The CyberWire Daily Podcast 3.23.22
Ep 1541 | 3.23.22

British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.


Dave Bittner: The U.S. and the U.K. warn of impending Russian cyberattacks, and Russia responds with warnings against banditry, crime and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. Secureworks takes a look at the criminal ecosystem around Conti. And Josh Ray from Accenture talks about the cyber workforce.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 23, 2022.

Dave Bittner: U.S. President Biden's warning Monday that Russia was likely to engage in cyberattacks against the U.S. continues to draw attention. Deputy national security adviser Anne Neuberger clarified the president's statement. Quote, "as the president has said, the United States is not seeking confrontation with Russia. But he has also said that if Russia conducts destructive cyberattacks against critical infrastructure, we will be prepared to respond," end quote.

Dave Bittner: National Security Adviser Jake Sullivan discussed some of the implications such an attack might have for NATO's collective defense agreement. Quote, "we could see circumstances in which a collective response by the alliance to a cyberattack would be called by an ally. That is absolutely something we and other countries could bring capacities to bear to help a country both defend itself and respond to a particular cyberattack," end quote. The FBI reports seeing signs of battlespace preparation against U.S. energy providers, and the U.S. Cybersecurity and Infrastructure Security Agency continues to recommend that organizations take appropriate precautions.

Dave Bittner: The U.S. has emphasized the importance of taking basic steps to improve cyber defenses and organizational resilience. Federal News Network reports that CISA director Jen Easterly told a session with critical infrastructure operators and stakeholders yesterday, quote, "there is evolving intelligence that Russia may be exploring options for cyberattacks against the United States," end quote. Her comments came at the beginning of a three-hour session that CISA was quick to make public. That's not, as Easterly commented, exactly shocking news, but she emphasized the importance of taking appropriate precautions against such attacks.

Dave Bittner: In an apparent nod to the military proverb that those who defend everything defend nothing, she said that CISA was focusing on the lifeline sectors - that is, communications, transportation, energy, water and financial services. That last sector is of particular concern, Easterly said, because it seems a likely target for a Russian retaliation for the heavy sanctions most of the world has imposed on Moscow for its war of aggression against Ukraine.

Jen Easterly: We've been working very hard here at CISA to reach across sectors. But we're really focusing right now on what we call the lifeline sector - so specifically the communications sector, the transportation sector, the energy sector, the water sector and then, of course, the financial services sector - just given the concerns about potential retaliatory attacks for the very severe sanctions that the U.S. and our partners have imposed on Russia.

Dave Bittner: So the public U.S. response to the Russian cyberthreat is essentially expressed by CISA's Shields Up alert. The U.K.'s National Cyber Security Centre has seconded the White House warning. Quote, "in heightened periods of international tension, all organizations should be vigilant to cyber risks. And for several months, the NCSC has been advising organizations to bolster their cybersecurity. The NCSC has already published actionable guidance for organizations to reduce their risk of cyber compromises. While the NCSC are unaware of specific targeted threats to the U.K. resulting from Russia's illegal invasion of Ukraine, we recommend organizations follow this advice as a priority," end quote. That published guidance has much in common with CISA's Shields Up.

Dave Bittner: Reuters quotes Kremlin spokesperson Dmitry Peskov as saying, quote, "the Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry," end quote. His contention, of course, is both pro forma and absurd. Russian privateering and direct state cyberattacks have been notorious narratives in cyberspace for two decades.

Dave Bittner: Andrey Krutskikh, a diplomat with a background in arms control who presently serves as director of the Russian Foreign Ministry's Department of International Information Security, struck a more statesmanlike tone than did Mr. Peskov. In an interview with Newsweek, Mr. Krutskikh pointed out the way in which cyberspace had become an international commons and the importance of all sides working together to secure its beneficial use for all. He said, quote, "modern life is impossible without information and communications technologies. They determine our wellbeing, security and survival. Relying on them, we can become richer or lose all our savings. They are transboundary and almost almighty. Amidst this reality, the main task is not to frighten each other with digital means but to try to reach agreements before it's too late," end quote.

Dave Bittner: He said that cyberattacks were particularly likely to drive escalation of any conflict. Quote, "a cyberattack, be it accidental or intended, including one perpetrated under a false flag, can easily trigger escalation between states, leading to a full-scale confrontation. Ensuring international information security, therefore, becomes one of the key factors that directly influence strategic stability," end quote. Mr. Krutskikh pointed with open-eyed innocence at the ways in which cybercrime had contributed to international mistrust. Quote, "hacker groups tend to target their activities at big businesses, banks and financial institutions," end quote.

Dave Bittner: Elsewhere, Deputy Foreign Minister Sergei Ryabkov said Tuesday that Russo-American relations were at a breaking point. Quote, "Yesterday, a note of protest was handed over to the American ambassador, noting that what was happening has put relations on the verge of breaking off. They must stop issuing threats against Russia," end quote - the "they" he's referring to being the Americans.

Dave Bittner: CISA has a fish to fry outside of Shields Up, of course. The U.S. Cybersecurity and Infrastructure Security Agency yesterday issued two industrial control system security advisories, both for products from Delta Electronics.

Dave Bittner: Both Microsoft and Okta have confirmed that they were hit by the Lapsus$ gang. In Microsoft's case, Redmond said, our investigation has found a single account had been compromised, granting limited access. Some company code was exfiltrated, but no customer data or code were affected. Okta's case is more complicated. The company, which will hold a webinar later today to discuss details of the incident, said, quote, "The Okta service is fully operational and there are no corrective actions our customers need to take. After a thorough analysis of these claims, we have concluded that a small percentage of customers, approximately 2.5%, have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly," end quote.

Dave Bittner: Lapsus$ continues to claim, as The Record and other sources report, that the effect on Okta was much more serious than the company's public statements suggest. According to Forbes, some of Okta's customers feel the company has been slow to inform them of potential problems. One customer, Cloudflare, which uses Okta's identity management solution for internal employee accounts, offers advice to other customers about how to respond to the possibility of compromise.

Dave Bittner: And finally, Secureworks finds useful information in recent leaks involving Conti and its affiliates, which comprise a mature cybercrime ecosystem across multiple threat groups with frequent collaboration and support. It's the kind of criminal ecosystem that could easily be used for those destabilizing operations Russia's been warning against.

Dave Bittner: One of the side effects of the pandemic, combined with global and national political and economic situations, is an increase in a general sense of anxiety. I know I've felt it, and the term doomscrolling is related to it for sure. Researchers at F-Secure were curious about the phenomenon of digital anxiety, and they set out to gather facts and analyze the results. Tom Gaffney is principal consultant at the consumer division of F-Secure.

Tom Gaffney: Historically, it's really been looking at it from the angle of children. So there's obviously concerns from parents that kids have overexposure to digital devices, various social media and not engaging in a certain real-world (ph) - so lots of studies into that area. But because of the pandemic, we wanted to understand how that had affected the adults working from home instead of being in an office.

Dave Bittner: Well, let's go through some of the things that you found out here in the survey. What were some of the items that caught your eye?

Tom Gaffney: Well, the headline is that we found that across the board, people have concerns that they are more stressed or suffer more anxiety online. And the headline figure is 58% of all respondents found that that was the case. But when you talk about people who've shifted from working in a physical location, in an office somewhere, to working online, that rose up to 67%. That was probably the standout headline that we saw.

Dave Bittner: And do you have any sense as to what's driving this, why the shift to working from home is increasing their anxiety about online security and privacy?

Tom Gaffney: Well, we - for the answer to that, we turned to academics. So we worked in conjunction with some academics in the U.K. and elsewhere. And they helped us derive a few conclusions from this. Probably the main one is the expectation that people are worried because they are being thrust into more at-home working without a lot of training or preparation. So typically, if you work for a company, you've got a computer or a phone, and they've got an IT department that takes care of the security on that for you. But in the (unintelligible), people are taking their devices and - and they're responsible for managing that security in a home environment. And most of us don't necessarily have the skills to set up home devices and home networks that have got the same kind of security strength that you would have in a corporate environment.

Tom Gaffney: So that brings in itself the element (ph) of stress. People wonder what kind of things they should do. And at the same time, we think that - or we know, in fact, that there's an increasing overlap when you're working all the time from home between what you're doing for work and what you're doing in your personal life. And these factors together have increased the anxiety.

Dave Bittner: What can employers do to help put people at ease? What sort of things could they put in place?

Tom Gaffney: There's a lot of things that they can do. They can do training to give guidance to people on how to do - run the actual practical tools they need for their security tools. And it gives guidance on how to use their devices. So, for example, we recommend that we try and encourage separation between what you do in your work device, if you've got a work laptop or a work thing, and try and separate that from what you do for your own personal things, like your browsing, shopping and social media. Try not to mix doing that on different - on the same device because then that line between what you do for work and for your private life blurs even harder for people to separate. So we recommend highly that they have that kind of strength.

Tom Gaffney: And if companies want to go the extra mile, they can, as we've seen some companies gladly around the world. I'll use Volkswagen's example. They actually encourage - or they mandate that outside of working hours, they don't allow bosses to send messages to their staff. Now, this might not work for a small company, you know, up to ten employees, but for larger corporations, they can take a lead and sort of help employees have a separate boundary between what they do for work and what they do for private life.

Dave Bittner: That's Tom Gaffney from F-Secure.

Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead at Accenture Security. Josh, always great to welcome you back.

Josh Ray: Thank you, Dave.

Dave Bittner: I want to check in with you today on where things stand in terms of our cybersecurity workforce. You know, we seem to be sitting at this moment, I think particularly right now with the situation going on in Ukraine, this moment highlights the fact that there's a whole lot of people out there who've been working really hard, and it's been a while since they've had breaks. I suspect there are a lot of teams out there that are teetering on the edge of burnout.

Josh Ray: Oh, yeah. I think to say they're well into burnout is probably an understatement. You know, I was just thinking about, you know, the amount of just global activities that my team has had to be engaged in to support clients, right? And just going as few years back as, you know, WannaCry, NotPetya, the Soleimani strikes, SolarWinds, Colonial, Kaseya, Elysium, you know, Log4j, Ukraine - I mean, I could go on and on, but, you know, all of these things - right? - wrapped up, you know, under the umbrella of a global pandemic that, you know, these security practitioners are having to kind of deal with on a day-to-day basis, along with their regular jobs, on top of, you know, I'm sure multiple incidents that, you know, don't make it up into the news, you know, that's a massive amount of work that these folks are having to do. And they always have to be right. And it's a huge amount of pressure. So, you know, when we think about, like, how do we care and feed for that workforce, I mean, I think it's really a kind of a multi-pronged approach. And I don't think we've solved it by any stretch of the imagination. But we're taking a lot of different approaches to try to get it right.

Dave Bittner: Well, let's dig into that some. I mean, one thing that strikes me is, you know, having a deep enough bench that you can cycle folks in and out as people need breaks. But, you know, the flip side of that is we have a shortage of qualified people, right?

Josh Ray: Right. And, you know, demand for services is incredibly high, too, right? So I think - you know, so there's a couple things. I mean, growing talent is one that you have to take kind of a long-term approach on, right? So how do you start them young? How do you go into the high schools or even the middle schools and get kids excited about this idea of cybersecurity? And it's not so much that everybody needs to be - have a - you know, have a programming background, but more along the lines of how do you excite them about the mission? How do you get them excited about, you know, combating bad guys every day and really engender that investigative mindset within, you know, the middle school and high school ranks and then start to kind of focus and train them on specifics? You know, there's massive amounts of disciplines just within security operations and cyberdefense where we play but just across the whole security landscape.

Josh Ray: So I would say, you know, kind of starting those programs young and kind of engaging the youth to build that next generation, and then I think, you know, we got to be more creative about how do we attract talent? Like, you know, the computer science, you know, degree is great. But we've had a lot of success recruiting from a variety of different types of backgrounds, you know, whether that be some type of, you know, history majors or religion majors or folks that have more of, you know, a soft sciences background. You're going to get a variety of different points of view. And I think it takes all kinds of, you know, diverse thought to really, you know, help be successful within this mission space.

Dave Bittner: What about specifically, you know, burnout, taking care of the people that you already have? How do you - you know, you can only hand out so many bonuses, right?

Josh Ray: Right. Yeah. And, I mean, you know, anybody can go at this point in the industry and go make more money. Like, that's just a - it's just a known fact. But it's really about how do you engender that sense of belonging and culture and mission? That's something that we spend a lot of time on. And quite frankly, I think, you know, the pandemic has had - you know, really dealt that a blow because this is a community of people that really likes to be around one another. And I'm not saying they have to, you know, work at an office 9 to 5 every single day. But they need to be able to get together. They need that human interaction to really share ideas and just talk about what they do many times in their free time as well. So we - I think we've got to get back to, you know, in the safest way possible, being able to work together and collaborate together, going back to conferences and kind of rebuild the culture of the security community. So that's one.

Josh Ray: And then secondly, the idea of recognition - right? - making sure that they're recognized for the work that they're doing, I think, whether that's, you know, through different programs that HR can help you stand up. But just as leaders, you know, making sure that we take time to reach out personally and say, hey, thanks, you know, you guys are doing a great job. And that goes a long way. And it makes people feel - you know, feel valued. But I think most of all is folks want to feel that sense of belonging. They want to serve something that's bigger than themselves. And I think that's why, you know, people get attracted to this particular mission.

Dave Bittner: Yeah. All right. Well, Josh Ray, thanks for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire Team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.