The CyberWire Daily Podcast 3.1.22
Ep 1525 | 3.1.22

Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.


Dave Bittner: Stalled columns, rocket fire and negotiation over Ukraine. Two new pieces of malware are found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic war of attrition. Daxin is a backdoor that hides in normal network traffic. Registration bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And is Razzlekhan taking a deal? From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 1, 2022.

Russia moves more forces against Kyiv and Kharkiv.

Dave Bittner: A few preliminary notes on the Russian invasion of Ukraine and how it's proceeding on the ground. Commercial overhead imagery shows a very large convoy of Russian military vehicles headed for Kyiv. Both Kyiv and Kharkiv are under attack, with heavier artillery fire reported in Kharkiv. The New York Times reports an increase in civilian casualties.

Bilateral negotiations have no immediate result, but will resume later this week.

Dave Bittner: Yesterday's talks between Russian and Ukrainian representatives held at a checkpoint in Ukraine near the Belarusian border concluded without any result beyond an agreement to hold further meetings later this week, The New York Times reports

Dave Bittner: That had been generally expected. It's noteworthy that Russia is negotiating at all since Moscow's going-in position had been that it would have nothing whatsoever to say to Kyiv until Ukraine laid down its weapons. A Russian spokesman did say he saw some possibility for both sides to find common ground.

The UN General Assembly takes up Russia's war against Ukraine.

Dave Bittner: The U.N. General Assembly's emergency session opened in New York yesterday afternoon. According to Reuters, sentiment is running heavily against the Russian war. Secretary General Antonio Guterres denounced the Russian invasion. Deutsche Welle reports that Russian Ambassador Nebenzya defended his country's actions by characterizing them as self-defense against Ukrainian aggression and its alleged violations of the Minsk Accords and therefore legitimate under the U.N. charter. 

Dave Bittner: He has also indulged in some utterly unconvincing statements, saying that, quote, "the Russian Army does not pose a threat to the civilians of Ukraine, is not shelling civilian areas," end quote, when, of course, the Russian Army is obviously doing both. The Russian denials seem almost pro forma, offered without much serious intention of convincing anyone. 

Dave Bittner: The General Assembly is expected to vote on Russia's war tomorrow. Cuba, Nicaragua, Iran, Syria, China and possibly India are expected to either refuse to condemn Russia or at least abstain. Belarus, of course, is a docile appendage of Moscow and will surely vote with its masters.

"Binary narratives" travel better. 

Dave Bittner: An op-ed in Izvestia offers some insight into the developing Russian line about negotiations with Ukraine. The war is very complex. Russia's needs and concerns are very real, and the world should look beyond shallow Ukrainian grandstanding and lazy internet memes and come to grips with the, again, very complicated realities underlying Russia's security concerns. And a Ukrainian negotiator's deliberate breaches of protocol - he was wearing a T-shirt and a baseball cap and was photogenically glaring at the Russian side - shouldn't sway a sober and realistic appreciation of those complicated and difficult realities, all of which is one way of framing brutal and unprovoked aggression. 

Dave Bittner: What's particularly interesting is the Russian turn to complexity as a theme, which suggests that there's a growing realization that the line asserting that Ukraine is the aggressor and is led to boot by a neo-Nazi junta isn't finding legs. Contrast that with an assessment of Ukrainian President Zelenskyy messaging, which has largely succeeded in presenting the war in clear, simple terms, all the more successful for being basically true. The Telegram quotes social media observers as noting that binary narratives, good versus evil, and not the inside baseball of the Minsk Accords and the allegedly recent provenance of an allegedly artificial nation, always do well in social media. 

Two new pieces of malware found in use against Ukrainian targets.

Dave Bittner: ESET describes two new tools in use against Ukrainian targets. IsaacWiper and HermeticWizard. The former is a distinct strain of wiper. The latter, a worm that spreads HermeticWiper. ESET is circumspect about attribution, writing, quote, "ESET research has not yet been able to attribute these attacks to a known threat actor," end quote. But circumstantially, all signs point to Russia. The use of the malware coincided with the Russian invasion. And so far, only infestations in Ukraine have been reported. 

Dealing with WhisperGate and HermeticWiper.

Dave Bittner: CISA and its FBI partners have continued to update the guidance they've issued on the wiper malware that's been observed in sporadic use against Ukrainian targets. The Globe and Mail reports that Canadian authorities are offering comparable advice to their country's own businesses. 

The muted cyber phases of a hybrid war.

Dave Bittner: Russia has shown, in attacks on sections of the Ukrainian power grid going back to 2015, the ability to mount large-scale and destructive operations against its neighbor. But so far, the cyber war has been limited to relatively confined wiper attacks, which are cyberattacks proper, and influence operations, which are disinformation and trolling. The Washington Post describes the relatively quiet cyber front and notes Columbia University's Jason Healey as saying, quote, "We imagined this orchestrated unleashing of violence in cyberspace, this ballet of attack striking Ukraine in waves. And instead of that, we have a brawl and not even a very consequential brawl just yet," end quote. That, of course, could change. Influence operations have been more extensive. Hacktivists claiming to be adherents of the Anonymous collective have taken down or defaced Russian media and government websites. Ukraine has also recruited and online IT army of volunteer hacktivists to take action against Russian interests. 

Dave Bittner: Some of the response to both cyberattacks and influence operations has involved a public-private partnership, The New York Times reports, as companies follow governments' lead in opposing Russian operations against Ukraine. Microsoft has been openly rendering assistance to the Ukrainian government. Such cooperation isn't confined to the U.S. Bitdefender is working closely with Romania's National Cyber Security Directorate to help Ukraine against the Russian cyberthreat. And CyberScoop summarizes the ways in which security companies are offering assistance to those threatened in Ukraine and elsewhere. Social media companies have also moved to restrict Russian access to their platforms, the AP reports, and to label material that can be traced to the Kremlin as deriving from Russian government sources. 

Leaked files reveal Conti as a privateer (or at least a crew of FSB goons).

Dave Bittner: For its part, Russia has had the aid of some criminal gangs. The Verge, speaking with Hold Security, reports that the chat logs leaked from the Conti ransomware gang shortly after the hoods pledged allegiance to the Kremlin were obtained by a legitimate Ukrainian researcher who infiltrated the gang and not by a disaffected, if patriotic, criminal. Among the more interesting revelations in the chat logs are indications that Russia's FSB security service had can't go after the muckraking news service Bellingcat. Russian toleration and protection of cybercriminal gangs has played an important role in the gang's success and survival. But Conti's experience may have moved other crews to trim in the direction of apolitical neutrality, SC magazine reports quoting the newly high-minded criminals of Conti rival LockBit, who published a commitment to inclusion and good behaviour that could have come out of any dean of students office. Quote, "Our community consists of many nationalities of the world. Most of our pen testers are from the CIS, including Russians and Ukrainians. But we also have Americans, Englishmen, Chinese, French, Arabs, Jews and many others on our team. Our programmers and developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles. We are simple and peaceful people. We are all earthlings. For us, it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work," end quote. So there you have it. It seems as if LockBit is unsure of continued Russian protection. The organs, after all, have their hands full nowadays. 

Sanctions move from deterrence to economic "war of attrition."

Dave Bittner: Foreign Policy reviews the current state of sanctions against Russia there, along the lines of those the U.S. has levied against Iran but less comprehensive. On the other hand, there's a great deal more international unanimity on the measures imposed against Russia. Even traditionally and proverbially neutral Switzerland has sanctioned Moscow over its invasion of Ukraine. The International Institute of Finance predicts Russian default on its international debt unless the crisis in Ukraine is resolved soon. Should Russia default, as seems likely, the IIF sees a double-digit contraction in the country's economy as a likely result. 

Daxin: a backdoor that hides in normal network traffic.

Dave Bittner: Symantec describes a sophisticated hacking tool it's calling Jackson and attributed to China. Quote, "The most recent known attacks involving Daxin occurred in November 2021. Daxin's capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic," end quote. Daxin, in summary, is a stealthy backdoor designed for use against hardened networks. The warning has also been distributed through the Joint Cyber Defense Collaborative. The JCDC is an information-sharing organization whose members include CISA, the FBI, NSA and 21 U.S. technology companies in addition to Symantec. 

Registration-bombing lets fraud hide in the weeds.

Dave Bittner: BlackCloak describes registration-bombing attacks that are serving as misdirection for financial fraud. Victims receive a very large number, often measuring in the hundreds, of emails confirming their registration to sites they may never have even visited, still less signed up for. The intent is to push emails that might alert the victims to financial fraud to the bottom of the inbox, where the criminals hope they'll be overlooked in the clutter. 

Razzlekhan talking a deal?

Dave Bittner: And finally, CNBC reports that Heather "Razzlekhan" Morgan, sometime rapper, self-proclaimed crocodile of Wall Street and accused altcoin launderer, may be working out a plea deal with prosecutors. We hope her musical stylings are part of that deal in some way, right? 

Dave Bittner: Allianz Global Corporate & Specialty is a major corporate insurance carrier, and they recently released their 2022 Risk Barometer report tracking business risk for organizations worldwide. This year, cyber risk topped the list right up there with business interruption and natural disasters. Tresa Stephens is regional product leader and the deputy head of cyber for U.S. for Allianz Global Corporate & Specialty. 

Tresa Stephens: So I think that cyber has become the most feared cause of business interruption in this year's survey because it's not really as well-understood as traditional business interruption triggers like, you know, natural catastrophes or fires. And therefore, sort of that mitigation plan isn't really as well-developed as for some of those traditional BI lost causes. 

Dave Bittner: But looking through some of the other items on your list here that folks are concerned about when it comes to risk, I mean, as you say, there's things like natural catastrophes, pandemic outbreak - it makes sense that that's on the top of people's minds - changes in legislation and regulation. You know, it strikes me that a lot of this does sort of cross paths with cyber, that it seems like, you know, cyber has its tentacles in so many different things these days. 

Tresa Stephens: I mean, absolutely, especially when you're talking about changes in legislation and regulation. I mean, it's sort of - the technology evolves, and then, you know, we regulate it on the back end. So there's always sort of this game of catch-up that you're playing in order to prepare yourself for kind of the oncoming sea changes in the way that, you know, regulations like GDPR might be deployed and then your business has to respond to it. 

Dave Bittner: Was there anything in the data you gathered this time around that was particularly surprising? 

Tresa Stephens: So there was an interesting new entrant this year into the top 10. And that was the shortage of the skilled workforce. So that's obviously specific to this year, given the sea change we've had with the great resignation. I am actually a longtime listener of your show. I'm a big fan. And I think actually a couple of weeks ago, you interviewed Kevin Magee, and he also mentioned something he called defender fatigue. We have a situation where machines just can't do threat hunting as well as individuals. So you've got these people sort of, like, manning defenses. You know, and they're eventually going to fall asleep behind the parapet because we're in a situation where you have this lack of a skilled workforce. You're kind of relying on fewer people to do more. And it's just a recipe for disaster when it comes to IT security. 

Dave Bittner: You know, it seems to me like particularly, like, in the insurance arena, we're seeing a lot of volatility where, you know, the insurance companies are seeing things like ransomware. And so they're adjusting how they approach this. You know, the cost of policies are going up, and what they cover is going down. Do you anticipate that this volatility is going to continue for some time now? Or do you suspect it will settle into a little more of an equilibrium? 

Tresa Stephens: My sincere hope is that we settle into an equilibrium. At the moment, it's a hard market for cyber insurance. The policy prices are obviously going up because of the claims that we're paying out have significantly increased. I think in the last three years, the costs related to ransomware incidents have more than doubled. I mean, it has a lot to do with sort of the commercialization of ransomware as a service. You know, it's like cybercrime is - it's big business now. My hope is that, you know, we start going after the attackers more aggressively. So we're reducing the number of, you know, individuals out there who are actively engaging in this kind of criminal activity. But, I mean, you know, there are regulatory - like, OFAC now is suggesting that you shouldn't, you know, give in to these cyber terrorists. You know, different countries are kind of choosing their attack on how they want to address paying cybercriminals. And, you know, in the wake of sort of those changes, we might see, you know, the market shift. There might be some more stabilization in terms of rates or coverage that's available. But right now, it's really an inflection point for our industry. 

Dave Bittner: If I'm the person who's in charge of, you know, managing these sort of risks in my organization, turning the dials, setting the various types of resources, how do you recommend I make this case to the powers that be? If I have to walk into the boardroom and make my case for the types of things we need to defend against, do you have any words of wisdom there? 

Tresa Stephens: I mean, I would say you could look at the data if you're trying to convince somebody that it's a problem, especially when you look at just the last year. I mean, we've had these big kind of milestone cyber events and attacks. You know, we've got Kaseya. We've got Accellion. We've got SolarWinds. We've got this Log4j vulnerability, you know, that was discovered last year in December. I mean, it's hard to ignore that the problem is pervasive. And I think it's a foolhardy endeavor not to invest in shoring up your defenses against those inevitable problems. 

Dave Bittner: That's Tresa Stephens from Allianz Global Corporate & Specialty. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: So we would be remiss if we did not talk about the situation going on in Ukraine right now. Certainly, lots of policy implications for tech companies and cybersecurity, as well. Give us your overview. What are you tracking? 

Ben Yelin: Yeah, I mean, there's so much that's involved in this rapidly developing story that relates to what we talk about on this podcast and on "Caveat." I mean, we've never seen this type of hybrid warfare where there's kinetic action happening on the ground in Ukraine, and then there's this cyberwarfare, whether it's active cyber measures on the part of the Russian government, which we really haven't seen to the extent that I think we expected, or information warfare. In that realm of information warfare, there was an article that caught my interest from Ars Technica entitled "Big Tech Spent Decades Skirting Geopolitical Issues. That Is No Longer an Option." And this theme has been echoed in other publications as well. All of the big tech companies are interested in preserving their bottom line. They don't want to get involved in geopolitical conflicts. They want to be neutral platforms where you can have users with a variety of political viewpoints from all over the world. You want the biggest market possible. 

Ben Yelin: Just by the nature of what's happened over the past several days in Ukraine, they've been forced to make some decisions that go against that practice of neutrality. A couple of examples - Meta, the parent company of Facebook has restricted accounts from Russian troll farms pretending to be Ukrainian citizens, you know, bloggers, per se, criticizing the Ukrainian government and praising the Putin government in Russia. Twitter has started labeling tweets from Russian state media sources as tweets from Russian state media sources. They've never engaged in that before. A really interesting example to me is Google obviously runs probably the most - the first- or second-most popular maps application out there. 

Dave Bittner: Yeah. 

Ben Yelin: And they generally collect real-time traffic data. So using their magic formulas, they can figure out where traffic is bad, which roads are clogged, which places in a given city are busy or we could expect to be busy at a given time. And because that information could be so useful to people who are fighting this war - you know, people who have instigated this invasion - Google has gone to the extraordinary step of shutting down maps through Ukraine so that Russian military forces don't have access to real-time traffic data about which roads are clogged, where the refugees are trying to leave and, you know, information about what parts of a given city are busy. Because that could indicate, you know, for example, where civilians are sheltering or where civilians are planning counterattacks. So I just think it's really interesting that we finally have a scenario here where tech companies can't just sit on the sidelines. I think they've seen what other international institutions have done and, you know, have taken what's happened in Ukraine so seriously that they feel like they have to step up as well. So I found that very interesting. 

Dave Bittner: Yeah. Where do you suppose this goes? I mean, do we ultimately - is this a - we've seen, for example, oil companies, you know, divesting themselves from Russia. Could we see similar things with the tech companies? Simply, you know, could Twitter or Meta say, we're just not going to do business in Russia anymore? 

Ben Yelin: See, that has its own drawbacks as well because, you know, all of these tech companies run platforms where there is, at least theoretically, the free flow of information. 

Dave Bittner: Right. 

Ben Yelin: And that free flow of information is critical at a time like this where if you're in Russia, the alternative is state-run media sources, which, to put it mildly, aren't always on the up and up in terms... 

Dave Bittner: Right. 

Ben Yelin: ...Of telling the truth. 

Dave Bittner: Right. 

Ben Yelin: So if you shut down Twitter, that cuts off an avenue for Russian citizens to get actually accurate information. 

Dave Bittner: Yeah. 

Ben Yelin: Now, they might not get it anyway because of censorship and Russian government actions. But it's not as easy as just saying, you know, for the betterment of Russian citizenry and for Ukraine, we're just going to get out of that market entirely. 

Dave Bittner: Yeah. 

Ben Yelin: So it really is a difficult decision for these companies. You know, we've seen rather large protests in the streets of some major Russian cities - Moscow, Saint Petersburg - that probably wouldn't happen if, you know, some type of free-flowing information had not made it into the Russian populace... 

Dave Bittner: Right. 

Ben Yelin: ...Where they had some degree of information as to what was happening in Ukraine and, you know, who was morally culpable. You know, it's certainly not as easy as just saying, if you want us - you know, step out of the Russian problem, just get out of the country entirely - I don't think that's an adequate solution. 

Dave Bittner: Right. Right. All right. Well, we will keep an eye on it. Time will tell, as they say. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 


Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.