Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.
Dave Bittner: Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cybercriminals look for letters of marque from both sides. Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS takes down Israeli sites. China claims to have captured NSA hacking tools. Our guest is Ben Brook, CEO of Transcend, with a look at data privacy and recent trends in cybercrime.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 15, 2022.
Dave Bittner: The operations map maintained for the public by the British Ministry of Defense shows more Russian airstrikes but continued sluggish progress of ground forces. There are reports that in some areas, notably around Kyiv, Russian forces have halted their advance and turned to constructing field fortifications. That is, they're now digging in and not moving forward for the time being, at least.
Dave Bittner: ESET researchers have found a new wiper they're calling CaddyWiper, the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine. ESET tweeted, quote, "this new malware erases user data and partition information from attached drives. ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations," end quote. First observed yesterday morning, the malware seems to have been compiled the same day it was deployed. CaddyWiper has little in common with its two predecessors. As ESET put it, "CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed," end quote.
Dave Bittner: It did share one tactic with HermeticWiper - deployment via group policy object, which suggests to ESET that the attackers had prior control of the target's network beforehand. The wiper's operators are apparently interested in maintaining persistence in the target's networks. Quote, "interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations," end quote. The Verge reports that the effect of the attack seems so far to have been small. One organization appears to have been affected, but the consequences of that attack and the organization's identity remain publicly unknown.
Dave Bittner: Researchers at Aqua Security review the techniques, many involving commodity malware and cloud-native services, being used in the cyber phases of Russia's hybrid war against Ukraine. Help Net Security reports that financially motivated - that is, criminal - cyber groups are choosing sides in Russia's war against Ukraine. In a rough and ready way, the criminals have tended to side with Russia, for whom many of them have historically served as privateers, and the hacktivists like Anonymous have tended to side with Ukraine. But this may be changing, as some Russophone gangs are expressing a willingness to hack Russian targets if there's a good prospect of making it pay. There also appear to be personal and ideological rifts in the underworld that are leading some gangs toward one side rather than the other.
Dave Bittner: So privateering is converging with hacktivism. Accenture reports that this is something new. Quote, "for the first time in the more than 10 years that Accenture's cyber threat intelligence team has been tracking dark web activity, we're seeing previously coexisting financially motivated threat actors divided along ideological factions. Those actors, who previously acted opportunistically with financial motivations and a global outlook, are now following a highly targeted attack pattern. Pro-Ukrainian actors are refusing to sell, buy or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities in support of Ukraine. However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting enemies of Russia, especially Western entities due to their claims of Western warmongering. This change in targeting and motivation has had several far-reaching consequences for underground actors and the threat they pose," end quote.
Dave Bittner: Politico describes how Ukrainian cybersecurity firms have pivoted from defense to offense, deploying their capabilities against Russian targets. The account takes Hacken as representative of the trend and describes the challenges of adjusting to the different set of norms that prevail in wartime.
Dave Bittner: Cyber units of Ukraine's intelligence services are said to have successfully infiltrated the Kalashnikov Concern, a major Russian defense company. Quote, "over three terabytes of data has been downloaded for analysis, which included everything from technical specifications of their civilian and military weapons to all of their financial data, including offshore shell companies, bank accounts and customers both illicit and illicit," end quote. That's reporting from Inside Cyber Warfare, who add that the technical details of weapons have been shared with Western intelligence agencies.
Dave Bittner: Bloomberg reports that the Russian state-directed television news show "Vremya" broadcast by First Channel was briefly disrupted by a young woman, subsequently identified as Marina Ovsyannikova, an editor with the station who walked behind a newsreader holding a sign that said, in English, no war, followed by the message in Russian, stop the war. Don't believe propaganda. They're lying to you. She spoke a few sentences, including, stop the war. The newsreader spoke louder in an attempt to drown our Ms. Ovsyannikova, and then the program cut quickly to a generic scene of a hospital. The New York Times has video of the protest.
Dave Bittner: First Channel told TASS, quote, "An incident took place with an extraneous woman in shot. An internal check is being carried out," end quote. The gesture of dissent was brief but remarkable. Ms. Ovsyannikova was taken into custody by police and will probably be charged with an administrative violation for discrediting Russia's armed forces. A Meduza editor tweeted a link to a video Ms. Ovsyannikova posted shortly before her protest. The Telegraph's translation of her remarks run as follows - quote, "Unfortunately, in recent years, I worked on Channel One making Kremlin propaganda, and I am now very ashamed of this. I'm ashamed that I allowed lies to be spoken from the TV screen. I'm ashamed I allowed Russian people to be zombified. We were silent in 2014 when this was all just beginning. We didn't go to protests when the Kremlin poisoned Navalny. We just silently observed this anti-human regime, and now the whole world has turned away from us," end quote.
Dave Bittner: The Israeli National Cyber Directorate has confirmed that Israel sustained a distributed denial-of-service attack yesterday, CyberScoop reports. The attack briefly knocked some government sites offline. While most service was quickly restored, some overseas sites remained unavailable into this morning. Netblocks traced the outages to two leading Israeli telcos, Bezeq and Cellcom. Haaretz says that a defense establishment source told the paper that it was the largest such attack the company has experienced and that it was believed to be the work of an unnamed nation-state. That state is widely thought to be Iran, but the Israeli government has offered no specific attribution.
Dave Bittner: Chinese security services claim to have captured an NSA hacking tool, but The Register points out that there's less here than meets the eye. The tool in question, Nopen, is old news, having been leaked by the ShadowBrokers back in 2016.
Dave Bittner: Intel471 describes recent trends in ransomware attacks. Looking at the fourth quarter of 2021, they found that the most common strains of ransomware were, in descending order, LockBit 2.0, Conti, PYSA and Hive. The sectors most often affected were consumer and industrial products, manufacturing, professional services and consulting, real estate, life sciences and health care, technology, media and telecommunications, energy, resources, agriculture, public sector, financial services and nonprofit. Cequence Security finds that cybercriminals are increasingly using APIs as attack vectors. The researchers see three trends in this area - more variety in payment fraud, more sophisticated shopping bots and more cunning account takeover attempts.
Dave Bittner: And finally, Elon Musk has challenged President Putin to single combat. Quote, "I hereby challenge Vladimir Putin to single combat. Stakes are Ukraine," end quote. He emphasized his challenge in a subsequent tweet - do you agree to this challenge? Mr. Musk even flashed some Cyrillic characters and some Russian phrases in the tweets. Cyrillic and Russian in the originals. But how will Mr. Putin get the message? Sure, these Cyrillic characters are probably helpful, but we hear Twitter's blocked where Vladimir Vladimirovitch lives. Poor guy. But if he takes Mr. Musk up on that virtual glove across the face, he's a wilder and crazier guy than we would have thought - a real Cyrillic character.
Dave Bittner: Data privacy firm Transcend recently surveyed decision-makers in fintech, e-commerce and B2C sales organizations to gain insights on their concerns over privacy regulations and compliance. Ben Brook is CEO of Transcend.
Ben Brook: Very few of those polled felt very confident in their organization's current ability to comply, this full range of privacy laws that are already in effect around the world. And in fact, only 1 in 5 of those surveyed said that they're confident that their company is compliant with global laws. And similarly, 89% of them were at least slightly concerned about their ability to keep up with new laws that end up being enacted over the next year or two. So as we see new laws come into effect in Colorado and Virginia and China and India, the layers of complexity that are going in for compliance, they're really compounding. And so it's driving a lot of concern within these organizations today.
Dave Bittner: Yeah, one of the things that struck me as I was reading through the information that you shared was that it seems as though a lot of organizations are a bit frustrated with the situation here in the U.S., that there are so many data privacy laws and it's hard to keep up.
Ben Brook: Yeah, absolutely. And what we're seeing is, within the states there's a fragmentation occurring of privacy laws where each state is passing its own privacy law that looks a little bit different from the other ones. And that means a lot more complexity in terms of how one can regulate the way they use data, where it actually comes down to the geography of the end user in question. There's certainly some frustration across orgs where it's just plain difficult to keep up when there's just so many interwoven requirements.
Dave Bittner: What about all of this falling on the chief information officer or the CISO? Is there any sense that we're heading towards a time when it should be standard for organizations to have a chief privacy officer?
Ben Brook: I think absolutely. I think it's something we're already seeing as the rise of the chief privacy officer. We've actually already seen that 25% of the organizations surveyed had a chief privacy officer in place. And that's a number that's effectively grown from zero over the past four years. And so we're definitely seeing that stakeholder rise into organizations, but it also does not necessarily completely take privacy off of the CISO's plane.
Dave Bittner: So based on the information you've gathered here, what are your recommendations for organizations moving ahead here? I mean, how should they plan to operate in this new reality or where, you know, privacy is going to have increased focus on it?
Ben Brook: Pretty much boil it down to two things. The first is having just the framework to be ready to basically ingest new laws that will come every year for the next decade. So basically accepting and then planning for the fact that there will be compounding complexity on the front of actually using data and actually having rules around each use case for data so that they'll continue to compound over the next decade, I think. The next is to actually start investing in infrastructure that is specifically built for privacy. So there's a rise in tooling, essentially focused on personal data specifically that helps businesses comply with these privacy laws.
Ben Brook: So for example, as I mentioned at the top of the priority list was the need to automate these workflows for responding to privacy requests, that's a very unique infrastructure that didn't exist, you know, five years ago, where it's specially tailored to actually delete a given individual across your data stack. So there's a really growing need to invest in the infrastructure that actually treats personal data as something as a special class of data that has to be governed and developing those capabilities to actually go in and execute on any given individual. Those companies - Transcend, my company, is one of them - that are specifically tailored for personal data and generally called data privacy infrastructure.
Dave Bittner: That's Ben Brook from Transcend.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, and also my co-host on the Caveat podcast. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: Interesting article caught my eye - this is from Kim Zetter writing over on Politico - really highlighting what we have and have not seen when it comes to cyber capabilities in this ongoing war in Russia and Ukraine. What's going on here, Ben?
Ben Yelin: Yeah. So maybe I'm out of line here, but I almost found this article somewhat reassuring. So we know that our intelligence agencies - the CIA and NSA - have spent decades now spying on Russia's computer networks. They are collecting intelligence - both, you know, for the purposes of figuring out what Vladimir Putin's going to do, as they did prior to this war in Ukraine...
Dave Bittner: Right.
Ben Yelin: ...But also for the potential to order destructive cyberattacks on Putin's regime. I think we've always imagined that we would use this as a defensive weapon, that if we were attacked with some type of kinetic or cyber incident, that we would want to have the capabilities to respond in kind. But what this article gets at is both sides - the United States and Russia - are treading very slowly in this potential cyber conflict. And I think the reason they are treading slowly is the same reason we didn't have widespread nuclear armageddon during the Cold War, and that's mutually assured destruction.
Ben Yelin: We don't know exactly what Russia's capabilities are, but if we went in and, you know, for the purposes of responding to Russian aggression in Ukraine, damaged the critical infrastructure in Moscow - we shut off the lights, we damage the sewer system, water treatment plants, et cetera - there's a very real fear that they not only would retaliate against us, which would escalate the conflict, and that certainly could be very difficult for our own citizens having power cut off in a major American city or attacks on other parts of our critical infrastructure. But it could escalate from there. You know, the cyber warfare could lead to kinetic warfare, which could eventually lead where a place where none of us want to be, which is full-on war between two nuclear powers.
Dave Bittner: Right.
Ben Yelin: So I just thought it was interesting and encouraging that both sides are treading lightly. Government hackers have been working for the past couple of decades to develop these capabilities. I just think there's a reluctance to use them knowing that Russia potentially has the capability to retaliate.
Dave Bittner: I find it fascinating that we look at this and, in retrospect, it makes absolute sense. But this is not the way that people were thinking going into this conflict. What do you make of that?
Ben Yelin: Right. I think people were expecting that Russia would have already used offensive cyber operations in Ukraine to help their war effort - so shutting down Ukrainian power grids. A point that you made on the "Caveat" podcast when we discussed this is they really haven't done that, really, because they think it would be detrimental to their own war effort. They have to use the same cellular networks that are already deployed in Ukraine for their offensive military operations.
Dave Bittner: Right.
Ben Yelin: So I think we haven't seen that yet as part of this conflict. I think the conflict has been - I don't want to say traditional but has kind of been more of a 20th century type of warfare. They, with their military through air and ground support, invaded a sovereign foreign country, and we responded with economic sanctions. I think that's the safest place for all of us to be right now, given that this could potentially turn into a large global conflict. I think people imagined that we would - if they destroyed Ukrainian power grids or nuclear facilities or something or any other attack on critical infrastructure, I think people were anticipating that we might use our cyber capabilities to do the same in Russia. But I think there is a real reluctance to do that because of this fear of escalation.
Ben Yelin: Breaking into their country's core systems is something we frankly have been able to do. It's kind of a power that we can't use lightly because if our calculus is wrong and we use this as an offensive weapon, as we say in the 2000s, we don't want the smoking gun to be a mushroom cloud.
Dave Bittner: Yeah. To what degree is this situation establishing norms in cyber conflict? Is - because this is all new. A hybrid war like this is still relatively new. So to what degree, if any, is this establishing future rules of the road?
Ben Yelin: I think it's really unclear. It's a unique situation when we're dealing with Russia as opposed to some of our other adversaries, whether they are nation-states or terrorist groups. For one, they've lost a lot of their economic power as a result of this war, but they're still a nuclear-armed country. And we also have reason to believe that they have enhanced cyber capabilities. We've seen them perpetuate cyberattacks before. Certainly their involvement in the 2016 election, GRU, indicates that those capabilities are there.
Ben Yelin: So we know that they could respond in kind. I'm not sure that that would be the case in other cyber conflicts across the world, so I don't think this is setting any broad ground rules for cyber warfare, right? I think the fact that it is Russia is significant for the reasons that I mentioned. So I think it might not be precedent-setting, but I think it's just an interesting outgrowth of the conflict that we're seeing now.
Dave Bittner: Yeah. All right. Well, that article is over on Politico. It's written by Kim Zetter. It's titled "Not the Time to Go Poking Around: How Former U.S. Hackers View Dealing with Russia." Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.