The CyberWire Daily Podcast 2.3.22
Ep 1508 | 2.3.22

Ukraine goes to a higher state of cyber alert. Chinese cyberespionage hits financial services in Taiwan. Arid Viper is back, and so is Adalat Ali. BlackCat disrupts fuel distro in Germany. Hacking the DPRK.


Dave Bittner: Ukraine and NATO increase their cyber readiness. Chinese cyber-espionage has been looking closely at financial services in Taiwan. Hacktivists hit Iranian state television. Arid Viper is fishing for targets in the Palestinian territories. Verizon's Chris Novak shares his thoughts on the cyber talent pool. Our guest is Torin Sandall from Styra on Open Policy Agent. And, dude, treat yourself to a pair of Vans.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 3, 2022. 

Dave Bittner: Ukraine has officially increased its state of cybersecurity readiness. President Zelenskyy has enacted the National Security and Defense Council's decision of December 30, 2021, titled "On The Plan For Implementing The Cyber Security Strategy Of Ukraine." U.S. deputy national security adviser for Cybersecurity and Emerging Technologies Anne Neuberger continues her discussions with NATO allies. LRT reports that she's warning that Russian cyberattacks during Moscow's ongoing campaign of pressure on Kyiv should be expected. Quote, "Russia has used cyber as a key component of their force, so this is a proactive trip both to talk about improving resilience and to highlight overall NATO's commitment to NATO members' cyber resilience in that way," end quote. 

Dave Bittner: According to Ukrinform, the Netherlands has promised Ukraine technical assistance for its cyber defense and has declared an interest in closer cooperation with Ukraine on cybersecurity. In a joint statement issued by Ukrainian President Volodymyr Zelenskyy and Netherlands Prime Minister Mark Rutte, the two countries said, quote, "following the cyberattack against Ukraine on 14 January, the Netherlands stands ready to provide technical cyber assistance to Ukraine. The two leaders expressed their interest in advancing cooperation on cyber issues, as well as on other matters of mutual concern, in the face of the contemporary challenges, including hybrid threats and fight against disinformation," end quote. 

Dave Bittner: Critical infrastructure is expected to figure largely on Russian targets lists should the ongoing conflict escalate. An essay in The Conversation argues that the metaphorical first shots against Ukraine have already been fired in cyberspace and that this is entirely consistent with the Gerasimov doctrine that has shaped Russia's approach to hybrid war. The sector, generally regarded as providing both high-value and high-payoff targets, is electrical power generation and distribution. While Ukraine has sought to improve the security of its grids since Russian disruptive attacks in 2016, that effort remains a work in progress and won't be completed in the near term. 

Dave Bittner: One of the challenges Ukrainian authorities face are the remaining connections of its power grid with Russia's. Kyiv has sought to decouple itself from the Russian grid. But again, the Kyiv Post points out, that's not something done overnight. As an aside, it's not unusual for power grids to cross international borders, even uneasy ones. During the Cold War, for example, there were electrical power distribution connections across the inner German border. As to the form such cyberattacks might take, most of the press is betting on form. Since Russian operators have used pseudo-ransomware in past attacks, many are looking for a repetition of that method. It's tried. It's deniable, although more implausibly than plausibly given recent events. And it's available. 

Dave Bittner: The Christian Science Monitor describes the ways in which NATO's understanding of cyber conflict has evolved. In particular, the threshold for the invocation of Article 5, the alliance's provision for collective defense, has gotten lower. Part of the motivation for this is to improve deterrence, where uncertainty can sometimes make an adversary more reluctant to move. The Monitor quotes David van Weel, NATO assistant secretary general for emerging security challenges, who told journalists in December, quote, "up until now, the idea among cyber adversaries was, if we don't completely disable the full country's infrastructure, it'll probably be OK. With the new policy we're saying, well, that's not necessarily true. I'm making it less defined. Sorry for that," end quote. So sorry, not sorry, as they say. The U.S. in particular is interested in cooperating on what U.S. Cyber Command calls hunting forward, a more assertive doctrine that was on display in last year's incursion into the Internet Research Agency, a Russian organization closely associated with that country's offensive cyber and influence operations. 

Dave Bittner: Symantec researchers this morning released a report on the recent activities of Antlion, a Chinese government-directed advanced persistent threat that's been working against financial services in Taiwan over the past 18 months. Its attacks are marked by the installation of the xPack backdoor. It's an espionage operation. And Symantec thinks the duration of Antlion's persistence in the networks it targets notable. It's been able to spend months inside its targets, giving it ample time to survey and collect information. Adalat Ali, a dissident Iranian hacktivist group known for defacing websites and rail transit message boards late last year, has resurfaced and hijacked Iranian state television streams, the Record reports. 

Dave Bittner: Cisco's Talos research unit describes renewed activity by Arid Viper, now conducting politically themed phishing against Palestinian targets. Arid Viper strikes Talos as technically unsophisticated but also as indifferent to stealth or misdirection, which suggests the group doesn't worry about public exposure. Arid Viper has been thought to be based in Gaza, which suggests that it's a party to intra-Palestinian disputes. 

Dave Bittner: As the effects of a cyberattack on two German petroleum distribution firms continues to disrupt operations, the nature of the attack has become clearer. According to ZDNet, Germany's BSI has determined that it was a ransomware attack and that the BlackCat group was behind the incident. Reuters reports that Belgian prosecutors have opened an investigation into a cyber incident that hit the Port of Antwerp on Friday. The attack seems to have centered on the port operator, Sea-Tank, but few details are publicly available, and the story is still developing. 

Dave Bittner: And finally, we close with a story that, among other things, points out not only the difficulty of attribution but also the surprising vulnerability of big organizations to small and determined threat actors. Over the past two weeks, North Korea's access to the internet has been largely disrupted. Admittedly, North Korea's internet access is already tightly controlled and centrally monitored from Pyongyang. You don't casually log on to TikTok or window shop for Vans or follow clickbait about what the stars of "Friends" look like today. It's simply not done. But some organizations in the DPRK do enjoy regular internet access, maintain pages and so on. Those include the Air Koryo national airline and the official portal of the Dear Successor's government. But these sites and others like them have been up and down for a good fortnight. 

Dave Bittner: It's got to be the U.S. Cyber Command - right? - leaning forward in the foxhole because of the DPRK recent missile tests, right? Well, not so fast. Wired says it knows what's actually going on. And they seem to have the goods. In fact, Wired writes, it was the work of one American man in a T-shirt, pajama pants and slippers sitting in his living room night after night, watching Alien movies and eating spicy corn snacks and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country. 

Dave Bittner: Wired identifies the gentleman by his hacker name, P4X, and describes him as a security researcher - in fact, one of the security researchers whom the North Korean intelligence organs pestered in late 2020 and early 2021, attempting to steal the tools they used in their work. Even though he prevented Pyongyang's goons from getting any of his goods, Mr. 4X was aggrieved by the effrontery. He let his resentment simmer for a year, as Wired puts it, and then decided to take matters into his own hands. P4X told Wired, quote, "for me, this is like the size of a small-to-medium pen test. It's pretty interesting how easy it was to actually have some effect in there," end quote. 

Dave Bittner: Given the way North Korea is and isn't online, his operation probably had little effect on daily life. And given that North Korean intelligence organs, like elements of the Lazarus Group, probably work from offshore - where the connectivity, and, no doubt, the shopping are better - it's unlikely that he had much effect on them. Still, he counted coup. Martyn Williams, a researcher for the Stimson Center's 38 North Project said, quote, "If he's going after those people" - that is, Pyongyang’s intelligence services - "he's probably directing his attentions to the wrong place. But if he just wants to annoy North Korea, then he's probably being annoying," end quote. 

Dave Bittner: Anyhoo, Mr. 4X isn’t necessarily done. He’s organizing Project FUNK, for Eff-You North Korea, to which he hopes to recruit like-minded hacktivists. In the meantime, he surely merits congratulations for being annoying, and for avoiding harm to regular people. So nicely done, and we wouldn’t say that if it involved any other country than the DPRK. 

Dave Bittner: Open Policy Agent is a project that came out of the cloud native computing foundation, and it aims to provide policy-based control for cloud-native environments. The CyberWire's Rick Howard has more of the details, and he files this report. 

Rick Howard: I'm joined by Torin Sandall. He's the VP of open source at Styra. And you are here to explain the relatively new open-source project called Open Policy Agent or OPA, as the cool kids say. So can you describe the problem that OPA solves and how Styra decided to initiate the project? 

Torin Sandall: OPA is an open-source project. We donated it to the CNCF, the Cloud Native Computing Foundation. And what Open Policy Agent, or OPA as we like to call it, does is it helps organizations, large enterprises basically unify authorization or who can do what across the stack. So it provides a way for security engineers, DevOps engineers, software developers, basically anyone involved with security in an organization to, you know, codify the rules that control who can access what resources in the organization across the entire stack. So whether you're talking about applications or data or APIs or CI/CD pipelines or container platforms or the cloud, OPA is sort of a one-stop shop for expressing rules that govern access. 

Rick Howard: So I'm familiar with the idea of infrastructure as code, but OPA's more policy as code. That's kind of the phrase you hear. Can you describe the difference there? 

Torin Sandall: Infrastructure as code is sort of this idea of basically specifying the configuration that defines your computer network and storage resources as code or as data. Policy as code is sort of a similar idea, right? I think in the past, a lot of the time, policy was implemented and enforced and monitored by humans through tribal knowledge in the organization or through spreadsheets and PDFs and wikis and stuff like that. And so this idea of a policy as code is to say that modern systems can't really be managed that way. And so you really need more of an automated approach. And so policy as code is basically taking best practices from software development and applying them to the implementation, monitoring and enforcement of policy in an organization. 

Rick Howard: So how does OPA solve that problem? I mean, I understand what you're saying, that there's between deploying architecture like, you know, servers and workloads and things. But this is policy about who has access and who should have access, right? Is that correct? 

Torin Sandall: The fundamental thing that OPA gives you is a high-level, declarative language that you can use to express rules that govern access to the system. You know, if you have a service that is exposing salary data, you might write some rules for OPA that say that only employees can see their own salary data, as well as anybody in their management chain. Their subordinates or their peers are not allowed to see their salary, right? So you can basically take that logic and you can express it in OPA's policy language. And then you can have that logic distributed out to your OPAs by a system you build or that you buy. And then it can get enforced inside of the system through an integration between salary application and OPA. 

Rick Howard: So here at the CyberWire, we are all learning about zero trust as a strategy. You know, in order to do zero trust, you have to know precisely who is logging into your systems and what system they are authorized to access across all data islands like cloud services, both SaaS and IaaS cloud services, mobile devices and data centers. So could OPA be used as a zero-trust engine or a platform to control that across all those workloads? 

Torin Sandall: So OPA helps you implement zero trust because it provides this lightweight engine that you can deploy next to each and every piece of software. The way that we think about it is that it's sort of like a host local cache for policy decision making, OK? So you take it, and you can literally run it on the same server as the other piece of software that requires decision making or the same - in Kubernetes, it's the same pod. Or on, you know, on Amazon, it would be within the same instance, right? 

Torin Sandall: So OPA's really designed and implemented for these highly kind of, like, distributed environments where zero trust is a really important architectural concept. And so we see, you know, lots of organizations using OPA to implement all kinds of, like, east-west, you know, security controls and microservice environments, as well as north-south and so on. So yes, OPA's definitely kind of a key building block for a kind of a modern, cloud-native zero trust architecture. 

Rick Howard: Well, Torin, this is really exciting stuff. I've been looking for this kind of thing for a long time. Thanks for coming on and explaining it for us. 

Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the global director of the Threat Research Advisory Center at Verizon. Chris, it is always great to have you back. I want to touch base with you about where we stand right now when it comes to our cybersecurity talent pool. You hear a lot of things about this, depending on who you ask. What are you seeing these days? 

Chris Novak: Yeah, it's a pleasure to be here, Dave. And, you know, I think the talent pool is a hot topic everywhere you go. Nobody - when it comes to cyber, nobody has enough. Nobody has what they want. Everybody wants more, and I think there's a lot of things that go into it. I think to some degree, you know, we've seen - I don't know if I want to say we've been a little bit spoiled in the past. You know, you'd go out and open up a job role, and you'd say you want a candidate that's got all these different things. And you might very well find it, but now I think the demand on the talent pool has dramatically increased for a variety of reasons. 

Chris Novak: And then you also have kind of, you know, maybe I might say, turmoil in the broader labor market, combined with the fact that the pandemic has changed either who wants to work, where they want to work and how they want to work. So, you know, any kind of stability that we had in terms of how we pursued new talent, that is all kind of thrown up in the air and mixed around. So our approach to the whole model has to change. 

Dave Bittner: You know, I've seen criticism that people want to hire cybersecurity folks, but they want them to walk in fully baked. 

Chris Novak: (Laughter). 

Dave Bittner: And they're not willing - you know, they're not willing to do the training to hire that entry-level person and nurture them for however long it takes to get them to that level. Do you find that's a fair criticism? 

Chris Novak: Actually, I do. And I think, you know, even ourselves, I think, you know, we've all been guilty of that a little bit. But I think it's important for us to look at it and say, we can't expect that, right? I mean, I started in cybersecurity before there was an opportunity for anybody to even be fully baked, as you said. And so, you know, you had to learn. You had to be trained. You had to be mentored. You had on-the-job training. There might not have even been, you know, universities you could go to to get a degree in it. 

Chris Novak: And I think we need to kind of look at the industry kind of almost through that same lens and say, look, we need to invest in our talent. We also need to embrace diversity. And, you know, I look at that as we need to pull in people from all different backgrounds, not even necessarily cyber, right? Because if we are all trying to pull from cyber, we're still all pulling from that same pool. 

Chris Novak: But I'll tell you that I've got some great people on my team that - they have law degrees. They have chemistry degrees, biology degrees. You know, they come from all different walks of life. They didn't necessarily study and start in cyber. It was just something that was really attractive to them. They kind of got sucked in. And then from there, you know, they were invested in. They were grown. They were trained, and they became phenomenal talent. And I think that's why we need to look at some of these kind of adjacent talent pools and opportunities for us to kind of go beyond the - let's find the unicorn that's got 10 years of experience and everything to, you know, let's find someone who's got the passion, the interest and the excitement. And let's make that investment. 

Chris Novak: You know, like at Verizon, we've done a lot in terms of developing our internship and new college hire programs, recognizing that, you know what? Someone coming to us with little to no experience but the passion and the interest and the fire in their belly to learn - that is very valuable. We can mold them. We can train them. And we can grow them to be what we need them to be. 

Dave Bittner: What about that person who has that fire, who has that passion, but they find themselves up against HR departments where, you know, they can't get past that gate. They can't get their resume in front of the people who may see them for the potential that they have. 

Chris Novak: That's a great point, and I'm sure there's going to be a lot of HR people out there that are going to hate me for what I'll say to that (laughter) but I'll say it anyways. And what I would say is, you know, persistence pays off. I think there are a lot of places where you will encounter that problem. There's automated screening and all sorts of other things that will trip up people. And this is an area where I think that, you know, going back to kind of the roots of the industry is kind of helpful in my own mindset in recognizing that some of the best people we've ever picked up didn't start in or have any background in cyber. But they reached out and they said, I'd like to do it. And these are the ways that I can show that I have that passion, that fire in my belly. 

Chris Novak: So what I would encourage people to do is find those people that you think are either looking for the talent - maybe they've indicated on LinkedIn that they're hiring or they're part of an organization that's hiring or they're part of an organization that you know you'd be excited to work for - send them a direct message. I get a lot of these on LinkedIn, a lot of these on Twitter, and I answer every single one of them. And God knows how many I will get after I just said that. But nonetheless, I think it's a great thing, and I've mentored and helped a lot of people. You know, if they don't have the background and they're looking to understand what should I have as a good base, what will help me open the door, either with with a Verizon or anyone else, and I'll sit down with them and even have a call with them and say, look, let's talk about what you're doing, where you're at, what are your interests. Here are maybe some trainings or some certifications or some free and available resources out there. There is a tremendous amount of knowledge and educational material that is freely available. 

Chris Novak: And I think again, the persistence piece is key. If you can't get in through that front door with the typical HR and recruiting screenings, kind of take that side door route and try to contact people through social media. Let them know you're interested. You know, I can't guarantee everyone's going to be responsive to that, but I know my team, we're always looking for good talent. And we're always trying to diversify where we pull that talent from. So, you know, we're typically very eager to speak to people who are excited about the field. And I think also, you know, to that point, it's also important when we're focusing on how we invest and grow the talent - you know, from our standpoint - you know, every now and then, I'll hear criticism from people who'll say, look, you know, it's expensive to invest and train people. And then at the end of the day, that only may get them to a certification. And then they go get a job somewhere else. I'm like, look, that's just business, right? That's just the way the world works. At any point, I could go get another degree, get another certificate and leave and go work somewhere else. 

Chris Novak: But at the same time, I also look at it and say every single person that we've hired, we've hired them away from somewhere else, too, right? And that business has probably invested in them and trained them as well. And so I look at it as kind of a not so much about kind of being, you know, selfish and how do I grow my piece of the pie, but how do we be kind of more selfless and say, how do we just grow the whole pie for all of us? And in turn, you will be rewarded with your piece of the pie, respectively, gets bigger. 

Dave Bittner: All right. Well, Chris Novak, thanks for joining us. 

Dave Bittner: And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.