Cyber dimensions of Russia’s hybrid war against Ukraine. Hacktivists and cybercriminals choose sides. Lapsu$ releases NVIDIA and Samsung data (and says a victim hacked back).
Dave Bittner: Russian influence operations fail as few support Russia's war of aggression. Ukraine will become a contributing participant in NATO's CCDCOE. Ukrainian cyberattacks and the marshalling of hacktivists. Russian cyberattacks surprisingly restrained and unsurprisingly supported by criminal organizations like Conti. The FBI’s Bryan Vorndran joins us with insights on the work his team did on Sodinokibi. Rick Howard looks at vulnerability management. And the Lapsu$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 7, 2022.
Dave Bittner: A quick note about the situation on the ground in Ukraine. Within hours of agreeing to cease-fires late last week that would have permitted civilians to evacuate areas of active fighting, Russian forces resumed shelling the evacuation routes they'd agreed to protect. Russia today declared new humanitarian cease-fires in areas with heavy refugee traffic, but it seems unlikely that these will be any more reliable than earlier cease-fires. The U.K.'s Ministry of Defence, in its regular update on Russia's war against Ukraine, yesterday assessed the situation as follows. Quote, "Russian forces probably made minimal ground advances over the weekend. It is highly unlikely that Russia has successfully achieved its planned objectives to date. Over the past 24 hours, a high level of Russian air and artillery strikes have continued to hit military and civilian sites in Ukrainian cities," end quote.
Dave Bittner: Demonstrations around the world this Sunday ran strongly against Russia, The Washington Post reports, with governments disputing Russian government propaganda in social media. The fear and suffering produced by Russia's war against Ukraine are, in Russian President Putin's view, the fault of Ukraine and NATO, since sanctions against Russia amount to a declaration of war. Ukrainian actions - and not, as one might think, the full-scale and unrestrained Russian invasion - have called Ukraine's continued existence as a state into question. The current leadership - that is, Ukraine's government - needs to understand that if they continue doing what they're doing, they risk the future of Ukrainian statehood, Mr. Putin said.
Dave Bittner: In a call with Turkey's President Erdogan, President Putin said that suspension of hostilities would only be possible, quote, "if Kyiv stops military operations and carries out well-known Russian demands," end quote. Those demands include demilitarization and neutralization, both to be guaranteed in perpetuity by constitutional amendment, formal recognition of Crimea as a Russian province, and formal recognition of the independence of both Donetsk and Luhansk. Russia would negotiate, Mr. Putin said, but it would not stand for protracted negotiations designed simply to draw the fighting out. Indeed, given that his well-known Russian demands are non-negotiable, there would seem to be no room for negotiation beyond perhaps choosing a time and place for the formal surrender.
Dave Bittner: The NATO Cooperative Cyber Defence Centre of Excellence, the CCDCOE, announced Friday that Ukraine will become a contributing participant. The 27 members of the CCDCOE voted unanimously to extend membership, which Ukraine has accepted. Participation in the CCDCOE isn't necessarily restricted to NATO members. Austria, Finland and Ireland are members who don't belong to the Atlantic alliance, and participation doesn't constitute NATO membership.
Dave Bittner: Distributed denial-of-service attacks, relatively easy to mount, lend themselves to the sort of hacktivism that's surged with sympathy for Ukraine. BleepingComputer reports that Russia's National Coordination Centre for Computer Incidents, a service established by the FSB, has distributed a list of 17,576 IP addresses said to be used in the DDoS campaign, and a second list of referring domains involved in the operation. The Russian organization also recommended measures organizations should take to defend themselves.
Dave Bittner: The volunteer hacker army that Ukraine has sought to rally, and succeeded in rallying to its cause, have been given some targeting instructions. They've been told, Reuters reports, to hit Belarusian railroads and the GLONASS positioning system. The volunteers are said, according to officials in Kyiv, to be principally tasked with collecting intelligence and aren't supposed to pursue non-military targets. So stated Ukrainian policy is to have its volunteer IT army operate under real operational control.
Dave Bittner: Tight control over a quickly assembled and protean volunteer corps may be difficult to achieve in practice. Concerns about control aren't trivial. The responsibility to exert control over an armed force is a central concept in the law of armed conflict. While international law governing the cyber phases of a hybrid war remains largely unformed, there are analogies with armed conflict that ought to give one pause. To whom do the hackers answer? When peace is negotiated, will they cease virtual fire? What about the familiar difficulty of attribution of cyber activity?
Dave Bittner: In some respects the hacktivist enthusiasm represents, according to WIRED, pandemonium. The New York Times, while reporting that Ukraine has been deliberate and intentional in its recruitment of hackers, quotes Matt Olney, director of threat intelligence at Cisco Talos - quote, "it is crazy. It is bonkers. It is unprecedented. This is not going to be solely a conflict among nations. There are going to be participants that are not under the strict control of any government," end quote.
Dave Bittner: Much of the hacktivist activity so far has involved website defacements and DDoS attacks. The DDoS attacks have raised more questions among observers. Security firm Avast is no crew of Russian stooges, and it's very alive to the iniquity of Russia's war. They've released a decryptor for HermeticRansom, used in the early stages of that war. And they nonetheless caution that freelancing DDoS can be a dangerous game. For one thing, it's worth remembering that even in a war, there's such a thing as an illegal combatant.
Dave Bittner: Avast offers four reasons to think twice before casually signing on to a DDoS operation. First, performing DDoS attacks is illegal. Second, ensuring your security while using such tools is difficult to achieve, and by participating in these actions, you risk your privacy. Third, by using these tools, you could cause counterproductive collateral damage, especially if you don't understand what you're doing by using them. And finally, historically, similar tools have been abused by various actors who piggybacked on their popularity and started distributing their own variants, including malware.
Dave Bittner: Russian cyberattacks have been more muted since the outbreak of President Putin's war against Ukraine, but they haven't been absent. Ukraine's State Service of Special Communications and Information Protection tweeted Saturday, quote, "Russian hackers keep on attacking Ukrainian information resources nonstop. Since the beginning of invasion, DDoS attacks have been primarily aimed at the resources of Verkhovna Rada, Cabinet of Ministers, President of Ukraine, Defense Ministry and Internal Affairs Ministry. The only thing the occupants managed to do was to substitute the front pages at the sites of some local authorities," end quote.
Dave Bittner: This morning the U.K.'s Ministry of Defense tweeted an updated assessment of Russia's operations, highlighting their effects on communications. Quote, "Russia is probably targeting Ukraine’s communications infrastructure in order to reduce Ukrainian citizens’ access to reliable news and information. Russia reportedly struck a TV tower in Kharkiv yesterday, suspending broadcasting output. This follows a similar strike on a TV tower in Kyiv on 01 March 2022. Ukrainian internet access is also highly likely being disrupted as a result of collateral damage from Russian strikes on infrastructure," end quote.
Dave Bittner: Russian cyber offensive operations have thus far had a negligible effect on either the war or on international support of Ukraine, particularly as that support has been manifested in sanctions. Defense Daily, Government Technology and the Hill all reiterate warnings that organizations should remain on their guard against Russian cyberattacks.
Dave Bittner: The Hill on Saturday published an appreciation of why a general cyber campaign against Western supporters of Ukraine has so far not materialized. As much as sanctions have hurt Russia, Moscow's risk-and-reward calculus so far indicates that it may have more to lose than to gain from an escalation in cyberspace. InfoRisk Today late last week offered an inventory of various explanations for Russia's relative restraint. They include such disparate assessments as operational incapacity, a decision to hold cyber capabilities in reserve, a desire to avoid escalation and, probably least plausibly, a simple unreadiness to go on the cyber offensive.
Dave Bittner: The Lapsu$ gang has followed its extortion attempt against NVIDIA with a similar attack against Samsung, claiming to have obtained sensitive information, 190 gigabytes of which it's now released online, Computing reports.
Dave Bittner: BleepingComputer said Friday that Lapsu$ claims to have source code for every Trusted Applet installed in Samsung's TrustZone environment, algorithms for all biometric unlock operations, bootloader source code for all recent Samsung devices, confidential source code from Qualcomm, source code for Samsung's activation servers and full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services.
Dave Bittner: Concerning the NVIDIA hack, Lapsu$ said that the victim retaliated by hacking back. The gang said, quote, "they were able to connect to a virtual machine we use. Yes, they successfully encrypted the data." But, added Lapsu$, the gang followed anti-ransomware best practices and backed up the stolen data, so everything’s fine.
Dave Bittner: Avast argues that hacking back represents a slippery slope. It can be hard to stop and hard to contain. We should note that the hacking back claims originate with Lapsu$, not NVIDIA. As the hoods put it, we have a backup and it's safe from the scum, said the scum. We note, they emphasized their outrage with three - count them, three - exclamation points.
Dave Bittner: And it's always a pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst. Rick, great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: You know, usually on these segments, we talk about your "CSO Perspectives" podcast. And I want to get to that in a second, but before we do, there's another show that you head up around here. And what I love about this show is it is an example of a very simple idea well-executed. And there's a great pleasure in that, and that is called "Word Notes." Just give us the short, little description of what "Word Notes" is about.
Rick Howard: Well, thanks for saying that, Dave. I'm glad you like it because I'm having a blast putting it together. And "Word Notes" episodes are really short. They're less than five minutes, and they attempt to explain the alphabet soup of words and acronyms that permeate the cybersecurity space. So if you're really not sure about the meaning of words like cryptographic failures or non-fungible tokens or even fast flux attacks, you know, those words that just kind of spring off your lips, OK, so...
Dave Bittner: Sure.
Rick Howard: So this is the show for you. So we define the word. We give it some historical context, you know, so that we can see where it fits into our world. And then we attempt to find where the word has popped up in our pop culture; meaning, have we seen it in any of our nerd properties in TV and movies? Or did some famous person somewhere refer to it?
Dave Bittner: Yeah. I mean, you know, one of the things about this is that every industry has its lingo, and I think you have to be really careful about that lingo not being gatekeeping. And I think that's something that can happen here because if you don't know the lingo, it's hard to be part of the conversation. So this - you know, this show helps folks stay up to speed on the lingo and get some perspective on it as well. I have to ask, what is your favorite nerd reference so far?
Rick Howard: Oh, you know, I love being able to put the nerd references in because, you know, the secret might be out. I'm a little bit of a nerd myself. You know, people may have noticed that.
Dave Bittner: Really? I hadn't noticed that. No.
Rick Howard: So one of my favorite nerd references so far is the show we did for Monte Carlo simulations, and the clip we ran, it was from the "Avengers: Infinity War" movie when Dr. Strange goes into a trance to calculate the odds of defeating the big bad guy, Thanos, in the next movie, right?
Dave Bittner: (Laughter) Right.
Rick Howard: And he's essentially doing a Monte Carlo simulation. So how cool is that?
Dave Bittner: Yeah. OK, cool's one word for it, yeah (laughter).
Rick Howard: OK. Yeah. I may have my nerd hat on. OK. What can I say (laughter)?
Dave Bittner: That's fine. Hey, listen, I'm a card-carrying member myself.
Rick Howard: Hey, I meant to talk to you about that. Your dues are - you have to pay your dues. You're a little late. All right. So we're watching you.
Dave Bittner: Oh, I'm not an honorary member? I still have to pay? All right. All right. Fine. Before I let you go here, what is this week's "CSO Perspectives" show about?
Rick Howard: Yeah. So for this show, I have a different take, a hot take, you might say, on where vulnerability management fits into our infosec program. I think it directly supports our zero trust strategy, but it requires help from our intelligence teams, our DevSecOps teams and our ability to forecast risk till it all sort of comes together in one little ball.
Dave Bittner: All right. Well, that is all part of "CSO Perspectives." You can find that as part of CyberWire Pro, which you can find on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Dave Bittner: And I'm pleased to welcome back to the show Bryan Vorndran. He is the assistant director of the FBI's Cyber Division. Bryan, welcome back to the CyberWire. You know, I wanted to touch on some specific work that you and your colleagues have done at the FBI, some of the value that you bring to the table here, hoping today we can go through some of the work that you all did on Sodinokibi. What can you share with us today?
Bryan Vorndran: Thanks, Dave. You know, when we look at our role within the cyber ecosystem of the United States government, we really see ourselves as an enabler and an action arm. And at times, we would be in the lead to action certain operational opportunities, and in other scenarios, we would be in a position to enable others, such as NSA or Cyber Command or private sector partners. Related to Sodinokibi specifically, Sodinokibi was obviously a ransomware group based in Russia that had very significant effects on thousands of victims here in the United States and even more globally. But I think it's a good highlighting case for me to explain how we work at the center of that ecosystem. So we had good intelligence based on our investigation that had been ongoing for over 18 months earlier this year. And through that, we were able to enable specific actions on behalf of the part of IC partners and private sector partners. But that case also shows our global reach because when Yaroslav Vasinskyi conducted the attack against Kaseya, we immediately got to work and our ability to prove through evidence that Vasinskyi's hands were on the keyboard that conducted that ransomware attack, and then our follow-on work with DOJ to ensure that we were able to get a red notice in place and an arrest warrant in place, allowed us to work with Polish authorities to secure his arrest. And now Vasinskyi is facing extradition. So the Sodinokibi case specifically shows how we sit at the center of that ecosystem. We have tremendous relationships with Cyber Command and NSA because of our investigative authorities we're able to generate significant intelligence and evidence to share with them. And then lastly, as I mentioned with the global reach to Poland - and Poland is just one example - we actually have representation in 70 countries around the world. We just have the tremendous ability to expand from our U.S. footprint to impact adversaries that are thousands and thousands and thousands of miles away and bring them to justice. So I think that case very much highlights our central role in the ecosystem. And, Dave, I didn't even mention all of the cryptocurrency seizures that were part of that case. We have millions of dollars of seizures that have been made public in that case. And again, it speaks to the central role of the FBI, but also, as importantly, our work with our interagency partners in the intelligence community.
Dave Bittner: Can you give us some insights as to - how often is it that the FBI takes the lead in these investigations? And what are the elements that dictate which organization within the federal government takes the lead from case to case?
Bryan Vorndran: So when we speak solely about investigations, certainly the FBI is going to be the lead investigative agency for nation-state cyber actors, the criminal space that would really comprise botnets, ransomware, these types of threats. There is some differentiating between whether Secret Service or the FBI is going to be lead. On the traditional, large ransomware variants, the FBI is generally going to be a lead. And that has certainly come to attention in the last eight to 12 months here in the country. But in terms of prioritization moving forward into a broader conversation about operational impact, I think what we value the most is conversations with private sector partners and our intelligence community partners about how we can impose the maximum cost on an adversary. How can we make their life more difficult? How can we cause them to have a bad day or a bad week? Sometimes that's done through indictments. Sometimes that's done through arrests. Sometimes that's done through cyber effects operations. Sometimes that's done through sanctions or rewards for justice provided by Department of State. The point is that there is very good ongoing dialogue within the interagency - and when I say the interagency, I do mean, the FBI, Secret Service, State, Treasury, NSA, CISA and Cyber Command - right? - about how do we impose cost? And so those are becoming very mature conversations within the government about - how do we use all of our tools, all in tandem, all in a synergistic way, to impose the maximum cost? And I'm proud to be a part of that, to be honest with you because I've seen maturity in the last year, and I expect more maturity to continue to grow in the upcoming years.
Dave Bittner: All right. Well, Bryan Vorndran, assistant director of the FBI's Cyber Division. Thanks so much for joining us.
Bryan Vorndran: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.