The CyberWire Daily Podcast 1.19.22
Ep 1497 | 1.19.22

Updates on what Ukraine is now calling “BleedingBear.” CISA advises organizations to prepare for Russian cyberattacks. Other cyberespionage campaigns, and a new ransomware strain.

Transcript

Dave Bittner: Ukraine confirms that it was hit by wiper malware last week as tension between Moscow and Kyiv remains high. Russia continues marshaling conventional forces around Ukraine. CISA advises organizations to prepare to withstand Russian cyberattacks. Other cyber espionage campaigns are reported, as is a new strain of ransomware. Microsoft's Kevin Magee provides friendly counsel for CISOs and boards. Our guest is Clar Rosso from (ISC)2 on the communications gap between cybersecurity teams and executive leaders when it comes to ransomware. And the natural disaster in Tonga may offer lessons in resilience and recovery.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 19, 2022. 

Dave Bittner: Ukraine has confirmed, according to The Washington Post, that last week's WhisperGate cyberattacks were indeed destructive and represented neither the hacktivist defacement nor the ransomware crimes they misrepresented themselves as. Ukraine's State Service of Special Communications and Information Protection said, quote, "thus, with a high probability, it can be argued that the defacement of the websites of the attacked government agencies and the destruction of the data using a wiper are components of one cyberattack aimed at as much damage as possible to the infrastructure of state electronic resources," end quote. Ukraine is calling the campaign Bleeding Bear and attributed it to Russia. 

Dave Bittner: Security firm ESET has tweeted its take on how WhisperGate used third-party criminal services to help stage the attacks. These tools are useful in themselves, and they also lend further verisimilitude to the pretense that the whole campaign was conventionally criminal as opposed to state-directed. The selection of ransomware as cover for the attacks is unsurprising. Ransomware is not only a commonplace criminal activity, but it can also be, as CyberScoop observes, highly disruptive. The pretense of ransomware is not only useful for misdirection and concealing an incipient cyberattack, but the tools used by ransomware gangs are readily repurposed for espionage and sabotage. 

Dave Bittner: Concern that the crisis could escalate remains high. Over the weekend, reports from Ukraine said that Russia had begun withdrawing personnel from its embassy in Kyiv. U.S. White House Press Secretary Psaki commented on the withdrawal in yesterday's media briefing, seeing it as a significant harbinger of increased tension. C-SPAN has the recording. 

Jen Psaki: I think, as I noted a few minutes ago, we believe we're now at a stage where Russia could, at any point, launch an attack on Ukraine. I would say that's more stark than we have been. In terms of the decision to move - to evacuate their embassy or to move personnel out of their embassy, we have information that indicates the Russian government was preparing to evacuate their family members from the Russian Embassy in Ukraine in late December and early January. We certainly would refer you to them for more specifics about what their decision is. But we don't have an assessment on why and the meaning. 

Dave Bittner: Initial reports held that the embassy staff in Kyiv was being drawn down, and subsequent reports claimed that Russian diplomats were being repatriated from western Ukraine. For its part, according to Newsweek, Russia has said the reports are all nonsense, that it hasn't pulled any of its diplomats from Ukraine. 

Dave Bittner: Aware of heightened tensions and with vivid memories of NotPetya and WannaCry, governments are preparing for subsequent waves of cyberattacks. The deputy secretary of Ukraine's National Security and Defense Council described the steps Kyiv is taking to protect the country from further cyberattack in an interview with The Record. The U.S. Cybersecurity and Infrastructure Security Agency yesterday published advice on how organizations can protect themselves against cyberattacks of the kind Ukraine sustained last week. The advisory is designed to help organizations defend against, detect, respond to and ride out destructive cyberattacks. Poland has also raised its level of cyber alert, Reuters reports. 

Dave Bittner: Russia has consistently represented NATO and the U.S. as aggressors interested in using Ukraine to hold Russia at risk. But it's fair to say that this is a minority view. NATO wants further talks with Russia over the crisis, but Moscow says it won't consider renewed talks until it receives responses to the proposals it put on the table last week. Those answers are expected sometime tomorrow, and it seems unlikely that they'll be the answers Moscow says it wants, since that would amount to NATO unraveling more than two decades of alliance building. The CyberWire's current coverage of the crisis in Ukraine can be found on our website. 

Dave Bittner: Security firm ESET has offered an account of an APT, the Donot Team, which it regards as unsophisticated but highly focused and tenacious. The researchers describe two malware strains the Donot Team uses - DarkMusical and Gedit. The spear-phishing emails were sent in persistent waves, and the emails didn't use spoofing. Many of them bore email addresses associated with the targeted organizations, which suggests that some of the accounts had been successfully compromised. The researchers make no attribution, but the Donot team's focused list of targeted countries is perhaps suggestive - Pakistan, Bangladesh, Nepal and Sri Lanka. So too are the file names the coders used in preparing their malware. A lot of them reference characters in the movie "High School Musical." Who knew that spies or crooks would be fans of Disney adaptations of "Romeo And Juliet"? We didn't, but, oh, you think about it, it's kind of sweet. Next time, kids, try "Lady And The Tramp," a flick that's worth an homage or two. 

Dave Bittner: A post at BushidoToken Threat Intel describes what appears to be a cyber-espionage campaign against industrial control system vendors, government agencies, non-governmental organizations and university researchers in several countries. The campaign itself proceeded through phishing. A familiar mailbox phishing kit is being used to harvest usernames and passwords. The list of targets is a long one, and you can find that list on our website. Attribution is unclear beyond some circumstantial code similarities to tools used by Russian and North Korean intelligence services. 

Dave Bittner: The researcher speculates about a possible motive. Quote, "Supplemental targets such as ICS, OT organizations and educational institutions would complement this intelligence-gathering campaign, if access could be obtained at these entities. From this, it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income," end quote. 

Dave Bittner: FIN8, a financially motivated threat actor that's been active against the retail and hospitality sectors since 2016, at least, is apparently responsible for using a new, relatively evasive ransomware strain, White Rabbit, against a U.S. bank last month. Trend Micro researchers, who yesterday published a description of the attack, write, quote, "Its payload binary requires a specific command line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis," end quote. The malicious payload is small - about 100 kilobytes - and appears inactive and innocuous until it's activated. 

Dave Bittner: Saturday's eruption of the Hunga Tonga-Hunga Ha'apai Volcano disrupted Tonga's internet connection and many other modes of communication, providing an extreme test of response, resilience and recovery. Apparently, the nation's undersea cable was severed. MIT Technology Review has an account of what will need to be done to reconnect the Pacific nation with the rest of the world. And as we look for lessons to be learned in resilience and recovery, let's not forget the immediate human toll of the disaster. Our best hopes for recovery and consolation to everyone in Tonga, and best wishes to the international relief efforts underway. 

Dave Bittner: The team at cybersecurity non-profit association (ISC)2 recently polled 750 C-level executives in the U.S. and U.K. to gauge how they're communicating with stakeholders in their organizations about ransomware. Some of the results were surprising. Clar Rosso is CEO at (ISC)2. 

Clar Rosso: Well, I'd have to say that, first and foremost, what stops me in my track is hearing that 70% of C-level executives believe that they are confident in their cyberdefensives. 

Dave Bittner: That's interesting. Does that come in higher or lower than you thought it would be? 

Clar Rosso: I think it's a little higher than I expected. And part of the reason I say that is 60%. There's several reports that say 6 in 10, 60% of organizations will be hit by ransomware. And of those that hit - are hit by ransomware, only about 50% are going to be able to effectively restore their data. So hearing 70% of C-suite folks say we got it covered doesn't line up for me. There might be a little bit of overconfidence there. 

Dave Bittner: Where do you suppose that overconfidence might be coming from? 

Clar Rosso: Well, I think one of the things that we're seeing and we're hearing a lot is that in the C-suite, in the boardroom, individuals need to build their cyberliteracy. We've talked about this around financials for years and years and years, but now it's time that we need to talk about it about cybersecurity. What do they understand, and what do they need to understand? And there's a role that the cybersecurity professional can play in helping elevate that cyberliteracy within the C-suite. 

Dave Bittner: Let's talk about some of the other findings of the report. I mean, communications was one of the things that you highlighted here. 

Clar Rosso: Right. We think the report identifies that there is an opportunity to increase communications and reporting to leadership. The cybersecurity team within organizations should think about how can I increase the frequency and the appropriate level of detail that I'm giving to the C-suite to help instill confidence in the security of their operations and facilitate more informed decisions, as well as support the calls for more investment in cybersecurity, both people and technology? 

Dave Bittner: Was there anything in the report that was particularly surprising to you? 

Clar Rosso: One of the things that I would say wasn't surprising but that I was actually pleased by is when we asked what the top areas of concern for the C-suite were, I think people were asking the right questions. They wanted to know is our security function working with IT to ensure our backups and restoration plans will be able to work, right? They won't be adversely - if we do have a ransomware attack, we can back up our data and get back running. I like the fact that they were knowledgeable enough to understand that they need to be prepared to engage with law enforcement in the event of a ransomware attack. They ask questions like, are we prepared to engage with a cybersecurity firm to help us investigate and respond to a cyber incident? Where we most vulnerable? Things like that - those are the questions that the C-suite is asking, and those are good questions to be asking. 

Dave Bittner: You know, this report focuses on those executives in the C-suite. For the folks who are doing the work in the cybersecurity department, what are your recommendations for them? What should be their approach to best communicating their needs to the folks up in the C-suite? 

Clar Rosso: Right. I would take advantage of the headlines that we're seeing in the news every day. The next time you see a major headline about a cyber breach - when the Log4j happened in December, when something like that happens, use that as an opportunity to speak to the executives in your organization. Talk about how you're prepared to address these cyber risks, and talk about what you need to be better prepared to address future cyber risk. 

Dave Bittner: That's Clar Rosso from (ISC)2. 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security officer at Microsoft Canada. Kevin, always great to have you back. You know, I want to touch today on the relationship between CISOs and their boards of directors. At times, this can be a challenging relationship. And I know this is something that you have spent some time working on. I wanted to touch base with you for your specific insights here. 

Kevin Magee: Yeah. Thanks for having me again, Dave. Having sat on a lot of boards and having been a cybersecurity professional, I've got a foot in each camp. And there's a lot of articles and whatnot published on, you know, how best to talk to boards. But what happens when it goes wrong when you present to the board as a CISO, and how do you rebuild that relationship? Or how can you, you know, re-approach the board if, you know, you have a misaligned - a set of missed expectations? And so I do a lot of what I call CISO therapy sessions after they've been savaged by the board or had bad encounters and just trying to reset those relationships. And I've developed sort of a seven-step program to help them that's been super-effective. 

Dave Bittner: All right. Well, let's go through it together. Walk us through the steps. 

Kevin Magee: First is employ empathy. It's really understanding, you know, what their situation is. I call it the current ratio epiphany. When I was sitting on an audit committee, we were talking about the current ratio for about half an hour, and everyone seemed really concerned about it. But it had been 20 years since I took financial accounting. And finally, I raised my hand and said, I don't know what a current ratio is, or should it be bigger or smaller? And it turned out a lot of people around the table didn't know, either. And then it dawned on me that that's how folks must feel around the boardroom table when they talk about cybersecurity, when they don't understand the topic. They don't want to look like they don't understand from their peers. 

Kevin Magee: So employing empathy, really understanding their role and what their challenges are is sort of step one. And then along with that is confirming altitude. The board should have their noses in and fingers out, figuratively. But if you come to the board as a CISO with operational information or indicators, expect operational questions to go - to come back. Then we're going to get into the fingers and to your business instead of where they should be at the proper altitude, which is noses out - or noses in - sorry - fingers out. So making sure you confirm that altitude and stay at the proper altitude is sort of step two. 

Kevin Magee: The next three are sort of teach, tailor and take control, really teaching the board about their own personal awareness and understanding their role in the organization and the unintended consequences of their decisions to create a compensation plan for a CEO to drive growth and what that can have effect. Tailoring the message, making sure that you're, again, communicating at the right level. And then taking control of the metrics they're using, such as a MIS maturity level, to manage your growth of a security program as opposed to a number of attacks on the website or whatnot can really change the discussion. And the last two are just partner and build trust. You know, really get them engaged in tabletop exercise and build consistency and relations with individuals. And ultimately, you know, never surprise the board. You should really - when you come to that board, they should be fully aware of what they're going to talk about, what that will look like, and there's no surprises. And that's sort of the rehabilitation program that I use with CISOs. 

Dave Bittner: And I suppose, I mean, it's going to be easier to establish these things off the bat in a positive way than try to do damage control after you've had a bad encounter. 

Kevin Magee: I think too often CISOs wait till they're summoned to the board, and then they throw together what they think the board wants to see or again overload them with information. The average board's package can be 300 to 500 pages of material. You know, get to the point, summarize. Again, employ some empathy. What are the things that they're going to want to learn? What do they know? What do they know? What do they don't know? And give them the benefit of the doubt in terms of their ability to understand the information, but then also, you know, summarize in ways that are easily digestible and not using big words or industry words or whatnot as well, too. So taking a very proactive approach to that relationship is ultimately the key. 

Dave Bittner: You know, I've heard lots of folks say that you're much better off communicating with them in the language they understand, which quite often is that of risk. 

Kevin Magee: And we talk about, you know, protecting the crown jewels. It's one of the examples I use all the time. Well, telling IT or security to protect the crown jewels - what are the crown jewels? I'm not really sure what they are. And walking through a business process and understanding where the critical aspects of the organization's, you know, data really is developed, maintained and whatnot may throw some surprises. And that can't be done in a vacuum. That really needs to be defined by the senior levels of the organization, including the board, what the risk tolerance is. And IT and security need to be a partner, not driving that overall discussion. So again, often the board doesn't know how to approach the subject. But we assume that they're on the board - they must know what they're doing. So employing empathy, understanding that they may not understand the basics we do. And, you know, teaching them how we go about evaluating risk, what - how we identify data in the business process, how we protect it and whatnot is not talking down to them. It's really empowering them to make better decisions, ask better questions and provide better oversight. 

Dave Bittner: All right. Well, good insights for sure. Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brendan Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.