Cyberattacks reported in Ukraine as Russia signals a willingness to negotiate with NATO. TA2541 targets aviation and allied sectors. BlackCat’s tough to shake. Romance scams. Beamers.
Dave Bittner: Reports of cyberattacks against Ukrainian targets as the parties to the crisis resume negotiations. The U.S. has been forthcoming with intelligence on Russia’s ambitions in the region. An apparent criminal group is targeting aviation and related sectors. BlackCat ransomware victims are having difficulty recovering. Why conditions favor romance scams. Ben Yelin looks at pending cyber breach notification laws. Our guest Padraic O'Reilly from CyberSaint on the effectiveness of Biden's plan to protect the water sector. And beamers defraud Roblox players.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, February 15, 2022.
Dave Bittner: Security firm Intel 471 writes that rates of cybercrime against Ukrainian victims, most of which would be expected to originate in Russia, have been unusually low during the crisis. The Russian government has publicly cracked down on cyber gangs over the past two months, but this may represent a diplomatic gesture that could be easily reversed should tactics change.
Dave Bittner: There may have been such a change today. Buzzfeed correspondent Christopher Miller tweeted this morning that there are signs of a surge in cyberattacks against Ukrainian financial services and the country's Ministry of Defense. The Ministry of Defense has itself tweeted that it's undergoing distributed denial-of-service attacks.
Dave Bittner: People on the ground in Kyiv are sharing over social media that there’s no comprehensive, general shut-down of banking operations - some ATMs are working, for example, while others are not. The situation is still developing, but there’s online a priori speculation that the incidents may represent a kind of virtual artillery preparation for a more general attack in a hybrid offensive.
Dave Bittner: Preparation or not, there are mixed signals, on balance encouraging, concerning Russian intentions with respect to Ukraine. Moscow is signaling that it's interested in further diplomacy aimed at reducing tensions over Russia's ambitions in Ukraine - most obviously in what the New York Times calls stage-managed, televised meetings among Russian leaders. Foreign Minister Lavrov - the good cop - was yesterday shown giving President Putin his assessment of prospects for negotiation. Quote, "I believe that our possibilities are far from exhausted. I would propose continuing and intensifying them," end quote. President Putin - the bad cop - responded with what the Times characterizes as an ambiguous, good.
Dave Bittner: Foreign Minister Lavrov called some U.S. proposals constructive, and it appears there's some Russian interest in confidence-building measures that might be put into place to mediate Russo-NATO relations. But the U.S. reacted, in the AP's characterization, coolly. Quote, "the path for diplomacy remains available if Russia chooses to engage constructively," White House principal deputy press secretary Karine Jean-Pierre said, quote, "however, we are clear-eyed about the prospects of that, given the steps Russia is taking on the ground in plain sight," end quote.
Dave Bittner: German Chancellor Scholz is in Moscow for talks. Reuters says his going-in diplomatic position includes both an indication of willingness to address such legitimate security concerns Russia may have and a clear statement that Russian escalation will prompt sanctions. He said, quote, "we are ready for very far-reaching and effective sanctions in coordination with our allies," end quote.
Dave Bittner: There are contradictory indications of the current state of Russian deployments near Ukraine. On the one hand, Russia says that, some exercises having concluded, it's moving many units back to garrison. The New York Times quotes Russian statements that some forces in military districts near Ukraine are leaving assembly areas and returning to home station. On the other hand, U.S. intelligence sources have said, the Wall Street Journal reports, that Russian force levels in the immediate theater of operations have increased, up to 105 battalion equivalents from 83 such units earlier in February.
Dave Bittner: Russian conventional forces may not be the ones used in an escalation. It's possible, the Atlantic Council says, that Russia would use deniable, nominally insurgent proxies to fight on the ground.
Dave Bittner: The U.S. has been unusually forthcoming with intelligence during the crisis. Foreign Policy sees this as a possible sign that the U.S. is catching up with its rivals in this aspect of information operations. The strategic calculation is that transparency will serve as a deterrent - the more that's known about hybrid operations and strategic deception in particular, the less likely they are to succeed.
Dave Bittner: In a conference call yesterday afternoon, the U.S. FBI and CISA reiterated recent warnings that organizations in the U.S. should be alert for increased hostile cyberactivity originating with the Russian government. The substance of the call, to judge from a report by Yahoo News, emphasized vigilance and security best practices.
Dave Bittner: Director of the U.S. Cybersecurity and Infrastructure Security Agency Jen Easterly has tweeted a short guide to interpreting the Shields Up alert, and she explicitly holds up NotPetya as a foreshadowing of how the Russian threat might manifest itself in practice. Quote, "every organization in the U.S. is at risk from cyberthreats that can disrupt essential services. As we know, the Russians have used cyber as a key component of their force projection, to include disabling or destroying critical infrastructure. While there are no specific credible threats to the U.S. homeland at this time, we are mindful of the potential for Russia to consider escalating its destabilizing actions in ways that may affect our critical infrastructure, to include cascading impacts we saw with NotPetya. All organizations must adopt a heightened posture of vigilance. The time to act is now," end quote.
Dave Bittner: Proofpoint has published details of a study that tracks the activity of TA2541, a threat actor that has targeted the aviation, aerospace, transportation, manufacturing and defense industries for years. Its preferred tactic is phishing, using malicious files to dangle a remote-access Trojan fishhook in front of its intended marks. The group has evolved beyond familiar email phishing with malicious attachments and now sends victims links to cloud services, like Google Drive, where the payload resides.
Dave Bittner: The researchers describe TA2541 as criminal, but offer little other attribution or characterization. CyberScoop reports that it may have a geographical connection with Nigeria.
Dave Bittner: Some indication of ransomware's disruptive effects may be seen in the experience of Mabanaft GmbH & Company KG, the German fuel storage company that sustained a cyberattack during the last week of January. The firm still hasn't returned to normal operations. Bloomberg reports that Mabanaft's first tests of restored operations have been unsuccessful. The company is believed to have been the victim of BlackCat ransomware.
Dave Bittner: Whatever action Russian security authorities have taken against cyber gangs recently seems not to have affected the Russophone underworld's position in the global criminal marketplace. A study by Chainalysis concludes that about three-quarters of ransomware payments are going to Russian criminal groups. Evil Corp alone accounts for some 10% of the global total. Chainalysis also notes that such attacks continue to avoid targeting members of the Commonwealth of Independent States, an organization of former Soviet republics that have remained more or less friendly to Russia.
Dave Bittner: Romance scams, of course, tend to spike around Valentine's Day. But as the U.S. Federal Trade Commission pointed out this week, they're trending up generally. What's fueling the increase? It's a convergence of the non-harmonic kind - people are feeling lonely and disconnected during the pandemic, socially distant, and they're looking for companionship online more than ever before, the Wall Street Journal notes. Take the scams and catfish who cumber the internet and couple them with the easy remittance cryptocurrencies offer, and the environment is ripe for romance scams. Some of the lonely-hearts scams are brutally direct, using bogus dating sites, Trend Micro reports, to induce the amorous and incautious to fork over various pieces of valuable information, including, of course, credit card details.
Dave Bittner: And finally, Vox has a report on a new venue for cybercrime where the victims are disproportionately young. Roblox, the popular gaming platform where you can make your own game, is presently being infested with beamers. These are people who impersonate others and steal from them in the in-game purchase marketplace Roblox offers.
Dave Bittner: Vox writes, quote, "so-called beamers are able to profit from stolen Roblox items via massive dedicated marketplaces that handle at least tens of thousands of underground transactions and which take a cut of each sale, too. Some of the items sold in these marketplaces likely include hacked items," end quote. And so a criminal marketplace again grows up in the shadow of an online community. Hold on to your skins, friends.
Dave Bittner: In late January, President Biden announced his administration is expanding the Industrial Control Systems Cybersecurity Initiative to include the water sector. They said the Water Sector Action Plan is a collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technologies and systems that provide cyber-related threat visibility indicators, detections and warnings.
Dave Bittner: Padraic O'Reilly is co-founder and chief product officer at CyberSaint, a software security solutions company that does quite a bit of work with the water sector.
Padraic O’Reilly: It's pretty complex. There's a lot of different structures in place. There are municipalities, localities that have primary authority, there is some state authority and the feds do have some say so through the EPA. So it's a pretty complex structure, and it's - as you can see, it's regulated in some respects, but not really when it comes to cyber. And even the initial guidance now is presented more in the form of guidance and not as regulation yet.
Dave Bittner: So what exactly has the Biden administration done here in terms of their approach to cybersecurity and water treatment plants?
Padraic O’Reilly: I think what they're trying to do is to leverage some of what they are doing with electric and pipeline, some of those directives and the rethinking around all of that and apply that to water. And they're doing in a slightly different way with respect to water because of the structure that we just talked about. There are many, very, very many small water treatment facilities and they are, you know, really understaffed with respect to cyber. And it's a hard thing to ask them to step up their cyber practice when they don't have the resource.
Padraic O’Reilly: So what the Biden administration is doing is taking some of the learnings out of the electric infrastructure push last year with CISA, which was to get more monitoring into place, and about 150 electric concerns have already signed on to that. So they're going to work with the largest water treatment plants and kind of build the best set of best practices with the largest plants first and then float those learnings downstream, more or less.
Dave Bittner: Do you feel as though this is a reasonable approach to the situation?
Padraic O’Reilly: I do. I work with several water treatment concerns in my business. I've seen firsthand how constrained they are, and I've seen also firsthand how they're not as mature as certain other sectors. And they need - they need help. And this - you know, this - basically, this plan is a way to increase the cadence and communication between the federal government and these smaller concerns and get them the help they need.
Dave Bittner: Can you give us some insights with, you know, some of the organizations that you work with? I mean, what sorts of things are they dealing with on a daily basis when it comes to managing their own cybersecurity?
Padraic O’Reilly: Well, they're managing a, you know, complex threat landscape and a pretty complex threat attack surface, particularly, you know, after COVID in the sense that, you know, a lot of water treatment plants have some remote access now. You can see that the Oldsmar attack, that that was through remote access. That was through a thing called TeamViewer. And the person in the control room actually saw the cursor moving. So you have this remote access issue, which increases the threat attack surface.
Padraic O’Reilly: And there's a lot of bad actors out there right now looking to leverage any number of vulnerabilities in there. You know, we saw them all come out last year - SolarWinds and the rest. And they're generally understaffed, so they might have a SIM or a logging tool in place, but that quickly gets overwhelming if you don't have analysts on hand, right? So what they really need to do is mature a bit with respect to seeing what's coming in across their networks and doing some internal monitoring, which is another really difficult thing to do when you're understaffed.
Dave Bittner: Are you optimistic that we're heading in the right direction when it comes to the things that are coming down from the White House and these plants' abilities to accommodate them?
Padraic O’Reilly: Yeah, I'm quite optimistic. I think the White House is taking the correct approach on this. It's long overdue in some respects.
Padraic O’Reilly: The only thing that I'm a bit concerned about are the layers of governance between sort of these initiatives and the actual operators of the plan. Part of the reason we're in this situation is governance has been, you know, a little - has overlooked cyber historically, and that can't continue. So, you know, hopefully after this initial round of help is in place, you know, I hope the EPA and the administration and the Senate take a look at whether or not this has to become, you know, more of a regulatory issue.
Dave Bittner: That's Padraic O'Reilly from CyberSaint.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article from the folks over at Mimecast written by Karen Lynch. And they have sort of gathered up, aggregated a list of some of the laws that are pending on reporting and paying ransomware as we are well into 2022 here. That'll be interesting to review some of these with you, Ben. What's on this list?
Ben Yelin: Sure. So the closest we came to getting a piece of legislation in this regard was towards the end of last year, when a provision for reporting cybersecurity or ransomware incidents made it into the defense authorization bill at first. That bill always changes at the last minute, and those provisions were left out of the final bill.
Ben Yelin: But we do have a number of proposals pending in Congress, most of them with bipartisan support. So there's a bill - the Cybersecurity Incident Notification Act, which comes from the Senate Intelligence Committee. That would require companies to report any cybersecurity breach or an attempt with potential national security, government or economic impact within 24 hours. So that's a rather strict requirement.
Ben Yelin: A separate bill is a little less strict. The Cyber Incident Reporting Act gives a longer window - 72 hours. With that longer window, it also would institute criminal penalties for organizations that did not comply, whereas in the first bill I mentioned, it's only a civil penalty.
Dave Bittner: Now, would these two be mutually exclusive? In other words, you know, could they both be passed or would you have to come down with one or the other?
Ben Yelin: I think they could both be passed. I mean, there are lots of circumstances where the same action can subject you to both civil and criminal penalties.
Dave Bittner: I see.
Ben Yelin: So it might be report within 24 hours to avoid a civil penalty. Report within 72 hours or else you receive a criminal penalty.
Dave Bittner: I see.
Ben Yelin: I could see that taking place.
Dave Bittner: So if you want to drag your heels and you're OK paying a fine, have at it.
Ben Yelin: Right. Exactly.
Dave Bittner: Yeah.
Ben Yelin: If there's some reason that, you know, you don't want to report after 24 hours, whether that's reputational or whether you're just, you know, not really sure exactly what happened, then yeah, that might be your way out of it if you just want to avoid criminal penalties.
Dave Bittner: How are companies responding to the specter of these - of this sort of legislation coming online?
Ben Yelin: So companies are sort of split on this. I think many companies that are victimized by ransomware are anxious about these reporting requirements just because they've been attacked, and now you have this extra onus on you to report back to the federal government. If you think that information is going to get out, your organization or company might suffer reputational damage. If it indicates that you've been negligent in protecting, you know, say, personally identifiable information, that could subject you to legal liability.
Ben Yelin: It's kind of a prisoner's dilemma of sorts here because we want information in the aggregate about cyber incidents, and we want to know the extent of ransomware, how many companies are actually paying the ransom. That's useful information for the country, for our federal agencies, but it might not be advantageous for companies themselves to actually report that they've been the victim. You know, and then separate from these reporting requirements, there's the question of whether you should be punished for paying a ransom.
Ben Yelin: So Mimecast, where we got this article, actually did a survey on this - the survey is going to be released shortly - saying that 72% of companies attacked by ransomware said that they paid the criminals, whereas only 19% of them recovered their data. So, you know, if we are talking about a system, which has been proposed, where we penalize companies for paying the ransom, going beyond reporting requirements, you know, that's going to be a high percentage of organizations that are going to face this really difficult choice.
Ben Yelin: Sometimes paying the ransom is the easiest thing to do to recover your data, but that might subject you to federal, criminal and civil penalties. And, you know, I think there would be a lot of companies that would lobby against that tradeoff. I think that leaves us kind of looking to see what happens in 2022.
Ben Yelin: There's going to be another defense authorization bill that might be a good opportunity to stick in a couple of provisions about mandatory reporting. My guess is that we'd see mandatory reporting make its way into federal statute before we saw anything related to ransom payments. And that's just kind of where I'm at on that.
Dave Bittner: All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.