The CyberWire Daily Podcast 2.28.22
Ep 1524 | 2.28.22

An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.

Transcript

Dave Bittner: Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine and Russia. A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on the KillACK backdoor malware and its continued evolution. Rick Howard revisits the Cyber Sand Table. And criminals exploit Ukraine's suffering in social engineering campaigns. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 28, 2022.

Ukrainian resistance may have stalled the Russian advance at key points.

Dave Bittner: Russian forces have failed to reach their initial objectives, stalling in the north and east while advancing more rapidly from Crimea in the south. Neither Kyiv nor Kharkiv, the two large cities under greatest pressure, have yet fallen. Kyiv Mayor Klitschko described the city as suffering and hard-pressed but as holding on and, significantly, neither surrounded nor occupied. Military Times reports a quieter night in the capital. The invading forces are also reported to have failed to take Kharkiv, Ukraine's second-largest city with a population of nearly a million and a half. The city is only 40 kilometers from the Russian border and was expected to fall quickly. It's also a largely Russophone city and one that might have been expected to offer a tepid resistance, if not an outright welcome to Russian forces. Instead, resistance has been strong and violent, not at all the march of flowers some had expected. Failure to take Kharkiv represents an early and surprising failure for the invading forces of Russia's Western Military District. 

Cyber operations against Ukraine.

Dave Bittner: RiskIQ confirms that it's seeing Ghostwriter activity against Ukrainian troops. Ghostwriter has been associated with the Belarusian government and with the group being tracked by Recorded Future and others as UNC1151. Recorded Future thinks it's likely that Russian elements, particularly the GRU, have used Belarusian infrastructure and cooperated with Belarusian intelligence services to run operations against Ukraine. The BBC reports that other hackers have rallied to the Russian colors and volunteered to hit Ukrainian online assets. The ones talking to the BBC claim to be cutting quite a swath, but it's unclear how effective they may actually have been. Over the weekend, the U.S. Cybersecurity and Infrastructure Security Agency released, with its FBI partners, an updated advisory on the wiper malware used against Ukraine last week. The advisory is principally forward-looking, intended to suggest defensive measures that U.S. and allied organizations might take to protect themselves should the attacks expand beyond Ukraine. But it also contains significant information about last week's attacks. 

Cyber operations against Russia.

Dave Bittner: Most of the attention in the hybrid war has gone to Russian attacks against Ukraine, but there have been operations running the other way, too. Hacker News reports that Russia's National Computer Incident Response and Coordination Center has warned its domestic clientele that cyberattacks against Russian critical infrastructure are to be expected. The hacktivist group Anonymous seems to be siding with Ukraine, although, as always, it's difficult to know who speaks for an anarcho-syndicalist collective, according to ZDNet. As always, statements by hacktivists should be received with cautious skepticism. Anonymous, however, has claimed responsibility for an attack against Russian media outlet RT. And RT was indeed knocked offline by a cyberattack, The Daily Beast reports. Ukraine's government hasn't been reluctant to call for hacktivist volunteers. BleepingComputer reports that Kyiv is calling for an IT army to take on Russian targets and that it's also released a target list - Russian government agencies, government IP addresses, government storage devices and mail servers, three banks, large corporations supporting critical infrastructure and even the popular Russian search engine and email portal Yandex. Mykhailo Fedorov, vice prime minister of Ukraine and minister of Digital Transformation of Ukraine, tweeted out the call. Quote, "We are creating an IT army. We need digital talents. All operational tasks will be given here. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists," end quote 

Dave Bittner: Caveat emptor for those considering freelancing, however much one might wish Ukraine well - cyber operations can be difficult to control and are inherently escalatory, Dragos's Robert M. Lee reminds us. 

Diplomacy, now short of surrender?

Dave Bittner: Russian Foreign Minister Lavrov last week offered to negotiate with Ukraine, but, the New York Times reported, only after Ukraine ceased all resistance to Russia's special military operation. That hasn't happened, and Ukrainian resistance has if anything stiffened. Apparently unconditional surrender is no longer the price of negotiation, as Moscow has agreed to meet today with Ukrainian representatives to seek a resolution to Russia's war of choice. Representatives of the two sides have now agreed to meet at a checkpoint close to the Belarusian border, according to POLITICO and many other sources. President Zelenskyy has not expressed high hopes for the meeting. The Guardian quotes him as saying, "I do not really believe in the outcome of this meeting, but let them try, so that later not a single citizen of Ukraine has any doubt that I, as president, tried to stop the war, end quote. 

Dave Bittner: Bloomberg describes the Russian delegates to today's talks as a relatively low-level contingent, composed of deputy defense and foreign ministers, but the fact that Russian officials seem willing to negotiate at all without insisting on their earlier preconditions suggests an erosion of confidence in the military situation. 

SWIFT kicked.

Dave Bittner: A number of Russian banks will be expelled from SWIFT, the Society for Worldwide Interbank Financial Telecommunication. European Commission President Ursula von der Leyen announced late Saturday another incremental increase in sanctions to be levied against Russia in response to its invasion of Ukraine. She began with a direct and harshly honest characterization of Russian aggression. 

Dave Bittner: Of the additional sanctions she outlined, the most significant involve blocking a number of Russian banks, those most closely aligned with Russia's war economy from the SWIFT International Funds Transfer System. 

Dave Bittner: The new sanctions are in keeping with the graduated incrementalism that's marked the Western response to the Russian invasion, but curtailing access to SWIFT is regarded by most observers as a serious blow to the Russian economy. The measures are targeted - they don't affect all banks, but rather a set of financial institutions that are closely associated with Russia's ability to make war. 

Dave Bittner: General export controls are expected to have a strongly negative effect on the Russian tech sector. On an individual level, the AP reports, Russia is seeing a run on banks and ATMs as people try to get what foreign currency they can. 

Return of the privateers, now in the guise of patriotic hacktivists.

Dave Bittner: Conti, the familiar ransomware gang, says it will strike those who oppose Russia. According to Reuters, Conti blogged, quote, "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructure of an enemy," end quote. So any serious suppression of cyber criminal gangs by Russian security authorities has proven to be, as was foreseeable, largely an illusion, at best temporary and tactical. 

Dave Bittner: On the other side, Computing reports that a Ukrainian hacker, possibly a member of Conti, has doxxed the gang, releasing details of its internal chatter and some of the gang's sensitive data. Conti's blog was unavailable this morning. 

Not all hacking is war-related.

Dave Bittner: There may be a reflexive tendency to blame any cyber incident on Russia, given the current war in Ukraine, but it's worth remembering that there are other criminal organizations out there who have little or nothing to do with that conflict. 

Dave Bittner: California-based chipmaker Nvidia, for example, was hit last week by a cyberattack, the Telegraph reports. The paper quoted a company insider as saying that internal systems were "completely compromised," and the Telegraph reported a priori speculation that the attack was related to the ongoing hybrid war in Ukraine. Bloomberg subsequently reported that the attack was unrelated to Russia's war against Ukraine and that the disruption to the company's systems was less serious than it at first appeared. Nvidia told Bloomberg, quote, "Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," end quote. WCCF Tech said over the weekend that the incident was a ransomware attack by the South American group Lapsu$. 

Dave Bittner: And according to Reuters, Toyota has also been affected by a cyberattack on a supplier that's caused Toyota to suspend Japanese production. The nature of the attack on the supplier, Kojima Industries, is unknown. Toyota characterized the incident as a supplier system failure. Authorities are investigating, and haven't ruled out a Russian connection. 

Criminals exploit Ukraine's suffering in social engineering campaigns.

Dave Bittner: And finally, security firm Avast warns that criminals have begun, in their sorry but entirely foreseeable custom, to exploit people's sympathies for those suffering in Ukraine. The company writes in its blog, quote, "As cybercriminals seek to take advantage of the chaos, we have tracked in the last 48 hours a number of scammers who are tricking people out of money by pretending they are Ukrainians in desperate need of financial help. In the past, we have seen similar scams for people stuck while traveling or looking for love. Unfortunately, these attackers do not operate ethically and will use any opportunity to get money out of people willing to help others in need. What’s suspicious is the immediate mention of Bitcoin, as well as the usernames that consist only of letters and numbers," end quote. If you're moved to help, Avast advises doing so through well-known, credible, trusted organizations, and doing so through those organizations' official websites, not through links shared on social media. And it is always my pleasure to welcome back to the show the CyberWire's chief security officer and chief analyst, Rick Howard. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So for this week's "CSO Perspectives" episode, you are dusting off your Cyber Sand Table to talk about an infamous breach from the past. But first things first here, remind our listeners what exactly is the Cyber Sand Table, and why is it useful? 

Rick Howard: That's a very good question, Dave. So I got the original idea of a Cyber Sand Table from my old military days, when, after my unit completed an on-the-ground field exercise, the leaders would all gather around a map board afterward for a hot wash and replay the exercise to see if we could learn anything. If we were really fancy, we would use an honest to goodness - and I swear I'm not making this up - physical contour map, complete with sand to represent the terrain - thus the phrase sand table - and a bunch of plastic army soldiers to represent the units on the ground. Or, you know... 

Dave Bittner: Boys and their toys, right? 

Rick Howard: Yeah. Army guys, you know... 

Dave Bittner: (Laughter) Right, right - army guys playing with army men. 

Rick Howard: Yeah. And I know that there's people in the audience that don't really like to use the military metaphor in conjunction with cybersecurity, so this is no different from when Tom Brady, the recently retired and perhaps most successful NFL quarterback of all time, studied hours of game film each week to prepare for his next contest. And what I'm advocating for here is that network defenders should take the time to review the game film, if you will, of publicly known breaches to see if we can learn anything to improve our own security posture. 

Dave Bittner: All right. I see. So I don't know a whole lot about Mr. Brady, but I do know about his reputation for spending a lot of time with game film. Like, he would - that was something he really dug into, you know, looking at mistakes from previous opponents and, you know, sort of being introspective, trying not to repeat those mistakes in future contests. 

Rick Howard: Exactly. Exactly. That's what we're trying to do here. 

Dave Bittner: So what game film are you going to review for this particular sand table exercise? 

Rick Howard: So this is one of my favorite all-time public breaches because we have a lot of information today about what happened behind the scenes. The breach is the Chinese government's compromise in 2013 of the U.S. government's Office of Personnel Management, or OPM. It's a big, famous case that you've probably heard about. 

Dave Bittner: One of the biggies, yeah. 

Rick Howard: I think what people forget, though, is that the breach resulted in one of the largest hauls in a publicly known cyber espionage operation in terms of the sheer tonnage of personal data stolen, like some 20 million background check records, each containing 10 years' worth of data, and the most impactful in terms of how long the information stolen will be useful to the Chinese government since it will take at least 50 years before the people that belong to those 20 million records will age out of the government workforce. 

Rick Howard: And I don't know about you, Dave, but I'm still pretty mad that this happened. I'm extremely mad. Like, you know, many in our audience got the letter from OPM telling - I got the letter saying, hey, my records were stolen. And when you read the accounts of what happened, it reads like a Marx Brothers far - something like, you know, "Night of the Opera" or something. I mean, it's that nuts. OPM had no security team to speak of, no security tools deployed and a leadership team who, year after year, ignored their own internal inspector general about how serious the issue was. And they went up against a world-class cyber operator named Deep Panda. OPM - they didn't have a chance. 

Dave Bittner: Yeah. You know, my recollection never having had a security clearance myself and honestly never wanting one... 

Rick Howard: Yeah. 

Dave Bittner: (Laughter). 

Rick Howard: I'm very happy that I don't have one now. 

Dave Bittner: Yeah. I don't need that kind of anxiety. But, you know, I have been on the side of having neighbors who have them, and so having those phone calls, those interviews, you know, neighbors saying, hey, is it OK if the people who do the security clearances give you a call? And just because of that, it made me wonder, to what degree was my information in anything from OPM because - just from being on the sidelines? 

Rick Howard: Yeah. And you were definitely scooped up, right? So the Chinese know about you, Mr. Bittner, OK? And so they're coming for your food or something. I don't know. 

Dave Bittner: (Laughter) All right. Well, do check it out. It is "CSO Perspectives." That is part of CyberWire Pro. You can find out more about that on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is a managing director and global cyber defense lead at Accenture Security. Josh, it's always great to have you back on the show. I know you and your team have had your eye on a particular bit of backdoor malware called KillACK, and you're seeing some evolution there. Can you bring us up to date on what you all are tracking? 

Josh Ray: Absolutely, Dave. And thanks again for having me back. Yeah, this is really geared towards the cybercrime kind of research community for those listeners out there, and it's about the evolution or continued evolution of, really, the KillACK malware. I think version .028 has come out here. And, you know, the KillACK PowerShell malware that - one of our senior cybercrime threat analysts, Curt Wilson, was actually telling me about many in the community know that it's a PowerShell malware that's been leveraged as part of ransomware operations by threat groups like FIN7. And Curt was telling me that he's seen KillACK updated about nine times from October 2020 to now. So this is a really good indication that the threat is, you know, actively evolving to continue to avoid detection. 

Dave Bittner: Can you give us a little bit of the backstory here, exactly what this does and how it goes about its business? 

Josh Ray: Yeah. Without getting too far into the weeds, KillACK provides really, like, a lightweight backdoor and system profiling function for threat actors, so - many of whom, as I mentioned before, use it for ransomware activity. This is a post-compromised malware, so, you know, it's a stage two malware. And, you know, the stage one is typically a spearphishing type of attack, from what we've seen. Killack is memory-resident malware, right? So it's fileless. And despite that not necessarily being new, it can make it difficult to detect and find, you know, when you're doing forensics. 

Josh Ray: Now, the newest version adds some capability to use a victim organization as proxies for, say, outbound traffic. And it's also important to note, especially from a detection standpoint, that it's been used in conjunction with other malware families like Goodwin to the JavaScript backdoor, Carbanak, Takeout, DiceLoader, JSSLoader. So, you know, many that are working in the malware analysis and cybercrime community will be familiar with these names. And I highlight this not only for detection purposes but also because using a variety of these tools together really helps the actors kind of fly under the radar. But it also gives them a really interesting way to evaluate the efficacy of really all their wares together. 

Dave Bittner: Well, let's talk mitigation here. I mean, what are your recommendations for folks to best protect themselves? 

Josh Ray: Yeah. And the good news is, I mean, this is something that, you know, net defenders can really kind of sink their teeth into and hopefully get, you know, a little bit left of boom and take a more proactive approach, right? So one of the things that we talk to our clients about in trying to mitigate this activity is always deploying the newest version of PowerShell with logging enabled. This could really help, you know, provide an early alert that your environment has been compromised. And it's important to be aware that threats like KillACK can be mitigated earlier in the kill chain. 

Josh Ray: Another thing you can do is ensure that your EDR is properly tuned to protect its PowerShell activity. I mean, think about - normal, everyday users are not going to be using PowerShell. One of the things that we always recommend, especially if you can do it well, is to implement really strong egress filtering. This is a great way to disrupt that command and control traffic. So when you think about the fact that this is a stage two type of malware, you really want to make sure that you're implementing strong egress filtering. 

Josh Ray: Network supplementation, obviously, to help thwart, you know, that lateral movement - that's very important. You know, having the advanced ability to conduct advanced forensics, especially in memory, having a third-party retainer is also really important. These are all things that we feel, especially against this type of threat, that you're going to need to really drive that resilient security posture. 

Dave Bittner: All right - well, good information for sure. Josh Ray, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.