The CyberWire Daily Podcast 3.18.22
Ep 1538 | 3.18.22

Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.


Dave Bittner: Hacktivism and other cyberattacks continue against Russian targets, but some may have gone too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Seay from MISI with sights on maritime port security. And Rear Admiral Mehoff, call your office.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, March 18, 2022. 

Dave Bittner: Anonymous has resumed, or continued, its campaign of defacement against Russian-networked closed-circuit cameras, rigging them to display such messages as "Putin is killing children," "352 Ukraine civilians dead," and "Slava Ukraini," Vice reports. 

Dave Bittner: Russian government websites have also come under attack. In an unusual announcement, Russia's Ministry of Digital Development and Communications said the attacks were unprecedented. They appear, from the account offered by the Washington Post, to be a mixture of distributed denial-of-service attacks and website defacements. A statement from the Ministry, apparently addressing the DDoS attacks, said, quote, "We are recording unprecedented attacks on the websites of government authorities. If their capacity at peak times reached 500 gigabytes earlier, it is now up to 1 terabyte - that is, two to three times more powerful than the most serious incidents of this type previously recorded," end quote. Among the website defacements was one affecting the Russian Emergency Situations Ministry website, whose content was changed. The Ministry's hotline number was replaced by a heading, "Come back from Ukraine alive," followed by a number Russian soldiers could call for assistance should they be interested in desertion. 

Dave Bittner: It's not always clear which actions are those of hacktivists and which are conducted by Ukrainian digital services. WIRED gives high marks to Kyiv's Ministry of Digital Transformation in what amounts to a mash note to a government agency run by tech-savvy freaks who've proven themselves to be a formidable war machine. The closeness of Ukraine's cyber operators to NATO hasn't escaped Russian notice, either. Moscow's ambassador to Estonia, where NATO's Cooperative Cyber Defence Center of Excellence is located, sees more evidence of Western plotting and blackmail, BleepingComputer reports. Ambassador Lipayev explained to TASS in an interview today, quote, "Our suspicions on this score have turned out to be correct. This first step will certainly entail others, pursuing the aim of converting Ukraine into a stronghold for political, economic, ideological and military blackmail of Russia," end quote. 

Dave Bittner: Cloud security firm Snyk has found malicious code in the npm open-source ecosystem that seems motivated by a hacktivist determination to strike Russia and its increasingly shy junior partner Belarus. 

Dave Bittner: Snyk explained quote, "On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package. This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain - the transitive dependencies in your code can have a huge impact on your security," end quote. 

Dave Bittner: Hacker News explains that node-ipc is a prominent node module used for local and remote inter-process communication with support for Linux, macOS, and Windows. It has over 1.1 million weekly downloads. 

Dave Bittner: An npm manager wrote and published an npm module that he described as follows - quote, "This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite," end quote. At the very least, Snyk says, this particular form of protest calls into question the trustworthiness of the maintainer, who goes by the hacker name RIAEvangelist, and his other contributions. 

Dave Bittner: Snyk concludes, quote, "Snyk stands with Ukraine, and we’ve proactively acted to support the Ukrainian people during the on-going crisis with donations and free service to developers world-wide, as well as taking action to cease business in Russia and Belarus. That said, intentional abuse such as this undermines the global open source community and requires us to flag impacted versions of node-ipc as security vulnerabilities," end quote. 

Dave Bittner: Google's Threat Analysis Group is investigating a financially motivated - that is, criminal - initial access broker its researchers are calling Exotic Lily. The group is working with the gang known variously as FIN12 and Wizard Spider, best known as proprietors of the Conti ransomware. Exotic Lily has exploited a vulnerability in Microsoft MSHTML. 

Dave Bittner: Security researchers with Cisco Talos describe a suggestive convergence between BlackCat malware and the BlackMatter DarkSide gang. BlackCat has pooh-poohed other attempts to link them to BlackMatter and its DarkSide ancestor, denying that it's just a rebranding of BlackMatter and insisting that it's a new team made up of alumni from other ransomware-as-a-service groups. But in one respect at least, Talos seems to have the goods on them. BlackMatter was an early adopter of BlackCat. The researchers write, quote, "BlackCat seems to be a case of vertical business expansion. In essence, it's a way to control the upstream supply chain by making a service that is key to their business - the ransomware-as-a-service operator - better suited for their needs and adding another source of revenue. Vertical expansion is also a common business strategy when there is a lack of trust in the supply chain. There are several cases of vulnerabilities in ransomware encryption and even of backdoors that can explain a lack of trust in ransomware as a service. One particular case mentioned by the BlackCat representative was a flaw in DarkSide BlackMatter ransomware allowing victims to decrypt their files without paying the ransom. Victims used this vulnerability for several months, resulting in big losses for affiliates," end quote. 

Dave Bittner: CISA and the FBI have advised satellite communications operators to take a number of steps to increase the security of their systems. For immediate action, they recommend that operators take the following steps today - use secure methods for authentication, enforce principle of least privilege, review trust relationships, implement encryption, ensure robust patching and system configuration audits, monitor logs for suspicious activity and ensure incident response, resilience and continuity of operations plans are in place. It's familiar advice but nonetheless valuable for having been offered before. Basic cyber hygiene is always a good idea. The alert doesn't explicitly mention the Russian threat to satellite systems, but, as SecurityWeek points out, it's likely that the warning was prompted by the ongoing investigation of probable interference with Viasat service in Ukraine and parts of Eastern Europe. It's significant that the agencies recommend reading the recent annual threat assessment of the U.S. intelligence community for what it has to say about state-sponsored threats to satellite systems. 

Dave Bittner: NIST has released SP 1800-10, "Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector." The document is noteworthy for communicating its advice by walking its audience through 11 attack scenarios that cover physical, network and software supply chain avenues of approach. 

Dave Bittner: And finally, the U.K.'s defense and home secretaries, Ben Wallace and Priti Patel respectively, separately entered Microsoft Teams meetings, which Mr. Wallace said had been properly set up, during which they believed initially that they were talking to Ukrainian Prime Minister Denys Shmyhal. The Telegraph reports that while the person he was speaking with looked like Mr. Shmyhal and was sitting in front of a Ukrainian flag, the defense secretary grew suspicious when the person who looked like Shmyhal began asking about British naval deployments and Ukrainian intentions. Presumably, the real Prime Minister Shmyhal wouldn't need the U.K. to tell him what his government's intentions were. Mr. Wallace ended the call after 8 minutes and has ordered an investigation. Ms. Patel's experience was similar. 

Dave Bittner: The Guardian's account of the incidents considers them hoaxes, leaving open the question of whether Russian services were behind them. But it's equally severe about the security measures that made it possible for an impostor to get through to members of the Cabinet. So a question - are phone pranks more or less credible when they arrive through business collaboration tools? If the calls were the work of Russian intelligence services, it represents something new. Who expected Moscow to call in and effectively identify themselves as I.P. Freely? One would expect more. A call like that might convince Moe Szyslak for a minute, but a Cabinet minister? 

Dave Bittner: Taking place next week in Fort Lauderdale, Fla., is the Maritime and Control System Cybersecurity Con - Hack the Port 22. The event is put on by MISI, the Maryland Innovation and Security Institute, and DreamPort in support of USCYBERCOM and its mission partners. The event highlights the importance of securing our maritime ports. Armando Seay is director of DreamPort. 

Armando Seay: In 2020 and 2021, there were two maritime strategies - one for the Coast Guard and then a national cyber policy for maritime. What we discovered in communications with folks at CISA, the Department of Homeland Security and Coast Guard - actually, the Pentagon, as well - it was not getting enough attention. If you look at the Iranian playbook, Cyber Command playbook that was released, it totally pointed out the fact that they were looking to do malicious cyberattacks at maritime ports to disable force projection of their adversaries, to disrupt supply chains. In the U.S. alone or the world, like, 90% of goods travel through some sort of maritime ports. I mean, they eventually make it onto rail systems and trucking systems, but then, you know, it's transported overseas, you know, through ships, and they get to various shores when we export goods. So you can disrupt the entire global and domestic economies regionally and nationally by, basically, attacking a port. There are some reports that are saying there's been a 500, you know, 400% increase in threats to maritime ports around the world. You can go all the way back to NotPetya - right? - and all that - right? - in Ukraine, which is in the news, obviously, very much today. And it all points to the impact of maritime ports as very critical to the U.S. economy and our global ability but also force projection. We deliver a lot of our military goods and supplies when we're - have to project force around the world via ports. You know, tanks and food and fuel and all of those things are done through maritime ports, in part. And maritime ports connect to rail systems and other surface transportation systems. So it's a very interconnected ecosystem. And if you look at any port, take a very close look - I'll give you an example - the port of Tampa in Florida. Seventy percent of Florida's fuel comes through that port. 
Whenever there's a hurricane in Florida and people wonder, why are we running out of gas, it's because all of those tanker ships have moved away from the coast of Florida. And all of those fuel trucks waiting to get refueled by those tanker ships don't have anything to wait for because the ships aren't coming in until the storm has passed. So things like Colonial Pipeline in the water plant attack in the Florida brought very, very keen attention to the fact that, whoa, wait a minute. Our ports transport fuel. We offload, you know, wastewater and other things, LNG gas. We aren't as prepared as we need to be for a cyberattack that could have the same or worse impact than a hurricane could. 

Dave Bittner: The Hack The Port Conference kicks off next week in Fort Lauderdale, Fla. The CyberWire is a media partner. I'll be attending in person and hosting a session. You can learn more at There's a lot more to this conversation, if you want to hear more, head on over to CyberWire Pro and sign up for Interviews Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC Stormcast" podcast. Johannes, it's always great to have you back. You know, I think the message has certainly got out there about backups. You know, ransomware has been top of mind for so many people that I suspect there are few who are out there who aren't doing regular backups. But there's a little more to it than that, as you wanted to point out today. 

Johannes Ullrich: Yeah. So backups are important. They're often sort of considered your last line of defense when it comes to a ransomware. But keep in mind, backup - it's complex. It's boring. So a lot of people don't really pay a lot of attention to it. So in addition to just the testing that your backups are working, keep an eye on your backup software because one trend that I've seen over the last year is that there are really a lot of vulnerabilities in backup software. And if you think about it, the vulnerability can be either in whatever central platform used to manage your backups. It may be in the agents that you need to deploy on systems in order to create these backups. All of these components have vulnerabilities. They usually run with elevated privileges because they need to have access to all of your files on the system. And I think it's a little bit that - not to have too much the "Star Trek" reference, but the undiscovered country of how attackers may get into your system. So in addition to attackers outright wiping out backups - we have seen that, of course, quite a few times - they may actually use your backup software as an entry point into your network. 

Dave Bittner: I mean, it's not just the management software. I mean, you should - checking up on the hardware, too, right? I mean, I'm thinking about, like, you know, Synology systems, things like that. 

Johannes Ullrich: Yeah, these network-accessible disk platform storage systems - Synology mentioned, QNAP - you know, they have a rich history of vulnerabilities themselves. They often have been already used as an entry point. Like, there was this SynoLocker. And lately - forgot what it was called - the QNAP was affected by some ransomware as software. So these platforms are part of it, part of the problem. And the software like, you know, recently, IBM's Spectrum Protect - they're usually used to update, like, containers, to back up containers. They had some critical vulnerabilities. Kaseya, Unitrends - they had, I think, back in December vulnerabilities. It's hardly a month goes by without one or two sort of really critical vulnerabilities in that kind of software. 

Dave Bittner: Yeah. I mean, I guess it's worth noting, putting that on your schedule. The care and maintenance of your backups includes checking to make sure that you can actually restore from them and - but also add to that list that they're up to date. 

Johannes Ullrich: And always remember once a month, delete a file and ask your sysadmins to recover it and see if it works. If you don't do that, it will not work once you actually need it. I ran myself this a few times, so... 

Dave Bittner: Yeah, no, I - yeah, count on it, right? 

Johannes Ullrich: Oh, and before you delete that file, make your own backup of it. 


Dave Bittner: Yeah. Yes, absolutely, absolutely. Right, right. Take it home. Store it under the steps in the attic or whatever. 

Johannes Ullrich: Print it out. 

Dave Bittner: Right. Yeah, yeah. 

Johannes Ullrich: (Laughter). 

Dave Bittner: All right. Johannes Ullrich, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday." My conversation is with Nathan Brubaker from Mandiant. We're discussing their research "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information." That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.