Russia’s hybrid war against Ukraine is currently heavier on the cyber than it is on the kinetic. BlackCat’s connection with DarkSide. An alert on LockBit. And six Indian call centers indicted.
Dave Bittner: Hey, everybody. Dave here. Excited to let you know that we have added another great show to the CyberWire podcast network. It's the International Spy Museum's long-running podcast SpyCast. Listen in as the museum's historian and curator, Dr. Andrew Hammond, gives you exclusive access to all things espionage and undercover. Each week, the International Spy Museum offers a new SpyCast podcast, featuring interviews and programs with ex-spies, intelligence experts and espionage scholars. Check it out on our website at thecyberwire.com/spycast, and be sure to subscribe wherever you get your favorite podcasts. A big welcome to SpyCast to the CyberWire podcast network.
Dave Bittner: The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobelium and the SolarWinds attack. Rick Howard steers the Hash Table toward supply chains. And the U.S. has indicted six call centers in India.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Monday, February 7, 2022.
Dave Bittner: Researchers update their accounts of Russian cyberespionage as observers look at the complexity of Russia's decision-making with respect to Ukraine.
Dave Bittner: Microsoft late Friday released more information on the threat actor it calls Actinium and that others call Gamaredon or Primitive Bear. The Microsoft Threat Intelligence Center, MSTIC, quote, "has observed Actinium targeting organizations in Ukraine spanning government, military, non-government organizations, judiciary, law enforcement and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access and using acquired access to move laterally into related organizations. MSTIC has observed Actinium operating out of Crimea with objectives consistent with cyberespionage," end quote. Actinium, MSTIC concludes, represents a different set of activities than the pseudoransomware wiper deployed against Ukrainian sites in January. So they don't believe Actinium is responsible for WhisperGate.
Dave Bittner: Ukrainian security services have attributed the activity to the FSB, specifically an FSB unit operating out of Crimea, and it's significant that MSTIC also sees Actinium's geographical base as lying in the peninsula Russia seized in 2014. Primitive Bear is not generally reckoned as smarter than the average bear, but neither are its operators complete rookies. They vary their infrastructure periodically to evade detection, using over a 30-day period some 25 new unique domains and more than 80 distinct IP addresses. Its domains' DNS records change on average once a day, not fast enough to count as fast-flux, but enough for a plausible form of evasiveness. In general, Actinium quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later. These are fast-moving targets with a high degree of variance. The group also hosts its malicious macros remotely, which helps it evade detection by static analysis systems.
Dave Bittner: Microsoft sees Actinium's principal objective as collection, and establishing persistence within targeted organizations in furtherance of future cyberespionage. It's typically gained initial access through phishing. Some of its phishing emails misrepresented themselves as coming from the World Health Organization.
Dave Bittner: The Wall Street Journal reports, quote, "After the attack last month, Lithuania offered to deploy a group of emergency defenders, known as the Cyber Rapid Response Team, to help protect Ukraine’s networks. The rapid response team includes cybersecurity experts from Lithuania, Estonia, Croatia, Poland, the Netherlands and Romania," end quote. While Ukraine hasn't yet accepted the offer, Victor Zhora, chief digital transformation officer at Ukraine’s State Service of Special Communications and Information Protection, suggested that Kyiv could use assistance with, quote, "quick response and quick countermeasures to defend our networks," end quote.
Dave Bittner: U.S. Deputy National Security Advisor Anne Neuberger has been consulting with NATO allies to organize a coordinated response to cyber threats Russia poses to Ukraine - and by implication, to Ukraine's neighbors and supporters. The Telegraph quotes her on the way in which a hybrid war is likely to develop. She said, quote, "We’ve been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine. The Russians understand disabling or destroying critical infrastructure can augment pressure on the country’s government, military and population, and accelerate the receding to Russian objectives," end quote.
Dave Bittner: Why hasn't Ukraine been given access to NATO's Cooperative Cyber Defence Centre of Excellence? The Kyiv Post, citing Oleksiy Danilov, secretary of Ukraine's National Security and Defense Council, says Hungary blackballed Ukraine's membership late last year. Danilov says Hungary was the only NATO member to vote against Ukraine's membership.
Dave Bittner: The BlackCat ransomware gang, thought to be responsible for fuel delivery disruptions in Germany, has been traced, tentatively at least, to former members of the BlackMatter/DarkSide group. BlackCat is the name MalwareHunterTeam gave them when the threat actor emerged in November. The gang calls itself ALPHV and would rather you address it as such. BleepingComputer describes BlackCat as a feature-rich operation, unusual in that it writes its code in Rust. It is, like its apparent predecessors, a ransomware-as-a-service player that gives its affiliates a highly customizable attack tool. In a conversation with the Record, BlackCat does the usual horn tooting and, amid other inside baseball gassing, says it's a former DarkSide affiliate that borrowed their advantages and eliminated their disadvantages. They say they are apolitical and very good at what they do, but they quack like Russian privateers. An Emsisoft analyst, Brett Callow, thinks BlackCat isn't a former DarkSide affiliate at all but simply DarkSide itself undergoing a rebranding after their loss of face due to an error that Emsisoft took advantage of to enable victims to recover their files without paying up. This cost affiliates millions. That's also essentially what DarkSide's C2C rival LockBit said back in December. DarkSide was brought down by the attention it drew when it attacked the Colonial Pipeline in the U.S., which suggests that BlackCat's attack on oil tanking may be a case of history repeating itself.
Dave Bittner: Speaking of LockBit, the FBI's Friday flash alert on that gang hints that LockBit may soon receive some unwelcome law enforcement attention itself. LockBit has been a player in the ransomware-as-a-service market since September of 2019. They've achieved additional notoriety more recently for their efforts to bypass initial access brokers or rogue pen testers and instead recruit insiders from their victims who'd be willing to give up their organizations in exchange for a cut of the take. To hear LockBit tell it, the rewards they're offering the faithless for betrayal are better than chump change. BleepingComputer quoted one such come-on back in August. Quote, "Would you like to earn millions of dollars? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate mail, et cetera. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak," end quote. Millions of dollars seems like a stretch, but whatever LockBit's offering is more than the proverbial 30 pieces of silver.
Dave Bittner: Anyway, it's too much to expect truth in advertising on the criminal-to-criminal marketplace. As the old UMW leader John L. Lewis said in a different context many years ago, he who tooteth not his own horn the same shall not be tooted. So factor that in. Still, probably not chump change. The bureau's advice is sound, if familiar. Use strong and unique passwords. Use multifactor authentication. Keep your software up to date. Enable protected files in Windows. Use a host-based firewall. And finally, restrict privileges and access to users who actually need them. The alert also advises network segmentation. Monitor systems and networks for unusual activity. Use time-based access for admin accounts. Disable command-line and scripting activities and permissions. Regularly back up data offline and ensure the backups are both encrypted and immutable. If you see signs of LockBit, the bureau would like to hear from you. Good hunting, FBI.
Dave Bittner: And finally, you know those guys who call you up and say they're from the Social Security police and tell you that your Social Security number has been involved in criminal fraud and is about to be suspended? We get them all the time, and they always sound like they're being placed from some boiler room or someplace like that and not from a nice office park on Security Boulevard. Some of them have been quite rude when our Social Security desk sought to engage them in conversation and appealed to their conscience or sense of religious devotion, shouting F you, for example, before slamming down their phone or growling, we're going to drag you out in handcuffs - stuff like that. Well, hey, what do you know? Turns out they may not be legit after all. The U.S. Attorney's Office for the Northern District of Georgia has announced the indictment of six call centers in India and their directors on charges related to conspiracy to defraud. The scams included not only the Social Security police shtick but also loan scams and IRS payment fraud.
Dave Bittner: The U.S. attorney also offers some advice for that dwindling number of Americans who still answer their voice calls. Quote, "The public should exercise caution with any caller who claims to be a government employee. Government agencies will never threaten you with immediate arrest or other legal action if you do not send cash, retail gift cards, wire transfers or internet currency. They will also never demand secrecy from you in resolving a debt or any other problem," end quote. Good advice. Remember, none of this is real, although we confess we'll miss listening to the editorial staff's chats with the scammers and their appeals to the better nature of the boiler room.
Dave Bittner: And it's always a pleasure to welcome back to the show our own Rick Howard. He is the CyberWire's chief security officer, chief analyst. Rick, it's great to have you back. You know, last year, 2021 seemed to me to be the year of the supply chain attack. You know, we had big headline news about IT vendor victims. We talked about SolarWinds. We talked about Accellion. And I know a number of our listeners who lost a huge portion of their holiday break dealing with the whole Log4j vulnerability.
Rick Howard: Yeah, that's true.
Dave Bittner: You know, it feels like supply chain attacks are new or certainly focused on. But that's really not the case, is it?
Rick Howard: It feels like that. I know what you mean, right? And - but, you know, supply chain attacks have been around since the internet was young. You know, nation-state actors like, you know, North Korea, Russia, China and the U.S., by the way, you know, they've all been using that technique since at least the early 2000s and probably much earlier than that. In the commercial space, probably the most infamous case - I wonder if you're remembering this, Dave - is when the hackers broke into the Home Depot network. This is back in 2014. And the way they did it is they first compromised the Home Depot HVAC contractor, then leveraged their credentials to get into the Home Depot network. So that was the first one that I can remember.
Dave Bittner: Yeah, so it's not so much that it's new, but I guess it feels right now like we're just really focused, thinking hard about how to protect against this particular attack vector. And that is the topic indeed of this week's CSO Perspectives episode.
Rick Howard: Yeah, that's right. We decided to take a closer look at the strategies that you - that could mitigate the risk to something tolerable, you know? And to be fair, though, all of us knew - you know, all of us network defenders have known about this attack vector, you know, for years. But it hadn't really happened that many times, and so we didn't really dedicate a lot of resources to solving it. I mean, you know, we got - all of us of a million things we have to do, right?
Dave Bittner: Right.
Rick Howard: So this is one more thing on the plate. But with all the news from last year, protecting against supply chain attacks has become a priority in the network defender zeitgeist, right? So we take a look at our first-principle zero-trust strategy, all right, to limit access and privilege to all the software and vendors that you use in the supply chain today. And then how a technique called software bill of materials, which has been in the news of late - these SBOMs, basically a food label for the software they use - might help us in the relatively near future.
Dave Bittner: All right, well, we will check it out for sure. It is CSO Perspectives, part of CyberWire Pro. You can find out all about it on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Dave Bittner: And I'm pleased to be joined once again by Kevin Magee. He's the chief security officer at Microsoft Canada. Kevin, it's always great to have you back on the show. You and your colleagues recently released your final report on Nobelium, which is, of course, part of the SolarWinds campaign there. I wanted to check in with you on that. What are some of the things in the report that caught your eye?
Kevin Magee: I took a number of lessons away from the report, Dave. And they really gave me an opportunity through this attack in this report to step back and start to look at the broader picture of some of these - the future of these attacks. And that's looking at the overall TTP of the specific threat actor over a longer period of time. You can start to see how patterns or see, you know, sort of the future of where attacks are headed that you can't see in individual sort of random smash-and-grab attacks. This was a very thought-out, nation-state-sponsored or equivalent attack, primarily devoted to gain strategic advantage over another country by stealing secrets. And it was a slow and patient attack that was very methodically planned and executed over time.
Kevin Magee: So there are a lot of opportunities to really see again what a specific threat actor is doing and get a sense for how we can protect against that threat actor. But also, we know that other threat actors are looking at the success of this attack, and they're going to start replicating that success. So how can we prepare for those eventualities as well, too?
Dave Bittner: To what degree are the TTPs used in an attack like this, you know, considered to be burned now that the - you know, they've been used up and we have to move on to other things? Is that a factor in something like this?
Kevin Magee: Sadly, a lot of the techniques they used in the intrusion were basic password spraying, you know, exploiting the vulnerabilities of unpatched devices. That was some of the basics. So they're really not burned. I think what made this group different is the bespoke, human-operated nature of their attacks. You know, they leveraged a wide range of techniques to achieve penetration. They adapted their toolset to the victim's unique environment. They did things like, you know, waiting a month until a reboot, so - to see which systems weren't patched and then exploiting those systems. So just the patience and stealth deployed by this threat actor, I think, is what makes them unique, not specific zero-days or anything like that. And that can lull us into a false sense of security when we say, hey, it was a zero-day; it's burned. This is a new way of approaching attacks as opposed to a specific secret weapon that this organization used to mount this attack.
Dave Bittner: So the things we've learned from this attack, how does it inform how we go forward here? What are the takeaway lessons here for organizations?
Kevin Magee: Yeah. I've got really three that I really focused on in reading through this report. And ultimately - and we've discussed this before - I feel we need to start focusing on the individual arrows of the attacks and start identifying and shutting down the archers. And that's going after the adversary and understanding what the adversary looks like and how they go about their business. And there's a great paper by a fellow you might know named Rick Howard and his partner Ryan Olson, "Implementing Intrusion Kill Chain Strategies." Really, the idea of an adversary playbook, I think, is starting to take off, building on the work of Lockheed Martin on the original kill chain, but really identifying the, you know, what is the TTP of a threat actor? How do we collect that? How do we understand the actions they take? And then how do we automatically deploy and update our security controls to - and our security posture in real time - be that SOAR, be that DevSecOps or whatnot. But a real-time sort of response to threat actors, not just individual attacks is, I think, the first lesson that I really took away.
Kevin Magee: The other two quick ones are just identity - identity, who is the primary attack vector used. And we need to really focus on identity as the new perimeter, and I think we're all coming to terms with that. But then I think the most important one is we need to take care of our security teams. This was a low and slow, you know, attack vector over a year or so. Taking care of security teams - defender fatigue is really a real thing. We need to make sure that we're looking after our teams. We need to have reserves. We have to ensure that there's not fatigue and exhaustion that's happening with our teams so that they can identify, they can react and they can spot some of these long-term trends. But then, you know, be all-hands-on-deck when there is an incident, and be prepared and have the energy and reserves to respond.
Dave Bittner: And how do you do that? As a leader of a team, you know, in this time of COVID, it's - that's got to be a challenging thing to do.
Kevin Magee: It's very challenging. And we've discussed in the past, being an introvert, it's really hard to inspire your troops during a pandemic when you're doing it on video. So - and we've gone away from prioritizing things like team building or collaboration or whatnot because there's just so much work to do. And a lot of our people are feeling just defeated when they face threat actors like this that are so organized and the campaign is so well-executed over time by a nation-state actor during the pandemic. Again, stepping back and looking at how we can do things more strategically, how we can start to build automation and take advantage of things like artificial intelligence or adversary playbooks or SOAR or whatnot to take some of the workload and some of the mindless tasks away from our defenders so that they can focus on what they do best, which is things like threat hunting and whatnot, which machines really just can't do as well as humans yet today. But it's also more fulfilling work for the individuals on the team as well to do something different rather than always following up on whether that was a real phishing attempt or not, which can be very disheartening and really lead to vendor fatigue very quickly.
Dave Bittner: All right. Well, interesting insights, as always. Kevin Magee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.