Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.
Dave Bittner: The situation in Russia's war against Ukraine and Mr. Putin's frustration with his intelligence services; provocations, state hacking and influence operations in a hybrid war; Lapsus$ hits Ubisoft with ransomware; LockBit hits Bridgestone America; the Escobar banking trojan is out in the wild; Kaspersky source apparently not compromised after all; Daniel Prince wonders if we're properly preparing for the roles of tomorrow; Rick Howard is pulling on the kill chain; and the wayward aim of public opinion.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 14, 2022.
Dave Bittner: We begin with a brief update on the Russian war against Ukraine, particularly as it's being conducted in cyberspace. On the ground, Russian forces continue to encounter strong resistance and self-inflicted logistical problems.
Situation reports from the UK's Ministry of Defence.
Dave Bittner: This morning's update from the U.K.'s Ministry of Defence emphasized the plight of refugees and the civilians who have remained in place. The MOD wrote, quote, "more than 2.5 million refugees have been forced from their homes as a result of President Putin's attack on Ukraine. Indiscriminate Russian shelling and air attacks are causing widespread destruction. The U.N. have reported that there have already been 1,663 civilian casualties since the Russian invasion began. As with previous such estimates, the true figures are likely to be significantly higher and will continue to climb as long as Russian operations continue" - end quote.
"Angry and frustrated."
Dave Bittner: Russian President Putin's increasingly extreme policies seem to be driven, at least in part, by his disappointment in the way the situation has developed for his forces. The AP quotes U.S. Director of Central Intelligence William Burns, a former U.S. ambassador to Moscow, as telling Congress, quote, "I think Putin is angry and frustrated right now. He's likely to double down and try to grind down the Ukrainian military with no regard for civilian casualties" - end quote. Burns sees Mr. Putin as living in a propaganda bubble of his own creation. U.S. intelligence officials see few face-saving ways for the Russian president to exit what's become a costly war. DCI Burns told Congress, quote, "he has no sustainable political endgame in the face of what is going to continue to be fierce resistance from Ukrainians" - end quote. Director of National Intelligence Avril Haines said Mr. Putin "perceives this as a war he cannot afford to lose. But what he might be willing to accept as a victory may change over time given the significant costs he is incurring" - end quote.
Cyber operations against Ukraine.
Dave Bittner: Satellite internet service delivered by Viasat was interrupted on February 24, around H-hour of Russia's invasion. The U.S. National Security Agency, France's ANSSI Cybersecurity Authority and Ukrainian intelligence services are jointly investigating whether the incident was a Russian cyberattack. The target and the timing suggest circumstantially that it was. Reuters reports, quote, "the hackers disabled modems that communicate with Viasat's KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later, some remain offline" - end quote. The Viasat incident seems the most serious cyberattack of the war. Cyber incidents traceable to Russia have been observed outside the Ukrainian theater of operations, but these seem, for the most part, to be familiar criminal or at worst privateering capers that have long been run by the Russian underworld with Moscow's toleration and sometimes encouragement. While Russia's war against Ukraine has indeed been a hybrid war with cyber phases, those phases have been characterized by low-grade distributed denial-of-service attacks and website defacement.
Restraint in cyberspace, both Russian and Western.
Dave Bittner: An essay by Jan Kalberg in the CyberWire offers an explanation of why this might be so. Destructive attacks, once executed, are difficult to repeat, and deploying the cyber weapons such attacks would use should wait until it makes strategic sense to do so. If there's no combat advantage in, for example, taking down a power grid, it shouldn't be surprising that such attacks haven't yet materialized. The effects of a cyberattack, however devastating, are of finite duration, and it's difficult to repeat them at need. A similar calculus seems to be informing U.S. restraint against Russian assets, POLITICO reports.
Information operations, by and against Russia.
Dave Bittner: The Washington Post has an account of FSB strong-arm tactics used as early as September of last year to pressure Apple and Google to trim their policies to accommodate official Russian sensibilities. Those tactics extended to threats of arrest made against corporate personnel in Russia. The Post characterizes the threats as preparatory work for the censorship the current hybrid war against Ukraine has brought in its train, and it says the companies at the time blinked.
Dave Bittner: Influencers remain engaged in Russia's war against Ukraine, and here, as is the case with other items influencers flack, from clothing to drinks, they're being paid for their services. Vice reports a Russian campaign to pay influencers to retail Moscow's propaganda to their gullible followers. The U.S. National Security Council is running a rumor-control effort that specifically addresses the spread of Russian disinformation through TikTok. Prominent TikTokers, the Washington Post says, were given a Zoom meeting by the White House in which the lines of Russian propaganda and the human cost of repeating it were outlined.
Dave Bittner: Meta's platforms Facebook and Instagram have relaxed their customary strictures against hate speech to permit stronger language about Russia's war against Ukraine to pass its filters, and Russia has responded by adding Instagram to its blocked list. Authorities in Moscow have also asked a court to designate Meta an extremist organization, which, Bloomberg comments, would effectively criminalize all of its activities in Russia. Meta spokesman Nick Clegg issued the company's response, which repeated familiar claims of commitment to free speech and opposition to hate speech, and said that the relaxed rules apply only to users in Ukraine, the expression of whose outrage Meta is unwilling to censor. Mr. Clegg says in particular that the company on whose behalf he speaks won't tolerate Russophobia. Meta did clarify in other communications that it wouldn't permit people to call for the death of a head of state. Unnamed here is Mr. Putin, whose death a number of people have publicly desired. So, everybody, no more death to Putin posts.
Another Toyota supplier has been hit with ransomware.
Dave Bittner: Turning elsewhere, another Toyota supplier has been hit with a cyberattack, Reuters reports. The criminal gang Pandora claimed responsibility for the attack on Denso, a company that manufactures a wide range of automotive parts, including engine components. Another supplier, Kojima, had come under attack at the end of last month. That incident led Toyota to shut down domestic production for a day. The ransomware attack on Denso's German operations has not affected manufacturing or other operations.
Lapsus$ hits Ubisoft with ransomware.
Dave Bittner: The Lapsus$ gang has racked up another victim, Security Affairs says. This time it's game-maker Ubisoft. The company confirmed that it came under cyberattack last week, but that its games and services were now performing normally.
LockBit hits Bridgestone America.
Dave Bittner: The manufacturer Bridgestone Americas has confirmed that it sustained a ransomware attack on February 27. BleepingComputer says the LockBit gang has claimed responsibility, and the group is threatening to release stolen data if the ransom isn't paid. Bridgestone confirmed that the threat actor stole information from a limited number of Bridgestone systems.
The Escobar banking Trojan is out in the wild.
Dave Bittner: BleepingComputer reports that the Escobar Android banking Trojan is able to steal Google Authenticator codes to overcome two-factor authentication. The Trojan, which is still under development, is being offered to a maximum of five customers for $3,000 per month.
Kaspersky source apparently not compromised after all.
Dave Bittner: Ukrainian hacktivists claimed to have obtained and released Kaspersky source code, but their caper seems at best overblown. ComputerWeekly reports that the Russian anti-virus company says that its source code wasn't in fact compromised, and that all the hacktivists obtained was material freely available from the company's public website.
Public opinion's aim is sometimes wayward.
Dave Bittner: And finally, to return to the war against Ukraine, the New York Times reports that some people are shunning and denouncing companies and businesses they misperceive as Russian. Stolichnaya vodka, for example, is the target of many boycott calls, but Stolichnaya is produced in Latvia, and the distillery's corporate parent is in deeply inoffensive Luxembourg. And just because a restaurant has the word Russian in its name doesn't mean it's actually Russian. So enjoy your meal with a clear conscience and hold the slacktivism.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So for this week's "CSO Perspectives" podcast, you are tackling a subject that I know you really enjoy, and that is the intrusion kill chain. What do you have in store for us?
Rick Howard: Indeed it is, my friend. And, you know, I've been doing this InfoSec thing for a long time now, close to 30 years. And I have to say that I'm one of those lucky people to have found a profession that I legitimately love. I mean, I love all the things - all right? - all of them, all right?
Dave Bittner: (Laughter) OK.
Rick Howard: You know, like zero trust and resilience and risk forecasting. But the thing that really gets my heart pumping is adversary playbooks across the intrusion kill chain and the models we use to convey that information to each other, to leadership and to the world at large.
Dave Bittner: You know, I think one of the first conversations you and I ever had - it may have been the first. It was at RSA - I want to say, like, 2015, something like that. We talked about the kill chain.
Rick Howard: What? I'm shocked - shocked, I say.
Dave Bittner: I know, right? You? You? Well, so as I understand it, you know, most folks in our space think that there are three competing models to consider if you want to deploy intrusion kill chain prevention as a strategy.
Rick Howard: Yeah. Yeah.
Dave Bittner: You've got the original Lockheed Martin kill chain model that came out right around 2010 or so.
Rick Howard: Yep, 2010. Yep.
Dave Bittner: You've got the Department of Defense diamond model that came out the next year. And you've got the ATT&CK Framework, which MITRE released in 2013. But your point of view is that these models don't compete at all, that they're complementary. How could that possibly be, Rick?
Rick Howard: (Laughter) Well, you know, I may be a contrarian. What can I tell you? All right? So...
Dave Bittner: OK.
Rick Howard: And - but I would say that many network defenders think you have to choose one over the other. And from my viewpoint, that just isn't true. Each model is trying to accomplish a different piece of the same goal. It's all riffing off the same intrusion kill chain idea. Like, one's a strategy document, like the Lockheed Martin paper. One's an operational construct for defensive action - MITRE. And one's a methodology for cyberthreat intelligence teams - that's the diamond model. For adversary playbooks, this collection of bad guy activity across the kill chain, you don't choose one model over the other. All of these models work in conjunction with each other. So if the metaphor for preventing the success of cyber adversaries is an elephant, each of these models represents a different part of the elephant. So, in this episode, we're going to explain each model and discuss how network defenders can incorporate all three of them into their first principles of defensive strategies.
Dave Bittner: You know, isn't there a parable about blind men riding an elephant?
Rick Howard: I was trying to come up with that, and I just couldn't swing it. So...
Dave Bittner: OK, all right. Well, I don't want to put you out on a limb here. All right. Well, that is all part of "CSO Perspectives." You can find that on our website. It's part of CyberWire Pro at thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Daniel Prince. He's a senior lecturer in security and protection science at Lancaster University. Daniel, always great to have you back on the show. You are an instructor there at Lancaster University, and I know that is part of your job that is near and dear to your heart. I want to just check in with you on where we sort of stand right now in terms of preparing folks for those cybersecurity roles that are coming in the future.
Daniel Prince: Yeah. Thanks, Dave. So, I'm, you know, the program lead for our MSc at Lancaster University. And it's really interesting talking to the students as they come in and the types of jobs that they're thinking about going for. And that started me and others at the university thinking about how, through our courses, we're preparing the students for the next generation of roles. I mean, over the last 11 - 10, 11, 15 years that we've been teaching, you know, like, comprehensive security courses at Lancaster, the types of roles have really changed from, you know, the early concepts of trying to just - focusing on information security. And then it became cybersecurity, and then we started to get really specialist roles like SOC analysts and, you know, forensics analysts. And now we're starting to see people talking about, well, you know, I'd like to specialize in, you know, the protection of critical national infrastructure. And so what we're starting to see really over this last decade is, you know, as we're seeing in the job market, is this increasing specialization from generic, you know, people that can work across different aspects of cybersecurity now to increasingly detailed specialization.
Daniel Prince: And so the challenge that we have as a university and other universities have is, really, are we preparing individuals for these future roles, particularly as we get to the point where we're seeing things like smart cities and smart cars? You know, instead of being a mechanic in the future, do we need to have, as part of the MOT, or the test that the car is fit to be on the road, also an annual penetration test? And so sitting alongside somebody with, you know, greasy overalls, you've got somebody with a laptop as your car comes in, and, you know, they run a penetration test against it so that we know that it's also safe to be on the road from that perspective. And so we need to really think about agile ways in which we can respond but still be able to teach the core knowledge which is needed for individuals to go into the profession.
Dave Bittner: Yeah. I mean, that's fascinating, the challenge that you all face there, of having those foundational things that everyone needs but then also not being just reactive, that you have to prepare them for a rapidly changing vertical.
Daniel Prince: Yeah, definitely. I mean, you know, some of the students I've been talking to in our current cohort, you know, we're talking - I'm talking to them about smart city engineering and the security there, smart home engineering, you know, sitting alongside electricians and making sure that you're protecting those types of systems. And I think it's - what's interesting is this idea that cybersecurity as an educational pathway is not just something that happens in large organizations but is starting to become something that is front and center in consumers' lives in terms of they're going to start procuring - you know, consumers are going to start procuring directly cybersecurity services either because they want to or because they have to because of legislation, like, thinking about - you know, you look at something like a Tesla, which is, you know, effectively a smartphone on wheels. You know, it has to be safe to be - going back to the car analogy - has to be safe to be on the road. And as part of that safety, you know, it's constantly getting, you know, software updates. How do we know that that car is OK to be on the road from a cybersecurity perspective?
Daniel Prince: And that means that the individual who owns that car would also have to procure directly some services to help test that, especially as these facilities, these pieces of infrastructure become old, you know, and - you know, when, 10 years down the line, where - you know, when you've got a second-hand - or 20 years down the line, when you've got a second-hand Tesla, they may not be getting the software updates anymore. How do we know that that is a vehicle that should be permitted on the road? And the same can be said for smart homes that are built from the ground up to be smart or smart cities or other facilities. How do - you know, when you're buying a house, you have to have a structural survey to know that it's sound for - to get a mortgage.
Dave Bittner: From the university's point of view, is there a push to make sure that all the students are coming out with a well-rounded understanding of cybersecurity? I mean, I'm thinking of my own experience in college, and granted, this was, you know, a long time ago. But, you know, we took physics classes for non-majors, math classes for non-majors just as part of creating that well-rounded student. What is the conversation going on that, as you mentioned, you know - the students who are leaving university who may not be cybersecurity specialists but at least having that basic understanding to head out into the world?
Daniel Prince: Yeah. I mean, that is exactly the thing that we're working on at the moment. So how do we provide the appropriate level of education that a history grad or a law grad needs to have to be able to do their job given that their job is, you know, fundamentally different and digitally enabled from, you know, several years ago? And so sort of the approach that I'm taking in discussing with others is we're never going to be able to teach, you know, a history grad everything that they need to know about security. And even if we get into specifics, the next time they upgrade their phone, the security functionality will change, and so they'll have to learn it all over again.
Daniel Prince: And so the key thing that we want to be able to try and do with our students is to empower them to be able to ask some questions and then inspire them to try and go find the answers. So it's really important to be able to have a community of people going into the workplace who know the right starting point. And so often I wonder whether new grads going into job roles really have that understanding where to start with cybersecurity. And if we can manage that, that will see a big change in the way that students will go into the workplace and the way that the workplace will respond.
Dave Bittner: All right. Well, Daniel Prince, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.