The CyberWire Daily Podcast 2.25.22
Ep 1523 | 2.25.22

Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.

Transcript

Dave Bittner: Russia's full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defenses in cyberspace as sanctions are imposed on Russia. Iran's MuddyWater threat actor is back with renewed cyberespionage. Goodbye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp from Logicworks and Rock Lambros from RockCyber on the CISO evolution. And some notes on the fog of war.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 25, 2022.

The situation on the ground in Ukraine.

Dave Bittner: There are confirmed Russian attacks in progress in some 20 Ukrainian cities, with Russian forces moving in from the Russian East, the Belarusian North and the Black Sea South. Fighting is reported in and around the capital Kyiv as Russia seeks the replacement of the Ukrainian government. Kyiv appears to be a decapitation objective. Ukrainian regular forces are resisting Russian heavy forces - that is, mechanized forces equipped with tanks and other armored vehicles. And there are reports of irregular resistance as well, which the Ukrainian government has encouraged. 

Dave Bittner: Some of the Russian forces engaged in the invasion have staged through and attacked from Belarusian territory. There are no credible reports of Belarusian troops proper involved in the invasion, but they're apparently available should their participation become necessary or desirable. Belarusian President Lukashenko said yesterday that they would fight if Russia needed them. Russian Foreign Minister Lavrov has offered to negotiate with Ukraine, the New York Times reports. All Ukraine needs to do is stop resisting the Russian special military operation, so the price of negotiation is surrender.

Public uses of intelligence.

Dave Bittner: Both the U.S. and the U.K. have been unusually forthcoming about the intelligence they've developed concerning Russian capabilities and intentions over the past two months. At least two advantages may have derived from the unusual openness. The New York Times thinks it enabled greater transatlantic solidarity and more effective coordination of policy and sanctions. Quartz argues that Russian disinformation was noticeably less effective than it might otherwise have been given quick American debunking and, even more so, predictive "prebunking."

The situation in cyberspace, as Russia pursues its hybrid aggression.

Dave Bittner: The Russian invasion of Ukraine was preceded by a distributed denial of service attack that included wiper malware HermeticWiper. Russia has itself begun to experience some retaliatory DDoS attacks, The Record reports. Who's responsible is unknown, but neither hacktivism nor state-directed action can be ruled out. The Record says, quote, "the perpetrators of these attacks remain unknown, but the sudden and senseless breakout of the Russo-Ukrainian armed conflict this week has also drawn a lot of sympathy on the side of the Ukrainians, including from the Anonymous hacktivist group, which called on its members to attack Russian government targets," end quote. 

Dave Bittner: Computing notes that someone - probably, in The Guardian's estimation, the Ukrainian government - has invited hacktivists to take action against Russia. And The Daily Mail is running a screamer that credits the Anonymous hacktivist collective with declaring war on Mr. Putin and with taking down the media outlet RT. 

The civilized world remains on alert for Russian cyberattacks.

Dave Bittner: Governments generally sympathetic to Ukraine have raised their own level of alert for Russian cyberattack. The U.S. Cybersecurity and Infrastructure Security Agency continues to update its Shields Up advisory, posting more recently, quote, "Russia's unprovoked attack on Ukraine, which has been accompanied by cyberattacks on Ukrainian government and critical infrastructure organizations, may have consequences for our own nation's critical infrastructure, a potential we've been warning about for months," end quote. 

Dave Bittner: This is not based on specific indicators or warnings but rather presents a prudential judgment. Quote, "while there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia's destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our allies. Every organization large and small must be prepared to respond to disruptive cyber activity," end quote. 

Was President Biden presented with offensive cyber options for use against Russia?

Dave Bittner: NBC News reported yesterday that President Biden had been presented with options for cyber operations against Russian infrastructure. Quote, "two intelligence officials, one Western intelligence official and another person briefed on the matter, say no final decisions have been made. But they say U.S. intelligence and military cyber warriors are proposing the use of American cyber weapons on a scale never before contemplated. Among the options - disrupting internet connectivity across Russia, shutting off electric power and tampering with railroad switches to hamper Russia's ability to resupply its forces, three of the sources said," end quote. But White House Press Secretary Jen Psaki was quick with a denial. There is nothing to the story, she tweeted. Quote, "this report on cyber options being presented to POTUS is off-base and does not reflect what is actually being discussed in any shape or form." 

Another round of sanctions.

Dave Bittner: The EU is today working out the sanctions it will apply to Russia as a partial response to that country's aggression in Ukraine, Reuters reports. The Kyiv Independent tweeted that the Council of Europe has suspended Russia's right of representation. British Prime Minister Johnson yesterday announced new sanctions against Russia. These include, the Telegraph reports, asset freezes on all major Russian banks, legislation to prohibit Russian companies from raising finance on U.K. markets, sanctions against more than 100 individuals, entities and their subsidiaries, trade and export bans on a wide range of tech equipment, an imminent ban on the Russian airline Aeroflot and an intention to shut off Russia's access to the SWIFT payment system. That last is an intention. Russia, for now at least, retains access to SWIFT. 

Dave Bittner: The additional sanctions the U.S. announced yesterday continued Washington's policy of gradual incrementalism. None of them are regarded as a knockout blow against the Russian economy, but they will impose certain costs on Moscow. And Washington notes with satisfaction that allies including the European Union, Australia, Japan, Canada, New Zealand and the United Kingdom are taking coordinated parallel measures. A White House fact sheet enumerating the new sanctions emphasizes their effect on Russia's banks and on its ability to import crucial technology. It also singled out a number of Russian big shots who've been placed under full blocking sanctions. 

Dave Bittner: The White House explained that, quote, "this action includes individuals who have enriched themselves at the expense of the Russian state and have elevated their family members into some of the highest positions of power in the country. It also includes financial figures who sit atop Russia's largest financial institutions and are responsible for providing the resources necessary to support Putin's invasion of Ukraine. This action follows up on yesterday's action targeting Russian elites and their family members and cuts them off from the U.S. financial system, freezes any assets they hold in the United States and blocks their travel to the United States," end quote. It's noteworthy that sanctions are being leveled against Belarus as well as Russia. As the White House put it, quote, "costs on Belarus for supporting a further invasion of Ukraine by sanctioning 24 Belarusian individuals and entities, including targeting Belarus' military and financial capabilities by sanctioning two significant Belarusian state-owned banks, nine defense firms and seven regime-connected officials and elites. We call on Belarus to withdraw its support for Russian aggression in Ukraine," end quote. 

Dave Bittner: The measures stopped short of cutting off Russia's access to the SWIFT International Bank Transfer System, a move many observers thought would be among the more punitive measures that might be taken. White House sources indicated that Russian access to SWIFT was permitted to continue at the request of U.S. allies. U.S. Senator Bob Menendez, Democrat of New Jersey and chair of the Senate Foreign Relations Committee, approved of the steps taken so far, but took care to point out that removing Russian banks from the SWIFT payment system should be on the agenda for further rounds of sanctions. Ukraine, understandably, would like to see the U.S. and its NATO allies doing much more. President Zelenskyy said yesterday, quote, "this morning we are defending our state alone. Like yesterday, the world's most powerful forces are watching from afar. Did yesterday's sanctions convince Russia? We hear in our sky and see on our earth that this was not enough," end quote. 

Iranian state actors renew cyberespionage.

Dave Bittner: While Russia's brutal, indiscriminate hybrid war against Ukraine dominates the news, other state actors haven't been idle in cyberspace. A joint British-American alert calls out Iran's MuddyWater threat group for renewed cyberespionage. According to CyberScoop, CISA says, quote, "MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran's Ministry of Intelligence and Security, targeting a range of government and private sector organizations across sectors including telecommunications, defense, local government and oil and natural gas in Asia, Africa, Europe and North America," end quote. As is customary with state threat actors, MuddyWater's name is legion. It's also known as Earth Vetala, MERCURY, Static Kitten, Seedworm and TEMP.Zagros. 

Trickbot really does seem to be out.

Dave Bittner: The Record reports that Trickbot does indeed seem to have been retired. It's been inactive for months, and its gang leaders have said they're calling it quits. Such announcements should be treated with due skepticism. And they're not evidence that the hoods have reformed, just maybe moved on to other fields of criminal endeavor. We may have heard the last of Trickbot, but we will probably hear from its masters again all too soon enough. 

The US publishes its study of supply chain security.

Dave Bittner: The U.S. departments of Commerce and Homeland Security have issued an Assessment of the Critical Supply Chains Supporting the US Information and Communications Technology Industry. It's the result of a yearlong, presidentially directed study of the security of those supply chains. Its recommendations include strengthening the U.S. manufacturing base and introducing greater security and transparency into the industry's supply chains. Not all of the findings and recommendations are immediately related to cybersecurity, but most of them are. The cyber-specific risks addressed include theft of intellectual property and the outsourcing of firmware development to untrustworthy, often overseas third parties. 

It’s difficult to know the facts on the ground.

Dave Bittner: And finally, there will continue to be a lot of news about the hybrid war Russia is waging against Ukraine. It's good to bear in mind that reports about combat are inevitably tentative. And the more immediate and specific they are, the more tentatively they should be taken. All specific reports of damage and casualties should, in particular, be treated with a degree of respectful skepticism. MIT Technology Review offers some useful advice about the ways in which mis- and disinformation easily spreads in wartime. Old video and images circulate in social media and the mainstream press where they are represented as current imagery. 

Dave Bittner: Some of this is a simple matter of error born of inexperience, some of it is more-or-less sincerely driven by partisan desire and expectation, and some of it is deliberate disinformation. There are also often problems with missed translations of reports especially between unrelated or more remotely related languages. But there's another reason to treat claims with caution. It's very difficult in ground operations for anyone, including commanders and their staffs on the scene, to know the detailed effects of combat with clarity and precision. Anyone who's been involved in military training exercises will have experienced this difficulty firsthand, and combat intensifies it. So it's wise to treat the reports from serious media as representing more-or-less sound approximations and follow the news with that in mind. 

Rick Howard: I'm joined by Matthew Sharp - he's the Logicworks CISO - and Rock Lambros, the CEO of RockCyber. Guys, welcome to the show. 

Matthew Sharp: Thanks, Rick. Good morning. 

Rock Lambros: Rick, thanks for having us. 

Rick Howard: We're talking to you because you just published a book called "The CISO Evolution: Business Knowledge for Cybersecurity Executives." So congratulations, I know how hard that is. Matthew, let's start with you. What's the thesis of the book? Is there a throughline message that you're trying to convey here? 

Matthew Sharp: The message is primarily, you need business acumen to thrive, to have a seat at the table. And we comprise business acumen of three pillars. We talk about foundational business knowledge, communication and education, and leadership. 

Rick Howard: I'm so glad you did this book because just looking through it, the explanation of just the financial statement for an organization, I wish they would have had that when I was much younger. I had to learn all that through osmosis and crawling into the CFO's office and say, can you please explain this to me? So thank you for explaining that to the masses. I really appreciate that (laughter). 

Matthew Sharp: Right on. 

Rick Howard: So, Rock, let me bring you into this. Why publish this book now? Has something significantly changed in the CISO evolution that we all need to take a look at? Or is it just a - is this a missing piece that CISOs need to have under their belt? 

Rock Lambros: Yeah, I don't think anything's changed, which is the problem, right? So it is the missing piece that I think CISOs need to have under their belt. Cybersecurity, we can't treat it like black magic anymore. We got away with that for too long, like, saying, just give us money, and we're going to do things over here, but... 

Rick Howard: Guilty. I've done that in my career, and I feel bad about it now 'cause it's definitely not the right way to do it. 

Rock Lambros: CISOs are more and more being asked into the executive suite. And also on the flipside, CISOs are more and more complaining that they're not getting a seat at the table at the executive suite. So what's that gap? What's that missing divide? And Matt and I believe it is that foundational business knowledge. 

Rick Howard: For those listeners to my own podcast, "CSO Perspectives," over on the CyberWire Pro side, they know that I've been focusing on cybersecurity first principles. So, Matthew, you know, you hooked me when I discovered that your very first chapter is on first principles. So tell me what your take is on CISO first principles and how I can add that to my philosophy going forward. 

Matthew Sharp: Yeah, well, first of all, I think the work that you've done in blowing up the entire concept of what we've been doing for the last 20 or 30 years, starting anew from first principles is great. I feel like one of the foundational - one of the very early things that should be in the list is business acumen. And so early on in our book, we help articulate, and we give some really neat - case study examples are dissecting a business model, reading a financial statement, creating influence maps, creating a business case, and articulating value. Without those things, I really feel like you're going to struggle and fight an uphill battle. We have the opportunity to learn from generations past that the black art approach doesn't work, and we see this heavy demand in the boardroom today that they want better, more articulate information that directly ties cyberprograms to business outcomes. 

Rick Howard: So your point to me about first principles is if you don't understand the business, it doesn't matter if you have a grand strategy for zero trust or intrusion kill chain prevention or resilience. It doesn't matter 'cause you can't communicate on the same level as business leaders. 

Matthew Sharp: It's awesome to have this strategy, but where are you going to apply it? 

Rick Howard: (Laughter). 

Matthew Sharp: And how do you know when you should apply what? 

Rick Howard: That's a good point. 

Matthew Sharp: I mean - and then further - I mean, some companies are lucky enough to have executive teams that recognize the value or the need for cyber. But not all businesses have even come to the conclusion that cybersecurity is an absolute requirement. 

Rick Howard: Rock, you being a CEO of your own company, you have an interesting view of the CISO world that most other CISOs like me don't get on a daily basis. And the book definitely slants more towards the business side of the CISO job than, say, infosec strategies that Matthew and I were just talking about. So is this book your message to security leaders about how to get things done in the business world? 

Rock Lambros: Absolutely. It is really more of a business book aligned to cybersecurity than the other way around. Being on the consulting side for the last several years, as I walk into clients, I'm seeing these gaps and these symptoms where my clients, CISOs or head of security programs - they're burned out. Their programs are underfunded. They are not aligned to the organizational strategy. They don't understand what the disconnect is, why they can't get their message across. And you know, these are all symptomatic, in our opinion, of not bridging that gap between operating cybersecurity in a vacuum where, you know, technical controls will rule the day and business outcomes. 

Rick Howard: So the book is called "The CISO Evolution: Business Knowledge for Cybersecurity Executives." Matt, Rock, thanks for coming on the show. 

Dave Bittner: There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for interview selects where you'll get access to this and many more extended interviews. 

Dave Bittner: Carole Theriault continues her look at the security of mobile devices from the CyberWire U.K. desk. She files this report. 

Carole Theriault: So I recently had a tete-a-tete with you about mobile security tuneups because we are all super addicted to our smartphones. And we talked about deleting legacy apps from our devices. I have a few more things for you guys to consider all in the hope of making your phone a little bit more secure.

Carole Theriault: OK, first, let's get the obvious out of the way. Let's talk passwords. Password cracking is a real thing, and it's one of the key routes to breaking into accounts. Now, most of us know that, but how many of you are reusing passwords across accounts? Every app is created by people, and people make mistakes. So let's say a mistake exposes your account details, perhaps even get into the hands of a ne'er-do-well. If your email or your username and password are the same for several accounts, how hard is it for somebody to hit up the most popular 50 apps with your stolen username and password just to see if they can get access? And this is why it is vital to avoid reusing passwords. And in my view, the best practice is to use a password manager, a reputable one. They will guide you to create unique, hard-to-crack passwords and will make sure that all your accounts have unique authentication practices.

Carole Theriault: OK, now let's talk a little bit about privacy settings. Let's imagine that you've cleared out the apps you don't use regularly, and you've addressed any poor password practices that you may have been employing on your phone. The last thing I want to talk to you about is privacy settings. And the big ones, as far as I'm concerned, are location services. So of course, you have apps that legitimately need to know where you are like a GPS sat-nav app. But many apps have this turned on for no justifiable reason. Take control, take a look, and turn that off if you don't want them to track your location. 

Carole Theriault: Same goes for the microphone. Your audio is needed by some apps like if you want to make a phone call. But many have it turned on by default. Again, make sure the apps that have access to your microphone have a legit reason. You could also include photos, calendars, cameras, reminders, notes. All these apps could be sharing information, so take a peek at the privacy settings on your phone to make sure you are tickety-boo with all the settings. 

Carole Theriault: I mean, listen. You spend hours and hours and hours every single day on these darn things. It's worth taking a few minutes just to tweak and do a cybersecurity tuneup. And, you know, if doing this on your own kind of daunts you, it's time to reach out to one of your techies in your life. Buy or bake them a cake. Make them a latte, whatever, in exchange for a little smartphone security tuneup. That's what I would call a win-win. This is Carole Theriault for the CyberWire. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Dick O'Brien from Symantec's Threat Hunter team. We're discussing Noberus, a technical analysis that shows sophistication of new Rust-based ransomware. That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Velicky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.