The CyberWire Daily Podcast 2.17.22
Ep 1518 | 2.17.22

Someone’s engaged in provocation in the Donbas. Ukraine sees a Russian influence operation in recent DDoS attacks. Ice phishing as a threat made for a decentralized web.

Transcript

Dave Bittner: Provocation may have begun in Ukraine, and no one but Russia can see any signs of a Russian withdrawal of troops. Recent DDoS attacks in Ukraine are seen as an influence operation. The compromise of International Red Cross data has been tentatively attributed to an unnamed state actor. Johannes Ullrich from SANS shares a fancy phish. Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, February 17, 2022. 

Dave Bittner: Russian forces near Ukraine appear to have been augmented, and NATO governments see no signs of the withdrawal Moscow said was in progress. And by all indications, recent cyber-operations seem to have been more information warfare than sabotage. 

Dave Bittner: Organization for Security and Cooperation in Europe monitors reported multiple shelling incidents in eastern Ukraine. Accounts in the Guardian and elsewhere have focused on a children's school, variously described as a kindergarten or a nursery school, that was hit by shellfire said to have injured three people. Ukrainian authorities accused Russian-led nominally separatist forces of artillery attacks in the Donbas this morning. The separatists, CBS reports, blame Ukrainian forces. In any case, artillery fire hitting a kindergarten is difficult to improve upon as a false flag provocation - it’s an almost parodic story of outrage. That's how Ukrainian President Zelensky has characterized the incident, and NATO governments are tending to agree. 

Dave Bittner: Far from confirming Russian claims that the forces it's maintained on high alert in forward assembly areas near Ukraine are now beginning to return to their garrisons, the New York Times reports that both U.S. and U.K. sources say the withdrawal isn't happening. British Foreign Secretary Liz Truss was among the senior officials to publicly dispute Russian withdrawal claims. In fact, Russia seems instead to have deployed an additional 7,000 troops to border areas. Forbes cites a U.S. official to the effect that the 7,000 represent a further augmentation to the 150,000 troops already in a high state of readiness near Ukraine. Quote, "Russia keeps saying it wants to pursue a diplomatic solution," the unnamed senior administration official said. "Their actions indicate otherwise. We hope they will change course before starting a war that will bring catastrophic death and destruction," end quote. 

Dave Bittner: Ukrainian military intelligence is said to have assessed that Russia’s assembly of combat power, disturbing as it is, remains insufficient for a full-scale invasion. If one accepts at face value the traditional military wisdom that an attacker needs a 3 to 1 advantage over the defender to have a reasonable chance of success, and if one simply counts troops in the theater, that's probably correct. But local superiority can be achieved - you fight the forces you find on the ground in front of you, not the ones in other parts of the country - and the troop build-up is certainly sufficient for offensives with objectives short of the conquest and subjugation of the entire country. Estonian intelligence services think that such limited offensives are more probable. 

Dave Bittner: This week's distributed denial-of-service attacks against two large Ukrainian banks and the country's public-facing Ministry of Defense sites are now being attributed to Russia. The goal being imputed to them is influence. The intention appears to be inculcating the belief that Russian intelligence services can work their will against a weak Ukrainian government shown to be incapable of meeting its core responsibilities of public safety. The Ukrainian Center for Strategic Communications and Information Security posted, quote, "the key goal of the attack is to show the strength of foreign intelligence services and the weakness of the Ukrainian government and to sow panic and chaos in society," end quote. 

Dave Bittner: The Guardian reports that Ukrainian authorities didn't specify a particular Russian organization as responsible, which suggests the attribution is circumstantial. So the operation retains a fig leaf of deniability. Ukrainian authorities also described the incident as unusually large. Nonetheless, it fell far short of crippling either the Ministry of Defense or financial services across the country. It would, however, represent a plausible effort at sowing doubt and mistrust. The Telegraph reports that both the U.S. and U.K. have stepped up their assistance to Ukraine's cyber defenders. 

Dave Bittner: Preparation is being used in several senses as people discuss Russian pressure on Ukraine. There is, of course, the ordinary language sense of getting ready for something. There's also strategic preparation aimed at sapping an adversary's capacity for effective resistance. Influence operations designed to fragment civil society would often serve that purpose, as would demonstrations intended to show that the adversary's cause is hopeless. And that seems to have been the point of this week's DDoS attacks against Kyiv. This is the sense in which observers are mostly talking about cyber preparations for a prospective Russian expansion of direct combat against Ukraine. Forbes describes how such operations can serve as a precursor to a broader offensive. 

Dave Bittner: There's also battle space preparation, which usually means intelligence collection and analysis in support of current operations. And finally, there's preparation in the sense of an artillery preparation, fires directed against enemy positions in advance of an attack by maneuver elements. The fires in the Donbas this morning aren't an artillery preparation in the proper sense. They're too random and indiscriminate for that, but they do serve well as a provocation. 

Dave Bittner: A cyber preparation in this tactical sense has yet to be seen. One form it might take is an attack on Ukraine's power grid, which would have an immediate effect on military operations. Russia conducted limited attacks against Ukraine's grid in 2016 and 2017. Robert M. Lee, CEO of industrial cybersecurity firm Dragos, commented in a media session yesterday that while Ukraine has probably improved its response capability since those attacks, its ability to defend the grid is in all likelihood about where it was five years ago. 

Dave Bittner: The International Committee of the Red Cross, the ICRC, yesterday released an update on the incident it sustained in which threat actors obtained sensitive information about refugees and other vulnerable populations. The ICRC suspects state-sponsored actors. They are believed to have gained access to the ICRC's systems by exploiting an unpatched vulnerability in Zoho ManageEngine ADSelfService. KrebsOnSecurity reports informed speculation that the incident was an Iranian influence operation. 

Dave Bittner: Someone using the hacker name Sheriff in the Anglophone RaidForums criminal market advertised sale of stolen Red Cross and Red Crescent data. The offer was framed in a way that suggested it was part of an extortion campaign, but Sheriff's email address has been seen before in an Iran-based network of inauthentic news sites and social media accounts aimed at the United States. It's a possibility only at this stage, more suggestive than dispositive, but interesting nonetheless. 

Dave Bittner: Microsoft describes a new style of blockchain-centric attack, ice phishing. Redmond sees it as a threat made for the decentralized Web3. Microsoft researchers see this winter's Badger DAO phishing attack as representative, a caper that netted the attackers about $121 million. The goal of ice phishing is to obtain the victim's cryptographic keys. Once the crooks have your key, they can move the contents of your wallet whither they wish. 

Dave Bittner: In ice phishing, the criminals inveigle the victim into signing a transaction that delegates approval of the user's tokens to the attacker. That may sound sinister, but it's actually quite common as a way of enabling interactions with DeFi smart contracts, permitting users to swap tokens. Quote, "in an ice phishing attack, the attacker merely needs to modify the spender address to attacker's address. Once the approval transaction has been signed, submitted and mined, the spender can access the funds. In case of an ice phishing attack, the attacker can accumulate approvals over a period of time and then drain all victims' wallets quickly," end quote. And that, says Microsoft, is what happened in the Badger DAO case. Expect more of this should the internet move toward the decentralized model of Web3. 

Dave Bittner: The False Claims Act is the U.S. federal government's primary legal tool to go after organizations who've defrauded the federal government. It goes back to the Civil War and is often referred to as the Lincoln Law. Recently, the Department of Justice has been increasing their scrutiny on companies providing cybersecurity products and services to the federal government. I recently spoke with Mike Theis and Stacy Hadeka, both attorneys at the law firm Hogan Lovells and specialists on the False Claims Act. 

Mike Theis: Cybersecurity requirements in terms of software and defenses and other things that may be required by contract regulation or other law - and to use the False Claims Act as the way of incentivizing companies to make sure that they comply - the way that that works - as you may know, the False Claims Act does and has since the Civil War included provisions for private citizens to file suit - the so-called qui tam provisions of the False Claims Act created financial incentives for people to come forward and file suit on behalf of the United States. The United States investigates and can either take over the case and handle it itself or can decline and let the private citizen go forward with the suit. The False Claims Act was overhauled in 1986 to substantially enhance those private whistleblower provisions. And since 1986, the Department of Justice has had a really extraordinary record of successes in enforcement under the False Claims Act. 

Stacy Hadeka: I was just going to mention that there have already been a few cybersecurity False Claims Act cases that we've seen and, of course, we think the government's certainly going to leverage as they pursue False Claims Act allegations and investigations going forward. And two of those - one involved a leading IT company where a whistleblower actually alleged vulnerabilities in certain computer systems that were furnished to the federal government. That case was ultimately dismissed. But there is currently an ongoing case with respect to a leading defense contractor in the aerospace industry sector, also with respect to whistleblower allegations. It was alleged that the company made false statements regarding its compliance with respect to DOD and NASA cybersecurity requirements. And so again, we've already kind of seen a playbook laid out for some cases in this area which DOJ, of course, can leverage as it moves forward with new investigations. And the case I was mentioning with respect to the leading aerospace and defense contractor - that's currently ongoing and survived a round of motions to dismiss, and then summary judgment motions, and is moving forward on to the merits. 

Dave Bittner: So is it fair to say that in terms of companies assessing how they need to approach this, that this is more of a risk assessment exercise rather than a - kind of a checkbox black and white, hey, we did this and now we're good sort of thing? 

Mike Theis: Yeah, I think that's right. I think that this is, you know, something else that needs to be added to the chief compliance officer's list of items to be auditing, checking for, conducting internal investigations, especially before they get into a situation where there is an intrusion or a breach. In other words, this is part of the, you know, good business hygiene that companies in this current environment have to engage in to make sure that they are taking appropriate steps to guard against breaches and intrusions, that they are careful with the sensitive or confidential data that they handle and fulfilling the obligations that they have to deliver cybersecurity to the United States government when they are contracting with them. 

Mike Theis: Department of Justice is very deliberately unleashing the forces of the private sector motivated by the financial incentives that are created by the qui tam provisions in the False Claims Act, you know, to get people to come forward and report these things. And so individual employees of companies that do business with the federal government now have a - you know, an open invitation to come forward and report their companies. And so chief compliance officers and, you know, legal and regulatory teams at companies that do business with the government should be looking at, what are we doing to make sure that we are living up to the expectations that the government has in terms of software, cybersecurity defenses taking steps to ensure that we protect our data. 

Stacy Hadeka: Yeah. And following up on that, too - I don't think there is a one-size-fits-all approach here, especially because, as you noted, there are some companies that may be providing items that pose less risk to the federal government. Of course, where I would recommend companies start is really with the contract itself and understanding what federal business and work it has. A lot of times, companies that are working with the federal government have a small fraction of federal government work when it may have a larger commercial presence. And so taking what those government contracts personnel - security personnel are saying, I think, is kind of a culture that needs to be addressed from the top down. And so companies, as Mike was saying, in their compliance regime need to ensure that they're understanding what government obligations they have and also recognizing that they need to take these seriously. 

Dave Bittner: There's much more to my conversation with Mike Theis and Stacy Hadeka, which you can find on our Caveat podcast. The Hogan Lovells law firm recently published a guide for cybersecurity companies in regard to the False Claims Act, and you can find that on their website. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute. But more important than any of that, he is the host of the ISC StormCast podcast, which, Johannes, you just celebrated 13 years and - what? - over 5,000 episodes of that show. Congratulations. 

Johannes Ullrich: Thank you. Yeah, it has been quite a ride. And, well, it's also always interesting to sort of listen in on these very old podcasts, sort of how they sound and the topics being covered. Some things change. Some things really haven't changed. 

Dave Bittner: Yeah, it's true. You know, and I often, you know, brag about our own achievements here. But I have to say, 13 years and all those shows, you are the undisputed marathon winner in the cybersecurity podcasting zone. So tip of the hat to you for that. 

Johannes Ullrich: Thanks. Good to hear this coming from my second favorite daily podcast. 

(LAUGHTER) 

Dave Bittner: That's funny. Yours is my second favorite as well. What a coincidence. Well, we got some good stuff to talk about today. You have been tracking some interesting phishing techniques that have been going on using some distributed web platforms. What's going on here? 

Johannes Ullrich: Yeah. So first of all, a little bit distributed web - sometimes, people call it a part of that Web3. Now, of course, that's a term that some interpret a little bit different. But the basic idea of these distributed web platforms is sort of the really nice idea of having sort of a censor-free web. But, of course, censor-free also means it's hard to take things down - even outright malicious content like phishing pages. 

Dave Bittner: So what exactly did you find here? 

Johannes Ullrich: So in this particular example, the platform they're using is cisky.net. They call themselves Skynet, so they play a little bit on that movie reference. But what it essentially allows you is, like - many platforms are being abused for phishing. It allows free web hosting. You upload an HTML file. They push back a URL that can now be used to reach that HTML file. That HTML file, of course, can also contain JavaScript. That's where it, in this case, gets a little bit more interesting. So instead of just having a simple static HTML page that impersonates one particular website, when they are sending you a link, they're appending your email address to the end of the link. And, well, if you receive one of those emails - but always, of course, play with it. Try a different email, and see what happens. 

Johannes Ullrich: In this case, what they're actually doing is they have a little JavaScript on the page that uses a service that will create an image of a webpage. So they take the domain part of your email address. They use that service to then retrieve an image of your homepage and use that sort of as a background for the login box. So this way, the page you're visiting - the phishing page - looks exactly like your current home page, which, of course, may entice people to then enter their credentials. They also pull in a logo that they add to the login dialog box. I've seen that before, hadn't really seen sort of the complete copy of the page. Sometimes this looks really awful, of course. 

Dave Bittner: (Laughter) Right, right. 

Johannes Ullrich: It may actually make people less likely to enter their credentials, but you know, it depends really on the page. And it's yet another trick sort of in the phisher's arsenal here to come up dynamically with a more plausible page, not sort of have a one-size-fits-all, like, you know, these standard Outlook 365 phishing pages that you usually see. 

Dave Bittner: Yeah, that's fascinating how they sort of render it on the fly there. I mean, are there any obvious red flags that tipped their hand? 

Johannes Ullrich: As sophisticated as kind of this phishing page was, the email itself was, I think, pretty bad. It was a DHL email kind of, you know, your shipment could not be delivered, one of those emails. Now, I thought it looks pretty bad. On the other hand, I'm using like a little system that sort of removes all HTML markup from emails and such. So emails usually look ugly if they're not important, like all these commercial emails. 

Dave Bittner: (Laughter) Right. 

Johannes Ullrich: It's sort of a little bit a self-defense system here, but I thought the phishing email was not really done very well. And, of course, the resolution may not - of that background image may not really match the resolution of your browser. They use a fixed resolution for that image. If any of the phishers are listening, you could easily fix that by adding those parameters based on JavaScript. The data that you're submitting is then sent to a domain that has sort of a crypto-coinish name, kind of staying with that Web3 theme a little bit. What's also a little bit interesting here is the WHOIS data is actually not anonymized. Like, 99% of the time when you're looking at a website like this or at any domain these days, you're getting sort of anonymized, like, WHOIS data. Here, they do have actual information. I assume it's fake, but the same name and email address is used for a couple other suspicious websites. The website itself doesn't really display any content, just an empty page, so not really sure yet who is receiving the data. It's a little bit better. 

Johannes Ullrich: And I think the main issue here - it's different than the other phishes, which, of course, makes it more likely to be not detected. Takedown of it - so that's, of course, one of the issues with these distributed web platforms. cisky.net - they do have an email address you can send complaints to, to have stuff taken down. Now, I sent them an email. The site is still up there. Now it's three days later as we are recording this - not really sure where this is going. But, of course, the same may also happen with a lot of these cloud hosting platforms and such that are being abused. It often takes a few days for malicious content to be removed. 

Dave Bittner: Yeah. Well, it's certainly a clever, I suppose, implementation of automation there. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Velicky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.