responsibility for the actions of their forces," end quote.
Elliott Peltzman: Don't believe the deputy assistant secretary? Well, disbelieve at your peril should you be an American government operator thinking about a post-government career as a mercenary or privateer. Lawfare takes a look at the recent case of three former U.S. personnel who undertook to do just that while working for the Emirati firm DarkMatter. Under a deferred prosecution agreement, they'll stay out of jail, and if they keep their noses clean for three years in strict accordance with the terms of the agreement, the government will drop the charges. But one of the terms of the agreement is that they'll forfeit money they made during the incident. So there's a degree of seriousness in the U.S. about cybercrime that seems to be lacking in Russia.
Elliott Peltzman: In the criminal-to-criminal malware supply chain, one key player, the Russian gang FIN7, is representing itself online as a legitimate company, the Wall Street Journal reports in an exclusive. Bastion Secure - which, the Journal archly notes, uses the letters BS as its logo - claims to be a provider of cybersecurity services. The point of their online presence appears to be recruiting. As the Journal writes, quote, "the Bastion Secure website, which uses the logo BS, has listed jobs that are technical in nature and appear similar to work that would be performed at any security company - programmers, system administrators and people who are good at finding bugs in software. Prospective hires will work nine-hour days on a predictable schedule - Monday to Friday, according to the company website. Lunch breaks are provided, the site says," end quote.
Elliott Peltzman: Much of the Journal's story is sourced to Recorded Future, who posted their analysis to their company blog this morning. One bit of information they shared is that this isn't the first time FIN7 has put up a front company. In 2018, the U.S. Justice Department determined that Combi Security, another bogus cybersecurity shop, was in fact functioning as a public, innocent-seeming face of FIN7. FIN7 has historically been known for a range of financial crimes, especially carding operations. Its latest solicitations suggest that the gang is not only organizing itself as if it were a startup, with all the business functions and division of labor that suggests, but that it may be branching out into the lucrative ransomware market.
Elliott Peltzman: And finally, two operators of a bulletproof hosting service widely used by cybercriminals have been sentenced to terms in prison by the U.S. District Court for the Eastern District of Michigan. Pavel Stassi of Estonia received 24 months in prison. His colleague, Aleksandr Skorodumov, a Lithuanian national, got 48.
Elliott Peltzman: The U.S. Justice Department worked for a bulletproof hosting organization founded and led by two co-defendants, Aleksandr Grichishkin and Andrei Skvortsov, both Russian nationals. Their service played a significant role in that C2C underworld market, renting IP addresses, servers and domains to crooks that used them in various capers. Some of the malware the service provided has names that will be familiar - Zeus, SpyEye, Citadel and the BlackHole Exploit Kit, active against U.S. victims between 2009 and 2015. The Justice Department hopes, among other things, that the case will serve as a deterrent to other cybercriminals. So don't sign up with the gangs, kids, no matter how good those lunch breaks might sound.
Dave Bittner: Robert Carolina is a lawyer at U.K. law firm Origin Ltd., where he specializes in technology and cybersecurity. I recently spoke with Robert Carolina on the "Caveat" podcast about ethics in cybersecurity. Here are some highlights from that conversation.
Robert Carolina: Any kind of guidance material that would really help a cybersecurity practitioner answer really difficult questions - and frankly, there wasn't really very much at all that I thought was valuable. Now, don't get me wrong. There were a lot of ethics statements out there that - because for some reason, there seem to be - there's not just one organization that purports to represent security practitioners. There seem to be lots and lots of them. They just grow up like - they sprout up like weeds in the back garden or something like that. But most of them that had ethics statements, the ethics statements they had, these, you know, these kind of, like, bromides like, you know, all right, well, principle one - first, do no wrong or don't be evil. Or, you know, your job is to protect this or, you know, protect - it's like, but nothing in there that you could really use as a teaching tool, certainly nothing in there that I could use to advise someone who was trying to figure out what's the ethical thing to do in a certain circumstance, you know, things like comply with the law, be aware of all legal obligations. And that was the other - and of course, some of the older codes, that's all they focused on was the law.
Dave Bittner: Right.
Robert Carolina: They weren't focusing on ethics. They were focusing on the law. If you go to even older codes, the law that they're most focused on is copyright. Don't steal software. So the oldest ones were don't steal software. Then the more recent ones were don't spy on people because data protection and then comply with law. Well, great. How do I navigate some really difficult problems on that answer? You don't. And that really concerned me. Let me tell you the reason I'm concerned. I'm concerned because security practitioners live in a world - cybersecurity practitioners live in a world where they operate using a special set of skills. And, no, that's not a callback to Liam Neeson.
Dave Bittner: (Laughter).
Robert Carolina: I mean, it's just - it's like being an airline pilot or a physician or a surgeon. You know, it's a very special set of technical skills. Secondly, people work outside the glare of public supervision. If you're going to do a job as a cybersecurity professional, you're very often in a dark room someplace without anyone looking over your shoulder. Your client might not even see what you're doing or whatever you're doing is invisible, and there's no one in the community who can see you as you do it. Third thing - people who do cybersecurity are placed in a really unique position of trust. Very often a security practitioner, especially if they're working in-house, will be given privileged access to a whole lot of systems. And once that happens, a very uncomfortable thing begins to happen. And that is, the practitioner is put in a position of asymmetric power with respect to their client, with respect to their employer. And that's just a fancy way of saying, if you've got the keys to the kingdom and someone honks you off, you can say, well, you know, if you don't do what I say, I'll delete all your stuff or you'll never find it again.
Dave Bittner: Right.
Robert Carolina: You know, there's two ways to have - there's two ways to get yourself in a situation of ransomware. One is to be hit with, you know, a Trojan horse that comes onto your machine. The other is to have an unethical cybersecurity practitioner who decides they're going to hold all your data for ransom.
Dave Bittner: Before we had cybersecurity people, were there other people in organizations who were in a similar sort of situation, someone whose capabilities, perhaps, you know, outstripped what they should have been?
Robert Carolina: Well, it's not so much outstripped what they should have been. I mean, because there's a lot of people who work in society who are in a position where they could have asymmetric power over clients. You look at any of the traditional professions - lawyers, medical doctors, for that matter, electricians. You know, what - I mean, what do all these groups have in common? And that is they're doing something, they're providing a service to people who don't really understand how the service works. You're dealing with clients who don't necessarily know a good practitioner from a bad practitioner. And you're dealing with a circumstance - if somebody doesn't have a strong ethical compass, they can really do a lot of harm to members of the public. But it's a terrible spot for people to be in. Now, again, the practitioners that I've dealt with over the years, the cybersecurity practitioners that I've dealt with over the years have almost universally been good people. I've been happy to deal with them, I've been proud to work with them and just - it's been wonderful to support them. I think a lot of people perceive ethics as a threat to their ability to provide services, because everyone says, oh, do you want this to be an ethical profession? Oh, yes, yes. We'll vote for ethics. OK, well, let's sit down and actually write very specific rules about what's allowed and what's not. Ooh, well, you see, now people start to get a little bit nervous. Why? A code of ethics reduces degrees of freedom.
Dave Bittner: That's lawyer Robert Carolina. You can hear the rest of our conversation over on the "Caveat" podcast.
Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She's a senior associate at Booz Allen Hamilton. Betsy, it is always great to have you back. Today, you and I are talking about building mission-driven 5G security with zero trust. And I have to say, I'm going to count on you to save us from falling into a game of buzzword bingo here (laughter).
Betsy Carmelite: No problem.
Dave Bittner: Where are we going to start here, Betsy?
Betsy Carmelite: Yeah. And this is not the first time that you and I have spoken about 5G security and zero trust.
Dave Bittner: Right.
Betsy Carmelite: And we did talk about it earlier with a focused view on the aspect of least privilege access and a specific use case around a DOD logistics warehouse and the compromise of that. But I did want to talk a little bit more broadly because we see agencies now working to meet the executive order 14028's mandates to implement zero trust. And they're currently reviewing and commenting on the draft OMB guidance. That gives agencies until the end of September 2024 to meet specific zero trust goals and provide deliverables. So we're getting closer to the realities and the applicability of zero trust among these organizations.
Betsy Carmelite: So first, zero trust is, as you know, not a new concept. It's never been more vital for national defense and critical infrastructure. And embracing zero trust now is about stepping up and owning the risks that threats can emerge inside, not just outside the perimeter, and traditional network boundaries. And it's also about proactively countering these risks by design. So that's where 5G comes in. And we're looking at how the 5G application, still in its nascent development phase, really needs to take on the zero trust model to really question the premise that user's devices and network components deserve to be trusted just because they're in the network.
Dave Bittner: So help me understand that. I mean, why 5G specifically? What is the security concern there?
Betsy Carmelite: When you add in the layer of 5G to the application of the zero trust mindset, embracing zero trust in this setting is uniquely challenging because 5G will usher in so much change. Fifth-generation technology will completely transform global communication networks. We're looking at billions more devices, sensors and systems connected worldwide. Downloads will be faster, latency lower, and the capacity to connect more devices to the network will skyrocket. And committing to zero trust in the 5G setting now could help organizations get ahead of challenges that could rapidly mount as 5G rolls out or find organizations left behind in the years to come. So again, in looking at practical applicability, let's stay a little bit with the use case of the DOD because the DOD does have a 5G strategy implementation plan in which it declared that zero trust, quote, "is ideally suited for the emerging 5G network infrastructure," end quote. DOD is now exploring how to use 5G for autonomous vehicles, intelligence, surveillance and reconnaissance, command and control and training systems featuring augmented and virtual reality. So all of this is now being developed. So to your point around buzzwords and where we go, this is a reality of where we're going in the future.
Dave Bittner: So is this a matter of, you know, it's time to get on board here that organizations need to be really focusing on this?
Betsy Carmelite: Yeah, as innovation around 5G is ongoing, improves, increases, we should be thinking about the adoption of zero trust and data protection strategies. And there is that risk that comes with innovation. 5G technology could increase the attack surface for malicious actors by introducing new vulnerabilities and expanding the number of potential targets. This is really par for the course with the introduction of new technology. Also, to operate through existing 5G infrastructure worldwide, the DOD will need to overcome significant security vulnerabilities that adversaries could exploit on a global scale. So in some cases, operating through 5G will mean relying on public and untrusted telecommunications infrastructure both in the United States or in coalition partner countries. And more risky operations might depend on those gray zone network infrastructures controlled by organizations that don't share DOD mission goals. And operations in contested areas would face the toughest security risks.
Dave Bittner: So 5G giveth, and 5G taketh away, right?
Betsy Carmelite: Right. Right.
Dave Bittner: So where is a good place to start here? I mean, how do organizations get going?
Betsy Carmelite: We look at four steps to realize zero trust for 5G and the adoption of the pillars around zero trust. And then I want to talk a little bit about some of the requirements that helped start those steps down the path to implementing 5G and zero trust. So first, diagnose - it starts with taking stock of your current capabilities, evaluating the maturity and the effectiveness relative to the threats you face and looking at critical gaps. Next, we look at design. So if you're armed with a threat-centric understanding of where you are, look for a target for where you need to be and then align that target to your zero trust strategy. Third, develop support strategies with a zero trust architecture and technical design - so security by design. And we recommend using vendor assessments to identify the right solutions for your needs. And then finally, deploy - operationalize your design by configuring and integrating solutions that do close those gaps identified in the diagnose phase.
Betsy Carmelite: And one of the areas where we talk about requirements to really build this out in an enterprise - operators of 5G ecosystems need to combine zero trust architecture, 5G DevSecOps in a 5G workforce, as well as vulnerability research and embedded security. So there are lots of components to consider putting in that roadmap to make this a longer journey. And we know zero trust is a longer journey that you need to spread throughout the entire 5G architecture.
Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us.
Betsy Carmelite: Thanks, Dave.
Elliott Peltzman: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Elliott Peltzman filling in for Dave Bittner. Thanks for listening.