Epistemic closure in a hybrid war. Wiper used against Viasat modems. US Treasury sanctions more Russian actors. Remediating Spring4Shell. Notes from law enforcement. And we're not joking.
Dave Bittner: Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4Shell. Warnings of ransomware threats to local governments. Emergency data requests are under senatorial scrutiny. An NSA employee's been charged with mishandling classified information. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. And Rick Howard speaks with Maretta Morovitz on cyber deception.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 1, 2022.
Dave Bittner: A meeting this week of the United Nations Open-Ended Working Group for security and the use of information and communications technologies - a body established some time ago at the instigation of Russia - continued its deliberation concerning international norms of conduct in cyberspace. Bloomberg says the sessions were dominated by sharp Western criticism of Russian cyberaggression and misconduct and Russian rejoinders to the effect that it and nobody else is really the injured party in cyberspace. Vladimir Shin, the Russian representative, said that accusations of Russian cyber offenses were completely unfounded and, channeling the spirit of Richard Milhous Nixon, that Mr. Shin was confident he spoke for the silent majority.
Dave Bittner: This technique of unlikely insistence was also seen earlier this week in a statement issued by Russia's Ministry of Foreign Affairs. Remarkable for mendacity, even by the low standards of Russian diplomacy, it's worth reading in full as a distillation of Moscow's talking points about its hybrid war, so do go and read the whole thing. But to summarize, according to Russia, the foreigners who oppose the fundamentally defensive special military operation, whose goal is the demilitarization and denazification of Russia's smaller neighbor, those foreigners, the ministry says, are a bunch of Russophobes incited and hired by the United States and its satellites. They're carrying out hundreds of thousands of malicious attacks daily against Russia. The foreigners are stealing Russians' personal data, and worse yet, they are posting fake news online to disorient and demoralize Russian society, discredit the actions of the Russian Armed Forces and government agencies, encourage unlawful activities of the public, and complicate the operation of their industrial sectors and sow fear and instability in their country. It's all coordinated and unprecedented by the U.S. and NATO. In fact, this cyberwar is being waged by an army of cyber mercenaries who have been given concrete combat tasks that often border on terrorism. Naturally, the Russians are fighting back - with great success, they say - and they're going to take all this up at the U.N. So there.
Dave Bittner: The widespread and damaging Russian cybercampaign against Ukraine and Western targets that's been widely expected has yet to appear, although Russian operators have maintained at least a continuous nuisance level of attacks against Ukrainian networks. But Western authorities continue to warn that such attacks are likely and that organizations should be prepared to withstand them. CISA's Shields Up alert is representative. The Register, talking to private sector experts, notes that Russian cyberattacks have increased over the past month, and that industry sees itself as having a narrow window in which it can improve its resilience to such attacks. ExtraHop CEO Patrick Dennis told the Register that he expects the rising effects of sanctions to increase the likelihood that Russia will retaliate in cyberspace against economic warfare it's unable to counter in other ways.
Dave Bittner: SentinelLabs researchers have concluded that Russian wiper malware, specifically a variant they call AcidRain, was deployed against Viasat modems, and Viasat has substantially confirmed SentinelLabs' analysis. The researchers explain, "AcidRain is an ELF MIPS malware designed to wipe modems and routers. We assess with medium confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government." AcidRain is the seventh wiper deployed against Ukraine since the beginning of the hybrid war. The Viasat attack is noteworthy because it alone had significant spillover into operations outside Ukraine proper. It's regarded as the most serious cyberattack of Russia's war so far, and the most likely suspect is the GRU's Sandworm APT.
Dave Bittner: Spring has released a patch for the Spring4Shell remote code execution vulnerability in its framework. Cyber Security Works has published a detection script that enables an organization to determine its exposure to this particular vulnerability.
Dave Bittner: The FBI has warned - and CISA seconded the warning - that ransomware operators pose a rising threat to local governments. The bureau's advice is familiar - apply sound security practices and don't pay the ransom.
Dave Bittner: Revelations that Apple and Meta responded to fake emergency data requests have led Senator Ron Wyden, Democrat from Oregon, to begin an investigation of the emergency data request system as such. Law enforcement surely needs ways of getting data in an emergency, but there should be, the senator suggests, some checks and balances that will enable companies to distinguish real requests from subpoena fraud.
Dave Bittner: The U.S. Attorney for the District of Maryland has announced the indictment of an NSA employee, Mark Robert Unkenholz, with 13 counts of unlawful retention of classified material and 13 counts of unlawful transmission of classified material. He's alleged to have used his personal email account to send classified information to someone who worked at different times for two unnamed companies. Mr. Unkenholz, who was arraigned yesterday in Baltimore, is said by the Military Times to have worked for an office responsible for engaging private industry. Sure, you want to reach out to private industry, but not with classified information they're not authorized to receive, and especially not when you store that information and send it through your personal email account.
Dave Bittner: It is April Fools' Day, which, by our measure, is the perfect day for our own Rick Howard to talk with Maretta Morovitz on the Engage framework for cyber deception. Here's Rick.
Rick Howard: I'm joined by Maretta Morovitz, the Engage lead at MITRE. Maretta, thanks for coming on the show.
Maretta Morovitz: Thanks so much for having me. I'm really excited to be here.
Rick Howard: You've been working for MITRE for over six years now and - as a cybersecurity engineer. But now you're running this relatively new MITRE project called Engage. Can you give me the elevator pitch for what Engage is?
Maretta Morovitz: Sure. So Engage is MITRE's collection of resources to lower the barrier of entry and raise the ceiling of expertise in adversary engagement.
Rick Howard: That's a fancy phrase for deception operations. Is that right?
Maretta Morovitz: Almost. We like to kind of think about it as you have sort of two pillars. You have denial, and you have deception. And when you think of these two sets of activities, you can do either one sort of on their own. But when you work with them together and then you layer a strategic planning and analysis on top, that's what we really talk about as adversary engagement - that full process from planning to operating, where you're incorporating that deception and that denial and then ending with that understanding where you're really taking the outputs of your operations, understanding sort of what you're getting. Is it driving towards your goals? Did you make progress toward your goals? - and then feeding that back in. So you have that kind of continuous iterative loop of refining and learning and growing.
Rick Howard: You officially announced the project, although it's been in beta for a few months. But you officially announced it in February. And you and your team have created a website with resources and information for all kinds of stuff. So can you walk us through what we can find at the site?
Maretta Morovitz: Yeah. So what - obviously, kind of core and central to who we are is our Engage matrix. So that features prominently on our site. One of the things that we did between releasing our beta and now is we had a lot of conversations with folks in the community, whether those were CISOs, defenders, vendors, all our different user groups, and really understood, what were their use cases? How were they thinking about this? Did Engage support them? And one of the big lessons we learned was that just putting a matrix out into the world, while useful, really didn't provide enough support and guidance for the community to enable really what they needed to do.
Maretta Morovitz: And so one of the things you'll find on the website is we have a starter kit. If you're looking to just sort of understand what is this space and how do I jump in, we have a starter kit. If you'd rather kind of see the whole picture of all the different tools, we have a whole collection of resources. And that includes white papers. It includes posters. It includes the matrix. It includes a variety of things. It's sort of - you can pick and choose a la carte style what you're interested in. And we also have pages where we're highlighting things going on in the community. So we have a whole community spotlight section where we're really focusing on just showcasing what's out there and all the other interesting work and interesting directions the community is going in.
Rick Howard: So I've been a big fan of the idea of deception and operations around deception, you know, actually blocking bad guys from what you've discovered, since my early days in the cybersecurity world. But in the commercial world and maybe even the academic world, spending resources on deception always felt like it was a nice-to-have item compared to other things that would probably have a bigger impact, like zero trust or resilience or intrusion kill chain prevention using the MITRE ATT&CK framework. And deception operations aren't fire and forget. They're pretty work intensive. My experience - you need heavy lift of people and process and technology to even get a basic program working. Has that situation changed here recently? Is that why MITRE and Engage are pursuing this now?
Maretta Morovitz: Yeah, I think - so I think, in a lot of ways, there's a lot of different pieces and layers to what you just said. So I'm going to walk through them all. I think, first and foremost, that a lot of what adversary engagement is, is it's a mindset shift, right? And I think zero trust is that same mindset shift. It's adversaries are - eventually are going to get in. And we need to make a presumption of compromise mentality when we think about our defenses, right? It's not enough to think about hardening. It's not enough to think about defense in depth if you don't think about what happens when they eventually get through. And so a big piece of what MITRE is trying to say with Engage is not that you need to go buy the super fancy subatomic honeypot that does a million things.
Rick Howard: The subatomic honeypot - I need that (laughter).
Maretta Morovitz: On the blockchain - no. And maybe that might fit your needs. But maybe what fits your needs is a number of decoy share drives that you sort of identify where your high-value data lives or maybe your high-value employees, and you start sprinkling decoy shares around their drives and making sure that there's some ambiguity in that environment. Or maybe it's a matter of sprinkling decoy credentials in your network. So that way, when a credential gets - one of those credentials gets used, you get a high-fidelity alert that something is going on. So I think a lot of what deception is - it can be sort of this resource intensive, but it also can be, how do I think about upping the ambiguity in my environment, upping the uncertainty so that when someone gets in, I'm not automatically lost? And that's sort of the - kind of the main point that we care about.
Rick Howard: Good stuff, Maretta. But we're going to have to leave it there. That's Maretta Morovitz, the Engage lead at MITRE. Maretta, thanks for coming on the show.
Maretta Morovitz: Thanks so much for having me. This was great.
Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews.
Dave Bittner: And I'm pleased to welcome back to the show Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, great to speak with you again. You know, I think all the things that we've been tracking here in regards to Ukraine and Russia and the tension on the border there has really brought to light a lot of the information issues that I know are things that you track and have your eye on. What specifically has caught your eye here?
Andrea Little Limbago: Yeah. Thanks for having me back, Dave. So what I've been, you know, researching and sort of, you know, discussing across the community for a while is this notion of bots, trolls and warriors because I think it's an easy thing to remember, you know, if nothing else. But it really - what it does is it, you know, epitomizes the - what I think of as the modern digital authoritarian playbook.
Andrea Little Limbago: And within that, you have the bots, which are basically the leveraging automation - everything from simple, automated scripts to machine learning and AI - that then in turn helps inform the range of cyberattacks. That's where you get the cyber warriors, which are not necessarily my favorite term, but that's kind of the, you know - that's kind of where we have fallen with how we describe some of the folks in that field. But that really does reference the range of cyberattacks, from DDoS to ransomware, wiper malware and so forth.
Andrea Little Limbago: And then there's the trolls, which are the disinformation, misinformation that goes on. And for each of those, you know, the automation, the bots and so forth can both help spread the - you know, cast a wide net really, really well for a very broad impact, but they also enable really strategic and tactical targeting. So it's almost - you know, it's a multiuse approach to basically achieving objectives. And what we've seen, you know, over the last few months between - with Russia toward Ukraine is exactly this modern authoritarian playbook in the digital realm, where we see the disinformation combined with cyberattacks combined with bots, all working together to try and spread - you know, both for the psychological impact and also for physical impact.
Dave Bittner: Yeah. It's been interesting to me to see - for example, the U.S. intelligence community has been unusually open about the things that they're seeing here. And it seems to me to be an effort to counter exactly the thing you're talking about.
Andrea Little Limbago: No, that's right. I think this is actually a really interesting example. What we're seeing - what it actually looks like for, you know, democracies to come together and actually try and counter some of that playbook. Meanwhile, this, you know, authoritarian playbook has been around for a while now, almost, you know, a decade - everything but the digital components to it. Democracies really haven't pulled together a counterweight for a playbook, and so it's interesting to watch what's going on right now. It'll be interesting to see how well it plays out, but I think there has been good coordination, being very open about what Russia is doing in those areas.
Andrea Little Limbago: And I think in addition, you know, the Ukrainian intelligence service has been very, very open, trying to, you know, highlight the bot farms that they have identified, being very open about, you know, when they're getting, you know, the biggest DDoS attack that they've ever had before, which happened early February - you know, the attacks on their financial systems and so forth. And so I think the transparency and openness about that, which, you know, in some regards is a little bit different - you know, for a while, you know, companies or entities that are hit by various kinds of cyber activity tended to keep it quiet and try to...
Dave Bittner: Yeah.
Andrea Little Limbago: ...Deal with it on their own. Now we're seeing that that paradigm is flipping to be very open about all of this, to really sort - you know, call Russia out for what they're doing, what their activity is. And I think that's a good example for how, you know, transparency can help counter it. And it's hard. I don't - for sure, there are competing narratives that are going on right now.
Dave Bittner: Yeah. I mean, it's - even just things like saying - you know, they've been saying, this is what we expect to see from them. You know, we think they're going to put stories about atrocities out there in the press - that, by preempting that, it can take away some of the sting.
Andrea Little Limbago: It can. And, you know, the challenge, though, is that that's - you know, it's targeted pretty well for the English-speaking parts of the world. But you still - you know, the - Russia is doing a very good job basically infiltrating various kinds of Russian-language media outlets as well. You know, but at the same time, the U.S. also has called them out for doing that, you know, saying that the - you know, that the Russian intel services are coordinating with their - with various kinds of Russian-language media outlets.
Andrea Little Limbago: But it's hard, you know, if you have parts of the world only getting news from certain areas or only reading from certain, you know, influenced content - yeah, it becomes very hard to counter. So it does have to be, you know, a really broad approach to doing it. But I think we're seeing - this is the norm that we'll be seeing from now on. You know, this isn't - you know, I think we - very often, we've talked about, you know, cyberattacks as - in hybrid warfare, almost thinking about it as being down the road. But I mean, it's what we're seeing now. We've seen it in the past.
Andrea Little Limbago: And again, this isn't new. When Russia invaded Ukraine in 2014, there were cyber components to that. So that's - you know, on the one hand, we shouldn't be surprised because we've seen sort of that steady drumbeat. We had - we saw NotPetya. We saw NotPetya actually, you know, expand well beyond the borders. And I think that's where - you know, for folks in the U.S. who still may not be watching it that closely, especially, you know, businesses - that, you know, what Russia may continue to do against Ukraine most likely won't stay in Ukraine. Again, NotPetya really just is such a good example for how very, you know, targeted Ukrainian software can then - you know, attack on that can end up causing billions of dollars of damage across the globe.
Dave Bittner: All right. Well, Andrea Little Limbago, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Michael DeBolt from Intel 471. We're discussing PrivateLoader, one of the most popular commodity malware loaders on the underground. That's "Research Saturday." Do check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe - and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.