Updates on Russia’s hybrid war, including cyber ops and influence operations. Mustang Panda focuses on Europe in its cyberespionage. Ransomware hits oil and gas sector. UPS vulnerabilities.
Dave Bittner: Updates from the U.K.'s Ministry of Defense on Russia's war in Ukraine. On influence operations, the advantage still seems to go to Ukraine as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Mustang Panda rears up in European diplomatic networks. Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. And vulnerabilities are found in UPS devices?
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 8, 2022.
Dave Bittner: The Russian army continues to exhibit surprising tactical and operational shortfalls. Its roadbound heavy forces, even as slow moving as they proved to be, have clearly already outrun their logistic support. Having been unable to capture key Ukrainian cities, they've turned to heavy and indiscriminate targeting of civilians despite a second negotiated round of cease-fires.
Dave Bittner: The U.K.'s Ministry of Defense yesterday afternoon tweeted an update on Russia's war against Ukraine and took particular notice of Moscow's attempts to control information. Quote, "Russia is increasingly restricting domestic social media access to limit negative coverage of Russia's invasion of Ukraine. This will further confine the information space and make it increasingly difficult for the Russian population to gain access to anything other than the Russian state official view. This indicates the Kremlin's concern over the Russian population's attitude to the conflict," end quote.
Dave Bittner: Earlier this morning, the MoD added a spot report. Quote, "Ukrainian resistance against a Russian offensive toward Kyiv endures around the nearby towns of Hostomel, Bucha, Vorzel and Irpin. Russia continues to directly target evacuation corridors, resulting in the death of several civilians whilst trying to evacuate Irpin. Due to heavy fighting in the town, it has reportedly been without heat, water or electricity for several days," end quote.
Dave Bittner: Moscow is recycling implausible and unsupported claims that Ukraine is attempting to create a dirty bomb - that is, a radiological catastrophe - by mining a research reactor in Kharkiv. Sputnik maintains that Russian forces are actually the heroes in Kharkiv, having secured the reactor and prevented the disaster the Ukrainians had prepared. Russian government-controlled media are also claiming that Ukraine is attempting to conceal a large-scale biowar program it's been operating with U.S. support and collusion. Neither of these seem to have any international legs, but then the audience is probably a domestic one.
Dave Bittner: Russian domestic influence operations continue in other respects to rely heavily on censorship. There are also some signs of direct intimidation of journalists. Reporters in Odesa say they've received menacing emails. The Atlantic Council describes what appears to be a coordinated campaign of intimidation.
Dave Bittner: Even the most assiduous propagandists seem to have trouble finding good help nowadays. Some of the emails were sent by people who forgot to delete the instructions that had been embedded in the sample text they were given, things like add here a few paragraphs on local specifics, or these emails should be disseminated every day to crush the morale, or send emails individually, not to a list, and think about painful dots to push on. We think painful dots are what Americans would call hot buttons. You know, you tell them and you tell them.
Dave Bittner: The biggest obstacle to a successful Russian information campaign, however, apart from persuasion being inherently harder to achieve than confusion, may be the pervasive availability of social media and a large international journalistic presence in Ukraine. Unusual Western openness with intelligence, notably used for what some have called prebunking, the anticipation of Russian disinformation themes and the release of fact checks before the disinformation finds its legs, seems to also have played a part.
Dave Bittner: A report late last week from Check Point Software gives a timely reminder that in any war, and in a hybrid war especially, early reports and claims should be treated with cautious skepticism. That applies to claims on behalf of both sides, which may or may not eventually be confirmed.
Dave Bittner: Who's helping Russia defend its networks, and who's assisting them in recovering from cyberattacks? Huawei, the Indian news service WION reports. Australian Defense Minister Dutton, the Daily Mail says, has criticized Huawei for working on behalf of Russia and accused Moscow and Beijing of having an unholy alliance.
Dave Bittner: The Conti gang, which has publicly pledged its allegiance to Mr. Putin's war, has shrugged off the reputational damage it sustained when it was infiltrated by a Ukrainian hacker who released records of the gang's internal chatter. eSentire has published an extensive account of Conti's history and an assessment of its current capabilities. Attacks the group conducted against Western targets may have represented a contribution to Russian battlespace preparation.
Dave Bittner: The U.S. FBI updated its alert concerning Ragnar Locker yesterday. Quote, "as of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by Ragnar Locker ransomware, including entities in the critical manufacturing, energy, financial services, government and information technology sectors," end quote.
Dave Bittner: Ragnar Locker was composed by Russophone coders, and MITRE notes that Ragnar Locker doesn't encrypt files if it determines that its target is in either Russia or the near abroad. This makes it likely that its operators have enjoyed a privateer's immunity from Russian authorities. Operators, we stress, is a plural here. Ragnar Locker is a tool, not a threat actor, and it's been used by various gangs.
Dave Bittner: Cyber-espionage will follow crisis, and the Russian war against Ukraine is proving no exception. Proofpoint this morning released a report on the activities of TA416, a Chinese APT also known as Mustang Panda. Its current interests have obviously been shaped by the war. TA416 is targeting European diplomatic entities, including an individual involved in refugee and migrant services. It uses tracking pixels to help profile targets during its reconnaissance phase. The phishing emails that eventually deliver the payloads to TA416's targets have often impersonated United Nations agencies. Quote, "the multiyear campaign against diplomatic entities in Europe suggests a consistent area of responsibility belonging to TA416," end quote.
Dave Bittner: Bloomberg reports that Resecurity found that threat actors succeeded in accessing the networks of 21 companies, most of them in the oil and gas sector, over a two-week period in February. Resecurity declined to attribute the activity to any nation but did go so far as to say that the activity seemed to be state-sponsored. Bloomberg notes that some of the incidents appeared to overlap those Microsoft attributed to Strontium, also known as APT28 and Fancy Bear - that is Russia's GRU military intelligence service. The timing and target selection are suggestive, circumstantially, of a Russian operation.
Dave Bittner: The Hive ransomware gang has hit Romania's Rompetrol oil company, disrupting fuel stations throughout the country. BleepingComputer says that the gang has demanded a $2 million ransom.
Dave Bittner: Finally, researchers at security firm Armis this morning announced that they'd found three zero-day vulnerabilities in APC Smart-UPS devices. A UPS device is an uninterruptible power supply, something that provides emergency backup power for mission-critical assets. They're used in data centers, industrial plants, hospitals and other places that need reliable, uninterrupted power.
Dave Bittner: Until recently, UPS devices hadn't been considered security risks, but that's changed as more of these devices have become remotely managed and so networked. Armis calls the vulnerabilities, taken together, TLStorm, and they say they could be exploited to disable, disrupt and destroy APC Smart-UPS devices and attached assets. APC is a unit of Schneider Electric. This is a case of responsible disclosure, and Armis has worked with Schneider, which has prepared and made available patches and mitigations that address the vulnerabilities. If you use these UPS devices, be sure to patch them.
Dave Bittner: Our U.K. correspondent, Carole Theriault, has been tracking the growing sophistication of deepfakes and the concerns they've triggered. Today, she files this report on a new coalition that has set their sights on fighting deepfakes.
Carole Theriault: So according to Forbes, a coalition of technology companies set up to combat deepfakes has released the first version of its technical specification for digital provenance - the Coalition for Content Provenance and Authority, C2PA - not exactly a name that slips off the tongue, however. According to Forbes, C2PA counts Adobe, Microsoft, ARM, Intel, Truepic and the BBC amongst its illustrious list of members.
Carole Theriault: And the gist is this - platforms can define what information is associated with each type of asset - by asset, I mean an image, a video, a podcast, a document - and they can specify how that information is presented and stored and how evidence of tampering can be identified. In other words, it allows content creators to selectively disclose information about who has created or changed digital content and how it's been altered.
Carole Theriault: Leonard Rosenthal, chair of C2PA's Technical Working Group and senior principal scientist at Adobe, is quoted in Forbes saying, as the C2PA pursues the implementation of open digital provenance standards, prototyping and communication from coalition members and other external stakeholders will be critical to establish a system of verifiable integrity on the internet. OK. That is a statement written by a committee if ever I saw one because it is nebulous at best. But let me just distill what I think it is trying to say. Hey, guys, get on board with this. Otherwise, it's going to fail.
Carole Theriault: But, you know, these things get complicated. They always do. Maybe not all deepfakes are bad. Consider the movies, for example. According to Technical.ly, the big movie houses started using the technology that is deepfakes to reduce the cost of movie production during the 'rona pandemic. That, too, is a slippery slope. How long before some actor breaks his leg and is contractually obliged to have a deepfake play his role? Or what if an actor is bidding for a role against a deepfake of Laurence Olivier?
Carole Theriault: I mean, as the technology becomes ever more accessible, organizations will not only be the ones creating deepfakes. Individuals creating content on YouTube and other video platforms may well want to use deepfakes, if only just to make their channel pop. Oh, look. Hey, look at the big celebrity that just popped in on my channel. I mean, I can see it. I'm predicting it now.
Carole Theriault: So as always, we want to stop deepfakes for bad intentions. We want to regulate the use of deepfakes in good intentions. And we want to look at how it can be used by the common person in order to advance the technology in a safe way. Not a big ask, right? This was Carole Theriault for the CyberWire.
Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it is always a pleasure to welcome you back to the show. There is a term that I saw coming out of I believe the U.K., and it's data traps. You being a data scientist, I thought you'd be the perfect person to check in on what exactly this means and what the implications are. What can you share with us today?
Andrea Little Limbago: Yeah, thanks for bringing this up. It really hasn't risen to a lot of attention, but back in December of 2021, the U.K. intelligence chief brought this notion and warned against both debt traps and data traps. Now, debt traps have been used before, and that basically is the weaponization of debt where countries provide other countries loans to get leverage over them. And so we see that a lot. And so, you know, that wasn't really what was as novel. It's something to be concerned about for sure, but wasn't as novel as - of also sort of tying that into data traps.
Andrea Little Limbago: What they noted was that, you know, if you allow another country to gain access to your data and gain control of that data, basically, it erodes your sovereignty. And so what he really was warning about was the access that other governments are starting to have to both public and private sector data as an erosion of sovereignty and control and as a means for leverage as well. And so what they're really looking at, you know, is looking at data as basically this resource - right? - a strategic resource. And he is framing it in that lens.
Andrea Little Limbago: And I think for many governments - especially, you know, digital authoritarians that we've talked about, for sure - you know, really do look at data as a strategic resource. And democracies really haven't done that as much, and that's shifting - but really haven't done that as much. And so that's where you see why it was so important for the U.K. intelligence chief to bring this up was to highlight that this is - should be a concern of both the private and public sector that knowing where your data is, making sure what - that you're protecting it, you know, at home but knowing where it is abroad and knowing what kind of access other, you know, adversaries may have to that data.
Andrea Little Limbago: And then what would happen to government, to your society, to your company if that data was accessed? And I think, as we all know - you know, within this audience, you know, integrating various forms of data together can really lead to useful insights. So that's great. It also can lead to useful insights in negative ways against, you know, an entity as well. So it really is trying to, you know, raise the alarm about the necessity to protect your data not just at home but, you know, abroad.
Dave Bittner: It's interesting to me, you mentioned sort of the contrasts between democracies and other governments. I mean, is that a cultural thing? Is there - do different nations approach their attitude towards data in different ways?
Andrea Little Limbago: Yeah. I think they definitely do. And on the one hand, you know, it's kind of a spectrum in that we absolutely can point to areas where democracies and democratic governments have overreached in areas of civil liberties and human rights. So it's not saying that democracies are completely devoid of any kind of activity in that realm. But the extent of which it goes on and sort of the guardrails that are in place to prevent it are very, very different.
Andrea Little Limbago: And so you do see amongst the digital authoritarians really the quest to, you know - yeah, I think of it as data hoarding - bring in as much data as possible. And that's why you see everything from the OPM attack - feels like about a decade ago at this point - you know, through, you know, the health care data that's getting attacked, through airline data, getting, you know, taken in, through, you know, like, hotel membership data. Like, all that different data basically can be pattern of life when brought together and can be used for just a variety of means. And that's not even mentioning some of the IP theft as well that we've seen.
Andrea Little Limbago: And so you see more of the authoritarians looking at no target as being off limits. For the democracies, really the focus is much more so on, you know, what would be, like, you know, in quotes, you know, "traditional espionage," not necessarily targeting IP or the commercial entities. It's more so for, you know, the leadership in espionage, along those lines, versus the theft of IP.
Andrea Little Limbago: And so it does create a very different playing field between the two. And that's really what the - I think the U.K. chief was really trying to highlight was whether it's your company or within your digital supply chain and your partners that may have your data elsewhere, to be really concerned about that. And even in the policies that we see - you know, you see, like, the General Data Protection Regulation in the EU is protecting data for individual citizens.
Andrea Little Limbago: Whereas elsewhere, you know, from Russia to China, Kazakhstan, you know, really across all of these - you know, actually Thailand, Vietnam - many, many countries increasingly have data localization requirements. And so you have to store the data there. Additional policies and regulations then add components as far as, oh, and we can access this data if we deem it, you know, essential to national security. And that umbrella of what is essential to national security basically is endless for them. So there's a big risk of storing that data abroad with - you know, with a government that could have easy access to it.
Dave Bittner: Well, and, you know, we're seeing - I think it's the EU that's been going head to head with Facebook over data storage and being able to transfer data overseas, across the ocean, and trying to keep some sovereignty to their data. I mean, is this - is that part of what we're talking about here?
Andrea Little Limbago: I think it is. And I think that's an additional component of it, because on the one hand, we do see sort of this - the splintering of the internet and the different sovereign areas. And so, really, the challenge is, how can we have the free flow of data - because that is really essential for, you know, functioning economies - while still preserving, you know, sovereignty and individual data rights?
Andrea Little Limbago: And I think in the Facebook case, it's especially relevant for the case of looking at the citizens' data and maintaining control over the citizens' data. Whereas for some of the other instances, it might be that they may want more so the free flow of data along the lines of commercial information and so forth for, you know, economic purposes.
Andrea Little Limbago: And so, you know, not all data's the same. And I think we're starting to get into an area as well where we'll start seeing some, you know, distinct categorizations of different kinds of data, which will then have different policies applied to them. So, I mean, if we think we have a patchwork of policies and regulations now, I think that's just going to continue to explode. Hopefully, it's done well in the direction of greater security. But we will see - 'cause at the same time, there are concerns over, you know, everyone trying to create their digital fortress around a country 'cause that also, you know, leads to this - basically digital protectionism. And that isn't optimal for the free flow of information and ideas, either. So there's going to have to be a balance.
Dave Bittner: Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: Great. Thanks, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.