Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
Dave Bittner: With diplomacy at a standstill and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with assistant director Bryan Vorndran of the FBI Cyber Division. Our guest, Ed Amoroso from TAG Cyber, explains research as a service; and two looks at the recent and prospective state of industrial cybersecurity.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 23, 2022.
Dave Bittner: Diplomacy seems to be at a standstill, at least temporarily. Russia stands more or less alone with full support from Syria and Belarus and some relatively tepid support from China. In general, Russia's President Putin is playing an aggressive role Europe hasn't seen since the 1930s.
Ukraine prepares for renewed Russian cyberattacks (with some help from the EU).
Dave Bittner: Reuters reports that Ukraine yesterday renewed its warning that it saw signs of renewed cyberattacks against its banks, its defense sector and government websites. The warning appears to have been based upon indicators and warnings and not merely a matter of a priori probability. CERT-UA based its assessment on what it observed in dark web chatter. Those attacks have in fact materialized over the last few hours. It's a massive distributed denial-of-service campaign, and it's said to have hit banks and government websites, particularly sites run by the foreign ministry and the security services. The Telegram says that authorities are working to mitigate their effects. The U.S., U.K. and Australia have attributed recent cyberattacks against such Ukrainian targets to Russia's GRU. The EU's Cyber Rapid Response Team has been activated and will deploy to Ukraine. The move, Politico says, has been welcomed by Kyiv. Activation was a joint decision of the six states that contribute to the team - Croatia, Estonia, Lithuania, the Netherlands, Poland and Romania.
The GRU ups its game.
Dave Bittner: Speaking of the GRU, the Russian military intelligence service has upgraded its attack toolkit, replacing the VPNFilter malware familiar from earlier attacks with an improved version the UK's NCSC and the US agencies CISA, NSA and FBI are calling Cyclops Blink. The four agencies issued a joint advisory warning of Cyclops Blink just a few hours ago. It's a large-scale modular malware framework being used to attack network devices. Cyclops Blink is normally distributed to its victims under the guise of a firmware update.
Apparent provocations and false flags continue.
Dave Bittner: Ukrainian officials say that the most recent round of cyberattacks has been accompanied by a wave of phony bomb scares. The former defense minister of the so-called Donetsk People's Republic - one Vladimir Kononov - is said to have been the target of an attempted assassination by bomb, the nominally separatist region announced. TASS asserts that one man - not Mr. Kononov himself but someone going to meet the former defense minister - was injured in the attempt.
Western sanctions accumulate (but "incrementally" and "proportionately").
Dave Bittner: Germany's refusal to certify the Nord Stream 2 pipeline - a move that blocks a substantial increase in Russian sales of natural gas to Europe - was the first and most consequential of the sanctions imposed as the week began. TASS communicated the Kremlin's regret over the decision, quoting spokesman Dmitry Peskov to the effect that "this is a purely economic commercial product, which is also called to become a stabilizing element for the gas market in Europe, further to mutual benefit and both suppliers and consignees of our gas in the first instance Germany and other European states are interested in it," end quote. Other sanctions have aimed to reduce Russian access to global financial and capital markets. The Telegraph reports that Britain has imposed what Prime Minister Johnson describes as the first barrage in its own sanctions program, singling out five banks and three high-net-worth individuals. Prime Minister Johnson said, quote, "any assets they hold in the U.K. will be frozen. The individuals concerned will be banned from traveling here, and we will prohibit all U.K. individuals and entities from having any dealings with them," end quote. He signaled that other sanctions are being held in reserve. Quote, "this is the first tranche, the first barrage of what we are prepared to do, and we hold further sanctions at readiness to be deployed alongside the United States and the European Union if the situation escalates still further," end quote.
Dave Bittner: The EU has, according to the AP, sanctioned the 351 members of the Duma, who voted for recognition of Donetsk and Luhansk, and also 27 other Russian institutions and individuals from the defense and banking sectors. President Putin himself was not among them.
Dave Bittner: And the U.S. introduced further sanctions beyond those already imposed Monday that prohibit U.S. persons from doing business with the two Ukrainian provinces Russia is seeking to detach. The newest measures are designed to punish Russian oligarchs and impede Moscow's ability to sell sovereign debt. Administration officials say they're holding more and more severe sanctions in reserve, but the Telegraph reports critics call the limited measures appeasement. S&P Global records informed speculation that the incremental approach may be at least in part motivated by concerns about economic blowback.
Dave Bittner: After today's round of cyberattacks, Western governments announced their intention to ratchet up sanctions. The U.S. is sanctioning the Nord Stream 2 pipeline's parent company and is considering comprehensive export controls. The U.K. and the EU are also preparing to increase their sanctions.
Economic effects of the crisis may have a significant cyber dimension.
Dave Bittner: Moody's Investors Service has taken a look at the cyber implications of the crisis, which it sees as central to assessing credit quality. Its analysts have concluded that attacks on critical infrastructure are a high risk in terms of consequence, vulnerability and likelihood. Quote, "critical infrastructure is a likely target of cyberattacks amid ongoing Russia-Ukraine tensions for two reasons. First, the Russian government has a history of launching cyberattacks on critical infrastructure, according to a wide spectrum of cybersecurity experts. And second, these types of attacks are typically more damaging for a country than are attacks on other targets," end quote. The report explains the probable forms such attacks on critical infrastructure might take. Quote, "Ukraine has been a testing ground for Russia's cyber capabilities for at least the past decade, with critical infrastructure a frequent target. Critical infrastructure sectors include food and agriculture, energy, health care, emergency services, chemicals, dams, financial services, information technology, nuclear reactors, transportation systems and water and wastewater systems," end quote.
Dave Bittner: The report also sees NotPetya as providing an example of the way in which cyberattack would, in all likelihood, not remain confined to a specific geographical region. In the case of NotPetya, for example, large multinationals became channels through which malware delivered as the payload in a maliciously modified Ukrainian tax preparation software package spread well beyond the initial points of infestation. Not only were the multinationals themselves affected, but their customers were as well.
Dave Bittner: Nor should businesses count on being able to transfer the risk of cyberattack to their insurance carriers. Cyber exclusion clauses are growing increasingly common. Cyber coverage has tended to migrate away from more traditional lines of coverage to cyber-specific policies, which generally offer lower coverage limits. Such policies now commonly have war or hostile action exclusions, and insurance associations have developed and shared model exclusion clauses.
Cobalt Strike continues to be misused by criminals.
Dave Bittner: Criminals continue to misuse Cobalt Strike. AhnLab reports that the tool is being distributed to vulnerable Microsoft SQL servers. BleepingComputer explains that the legitimate penetration testing software package is attractive to the underworld because of its ready availability and extensive suite of capabilities, hence its widespread misuse.
A major logistics company struggles to recover from a cyberattack.
Dave Bittner: Operations at the major logistics firm Expeditors International have been disrupted by a cyberattack disclosed Sunday. And the Wall Street Journal reports that the company currently still has only a limited ability to conduct operations. There's speculation that the incident was a ransomware attack, but as ZDNet notes, the company won't confirm that.
Trends in industrial cybersecurity.
Dave Bittner: Dragos has released its 2021 ICS Cybersecurity Year in Review. It identifies new threat activity groups with a probable focus on ICS targets. And it also comments on the continuing expansion of the attack surface industrial organizations represent. One problem the report outlines is a widespread lack of visibility organizations have into their own systems. According to the report, 86% of organizations report limited to no visibility of ICS environments.
Dave Bittner: And finally, IBM also sees a growing threat to industrial firms, specifically to those involved in manufacturing. They're particularly vulnerable to supply chain attacks, and they've recently been receiving unwelcome attention from ransomware gangs.
Dave Bittner: Many organizations find value in getting outside independent insights from researchers and analysts who can gather and synthesize market reports, vendor assessments, industry trends and so on. Ed Amoroso is CEO of research and advisory firm TAG Cyber and also a professor at NYU. He and his team recently published their 2022 Q1 security report, which focuses on research as a service.
Ed Amoroso: Well, most companies rely on research analysts to assist them in understanding vendors and understanding where they come from and how they might fit. Even some of the companies that do it perhaps are - maybe because of the complexity of cybersecurity or the size of the industry or just the amount of revenue that's being tossed around, it's been our observation that the original goals have sort of gone awry to some degree. So we've been focused on trying to bring enterprise teams back to their roots and think through selection of vendors in the same way that an engineer would think about the materials and components that go into building a bridge, right? You wouldn't want to drive over a bridge and ask the engineer, hey, how'd you pick those cabling? And they scratch their head and think, you know, I'm not really sure. They were kind of legacy. They were laying around here before, so we figured we'd just use them on the bridge. I mean, how many - we laugh at that on a bridge, but how many times would you hear exactly that analog to that made by a CISO at a bank? Why are you using that endpoint tool? You know, it's funny. We had some - it was just here when I got here. I don't really know. It's insane. It's not the way to do it.
Ed Amoroso: And I will say that with virtualization in cloud, it's much easier to swap things in and out than it used to be. It's very possible now that if you're not happy, for example, with some gateway that you're using, firewalls, if it's running on a virtual platform, you don't have to wait three months for the vendor to ship something. You pull it off the loading dock, you put it in a data center. None of that is applicable anymore. You can very quickly swap images out. So it's a good time for people to get their arms around a more rational means for managing their cybersecurity portfolio.
Dave Bittner: What are you finding in terms of how organizations kind of turn the dials of how much they handle internally and how they coordinate with an outside provider?
Ed Amoroso: Really depends on the size and the sector. You know, as you go down market to smaller companies, everybody's using applications that sit in a SaaS infrastructure or cloud. It's kind of cool, right? Like, you can be a little company. You and I, Dave, could start a company tomorrow and in the afternoon, we'd have our own IT department. We'd get it from Microsoft. We'd have our own payroll system. We'd get it from some payroll SaaS provider. And on and on - you get serve - sales capability from Salesforce or Pipedrive or one of these CRMs. It's amazing. Like, you really very quickly can build up capability in and around - so for research and for selection of cybersecurity, it's become the same thing, where these things can be turned up like utilities. And managed service providers are morphing from, say, managing your firewall to something that is more timely. That's why you hear these - this designation, DR, detection response, like managed detection response, endpoint detection response or even extended or X detection response. That's really just providing a utility-based security capability that would be plug compatible with all these SaaS and cloud capabilities that people are doing. So the security becomes more a service utility. Now, that's really found everywhere for smaller companies.
Ed Amoroso: As you move upstream, it's more a mix, right? If you're a big, giant bank or you're a big service provider like the program I used to run in telecom, you have the ability to mix and match and do things internally, build things in your own data centers. But there's no question that the economics and sort of the mood, the general trend and tenor of our industry, is more and more toward outsourcing things and letting some expert do what they do well. That's unmistakable. And it's certainly also true in cybersecurity.
Dave Bittner: What's your advice for organizations to find someone to provide this who's a good fit? What sort of questions should they be asking?
Ed Amoroso: Well, again, it really does matter what sector you're in and how big the organization is. So, for example, in the federal government, you know, as you deal into critical infrastructure that have national security or even life implications, say military, then there are specialized experts that you want to be working with who understand your domain. Once you get into commercial, then there's a whole host of different research and advisory teams that work. You know, obviously, I'm pretty biased. I think we do a wonderful job. But there's a lot of smaller and bigger ones that work. If you're a vendor, then it's quite a decision to make because if you jump in a little too soon with some of the larger research and advisory firms, you could be wasting your money. I'd rather see you hire an engineer than go pay $150,000 to be mentioned in a report. But at some point, the vending community can benefit from using these types of services. So I would say it really does vary. But if there's one bit of advice, I would say make sure that you don't waste your money. You know, if you feel like it's a decision whether to hire engineers or, you know, go, say, get mentioned or use advisory services in a marketing capacity, much rather you hire the engineer. I think that's a better decision.
Dave Bittner: That's Ed Amoroso from TAG Cyber.
Dave Bittner: And I'm pleased to welcome to the show Bryan Vorndran. He is the assistant director of the FBI's Cyber Division. Mr. Vorndran, it's great to have you here on the CyberWire. I wanted to start off today by just getting a sense for the mission of the Cyber Division of the FBI, the strategies that you have, your place among the various federal agencies. Can we start there?
Bryan Vorndran: Thank you for the introduction, Dave. I'm very much looking forward to our conversation today. You know, the FBI has a few unique authorities within the United States government relative to cyber. Certainly we're the lead federal investigative agency for threat response, which essentially means that when there is a computer intrusion, the FBI would have the lead for any investigative action or to enable intelligence community partners or private sector partners for follow-on action. And secondly, we have a keen interest in domestic intelligence, and in order to inform that authority, that means that we have to have very good working knowledge of everything going on relative to cyber within the United States. And then that allows us to inform the intelligence community about trends, ongoing threats, but also puts us in a good position to collaborate with our IC partners and very significant private sector partners as well.
Bryan Vorndran: Third is we obviously have very specific authorities within statute to investigate state actor compromises of U.S. networks, whether those are private networks, academic networks, defense industrial base networks. And those are important authorities to us as well. Where we fit in with an agency such as CISA is that CISA would be on the asset response side. They would be responsible for mitigation or patch management, these types of things about broad vulnerabilities, and do inform the resiliency in that defense side. So we're very much on the investigative, proactive operational side, whereas in comparison, CISA would be on the asset management. We do do a lot of work in our space with the United States Secret Service. They are a very, very good partner of ours. And they have complementary authorities to ours for the U.S. government.
Dave Bittner: Give me a sense for how you all dial in with the limited resources that you have as any, you know, government agency does. How do you turn those dials and decide what your priorities are when it comes to the mission for cyber?
Bryan Vorndran: Sure. We essentially segregate into five key buckets on the operational side. Four of those buckets are the major state actors of Russia, China, Iran and North Korea. And then we have a broad, overarching criminal threat that we would know as ransomware, botnets, SIM swapping, these types of threats faced by individuals and companies here in the United States. But in terms of priorities, those are very much at the state actor level, as well as within the criminal space, decisions that are made within the interagency of the intelligence community based on available intelligence, but really guided by which state actors or which criminal groups are having the biggest impact and causing the most disruption and the most loss to organizations here in the United States. So that's the very, very focused answer about how we try to delineate our adversaries and how we try to prioritize against them.
Dave Bittner: And what are the primary ways that people interact with the FBI? I mean, you have the IC3, which is a way for folks to report issues, but what are the major ways that those interactions take place?
Bryan Vorndran: Sure. We have a few different mechanisms. So first of all, we obviously have a very decentralized workforce. So we have 56 field offices in the FBI. We have hundreds of additional resident agencies that are offshoots of those FBI field offices. So we have the capability to get a cybertrained FBI agent really to any doorstep in the country here within an hour. That becomes very, very important when a corporation or an organization or an academic institute becomes the victim of a cybercrime. We do have great capacity to expand - to respond domestically, to have meaningful conversations with people who have become victims.
Bryan Vorndran: And I think, you know, while we talk cyber, it is important to remember that the victims behind cyberattacks are still human beings. And I do think the FBI is very, very strong in that space. We also have very proactive outreach efforts that have been sustained for decades at this point. We have relationships with hundreds and probably thousands of organizations throughout this country and even abroad, where there is a proactive, ongoing dialogue for exchange of information and intelligence related to cyber. That's a two-way flow of indicators of compromise, TTPs, other malware signatures, just to make sure that we are doing our best to stay in line with the threat and to keep channels of communication open.
Bryan Vorndran: You know, we always encourage organizations, companies, academic institutions to build that relationship with the FBI before they become a victim of an intrusion - the familiarity of having a personal relationship with someone in the FBI, or someone in CISA for that matter. So we always make these recommendations to build those relationships now. You had mentioned IC3. IC3 is www.ic3.gov and is the primary intake for internet crimes for the FBI. That would cover online frauds such as romance scams. That would cover business email compromise. And it would cover traditional cyber intrusion reporting. And so that is a very, very key portal. On a weekly basis, that intake portal receives about 20,000 individual leads, so it's a very, very active portal for us. But we also encourage people that it's specifically related to cyber. If they are the victim of a computer intrusion, they should call their local field office immediately to try and get support.
Dave Bittner: All right. Well, Bryan Vorndran is the assistant director of the FBI's Cyber Division. Thank you for joining us today, and I'm looking forward to continuing our conversation.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.