The CyberWire Daily Podcast 2.1.22
Ep 1506 | 2.1.22

Updates on the crisis over Ukraine, as Russian cyber operations continue. Ransomware threatens OT. Ramnit remains a leading banking Trojan. Bots infesting some NFT markets. Agencies advise opsec.

Transcript

Dave Bittner: No progress so far in talks over the Ukraine crisis, as Moscow's diplomacy and influence operations merge in the narrative of a Russia beset by armed Nazis. Ransomware and cyberthreats to OT systems. Ramnit is still up and at 'em in the banking Trojan world. Bots are following big brands in NFT markets. Ben Yelin has an update on NSO Group's marketing attempts to the FBI. An introduction to Dr. Andrew Hammond and the SpyCast podcast. And sending that sample in for your doctor? It may be best to buy it locally.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 1, 2022. 

Dave Bittner: Yesterday's U.N. Security Council meeting over the Russian threat to Ukraine was marked by acrimony and small progress toward any resolution. A brief portion of the exchange between the Russian and American ambassadors is up on the New York Times' website. A simultaneous translation of Russian Representative Vassily Nebenzia's remarks is up first, accusing the Americans of playing to the crowd and making the world uncomfortable. 

>>VASSILY NEBENZIA: (Through interpreter) We are being asked to convene a Security Council meeting on unfounded accusations that we have refuted frequently. Furthermore, the open format for discussion proposed by the U.S. on this extremely sensitive topic is making this a classic example of megaphone diplomacy, working in public - for the public, rather. We do not think that this will help to bring this council together. Rather, we fully understand the desire of our American colleagues to whip up hysterics. 

Dave Bittner: U.S. Ambassador Linda Thomas-Greenfield answered that nothing makes someone feel uncomfortable more than a few divisions assembled on their border. 

>>LINDA THOMAS-GREENFIELD: You've heard from our Russian colleagues that we're calling for this meeting to make you all feel uncomfortable. Imagine how uncomfortable you would be if you had 100,000 troops sitting on your border in the way that these troops are sitting on the border with Ukraine. Colleagues, the situation we're facing in Europe is urgent and dangerous, and the stakes for Ukraine and for every U.N. member state could not be higher. Russia's actions strike at the very heart of the U.N. charter. This is as clear and consequential a threat to peace and security as anyone can imagine. 

Dave Bittner: The Washington Post describes the sharp exchanges, but negotiations over the crisis continued today on a bilateral basis as U.S. Secretary of State Blinken talks with Russian Foreign Minister Lavrov. The Washington Post describes the sharp exchanges, which include a Russian accusation probably intended more for domestic than international consumption that NATO was deliberately marshalling actual, literal Nazis, by which they mean Ukrainians unfriendly to Russia, on Russia's borders. Ukraine, Russian representatives argued, is on a path to self-destruction through its alleged abrogation of the Minsk agreements, which Russia sees as having effectively placed areas of the Donbas under Russian protection. 

Dave Bittner: Russia's permanent representative at the U.N. said, quote, "if our Western partners push Kyiv to sabotage the Minsk agreements, something that Ukraine is willingly doing, then that might end in the absolute worst way for Ukraine and not because somebody has destroyed it but because it would have destroyed itself. And Russia has absolutely nothing to do with this," end quote. 

Dave Bittner: U.S. President Biden has already issued his own statement on the crisis, warning yesterday that while the U.S. and its allies will continue to negotiate in good faith, quote, "if instead Russia chooses to walk away from diplomacy and attack Ukraine, Russia will bear the responsibility, and it will face swift and severe consequences," end quote. Swift and severe consequences would include, as a minimum, sanctions designed to hobble the Russian economy and exact a personal cost from Russian leaders. 

Dave Bittner: Russian President Putin held his own news conference earlier today, the New York Times reports. He was no more irenic than were his ambassadors, although his tone was marginally more moderate than it was when he last spoke publicly about the crisis back in December. The whole crisis over Ukraine, he said, is a provocation entirely made in America. Quote, "their most important task is to contain Russia's development. Ukraine is just an instrument of achieving this goal. It can be done in different ways, such as pulling us into some armed conflict and then forcing their allies in Europe to enact those harsh sanctions against us that are being discussed today in the United States," end quote. 

Dave Bittner: Ukraine's accession to NATO would amount not only to a threat to Russian interests but a threat to world peace because, Mr. Putin said, a well-armed and supported Ukraine would find the temptation to invade and retake Crimea irresistible. And that would draw the NATO alliance in, and that would produce a global war. So, as Edward Luttwak once remarked, the aggressor is always on the side of peace. He seeks only to advance. War is the responsibility of an invaded party that has the effrontery to resist. 

Dave Bittner: U.S. Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger is in Europe for talks with NATO and EU counterparts on a coordinated response to the cyber dimensions of the Russian threat to Ukraine. CNN quotes an unnamed official as saying the purpose of her trip is to discuss, quote, "ways to enhance national and alliance resilience in cyberspace, including deterring, disrupting and responding to further Russian aggression against Ukraine, neighboring states and in our respective countries," end quote. 

Dave Bittner: SecurityWeek and CyberScoop both summarize recent reports of ongoing Russian cyber action against Ukrainian targets. Russia's FSB and GRU have both been implicated in the cyberattacks by Ukrainian intelligence and security services. Computing reports that the FSB's Gamaredon group is using eight novel payloads in its operations against Ukraine. The attacks are apparently intended both to influence Ukrainian society, sowing mistrust and exacerbating fissures in civil society, and to destroy data. 

Dave Bittner: Amid general expressions of European support, Ukraine is increasing the size and capability of its army, announcing plans to increase its military end strength by 100,000 troops over the next three years, Reuters reports. In the nearer term, according to the AP, Ukraine's military is constructing field fortifications and organizing irregular formations to prolong resistance and exact a heavy human toll on an invasion force. President Zelenskyy hopes for peace and urges calm. But as the Military Times says, the country as a whole seems to be preparing for the worst. 

Dave Bittner: Some of the Russian cyber operations against Ukraine were pseudoransomware, deploying destructive wipers that masqueraded as ransomware proper, but actual ransomware remains a large and growing threat. Such attacks pose a threat not just to data security and availability but to operational technology as well. Mandiant reports that 1 in 7 ransomware attacks compromises sensitive information about operational technology. 

Dave Bittner: SecurityWeek reports that such information could be exploited in cyber physical attacks. Mandiant observed, quote, "access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance and engineer cyber physical attacks. On top of this, other data also included in the leaks about employees, processes, projects and so on can provide an actor with a very accurate picture of the target's culture, plans and operations. Even if the exposed data is relatively old, the typical lifespan of cyber physical systems ranges from 20 to 30 years, resulting in leaks being relevant for reconnaissance efforts for decades, much longer than exposed information on IT infrastructure," end quote. 

Dave Bittner: Much concern about the possible attacks on infrastructure during the ongoing conflict between Russia and Ukraine focuses on oil and gas delivery since Western Europe and Germany in particular are heavily dependent on Russian natural gas. Should sanctions affect the Nord Stream 2 pipeline or should Russia decide to interrupt deliveries of natural gas, shortages would weigh heavily on NATO and the EU. The U.S. has been seeking to find alternative sources of natural gas for its allies, but that's not a trivial task. Coincidentally or not but probably coincidentally, the German business publication Handelsblatt reports that the gasoline distribution firm Oiltanking Deutschland says that it's come under an unspecified but disruptive cyberattack that the firm is working to contain and resolve. 

Dave Bittner: IBM has released a study of the well-known Ramnit banking Trojan, finding that it led its category of crimeware and pay card theft during 2021. By malware standards, Ramnit is positively venerable, having been in circulation for more than a decade. The top brands that have recently been targeted are in the travel and lodging sectors, but Ramnit's operators have been widely active. 

Dave Bittner: It's not just grinchbots buying all the candy before Halloween, all the toys before Christmas or, for that matter, all the chocolate and lingerie before Valentine's Day. Scalping bots are now after NFTs as well as the old familiar tangible geegaws and baubles. PerimeterX reports that bots are following major brands into the NFT markets. Some of their activity is fraudulent in that attenuated sense in which a scammy non-fungible token can be said to be inauthentic as opposed to merely competing. But much of it is proceeding along the familiar lines of market manipulation, sometimes driving prices down, at other times driving them up. 

Dave Bittner: Three U.S. Federal agencies have issued alerts this week. The FBI warns, largely on grounds of a priori probability, that the Olympic Games will afford hackers of many kinds attractive targets. More pointedly, the Bureau also advises those traveling to the Games that foreign intelligence services can be expected to attempt to compromise any devices the travelers bring with them. 

Dave Bittner: The Federal Trade Commission, according to the Wall Street Journal, reports that ad fraud in social media is a growing threat. Scammers use the tools available to advertisers on social media platforms to systematically target people with bogus ads based on personal details such as their age, interests, or past purchases, the FTC says. 

Dave Bittner: And finally, the National Counterintelligence and Security Center warns that foreign intelligence services are attempting to gain access to individuals' medical information by requiring providers of diagnostic services to share such information with their governments. So if you're in the market for a mail-order colonoscopy - and you know who you are - best to buy American. 

Dave Bittner: And I'm pleased to welcome back to the CyberWire podcast Andrew Hammond. He is a historian and curator at the International Spy Museum, also a public policy fellow at the Wilson Center. Andrew, great to have you back. 

Andrew Hammond: It's great to be back. 

Dave Bittner: Today, we are celebrating the fact that the official podcast of the International Spy Museum called SpyCast is joining the CyberWire network. So excited to have that happen. Welcome aboard. 

Andrew Hammond: Thank you. I felt like a cousin, but now I feel like a sibling. 

(LAUGHTER) 

Dave Bittner: Well, before we dig into some of the details about SpyCast itself, for folks who may not be familiar with the International Spy Museum, what it's all about and its mission, can you give us a little description of what it is you all do? 

Andrew Hammond: Absolutely. So we have - I think the best place to start is we have an Aladdin's cave of artifacts. We have - and this is in the Guinness Records book if you don't believe me. We have the world's preeminent collection of intelligence and espionage-related artifacts. So we showcase that in a series of exhibits. And like most museums, we have programs that augment and extend the work that we do and the exhibits. So SpyCast, our long-running podcast, is an example of that. And that's been around for 16 years. We've got over 500 episodes. So we've been around for quite a while, but I'm excited by this new chapter with CyberWire. 

Dave Bittner: And so the SpyCast podcast itself - can you give us an overview of the type of things folks might expect to hear? 

Andrew Hammond: Absolutely. One of the ways that I like to think about it is intelligence and espionage is like an ecosystem. It's like a huge coral reef. And what we try to do on the show is I put on my scuba equipment and I go to the places where the showstopping main draw fish are, but I also go looking for the weird-looking eels and the other things. So every week we explore some part of that coral reef. 

Andrew Hammond: So in the past, you know, just some of the headlines that I could share with your listeners - we've had on CIA directors, NSA, GCHQ, MI6. But it's not just about the past. In the first month with CyberWire, we're going to have the NATO intelligence chief on. We're going to have Joe Weisberg, the creator of "The Americans," on the show. Farther down the pipeline, a couple that I'm particularly interested in is El Chapo and Intelligence and the IRA and intelligence, so the Irish Republican Army. And for your listeners, they may also be interested in some of the other stuff that we have coming up. There's one that's a former CIA case officer who became a cyber entrepreneur. And there's another one with another CIA case officer who's involved in strategic cyber. So I think that there's - what we try to do is just look at the past, present and future of intelligence espionage and all of its dimensions. 

Dave Bittner: You know, one of the things I really enjoy about a visit to the Spy Museum - and we should say it's right down in the middle of everything down in Washington, D.C. - is the combination of the artifacts themselves with the rich, deep storytelling that you all put into the exhibits. And I think that extends to the podcast, as well - that, you know, those - the rich history of the things that you all have collected but put into context with the stories from around the world. 

Andrew Hammond: Absolutely. You should - we should get you over here, Dave. 

(LAUGHTER) 

Andrew Hammond: I mean, I think you're absolutely right. It's the stories that bring the artifacts alive, right? So we've got great artifacts, but we've got just incredible stories attached to them. And that does transfer over to the podcast. So, for example, last year, I interviewed a 100-year-old lady who was in Los Angeles. But during the Third Reich, she was a young Jewish woman that went undercover in Nazi Germany. That's, like, one of those doozy stories that comes along every now and again. So there's just incredible stories that are attached to the artifacts. And you're right. Our location is amazing. We're between the mall and the river. If anybody wants to come to the Spy Museum, it's really nice down by the wharf now. Yeah, the location - I mean, another interesting thing about the location is, you know, maybe New York could also be a contender, but this is one of the global epicenters of intelligence and espionage. This is a city of spies. And it wasn't just during the Cold War. It's happening now. So we're really at the center of the action in many respects. 

Dave Bittner: Yeah, there's really something for, I'd say, you know, kids of all ages, folks interested in this sort of thing. It's - if you do make it to D.C., it's on my list of must-visit places. And as I said, we are excited to welcome the "SpyCast" to our network of shows. Excited to have you aboard. So we encourage everyone who's listening to this podcast to check it out. It's "SpyCast." Andrew Hammond, thanks for joining us. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast, which if you have not yet checked out, what are you waiting for? It's a great show. You should check it out. It's a lot of fun. Do it. (Laughter) Ben, good to have you back, Ben. 

Ben Yelin: I will endorse that view. 

Dave Bittner: (Laughter). 

Ben Yelin: It is a great show. And good to be back with you, Dave. 

Dave Bittner: Yeah, absolutely. I want to touch base with you because the ongoing saga of NSO Group and their Pegasus spyware continues and had some interesting reporting from the folks at The New York Times Magazine about this. What's the latest, Ben? 

Ben Yelin: Yeah, so we found out some new, really interesting information. We have covered the NSO story on this podcast and on the "Caveat" podcast for a long time. This is the world's most potent spyware, as The New York Times calls it - Pegasus, made by the Israeli company NSO. It's been used for beneficial purposes by countries all around the world to track terrorists, drug cartels. It was the technology used to obtain the drug cartel ringleader El Chapo in Mexico. But it's also been used for ill. So many countries who have purchased this Pegasus spyware have used it to spy on journalists, dissidents, et cetera. So that's why it's particularly controversial. 

Ben Yelin: This investigation by The New York Times Magazine uncovered a couple of pieces of really interesting information. The first is that our own FBI was interested in purchasing this Pegasus spyware, even though the NSO has been blacklisted by the American government. And they wanted to use the spyware for domestic surveillance purposes. We don't know exactly what that would have entailed or, you know, what sort of criminal investigations the FBI thought would justify the use of this type of spyware. But nevertheless, we find out in this investigation that the FBI abandoned plans to purchase this spyware in the middle of 2021. So it was interested, but it ultimately decided against it. Notable that it happened six months into a new presidential administration. 

Ben Yelin: The other key piece of information here is that Pegasus and - the spyware itself and also NSO has been a key part of the diplomatic strategy for the Israeli government. So they've used this spyware as sort of a key component of their diplomatic negotiations. Particularly in 2020, they came to these series of agreements with countries across the Arab world - these so-called Abraham Accords. And as part of those accords, they offered to provide this spyware for these governments. Some of these governments, you know, particularly countries like Saudi Arabia, are using them for nefarious purposes - you know, spying on journalists, spying on political dissidents. But Israel sees this spyware and this company as one of its assets in diplomatic negotiations. This is something it can offer its partners in diplomatic negotiations. 

Ben Yelin: So those two pieces of information, I think, were the new nuggets to come out of this investigation. And then there's, of course, the fact that this was all leaked to The New York Times Magazine. They said that they obtained this information. So I'm certainly interested in, you know, who's doing the leaking and what their motivation is for leaking this information. 

Dave Bittner: It's interesting that the FBI ultimately thought better of it. You have to wonder if the fact that it was banned and so much controversy about it, general knowledge about it in the public - you know, was it too hot to handle? - or whatever was behind their decision-making process. But suppose - I mean, hypothetically, if we went down that path and the FBI decided to use something like this, is this the kind of tool that's normally in bounds for them, that this is the kind of thing they would use regularly? 

Ben Yelin: Yeah. I mean, so there's no limit on surveillance technology just based on the nature of the technology itself. It depends on whether the people who are allegedly being spied on have a reasonable expectation of privacy. Then, you know, if they have that reasonable expectation of privacy, you have a Fourth Amendment search. And then those searches have to be reasonable. And one way you can determine reasonableness if there's no warrant is weighing the security interests of the government or the government's - whatever the government's interests are against the potential invasion of privacy. But there's nothing, you know, in our Fourth Amendment jurisprudence that says, per se, once you get a technology that, say, breaks, you know, end-to-end encrypted applications, that is illegal, you know, the government can't use it. That's just not the way our Fourth Amendment jurisprudence works. It really depends on how that technology is being deployed. 

Ben Yelin: So domestic agencies certainly could have used Pegasus spyware. They use all, you know, different types of - as we've talked about on this podcast and Caveat, whether it's state law enforcement agencies or the FBI, they use illicit surveillance methods all the time in a variety of realms. So, you know, this certainly would have been, depending on how they used it, in bounds for law enforcement. Now, it's a little complicated when you're talking about encrypted applications because people are trying to conceal their communications, so they do have a subjective expectation of privacy. And, you know, I think that expectation is reasonable, given how robust end-to-end encryption is. But, you know, maybe the assumption that your communications are going to stay private might change if people realize that this technology exists, where, you know, Israeli company NSO is advertising that, you know, this can be a valuable intelligence tool into the window of a person who is using this type of technology. 

Dave Bittner: Yeah, it's fascinating - well, interesting developments, for sure. Ben Yelin, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.