The CyberWire Daily Podcast 11.5.21
Ep 1454 | 11.5.21

$10 million reward for DarkSide info. BlackMatter members expected to resurface. Ukraine outlines Russia’s FSB cyber ops. Persistent engagement as deterrence. Arrest in Crossfire Hurricane inquiry.


Dave Bittner: The U.S. offers a reward of up to $10 million for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter's nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that's been waged since 2014. Deterrence in cyberspace. Carole Theriault takes on high-value targets. Our guest is Bill Mann of Styra on rising compliance regulations and security drift. And an arrest is made in special counsel Durham's investigation.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 5, 2021. 

Dave Bittner: The DarkSide gang may have announced their retirement from cybercrime, but the authorities don't seem willing to let them quietly disappear. The U.S. Department of State announced "a reward offer of up to $10 million for information leading to the identification or location of any individuals who hold a key leadership position in the DarkSide ransomware variant transnational organized crime group. In addition, the department is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident," end quote. 

Dave Bittner: Ransomware has become a serious pest and has begun this year to infest targets that obviously constitute critical infrastructure. State is clear on this point. They're offering the big reward because of DarkSide's disruptive attack against Colonial Pipeline, which disrupted fuel deliveries through much of the eastern United States this past May. 

Dave Bittner: State's announcement adds, quote, "in offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cybercriminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware." 

Dave Bittner: So if you know anything about the DarkSide, call the State Department. If you need your identity protected, State promises to keep it on the QT. 

Dave Bittner: There's no mention of DarkSide's presumptive successor, BlackMatter, or, for that matter, its apparent parent, FIN7. But since the reward is for information about the natural persons behind the keyboards, the omission probably doesn't matter. 

Dave Bittner: Flashpoint looks at BlackMatter and predicts those natural persons will be back. For one thing, they've already received a standing job offer. Flashpoint explains, quote, "notably, the spokesperson of the LockBit ransomware group took to XSS and used the opportunity to invite BlackMatter members and affiliates to live in China, where the threat actor claimed to live," end quote. So, OK, it's not the Riviera but still probably better than Chelyabinsk. 

Dave Bittner: Ukraine's security service, the SSU, has identified five Russian FSB officers as operators behind the Gamaredon threat actor, also known as Primitive Bear. As is often the case, the threat actor has been tracked under a number of other names, including Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, Sector C08 and Callisto. The group has specialized in targeting Ukrainian critical infrastructure and classified networks. 

Dave Bittner: The inquiry was an interagency one. Quote, "the SSU Cyber Security Department, the SSU investigators carried out the operation jointly with the Main Intelligence Directorate of the Ministry of Defence of Ukraine and under the supervision of the Prosecutor General's Office," end quote. 

Dave Bittner: Bleeping Computer has sifted through the SSU's technical report, available in several languages, and finds some of its conclusions noteworthy. Gamaredon uses Outlook macros and the EvilGnome backdoor to compromise the systems it targets. The group has used well-known, often targeted vulnerabilities, including the two-decades-old WinRAR CVE-2018-20250 bug and the CVE-2017-0199 remote code execution flaw in Microsoft Office. 

Dave Bittner: They've used removable media to stage attack code in offline systems and subsequently move laterally through the isolated networks those systems connect to. 

Dave Bittner: The SSU describes Pteranodon, which is a modular RAT sporting good anti-analysis and information collection capabilities. Pteranodon is an evolved version of Pterodo, a malware strain that's circulated in the criminal underworld since 2016. 

Dave Bittner: The Ukrainian report offers some background on what it characterizes as a hybrid war Russia's been waging since its seizure of Crimea in 2014. In the SSU's account, Russian Federation Special Services have been running intelligence and sabotage against Ukraine ever since. The Russian services have beefed up their cyber capabilities and not hesitated to use them. 

Dave Bittner: Among the groups the SSU lists are a number of familiar names - APT28, also known as Sofacy or Fancy Bear; Snake, Turla; and APT29, Cozy Bear, The Dukes. They also note that particular operations, including BlackEnergy, Industroyer and NotPetya, have been mounted by those same services. 

Dave Bittner: Gamaredon, or Armageddon, is relatively young, having flown under the radar for a few years after its founding. They hope researchers and law enforcement organizations around the world will take note and up their guard. 

Dave Bittner: Some of that guard will no doubt take the form of deterrence, which is a natural concept to reach for. It kept the great powers out of the full-on nuclear exchange that was widely feared in the mid-20th century, after all - or so far, anyhoo. So why not try it out in cyberspace? 

Dave Bittner: It might not be so easy. General Paul Nakasone, director, NSA and commanding general of U.S. Cyber Command, told an Aspen Institute session this week that he doubted whether traditional deterrence could easily be applied to cyber operations. 

Dave Bittner: Breaking Defense reports that the general said something other than familiar Cold War deterrence might be needed. Nakasone said, quote, "strategic competition is alive and well in cyberspace, and we're doing it every day with persistent engagement. We're in competition every day. We've got to somehow impact adversaries who don't get the message. We've got to impose costs. The important thing to emphasize here is we have the capabilities, we have a process to enable capabilities, and we have the people to carry out the capabilities," end quote. 

Dave Bittner: So he advocates persistent engagement and the ongoing imposition of costs, which are more appropriate in a gray zone of cyber operations than Cold War massive retaliation would be. 

Dave Bittner: To return to the Ukrainian report, FSB units the SSU describes are centered geographically in Russian-occupied Ukraine, specifically in Sevastopol. And the FSB voice chatter the SSU intercepted includes a lot of whining about getting shafted out of awards and bonuses, recognition going to the undeserving and everybody having to get tested for COVID at work, which is an awful lot of pissing and moaning from the sword and shield of the Russian Federation - kind of sad. 

Dave Bittner: Still, as Dmitri Alperovitch tweeted out, bureaucrats are bureaucrats. Brothers and sisters under the skin may be like Kipling's Rosie O'Grady and the colonel's lady. If they'd been American phone calls that had been monitored, we imagine there would have been more wolfing about parking than about awards and recognition. 

Dave Bittner: But these things are local variations. People familiar with concerns that gurgle around other offices worldwide, feel free to send them our way. Do they complain about the cafeteria in Cheltenham, about not being able to listen to hockey games during work hours in Ottawa, all that irrational red tape from other offices in Paris, procedural inequity in Berlin? You get the picture. Inquiring minds want to know. 

Dave Bittner: Finally, there's been a development in the complex, long-running U.S. investigation into influence operations during the 2016 election cycle. In this case, an arrest has been made pursuant to special counsel John Durham's investigation of the Steele dossier and its place in the FBI's Operation Crossfire Hurricane, a bureau inquiry into whether the Trump campaign had been improperly coordinating with Russian operators. 

Dave Bittner: Igor Danchenko, one of the sources of the Steele dossier, has been arrested and charged with five counts of making false statements to the FBI about where he got the material that passed into the Steele dossier. It now seems that some of that material at least came from operators associated with the Democratic Party, chatter and gossip associated with opposition research, as opposed to sources inside Russian intelligence services. 

Dave Bittner: The Steele dossier is important not because it was the sole source of the information the FBI collected during Crossfire Hurricane, but rather, as The Washington Post points out, that it was the principal source the FBI relied upon to obtain warrants it would go on to use in its investigation. 

Dave Bittner: Bill Mann is CEO at Styra, an organization focused on Kubernetes policy and compliance. They are also creators of an open-source project they've named Open Policy Agent, which aims to help organizations resist the pull of security drift by making it easier to track updates, discover vulnerabilities and complete patches. I caught up with Bill Mann for his insights on security drift and the Open Policy Agent project. 

Bill Mann: Yeah, security drift is all about consequences of change that are made by various organizations within the software development life cycle. And when you have a change, it has significant repercussions to an organization's security posture. Some of them are manageable risks, and some of them are not. And the ones which are not manageable risk is what's called security drift, right? 

Dave Bittner: And so what are your recommendations, then? How can organizations get this under control? 

Bill Mann: Sure. Well, there's a massive change happening in the industry today. I mentioned before there's an application stack called modern applications or what's called cloud-native application stack. So most organizations are now implementing applications with that form factor. For the audience, you know, it used to be client/server once upon a time. Now it's called cloud native. 

Bill Mann: And cloud native means that there's multiple changes happening with the way applications are being built. One is the way applications are being deployed. They're being deployed in an automated way. No. 2, the actual application stack is fundamentally changing as well. So we're moving towards technologies like Kubernetes, service mesh, and developers are trying to decouple as much of the core or common components of an application to be common services. 

Bill Mann: So to address the question of what can be done, Styra is the creator of an open-source project called Open Policy Agent, which is now the de facto policy-as-code solution for this modern application stack. And briefly, let me give you an example of policy and control within an organization. 

Bill Mann: Authentication - we all are, you know, very familiar with that term. It's who a person is. Authorization is what a person or service can do. And if you think of authorization, authorization is defined with policies. And the way they're being defined in policies from (unintelligible) the software industry has been very proprietary. You know, you typically, you know, use some sort of user interface or some sort of proprietary way of defining what a service can do or what service can talk to another service. Even can this user have access to a particular resource has been defined in a proprietary way. That is not going to work in the modern application architecture. 

Bill Mann: So Styra invented this project called Open Policy Agent. It's an open-source project. It's got a lot of following in the developer and DevOps community now. It's a graduated project within CNCF. And this project is really about changing the way we think about policy. 

Bill Mann: One of the fundamental cores of it is to think about policy as code, just like we think of application code, which has to be put into Git and managed and change management of that code and so forth. So this is what we've invented for the industry, and, like I said, it's got a big following out there, and a lot of organizations implementing cloud-native applications are using OPA as part of the stack. 

Bill Mann: Now, to give you an example - back to security drift - of how OPA can be used to reduce the risk of security drift, here's an example for you. So within an organization, when a DevOps engineer makes a change, within Kubernetes, there's something called the admission controller. But essentially, what happens is OPA can be used to define a set of guardrail policies. So if the application change actually is outside of those policies that have been defined by the security and risk team, then the app developer or the DevOps engineer would receive feedback from the system, saying, this is not going to be able to go forward throughout the life cycle because you're violating, let's say, a PCI regulation or a HIPAA regulation and so forth. 

Bill Mann: So these are now new ways of limiting, you know, security drift for organizations by actually implementing policies and controls at different levels of their workflow using technologies like OPA, which itself is an open-source, policy-as-code solution, and it really fits into the way that the new modern application stack is built as well. 

Bill Mann: One, you know, point for you in terms of how it's relevant for the application stack is you've probably heard the term infrastructure as code, which is a way you describe an infrastructure, you know, object before it can be implemented in the runtime environment. That is - has code as well. So this is now the natural extension for how we manage policy within an organization. 

Dave Bittner: That's Bill Mann from Styra. 

Dave Bittner: There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: Our U.K. correspondent Carole Theriault brings us this report on the increased targeting of high-value individuals and what that means for organizations. Here's Carole Theriault. 

Carole Theriault: Recently, I was asked to be part of a panel, and the audience were mostly made up of law firms - more specifically, people that work at law firms that are looking to protect the information, the systems, the network, clients, the boss. And in speaking to a few people, they talked about a stress that I think we're feeling across all industries, and that is having to manage this hybrid environment where workers want to be able to work from anywhere anytime and still have a streamlined access to all the files, documents, services that they require. 

Carole Theriault: And it's interesting because law firms are an ideal target for criminals for a number of reasons. One, they are perceived as wealthy. Two, law firms control tons of money, often on behalf of clients. And if you target the right law firm, you're more than likely to have rich, rich clients. So being able to also access information on those clients could be lucrative. For example, it could be used for ransomware, blackmail, phishing. I mean, take your pick. 

Carole Theriault: And so it's no surprise that the most prestigious law firms that control tons of cash and have lots of wealthy clients also operate with high cybersecurity and, indeed, physical security in order to keep their clients' information and the company secure. 

Carole Theriault: So how is a fraudster going to get in? I can see two approaches being used most often. One - try and take advantage of a zero-day vulnerability. So for example, if Microsoft announced that there's a critical vulnerability in Teams or a piece of software that is used by a law firm and they are working on a patch, that is an opportune time for a fraudster to try and attack the systems. And, two, try and dupe a person, either someone in the supply chain, an employee, to part with snippets of information that, once all gathered together, would allow them to break in undetected. 

Carole Theriault: So the latter could prove easier to pull off, especially if someone has an up-to-date and deliciously detailed, rich LinkedIn profile or other social media profile. Perhaps their CV is online as well, or they have a website with loads of information. All these tidbits can help grease the wheels on the first interaction. The name of the game is gain trust and get information. You see, if you're a high-value target, you're worth the time and investment, especially from someone who's got nothing to lose. Be safe out there. 

Carole Theriault: This is Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: Don't miss this weekend's "Research Saturday" and my conversation with Mor Levi from Cybereason. We're going to be discussing Operation GhostShell, a novel RAT that targets global aerospace and telecoms firms. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.