The CyberWire Daily Podcast 2.2.22
Ep 1507 | 2.2.22

Both sides in the conflict over Ukraine are talking with their allies and preparing for conflict in cyberspace. A cyberattack disrupts gasoline distribution in Germany. Notes on APTs and privateers.


Dave Bittner: Tensions between Russia and Ukraine remain high as diplomacy is at a temporary impasse. NATO prepares to render cyber assistance to Ukraine. An unspecified cyberattack affects gasoline distribution in Germany. The White Tur threat group borrows heavily from several APTs, but itself remains mysterious. Charming Kitten gets some new claws. Caleb Barlow on Harvard’s analysis of Equifax. Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report. And the Trickbot gang seems to be privateering in that old familiar way.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, February 2, 2022. 

Dave Bittner: The conflict between Russia and Ukraine is, for now at any rate, at an impasse, with diplomacy between the two sides not advancing. Russia continues to position itself as the aggrieved party, Ukraine as dangerous and NATO as misled by American bad faith. In the meantime Ukraine digs in and NATO prepares for an escalation of hybrid conflict that is expected to prominently feature cyber operations. NATO is consulting with Ukraine. Russia is consulting with Belarus as China stands by as a more-or-less sympathetic observer. 

Dave Bittner: U.S. Deputy National Security Advisor for Cybersecurity and Emerging Technologies Anne Neuberger is conferring with NATO policymakers in the North Atlantic Council, after which she'll visit her counterparts in Poland. The Wall Street Journal reports that NATO is working toward a significant package of cybersecurity aid for Ukraine, and the New York Times characterizes Neuberger's mission as "largely focused on how to coordinate a NATO response should Russia again attack parts of the power grid in Ukraine or take out communications in an effort to destabilize the government of President Volodymyr Zelensky," end quote. 

Dave Bittner: The Times quotes an unnamed senior U.S. official to the effect that the U.S. believes Russia is interested in replacing the government in Kyiv with a friendly one - that is, one more like the regime in Belarus. Quote, "If Putin could accomplish that without occupying the country and sparking an insurgency, that would be his best option," end quote. And attacks on infrastructure, especially on Ukraine's power grid, could prove to be, from the Russian point of view, agreeably destabilizing. 

Dave Bittner: Ukraine has, for its part, continued to seek close collaboration with NATO on cybersecurity. While NATO turned down Ukraine's request last year for a formal association with the Tallinn-based Cooperative Cyber Defence Centre of Excellence, Defense News reports that Estonia in particular has cooperated closely with Ukraine and continued to advocate for Kyiv with Estonia's NATO partners. 

Dave Bittner: The Estonian Ministry of Defense wrote in a statement last week, quote, "The parties discussed the organization and overall state of Ukraine’s national cyber security, including the recent large-scale cyberattacks against Ukraine and their impact on the current security situation," end quote. Margus Matt, undersecretary of cyber matters at the ministry, added, quote, "Estonia is ready to send cyber specialists to Ukraine to further develop this exchange. By supporting Ukraine, we are also strengthening our own defense posture," end quote. 

Dave Bittner: It's possible for countries who aren't NATO members to become contributing participants in the CCDCOE. Austria, Switzerland, Sweden and Finland presently enjoy that status. The Centre's director, Estonian Air Force Colonel Jaak Tarien, told Defense News that, quote, "right now the CCDCOE is mapping out new possible cooperation areas with Ukraine, since Ukraine has unique experience in combating hybrid threats. Sharing it will help to improve both the knowledge and readiness to face such threats in each Member State of CCDCOE individually and in NATO as a whole," end quote. 

Dave Bittner: The cyber threat doesn't run entirely in one direction, and while the open letter from the Congress of Russian Intellectuals is a protest, there's a possibility that other dissenters could move to hacktivism. In addition to the prospect of NATO retaliatory or preemptive cyber operations, hacktivists could begin to hit Russian targets. The Moscow Times looks at the recent disruption of Belarusian rail transport by the Cyber Partisans and speculates that similar hacktivism might also surface in Russia. 

Dave Bittner: Gabriella Coleman, professor of anthropology at Harvard University and author of two books on computer hacking, told The Moscow Times, quote, "the BCP have been so spectacular and effective that I could definitely see a few other groups popping up in the region" - end quote. The number of hacktivist groups - activists who use technology to effect social change - has been on the rise across Russia in the last few years. And with brutal crackdowns on public protests sweeping across the post-Soviet region, cyberspace may be the safest place for collective discord. There are dissenting voices within Russia itself, although it's not clear how much of the Russian populace they represent. 

Dave Bittner: More than 2,000 members of the Congress of Russian Intellectuals, Radio Free Europe/Radio Liberty reports, signed an open letter Sunday in which they decried the threat of military action against Ukraine as immoral and denounced any such war as tragic and unjustifiable. Gabriella Coleman added in her conversation with The Moscow Times, quote, "in Russia, there's clearly a highly trained technical class of people, and there is disaffection, so you would expect to find at least a small pocket of hacktivism" - end quote. 

Dave Bittner: While so far Russian cyber operations against Ukraine have been relatively closely confined to their intended targets (the malware used in the WhisperGate pseudo-ransomware lacked the worming capabilities that enabled NotPetya to spread so quickly beyond its initial Ukrainian infestations), well, that could change. Cyber Dive and others recount the potential threat future operations could pose to Western businesses, and those businesses would do well to inspect their insurance coverage. Exceptions for acts of war and other acts of states made it difficult for many of them to recover damages they sustained from NotPetya in 2017. 

Dave Bittner: We read yesterday in the German business publication Handelsblatt that the gasoline distribution firm Oiltanking and Mabanaft Group, an energy company, have come under an unspecified cyberattack that they're working to resolve. Both companies are subsidiaries of Marquard & Bahls, and BleepingComputer suggests that they may have been infected through their parent organization. Computing reports that the incident has taken the automated systems responsible for filling and emptying its fuel storage tanks offline at 13 facilities in Germany that, between them, handle about 155 million tons of material every year. The filling of petrol tankers is being held up as a result. Mabanaft has declared force majeure at the oil terminals it operates in Germany. Officials downplay the seriousness of the disruptions, which they say have not had a major effect on German fuel supplies. There's no attribution yet as to who's responsible for the attack. And so there's no consensus either as to whether it's a criminal caper or a state-directed act of cyber espionage. 

Dave Bittner: PwC describes a hitherto unknown threat actor they're calling White Tur, and the "White" in PwC's naming convention means that the researchers haven't yet associated the actor with any particular geographical area. PwC's study of the group began with the investigation in January 2021 of a phishing campaign. White Tur is unusual in that it seems to have borrowed tactics, techniques, procedures and code from a range of unrelated advanced persistent threats. Its only distinctive feature is its victimology. It prospects defense, government and research organizations in Serbia. But PwC is unable to discern any unifying motive that would point to a particular threat group. 

Dave Bittner: Cybereason says the Iranian threat group Phosphorus, also called APT35 and Charming Kitten, has increased its activity and shown new capabilities, including highly modular malware and a novel PowerShell Backdoor - being called Powerless Backdoor - that evades detection by running a dot-net application without launching the telltale PowerShell-dot-exe. It's also using open-source tools and publicly available exploits. Cybereason finds that some of Charming Kitten's indicators of compromise overlap those associated with the Memento ransomware operation. 

Dave Bittner: WIRED has an account of the internal chatter of the TrickBot gang. It does indeed seem to operate like a business, and while it was briefly disrupted last October by U.S. Cyber Command, it's back and operating from Russia with the familiar impunity Moscow confers its privateers. 

Dave Bittner: And finally, happy Groundhog Day. The Pittsburgh Post-Gazette reports that Punxsutawney Phil emerged from his tree stump on Gobbler's Knob, saw his shadow, and predicted six more weeks of winter. 

Dave Bittner: Sadly, the town of Milltown, N.J., reports their own groundhog, Milltown Mel, passed away just days ago, leaving locals scrambling to find a suitable rodent replacement. Who knew there's no such thing as a strategic groundhog reserve? 

Dave Bittner: Data and security analytics company Devo recently released results from their third annual SOC Performance Report. Gunter Ollmann is chief security officer at Devo. One of the challenges he sees from the report is getting leadership and SOC analysts on the same page. 

Gunter Ollmann: Well, I think the leaders are much more positive about how things are going, you know, about feeling much more positive about the value that SOC brings to business, much more - you know, feels much stronger, that they're bringing new value to the business, that they're solving business problems and that their analysts are on form and delivering what the business requires. Meanwhile, the guys in the - guys and girls in the trenches are, you know, feeling swamped - you know, alert fatigue, posture fatigue, policy fatigue. They're up against the grind. They feel swamped by the number of tools, the technologies, and they feel, year on year, less like they are contributing positively to their organizations. 

Dave Bittner: And what do you suppose is causing that mismatch there? Is there a lack of communication between the two groups? 

Gunter Ollmann: Yeah. There's clearly a lack of communication. And certainly if you ask those folks in the trenches about how - you know, how leadership is communicating what they're delivering and how leadership understands what the day-to-day operation is, that gap is broadening. You know, and so communication is key there. And I think, you know, the other direction as well, that maybe those leaders have a little bit of a, you know, rose-tinted-glasses view of what it's like to now sit in front of those screens and respond to threats. 

Dave Bittner: In terms of the SOC analysts themselves, can you give us some insights as to what is the spectrum between the haves and the have nots in terms of the tools and the resources they have available to them? 

Gunter Ollmann: I think one thing to sort of look at is - and it comes out in the report - that, you know, 70% of those folks at the coalface state that working in the SOC is painful, right? And that pain affects their recruitment, their retention. And the burnout is, you know, increasingly a problem. I think one of the one that is pretty scary in this - you know, and it applies to both the high-performing and low-performing teams - and that is that 63% of the respondents have said they considered changing careers and leaving the job. And all this report was done September time. I would bet a dollar that those SOC teams that managed through the Log4j work over Christmas, I would say that, you know, many more have been reconsidering their careers and leaving jobs. 

Dave Bittner: What do you suppose they need then? How do we move the needle here and make it so that they're - they have the tools they need and they're more satisfied with the job that they're doing? 

Gunter Ollmann: Well, one of the pieces of feedback is that from the fields - sorry, from the trenches - is there's too many tools - right? - swamped with information, too many tools, too many new things to learn. And, you know, if that's the problem statement, I think the other side of this is they're looking for the integrations, the actual real application of machine learning and artificial intelligence to deal with both the drudgery of SOC response, but also just, you know, let those - the triaging, the case management tools, but bringing it all together into - you know, I would hate to use the term suite, but effectively, how do you bring all these disparate technologies, different tools into a single flow for response and mitigation? 

Dave Bittner: For the high functioning SOCs, what are the common elements there, the ones who are doing well? 

Gunter Ollmann: Well, I think some of the problems - you know, shared problems between both the leadership and, you know, the operations teams there - I think the ones that they sort of highlighted were you know, information overload and the attack surface visibility has been, you know, a shared sort of problem. And I think the attack surface visibility, you know, and the management of that has become probably one of the more critical elements of, you know, modern SOC operations and protection with inside the enterprise. As - you know, cloud expands, and the tools and technologies that, you know, every worker is now using requires so many new degrees of specialization. So I think that has contributed to information overload and, you know, new alerts and new tool creep. 

Gunter Ollmann: The other one where - that was highlighted was really about the turf or silo issues between the IT operations and SOC, right? So who actually owns some of these things, whether it's the data, the retention, the policy compliance of these alerts, for example, through to, you know, who's responsible for actually responding for a different tier - is it a security event? Is it a policy violation? So I think that's a key part. And the last one, you know, on shared problems has been the whole aspect of compliance with data privacy and data protection requirements, which has crimped the ability for many of these SOC teams and SOC analysts to understand, investigate and provide speedy remediation to attacks. So those were sort of shared problems between those leaders and in the trenches for those high-performing teams. 

Dave Bittner: That's Gunter Ollmann, chief security officer at Devo. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. Caleb, always great to have you back on the show. There was a recent study that was released from the folks at Harvard. And they were looking at the Equifax case. I wanted to dig in with that with you. There's some interesting things in this report, yes? 

Caleb Barlow: Well, it's not even a report. It's actually a Harvard Business study, you know, a case study that they use in teaching class. And it's a whopping $8.95 if you buy it on Amazon. Well... 

Dave Bittner: OK. 

Caleb Barlow: ...This is an incredibly powerful tool that I think most people don't realize is out there. So, you know, the team at Harvard basically took the time like they do with all of these cases to go do an intensive study of the Equifax breach. They write up a case. And then when they teach these things at Harvard Business School, they present the case, and the students have to discuss it and decide, you know, what would they do in this situation? 

Caleb Barlow: Now, I've had the opportunity to sit in on this at Harvard multiple times as kind of an outside expert when they discuss this case. And it's a really fascinating case study that you can even use in your own executive team or if you're doing cyber education. First of all, not only is it inexpensive, but it's not what you think is going to happen. 

Caleb Barlow: So when, you know, most people hear Equifax, Dave, they kind of look at it and go, oh yeah, well, that was, you know, a bunch of idiots that made a bunch of dumb decisions. When you read the case, you come back with a whole different opinion because the case is walking through, what did these executives know and when did they know it? And you suddenly look at it, and you scratch your head going, yeah, I could see how they made that decision. Yeah, maybe my company would make the same decision. And then you suddenly start to realize that what they were missing might have been a little different than what you thought. 

Dave Bittner: Can you give us an example here? What are some of the things that stood out to you? 

Caleb Barlow: Well, I think when most people hear about Equifax and what we saw in the news, you know, of course, this thing is predicated by the fact that you had some insider trading and, you know, just a bunch of big screw-ups in the process of response. But the reality is, when you look at it, a lot of the tools and capabilities were in place like many other companies. In fact, you know, what I've seen classes end up with at the end of the discussion after talking about this for an hour is really a conclusion that maybe this wasn't so much a lack of preparation for preventing a breach, but maybe it was more about a lack of preparation of how to respond when one was breached, having those runbooks in place, exercising them and making sure that was communicated well in the organization. 

Caleb Barlow: You know, unfortunately, this is a great example of where, you know, a siloed management team was making independent decisions without looking at the bigger picture. And these are the types of things we all need to learn. So it's a great way to kind of get across that point and have a little bit of fun in discussing a case study. 

Dave Bittner: Interesting. So this is available on Amazon? 

Caleb Barlow: Yeah, it's available on Amazon. Like I said, literally $8.95. You can probably also pay a whole lot more and go to Harvard and have this come up in a class. I think they teach it about once a year. They've also got one out there on the Target study, you know, Target case study, which, of course, is a little more dated. But it's just a really cool tool because, again, it's one of those things that puts you in the seat of that executive to really go, based on what they knew, would you have made the same call? And what do you think they could have done differently? And these are great ways for everybody to learn. 

Dave Bittner: Yeah, absolutely. All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliot Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.