The CyberWire Daily Podcast 1.14.22
Ep 1495 | 1.14.22

Influence operations in the grey zone. FSB raids REvil. Open Source Software Security Summit looks to public-private cooperation. Privateering and state-sponsored cybercrime.

Transcript

Dave Bittner: A large-scale cyberattack against Ukrainian websites looks like an influence operation, and Russian intelligence services are the prime suspects. The FSB raids are evil. The White House Open Source Software Security Summit looks towards software builds of material. MuddyWater exploits Log4Shell. The DPRK is working to steal cryptocurrency. Kayla Barlow shares the consequences of the 3G network shutdown. Our guest is John Lehmann from intellectual point with programs that help military veterans transition to the cybersecurity industry. And honor among thieves and spies.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 14, 2022. 

Dave Bittner: Reuters reports that a massive cyberattack hit Ukrainian government websites yesterday. Websites operated by the Ukrainian Cabinet and at least seven ministries were affected. Some of the defacements told their Ukrainian audience to be afraid and expect the worst. The attacks seemed to be simple defacements, an influence operation, and not the data destruction and doxxing the message claims. Note the implicit attempt to suggest that Poland and Ukraine have a historical dispute over Ukraine's western territories. The Moscow Times reports that Ukraine's SBU said that services had been restored to normal within hours of the attacks. While it's impossible at this stage to rule out hacktivism or provocation by some third party, the Ukrainian foreign ministry points to the obvious suspect - Russian intelligence services. A spokesman told Reuters, quote, “it's too early to draw conclusions, but there is a long record of Russian cyber assaults against Ukraine in the past, end" quote. 

Dave Bittner: Talks between the U.S. and Russia and NATO and Russia have so far not produced public signs of progress. The Baltic Times reports that Lithuanian President Gitanas Nauseda said after a conversation on the talks with NATO Secretary General Jens Stoltenberg that successful diplomacy would require reciprocity of a kind that's not on evidence from the Russian side. Progress can, quote, "only take place on the basis of reciprocity and not in the language of demands and ultimatums, which is unacceptable," end quote. At yesterday's White House press conference addressing the talks, U.S. national security adviser Jake Sullivan said, quote, "there are no dates set for any more talks. We have to consult with allies and partners first. We are in communication with the Russians, and we'll see what comes next," end quote. 

Dave Bittner: There may, however, have been some conciliatory Russian gestures toward the West. Bloomberg notes that there seems to have been a decline, a tapering of coverage of Ukraine by Russian state media. Quote, "there is now a renewed diplomatic flurry with talks between U.S. and Russian officials, again in Geneva, followed by other discussions including a NATO-Russia council meeting. Dialing back the heat in state media could be a move to see if such talks bear fruit," end quote. Bloomberg's report reads this sign with cautious optimism, since no such quiet period was observed during the run-up to Russia's 2014 invasion of Crimea. 

Dave Bittner: More interesting is a raid Russia's FSB has conducted against the REvil ransomware gang. Russia's Interfax news agency reported this morning that the FSB has liquidated the gang in a series of arrests. An official statement said, quote, "the FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documentation of illegal activities has been carried out," end quote. The FSB said it had conducted the raids and the appeal of competent U.S. authorities. The raids netted not only 14 arrests, but $600,000 and 500,000 euros in cash, as well as computers, crypto wallets used to commit crimes and 20 luxury cars, all of which are said to be ill gotten. 

Dave Bittner: Heightened tension between Russia and NATO over the Near Abroad come during a period of heightened concern about the security of open-source software that’s been driven by discovery of Log4shell and other vulnerabilities in the Apache Software Foundation's widely used Log4j library. 

Dave Bittner: The White House offered a preliminary readout of this week's Open Source Software Security Summit, during which Government and industry officials met to discuss ways of shoring up the security of widely used open-source software. The discussion was given salience by this week's warnings from the U.S. Intelligence Community that there was a risk of nation-state attacks exploiting issues with that and other open-source products. Both Government and industry sources see cooperation on implementing an effective system of software bills of materials as an important first step in the right direction. 

Dave Bittner: As Duo Security's Decipher points out, U.S. Cyber Command's attribution Wednesday of MuddyWater to Iran's Ministry of Intelligence and Security included the posting of 17 samples of the threat actor's attack tools to VirusTotal. The comment that accompanied the samples emphasized MuddyWater's use of DLL side-loading in its operations. eSecurity Planet summarizes Check Point's conclusion that MuddyWater in its current operations is actively exploiting Log4shell. 

Dave Bittner: Lest one think that the FSB's raid on REvil means that the salad days of state-tolerated Russian cybercrime are over, consider KrebsOnSecurity's account of the work being done by the access broker known as Wazawaka, a numero in Russophone cybercrime fora. Come on, rob, and get dough, Wazawaka advertised in the Exploit forum back in 2020, inviting crooks to buy access to a big Chinese company and show them who's boss. He's still going strong, and he says he adheres to the communitarian principle that data taken in double-extortion scams shouldn't be resold. Rather, it should simply be posted for general use in the criminal-to-criminal marketplace should the victim fail to pay the ransom. 

Dave Bittner: Kaspersky reports on the activities of a group it calls BlueNoroff and identifies as a subunit of North Korea's Lazarus Group. BlueNoroff's current campaign, SnatchCrypto, is aimed at various companies that, by the nature of their work, deal with cryptocurrencies and smart contracts, DeFi, Blockchain and the FinTech industry. An NBC News report puts Pyongyang's take in cryptocurrency theft last year at almost $400 million, with Ethereum holdings particularly affected. 

Dave Bittner: We return for a moment to that FSB raid on the REvil gang. There is video being tweeted around that purports to be an FSB video press handout. It's pretty good in a "Cops-y" (ph) sort of way. 

Dave Bittner: Right, like what with the FSB muscle in windbreakers breaking down doors into some dingy looking apartments, collaring perps, some of whom are cuffed while face-down in their underwear, and who doesn’t like that? And then going through their swag - the swag seems to be mostly U.S. and Russian currency. We saw lots of pictures of Benjamin Franklin. But it was mostly cash, and it was fanned out really cinematically as they rolled the bills through automatic counters. 

Dave Bittner: We were also struck by how mingy the hoods' apartments looked. They need a makeover - gangland should watch Hillary Farr’s "Tough Love" over on HGTV. I mean, come on, hoods - put a picture on the wall. Think about going more open-concept. You’re not an undergraduate anymore, malchick. 

Dave Bittner: Anyhoo, the arrests raise interesting questions. Like, is there a reward for something in all this? Recorded Future’s Allan Liska, we hear, has wondered aloud if the FSB is going to claim a $10 million reward. So we ask you, listeners - what would you do? Should the FSB gunsels in the video hit up the U.S. State Department up under the Rewards for Justice Program, or is this all to be written off as professional courtesy? 

Dave Bittner: And to all REvil goons who may still be out there, a hearty ruki nazad on behalf of whatever Russo-American law enforcement cooperation there may be. 

Dave Bittner: Finally, you’ve probably seen the ads for TV coverage of the Beijing Winter Olympics. The Belgian Olympic and Interfederal Committee has advised athletes to leave their mobile devices and phones home, lest they be subject of cyber-espionage. 

Dave Bittner: The Chinese Embassy in Brussels has published a Q&A on the warning that reads in part, quote, "The claim that relevant Belgian personnel travelling to China may be at risk of cyber-espionage is completely unfounded and the worries are unnecessary. The Chinese government is a firm defender of cybersecurity and firmly opposes any form of cyber-espionage and cyberattack activities," end quote. 

Dave Bittner: So there you go. Nothing to see here. Move on. 

Dave Bittner: A quick program note for our listeners - this coming Monday, January 17, is Martin Luther King Day, and we'll be observing the Federal holiday with a brief hiatus from publication and podcasting. The CyberWire will be back as usual on Tuesday, January 18, and in the meantime, we offer our greetings to all on a day that commemorates the life and work of Dr. King. 

Dave Bittner: It's well-established that there's a strong demand for qualified employees in cybersecurity, with some reporting millions of open positions around the world. And every year, there are thousands of people wrapping up their service in the U.S. military, looking to transition to meaningful work in the civilian world. Seems like a potential pipeline there, right? John Lehman is senior director of veteran services at IT training company Intellectual Point. And he joins us to highlight some of the programs in place to help make that connection. 

John Lehmann: There's two programs that we primarily work with at Intellectual Point. And I'm not going to do a hard pitch on Intellectual Point, but I will discuss these two programs that deal specifically with the veteran affairs. One is the VRRAP program. And VRRAP program was originally created during the first Gulf War. And it was created to assist veterans to go into different career fields that are needed within the job sector. And most of those jobs are derived from case studies that are in the market. So truck driving is one of those careers that they were trying to get veterans to pivot into because there were so many truck drivers that had retired during the COVID event. 

John Lehmann: There's a lot of folks that are retiring out of the IT, so this is where the VRRAP program was revamped and stepped up on the federal side of the House to allow veterans to pivot into that program. And it was one of the programs that I had come through Intellectual Point originally. And I came through the DevSecOps program - or the DevOps program. And the DevOps program consists of getting a Security+, Certified Ethical Hacker and Splunk. And this allows you to kind of pivot in the marketplace if you're not familiar with IT to a point where you can step it up or you can step down, go to, like, a help desk position. Or you can go into a SOC depending on what your understanding and your skill set is. So that's a wonderful program. The other program is called VET TEC. And VET TEC was originally started in 2017, and it was designed to allow veterans to do continuing education with technology because there was such a noted loss of IT professionals over the last couple years, and there's not enough infrastructure that's there to support oncoming and upcoming IT professionals within the federal government and also in the civilian sector. Companies and also the federal government are not investing in the personnel like they should to be able to bolster our critical infrastructure. That's my personal opinion from some of the observations that I've seen. And for the most part, it's pretty successful. 

John Lehmann: The main issues that we have with it is that veterans that did have security clearances in the past are not able to retain their security clearances, say, like a senator or congressman does after they leave the uniform, which I think is another initiative that needs to be looked at on a deeper level. And two, there's going to be a backlog. We're up to 24 months to three years. And that's something that we need to look at in the cybersecurity realm because if we lack the critical infrastructure and we lack the personnel that we can possibly spin up to the point where they would be able to fill in some of the senior-level positions - because a lot of it has to deal with aptitude. You know, how hungry are you to get the job done? 

Dave Bittner: In your experience working with these folks, to what degree does the experience they had in the military, the training, the mindset that they leave the service with - how does that align to the skills and the type of thinking that's going to serve them well in an IT career? 

John Lehmann: Oh, this is such a great question. I'm glad that you asked it. OK, so each military MOS - or I'm using this because it's an Army term - and - or any Air Force AFSC - in the Navy, it's just a rating. Each of these positions has specific KSAs, or knowledge, skills and assessments that you have to be able to fulfill once you get into these positions. And when you're dealing with your junior-level military folks, your enlisted folks, they are task-orientated, and they're able to be able to take information and run with that. You know, if you tell them you need to do X, Y and Z, they're really good at taking direction and following in that direction. 

John Lehmann: And then for your officers, the officers that are getting out, they know how to multitask, and they know how to deal with a lot of stuff under stress. Soldiers in general know how to deal with information under stress. But particularly within the cyber realm, the officers are primed for this type of environment because they understand the corporate structure from the way that everybody that I work with - for the most part, everybody that I work with is truly, honestly wanting to grow in a way that is meaningful for their future. And I just enjoy that portion of working with soldiers and Marines and seamen and airmen again is because there's that sense of camaraderie. And that's also something that they - these people bring to the workplace, that if you get two or more veterans around, there's a sense of camaraderie that comes along with being somebody that's prior uniform. And at the end of the day, it's the brotherhood. You know, it's what you've taken away from the uniform that nobody can take away from you. 

Dave Bittner: That's John Lehmann from Intellectual Point. There is a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for interview selects, where you get access to this and many more extended interviews. 

Dave Bittner: And I am pleased to be joined once again by Caleb Barlow. Caleb, it is always great to have you back to the show. You know, there has been no shortage of stories about the transition to 5G and certainly lots of promotion about that. We've seen people churning up conspiracy theories about 5G. Our friends over in the U.K. have had troubles with vandalizing 5G towers and so on and so forth. You know, one of the things that I didn't realize was happening was at the beginning of this year, they were winding down 3G service, and there are some unintended consequences of that transition. What's going on here? 

Caleb Barlow: Well, I mean, like you said, you can't get past not only the 5G real information that is coming but also the misinformation that it's going to be used for government mind control and all kinds of other crazy things. 

Dave Bittner: Right. Right. 

Caleb Barlow: So the problem here is no one's paying attention to 3G. And historically, you know, this might not have meant that Grandma needed to upgrade her flip phone when, you know, it was time to transition technologies. But the difference this time is 3G is being used by a lot of things other than phones. So this was a widespread data platform used by IoT devices, including cars for things like navigation weather and traffic, as well as a whole lot of IoT remote sensors. 

Caleb Barlow: And probably the biggest thing that I'm concerned about is 3G was routinely used as a backup to traditional networks in the event of a failure. So the challenge with 3G literally being shut off in the very near future is that we are often unaware of where these devices are. They need to be upgraded, or they're simply going to stop working. And worse yet, many of them support life-safety systems, things like emergency call boxes, in-vehicle crash notification systems and burglar alarms. 

Dave Bittner: Yeah. You know, I was at my bank recently, and there was a technician there. And I - when I was waiting for the tellers, I struck up a conversation with him. And he said, you know, he was there upgrading their systems. Their alarm system backups were all 3G, and so he said he's been busier than ever going from bank to bank getting this done before they throw the switch. 

Caleb Barlow: That's right. So the FCC, if you go to their website, does have a list of products that are likely impacted by the changes, and it's all the things you could imagine - medical devices, tablets, smartwatches, home security systems. I even got a notice from a car manufacturer that a car I have that's not that old, all of its, you know, network-connected navigation, weather, it's all going to stop working here in a couple of months. And what was most interesting about that notice is there is no alternative. There's no upgrading this. It's just going to stop. 

Caleb Barlow: So I think, you know, the folks listening to this call that are in IT or security, there are a few things you really need to go look at. So if you have something that's actively being monitored, the good news there is, like, for example, your home alarm - hopefully, the alarm company is sending you notice that you're not ignoring going, hey, we got to upgrade this. 

Dave Bittner: Right. Right. 

Caleb Barlow: It's more the things you haven't thought about. Like, you know, if you've got a remote location with IoT sensors, very good chance the backup, you know, is a cellular 3G connection, and that's got to get upgraded. So when does all this go down? Well, AT&T has said that it's going to start shutting down 3G networks in February - like, next month. Verizon is going to pull the plug at the end of the year. T-Mobile and Sprint are starting around March. I don't get the impression there's going to be one day where it all goes off. So it's almost worse in that this stuff's just going to start rolling out. Various towers are going to come down. And they have to do this because they need the spectrum, and they need the space on the towers. 

Dave Bittner: Yeah. You know, I'm wondering, you know, some organizations could potentially find themselves saying, gosh, you know, we haven't had any alert signals from our devices out on the field. Things must be going great. 

Caleb Barlow: That's exactly the problem, right? I mean, a lot of these devices are in these scenarios where because - remember, when 3G was deployed, it was really expensive. And, you know, wind back almost a decade or whatever it was. 

Dave Bittner: Right. Right. 

Caleb Barlow: Right? That network time was really expensive. So the way most of these things were built is they only called if there was a problem. And you're going to be sitting there a year and a half from now going, hey, that remote sensor's working great. And maybe it is, and then maybe there's a power outage or some reason you lose traditional network connectivity. You're not going to hear from it. And I think we're going to have a lot of scenarios where the pump, the valve, the car don't work. I mean, here's the other scenario - you get in a car accident. And you used, you know, systems like OnStar or other things that would call back. It's not going to call. It's just not going to work. 

Dave Bittner: Yeah. That's interesting. I wonder if there's a market opportunity here for a 3G to 5G converter box. Get on that, Caleb. (Laughter). 

Caleb Barlow: Well, I mean, the good news, I think, for the cars is if - you know, and I'll use my car as an example, right? It's - what? - a 2014. 

Dave Bittner: Yeah. 

Caleb Barlow: The navigation system on it kind of is kind of blah now relative to what I can use on my phone, so it's not going to be the end of the world. But it is kind of a giant pain. 

Dave Bittner: Yeah. Yeah. Absolutely. All right. Well, a good reminder to go out there and check your device inventory when these sort of transitions happen. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's episode of "Research Saturday" and my conversation with researcher Alissa Knight, along with Carl Mattson from Noname Security. We're discussing Alissa's research concerning API vulnerabilities in U.S. banking applications. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.