Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.
Dave Bittner: Fears of Russian escalation as Ukraine's counteroffensive sees success. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And friends, friends, friends, your wild ways will break your dear mother's heart.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 25, 2022.
Dave Bittner: The U.S. Justice Department has unsealed two indictments of four Russian nationals, all employed by the Russian government, in connection with cyberattacks against energy sector targets. The first indictment involves the ultimately unsuccessful 2017 Triton/Trisis attack against safety systems in a petrochemical plant. The second involves the Dragonfly campaigns between 2012 and 2017. These sought to compromise and maintain persistence within industrial control systems used in the energy sector.
Dave Bittner: The unsealed indictments are being widely taken as showing the sort of active threat Russian operators pose to critical infrastructure. CISA director Jen Easterly clapped at the Justice Department over Twitter. She said, good to see the Justice Department indictments on Russian state-sponsored cyber actors. Along with our FBI and DOE teammates, we're releasing a cybersecurity advisory with information and actions to defend against related threats to the energy sector. An unnamed Justice Department official told the Guardian these charges show the dark art of the possible when it comes to critical infrastructure.
Dave Bittner: The Washington Post reported this morning that U.S. intelligence analysts have now attributed the attack against Viasat services to Russia's GRU, the country's military intelligence service. The U.S. government has yet to make a public announcement of the determination. Ukraine has for some time claimed that Russia was behind the cyberattack, which Ukraine's military intelligence services viewed as Russian battlespace preparation. The Post writes, asked this week whether Ukraine knew who was behind the attack, Victor Zhora, deputy head of the State Service of Special Communications and Information Protection, Ukraine's main cybersecurity agency, said, we don't need to attribute it, since we have obvious evidence that it was organized by Russian hackers to disrupt the connection between customers that use this satellite system. He added, of course they were targeting the potential of the Ukrainian military forces first as this happened just before the invasion.
Dave Bittner: California-based Viasat, which hasn't offered any attribution of the incident, told Air Force magazine how it was accomplished. The ground management network that manages the KA-SAT network and manages other Eutelsat networks - that network was penetrated. And from there, the hackers were able to launch an attack against the terminals using the normal function of the management plane of the network. The company said the damage was limited. Only users who inherited their service from Eutelsat were affected. Viasat said even on that network, none of our mobility and none of our government customers were affected. The controls we have around those users kept them safe.
Dave Bittner: Russia's ability and, up to a point, will to conduct cyberattacks against its adversaries in the hybrid war against Ukraine is not in doubt. But at this stage of the conflict, Ukraine itself remains largely online, and the wiper and distributed denial-of-service attacks it has sustained since the run-up to Russia's invasion haven't seriously impeded access to the internet. The Record's coverage suggests that this is largely due to the resilience of Ukrainian infrastructure and the hard work of the country's telecommunications sector. But Russia does seem to have pulled its punches. An essay in WeLiveSecurity, while cautioning that a major cyberattack certainly can't be ruled out, considers the possibility that Russia's apparent restraint may have been induced by effective deterrence. That would be both deterrence by denial and deterrence by promised retaliation.
Dave Bittner: Yesterday, CISA and the FBI released an alert titled Tactics, Techniques and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector. It provided background on the Russian cyberattacks addressed in the two indictments the U.S. Department of Justice unsealed Thursday. The advice the alert offers on hardening an organization against similar attacks is comparable to the advice the agencies have been circulating since CISA told everyone to go to Shields Up - familiar, but nonetheless sound sets of best practices for both enterprise and industrial control systems.
Dave Bittner: Russia's Foreign Ministry, whose Twitter feed has been marked by defiance, self-pity and implausible insistence, yesterday shared its take on Russian progress in Ukraine. Exactly one month since the start of the special military operation in Ukraine, it is going according to plan, and all the stated goals will be achieved. Life is returning to normal in the territories already liberated from nationalists. No one else sees it quite this way.
Dave Bittner: North Korean threat actors have been exploiting two remote code execution vulnerabilities in Chrome, Google reports. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. The former has been largely interested in journalists. The latter has mostly busied itself with operations against cryptocurrency users and the financial services sector more generally.
Dave Bittner: Chinese intelligence services, who have increased their collection activity as the crisis of Russia's war against Ukraine intensifies, have combined a new remote access Trojan with complex, evasive techniques intended to impede detection. The group researchers are observing is the one generally known as Mustang Panda.
Dave Bittner: And finally, the mystery of who Lapsus$ is and what it's up to may have been solved. The BBC reports that City of London police have arrested at least seven teenagers in connection with the gang's activities. They told the BBC seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing. So Lapsus$ seems to have been a crew of script kiddies. For all that, their activities were damaging and disruptive. Lapsus$ was in it for the lols, the cash and the cachet.
Dave Bittner: Because those arrested are minors, none of their names have been released. The apparent leader, who goes by the hacker name White and Breachbase, is said to be a 16-year-old boy in Oxford. The BBC talked with the kid's father, who said, I had never heard about any of this until recently. He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games. The father added they're going to try to stop him from going on computers. Good luck with that, Dad. If you figure out how to keep him offline, let us know. We could all use that parenting tip.
Dave Bittner: The cybersecurity industry needs more qualified workers, and it needs them now. Demand is high, and that's leading some candidates to forgo a four-year degree and instead opt for a coding boot camp, hands-on, vocational-style training designed to get students up to speed and ready for employment ASAP. Liliana Monge is co-founder and CEO of Sabio Coding Bootcamp.
Liliana Monge: When we first began, we thought maybe we would work with high school students that decided not to go to college. However, because this is vocational training and the expectation is that when you're done, you will go get a job, we have actually found that people who are about 22 to 29 are the most likely to want to enroll in the program. We, of course, will happily enroll anyone. We actually had a gentleman who had retired from the State Department at age 65. He came to the program, and he's now a software engineer in Irvine. However, most people who are in their early 20s are most drawn to the program.
Dave Bittner: So someone who completes the types of programs that you all offer here, what are their expectations in terms of entering the job market? What - to what degree are they prepared for the jobs that are out there?
Liliana Monge: Yeah. So we have found that most of the people who graduate from our program are ready to join a team because they will, you know, obviously have a certain amount of experience. And so they're going to need assistance and support inside of an organization. So typically, if it's a smaller business, maybe there's already a senior engineer architect on the team, and they need someone to support them with maybe some front-end work or some SQL work.
Liliana Monge: If you have larger organizations like Microsoft, they themselves have an onboarding process that takes four months for people who are graduating from coding bootcamps, and so they themselves will bring you in. They will give you additional curriculum for four weeks just so that they can, once again, give you additional context for how they do things at Microsoft. And then they will put you with a team for an additional three months. And then, depending on how you perform, Microsoft can hire you as a full-time software engineer.
Liliana Monge: So it really depends on the type of organization that our grads are interested in joining. There are different types of opportunities. It's rare that one of our grads will go and be like, the first technical team member in an organization's org chart. That typically is not what we see just because our fellows are going to have less than six months of experience.
Dave Bittner: So in terms of, you know, comparing this to someone who might have their sights set on, let's say, a four-year degree, how does this compare to that?
Liliana Monge: Yeah. So as I started in the beginning, you know, we like to make sure that people understand that this is vocational training. It's something that is going to give you sufficient skills so that you can join a team and add value. And so there has to be some infrastructure already there. My understanding of computer science grads is that, you know, they're going to come out with a lot more theoretical understanding of how those systems were designed and why they were designed a certain way.
Liliana Monge: So, you know, software development takes a lot of its words and, you know, the way they structure it from the world of construction. And so a lot of us are familiar with the concept of what an architect will do, right? They design the blueprints, but they're not the ones out there swinging the hammer and actually building your house. And so in software engineering, it's very similar. You may have someone who has a lot more experience or someone who's secured a computer science degree, who may architect a system, who may design a new system altogether from the ground up.
Liliana Monge: Coding bootcamps are designed to give you vocational skills that will get you into the job market rather quickly. So it doesn't have to be binary in terms of an engineering team. You can have different types of professionals. Just like when you go to a hospital, you know, you meet with a doctor and they've had a certain type of education. But then you also meet with nurses, with registered nurses and different types of professionals. So the same thing works in the tech ecosystem.
Dave Bittner: I would imagine, too, this provides a lot of folks with an opportunity to get a foothold in the industry without loading themselves up with a lot of debt.
Liliana Monge: Yes. So the time - the opportunity cost is much lower when you attend a coding boot camp. The price to participate in the Sabio Coding Bootcamp is $15,000, and that's pretty standard across the United States, in that range of 15,000. And you're correct. I mean, my understanding is that if you want to do a computer science undergraduate degree, it's going to be somewhere between 100 to 200,000, depending on where you're going to go. So there are very significant differences in opportunity cost. You know, our program can be done in four months. A computer science degree can take you four years. And it's really just about, you know, someone's personal preference, where they are in their life that, you know, you have to assess, which solution is best for me?
Dave Bittner: That's Liliana Monge from Sabio Coding Bootcamp. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And I'm pleased to be joined once again by David Dufour. He is the vice president of engineering and cybersecurity at OpenText. David, always great to have you back on the show. As we are well on our way into 2022 here, it seems as though ransomware continues unabated. And I have to say, one of the things that strikes me is the ongoing professionalization of the organizations who are up to this. I know this is something you've had your eye on as well.
David Dufour: Absolutely. And you know, you and I have touched on this topic many times, David, where these gangs have become more and more professional. You know, several years back, you and I were seeing proper quality control in the actual ransomware itself because some strains of ransomware weren't decrypting properly. And those strains would die off because no one would pay the ransom. And the code itself just kept getting better and better. And now, as with - a lot of times, we see in the threat landscape - they've really institutionalized this, have well-defined processes and are doing a really good job at executing.
Dave Bittner: It's interesting to me, in addition to that, that we see different groups sort of specializing in different things that you can - you know, if I'm someone looking to put together a ransomware offering, dare I say, yeah, I can get a little from column A, a little from column B, depending on who I want to hit and, you know, how much I want to charge and how much help I think I need.
David Dufour: That's exactly right. And, you know, we've seen time and again where a new solid strain of ransomware will come out. The creator of that ransomware will go out and look for folks to deploy that on devices for them. Then they'll see who's the most successful at that deployment. And then they will shut the whole thing down, tighten up the code base, modify it a little bit, go with the top-tier folks at getting that stuff distributed, and then they will hit the world hard and fast. And we see that time and again.
David Dufour: And I hate to say, it's kind of like if you imagine in the movies, the mobster movies, where they are all sitting around a table talking about, I'm going to take the south side; and you're going to take the north side. I mean, literally, they're not sitting around a table because it's COVID. And obviously they're staying at home and, you know, quarantining properly. But no, seriously, they're sitting around and really communicating how they're going to divide this up, who's the best at what component of this, and then they execute with the best of the best.
Dave Bittner: We've seen a little bit of disruption here. Do you think we're going to see more of that this year?
David Dufour: So we have seen pretty solid disruption. We will continue to see that. But like we all know, it's a moving target. And once we disrupt somewhere, knock some things offline, some folks will come up with something and, you know, what's next? Now, does that mean we should not be executing on this and should we not be trying to protect? We obviously should. I mean, we used to see types of threats 15, 20 years ago that we don't see anymore. And so we'll get past this. But for now we've just got to kind of whack-a-mole and get it solved as we can until we come with a more holistic solution on how to resolve it.
Dave Bittner: Is your sense that, you know, the low-hanging fruit for the ransomware operators isn't so low anymore, that, in general, there's better awareness around that - you know, the - we talk about digital hygiene - that the general level of that has improved in a measurable sort of way?
David Dufour: I mean, in a jaded - I'm going to say no. I mean, these folks every year are making more and more and more money. And so to your specific point, they started out attacking individuals, consumers, small businesses and then - you know, just to see how things worked. And now - that - we've kind of protected that level. But what they've done is up-level it and take that exploit path, where they find exploits with larger organizations. And they've gotten just more sophisticated. So I would say, we get better at each level as they attack that level. We're not getting in front of it.
Dave Bittner: All right. Well, David Dufour, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Symantec's Dick O'Brien. We're discussing the Shuckworm cyberespionage campaign against Ukraine. That's Research Saturday. Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.