Doxing, trolling, and censorship in a hybrid war. Borat RAT. State’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Wild youth. Hey spooks: brown bag it like the GRU.
Dave Bittner: Doxing, trolling and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. The Borat RAT is described. Welcome the U.S. State Department's Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother's heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast-food as an OPSEC issue.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 4, 2022.
Dave Bittner: As the week opens, news of Russia's war against Ukraine is dominated by accounts of atrocities that have come to light as Russian forces retreat from areas they'd occupied in the northern parts of the country around the capital.
Dave Bittner: The Main Intelligence Directorate of the Ukrainian Ministry of Defense has released what appears to be personal information on 620 people it claims are FSB officers working on Russia's war against Ukraine. The data exposed includes names, phone numbers, addresses, vehicle license plates, SIM cards, date and location of birth, signatures and passport numbers. Security Affairs points out that the authenticity of the data cannot be confirmed.
Dave Bittner: Hacktivists associated with the Anonymous collective tweet that they've succeeded in doxing the Russian Orthodox Church. Anonymous TV said, hackers leaked 15 gigabytes of data stolen from the Russian Orthodox Church's charitable wing and released roughly 57,500 emails via DDoSecrets. DDoSecrets noted that due to the nature of the data, at this time, it is only being offered to journalists and researchers.
Dave Bittner: Vice describes Cyber Front Z, a troll farm that hires social commenters, spammers, content analysts, programmers, IT specialists and designers to run social media posts and other comments intended to advance Moscow's line concerning its war against Ukraine, and to do so at scale, with fake personas deployed to give the impression of a mass movement. Cyber Front Z's home base and public face is on Telegram, but its trolls operate in other media. It's noteworthy that the front's operators need to fire up their VPNs to gain access to other largely blocked social networks, and also noteworthy that the VPNs themselves are currently in bad odor with the Kremlin, wary as it is of the VPNs' reputation for anonymous circumvention of censorship.
Dave Bittner: Some Russian influence operations are more tightly focused. Vice reports elsewhere that the Security Service of Ukraine last week exposed a bot farm operating out of Ukraine but, according to the SBU, remotely controlled from Russia. The bots were smishing Ukrainian soldiers with resistance-is-futile texts. They said, the outcome of events is predetermined. Be prudent and refuse to support nationalism and leaders of the country who discredited themselves and already fled the capital. There's a triple exclamation point emphasis in the original. The guy whose apartment they found the trolls' server in said he had no idea what was going on.
Dave Bittner: Telephone tip hotlines, websites and Telegram channels have been established to encourage and enable good citizens to report those whom President Putin has described as traitors. The Telegraph observes that it would be inaccurate to conclude the denunciations were explicable purely in terms of state pressure. The paper quotes OVD-Info, which the Telegraph describes as a Russian human rights organization, to the effect that such denunciations arise also from a broad popular base of support. The Telegraph said ordinary people are getting involved in the repression, too. This is being driven by ordinary Russians.
Dave Bittner: Massive cyberattacks of the kind widely expected have yet to materialize. But Western intelligence services continue to warn that Russia can be expected to be keeping its options open in this respect. U.S. deputy national security adviser Anne Neuberger spoke with NPR on Friday.
Anne Neuberger: We continue to see evolving intelligence, as we talked about last week, that the Russian government is exploring options. And we continue to, most importantly, double down in working closely with the private sector to share that sensitive threat intelligence and really try to create the urgency for action and the call to action to put in place the cybersecurity measures that would prevent that from being successful.
Dave Bittner: Deputy national security adviser Neuberger also cautioned that there was no specific intelligence that such an attack was imminent but that the private sector should take steps to increase its resilience, should such attacks take place.
Dave Bittner: Known Russian threat actors have been active in the theater of operations. Researchers at Malwarebytes report UAC-0056, also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.
Dave Bittner: Earlier in March, CERT-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.
Dave Bittner: In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to convince victims to open a URL and download a first-stage payload or distributing fake translation software, in this campaign, the threat actor is using a spearphishing attack that contains macro-embedded Excel documents. Malwarebytes has a blog post which provides technical analysis of the new campaign.
Dave Bittner: Cyble describes a new and unusually capable remote access Trojan, Borat RAT, an homage to the Sacha Baron Cohen character, which the researchers call a triple threat, combining, as it does, the functionality of a RAT, spyware and ransomware. BleepingComputer reports that Borat's place in the C2C underground market is unclear. It's not known whether it's being sold or being freely traded, but it seems to be spreading through the underworld.
Dave Bittner: The U.S. State Department today stood up its new Bureau of Cyberspace and Digital Policy. The bureau will be led initially by Jennifer Bachus, a career foreign service officer. She'll serve as principal deputy assistant secretary for the CDP bureau until the Senate confirms an ambassador-at-large to lead the organization.
Dave Bittner: CISA continues to set the table for a meal of best practices. April is National Supply Chain Integrity Month, and CISA's focus is on the information and communications technology supply chain. They say, information and communications technology products and services ensure the continued operation and functionality of U.S. critical infrastructure. However, recent software compromises and other events have shown the far-reaching consequences of these threats.
Dave Bittner: The BBC reports that two teenagers, one 16, the other 17, were arraigned Friday at London's Highbury Corner youth court on charges connected with the activities of the Lapsus$ gang. Both are charged with fraud as well as a variety of computer-related offenses. Both have been released on bail. Their names are being withheld on account of their tender years.
Dave Bittner: And finally, to return to the war against Ukraine, unsecured Russian tactical communications appear to remain an important source of detailed information on the movements and condition of Russian units. WIRED describes the intercepts and what they reveal. It's not just tactical comms, either. Gustatory comms are also spilling the metaphorical beans. The Verge reports that Yandex Food, a food-delivery subsidiary of the Russian internet giant Yandex and, roughly speaking, Russia's equivalent of GrubHub or DoorDash, disclosed in early March that it had sustained a data breach that exposed customer information. The company blamed the dishonest actions of an employee for the leak and reassured customers that their login credentials and payment information, at least, weren't compromised. About 58,000 diners were affected, and the Russian powers that be aren't happy. According to Reuters, the information regulator has restricted access to an online map that appeared on March 22 where the names, phone numbers and addresses of Yandex.Eda customers were exposed, and said Yandex faced a fine of up to 100,000 roubles. That's about 1,000 bucks. There's also woofing about a class-action suit on behalf of injured diners.
Dave Bittner: The fine may be low, but the data is interesting. Bellingcat has sifted through it and found that a lot of deliveries go to military and intelligence personnel. The GRU seldom appeared in the data, but the FSB was well-represented. Maybe the GRU has better opsec than its sister agency, or perhaps the military intelligence types just tend to brown-bag it. The data exposed betrayed both identities and, indirectly at least, affiliations. Particularly interesting are the instructions the purchasers gave the delivery people on how to get through the various checkpoints - things like, go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end; or as another diner wrote on their order, closed territory - go up to the checkpoint. Call number ten minutes before you arrive.
Dave Bittner: Well, what are you going to do, right? It's not like you're going to just walk over to McDonald's for that Happy Meal anymore.
Dave Bittner: It's always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer and chief analyst. Rick, the "CSO Perspectives" podcast over on the Pro side has been on hiatus for a couple of weeks now. But, you know, we've had recent developments in the war in Ukraine. And I know you've got some thoughts about how all network practitioners should be thinking about potential Russian cyberattacks in the near future. What do you got for us today?
Rick Howard: Yeah, hey, Dave. And that's right. The Cybersecurity and Infrastructure Agency, or CISA, issued their Shields Up warning on 21 February this year. And by the way, my hat is off to them for using a Star Trek reference to warn of a pending Russian cyberattack. How great is that? Come on. You're going to like that part.
Dave Bittner: (Laughter) Yes. Yes.
Rick Howard: So a couple of days ago, though, President Biden encouraged private sector companies to strengthen their cybersecurity against a potential attack from Russia. And he said, I quote, "It's part of the Russia's playbook," end quote. And he's right. With the Ukraine war moving into a new phase and specifically as allied countries in the West push President Putin further and further into a corner with sanctions and whatnot, it seems likely that he might lash out against the U.S.
Dave Bittner: Well, so the Shields Up program encourages all U.S. organizations that if you've been delaying cybersecurity projects for whatever reason, now is probably a good time to put those on the front burner.
Rick Howard: Well, absolutely. And that's excellent advice. And here at the CyberWire, we support CISA's efforts to get the word out on these general-purpose recommendations - things we all should have done by now, even before this Russian situation. But let's face it - these things are things that we've known in the security community to do for at least a decade. So if you haven't done them yet, the chances that you will get them done, say, in the next few weeks before the Russians do something catastrophic are pretty low. So may I offer a little different advice that you can do this very moment that will be more impactful, let's say?
Dave Bittner: By all means, let's have it.
Rick Howard: (Laughter) All right. So for the last two years on the "CSO Perspectives" podcast, we've been talking about four cybersecurity first principle strategies. Two of them, zero trust and resilience, would fall under the umbrella of the Shields Up program. These are general-purpose strategies that would help against all kinds of adversaries - you know, criminals, hacktivists, nation states. But one strategy, intrusion kill chain prevention, is tailor-made for this unique situation that we find ourselves in. And the difference between intrusion kill chain prevention and zero trust is that on the kill chain, we are deploying specific detection and prevention controls on whatever security tools you have in place precisely designed for that known threat - in this case, Russia. And we have a fantastic collection of open-source intel on everything the Russians have done in cyberspace for the past 20 years. Just wag on over to the MITRE ATT&CK Framework wiki and look up the Russian adversary groups and campaigns. There's, like, 19 of them, and at least seven of them have been active this year. You know, you've heard them all - all of the Bears, like Fancy, Cozy, VOODOO and Primitive, and a few new groups we haven't heard of before, like Walleye (ph), Zebrocy and Earworm. And in the ATT&CK wiki, MITRE lists the tactics, techniques and procedures for most of them. So my recommendation is for all network defenders to go through that list and install as many detection and prevention controls as you can come up with for all of those Russian actions across the kill chain on the security stack that you already have in place. Now, I hear the naysayers out there, Dave. You know, there's a chance...
Dave Bittner: No. In cybersecurity? Naysayers?
Rick Howard: So I agree that there is a chance that Russia will come up with an entirely new campaign across the kill chain that we've never seen before. But you know what? The odds aren't that great. Instead, they will most likely cobble together a bunch of their greatest hits and use those. So if you have prevention and detection controls in place for as many of the known Russian tactics, techniques and procedures as you can, your chances of preventing a successful Russian cyberattack against your organization are pretty high.
Dave Bittner: All right. Well, I mean, that is - that's excellent advice. But what about for, say, smaller organizations, those folks who don't have SOCs or intelligence teams? They're going to find this difficult to navigate. What should they do?
Rick Howard: Well, I mean, that's a great question. And my advice to those organizations is they should be turning to their own security vendors now and demanding to know the specific ways that their products are protected against the Russian adversary playbook - you know, the Amazons, the Googles, the Microsofts, for sure, but also all those pure-play security vendors like Palo Alto Networks, Check Point, Cisco and a gazillion others that are out there. The bottom line here is that we've been looking at the kill chain philosophy for over a decade. The Lockheed Martin researchers published their paper on it in 2010. This year, 2022, is the use case for the model. We're pretty sure the Russians are coming. We know how they operate in cyberspace, and we're all going to look pretty bad if the Russians successfully attack us and we didn't have any of those protections in place beforehand.
Dave Bittner: All right. Yeah. Well, wise words, huh?
Rick Howard: Well, I don't know about that. We'll see how it goes.
Dave Bittner: Right. I'm just imagining you with your hands on your hips saying, I told you so. I told you so.
Rick Howard: I told you. Yeah. I'm wagging my finger at everybody right now (laughter).
Dave Bittner: (Laughter) That's right. That's right. That's right. All right. Well, get to it, folks. Rick Howard, thanks so much for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined once again by Josh Ray. He is managing director and global cyber defense lead for Accenture Security. Josh, it's always great to have you back.
Josh Ray: Dave, happy to be back as always.
Dave Bittner: You know, I know you and your team, as lots of people are, are keeping a close eye on the conflict between Russia and Ukraine. I wanted to check in with you today to see what sorts of things you all are monitoring on underground forums.
Josh Ray: Yeah. Dave, this is really kind of a first for us, and - you know, in the sense that we've been kind of in this mission space for, shoot, now over - at least over a decade around monitoring underground forums. And I think for the first time, we've really started to see an ideological split amongst cybercriminals. Now, you see it all the time with the hacktivists and things like that, but we're talking about financially motivated criminals that are now choosing sides. And that's got some really significant implications around targeting, around capability that I think, you know, your listenership really should be aware of.
Dave Bittner: You know, we've joked for a while that there's no honor among thieves. And so it's interesting for me to hear you describe some of these - you know, these fractures that are happening among this community. Any specifics you can share with us?
Josh Ray: Yeah. It's actually - I mean, talk about no honor among thieves, I mean, there's even one forum that one of our researchers was telling me about where, you know, instead of actually selling wares or looking to, you know, profit from some of this activity, they're offering places to stay for some of these different refugees that are coming out of Ukraine. But, you know, the big shift, I think, for us and what we've seen is really around this idea of, you know, are you actors, which, you know - and a lot of these forums which have banned some of these ransomware-affiliate cartels because of the heat that was brought on from a lot of law enforcement are now welcoming them back in, right? So the gloves are really starting to come off here. We're starting to see activity around actors that are leaking data instead of actively selling it. They're giving significant discounts on some of the things that they would normally look to, you know, drive, you know, high degree of profit on as well. And from a targeting standpoint, I think the thing that's most disturbing is that, for a while, critical infrastructure was - had abated - or the targeting of critical infrastructure - for a while. But now we're starting to see that come directly back into the fold. So Western critical infrastructure targets like oil and gas companies, but especially financial services and insurance companies, are looking to be targeted because I think they're being viewed as that kind of, quote, unquote, "working arm of the sanctions." So this is something that, especially, I think folks need to be worried about.
Dave Bittner: And is this a response to some - as you say, the sanctions and the financial squeeze that's going on for folks who are in Russia?
Josh Ray: I mean, I think part of it, but it's - I think it's primarily politically motivated, right? I mean, they're really lining up as far as either pro-Russian or pro-Ukrainian and taking their capability and their wares with them. And here's the thing to really kind of think about. You know, when we first started watching hacktivists way back when, some of the other, you know, hackers in the forum would kind of laugh at some of the capability. This is early on, you know, 10-plus years ago. And they were using tools that were, you know, commoditized or whatever. Now we're talking about cybercriminals that are highly technical, that are highly capable, that are - have the resources to pay, you know, millions of dollars for zero-day exploits. And we've seen them do that now and over the past, you know, few months, and with the access and the ability to impact companies significantly, right? So it's kind of bad enough now that we're starting to see, you know, individuals line up, you know, across these different ideological lines. But when they start to cross-collaborate or organize, I think we're going to see a heightened threat, especially to Western corporations.
Dave Bittner: You know, I think a lot of folks are left scratching their heads that we haven't seen more cyberactivity than we have. What's your reaction to that?
Josh Ray: I think the fact that the kinetic attack has been kind of methodically plodding along, there maybe hasn't been a need to bring out some of those cyberweapons that they might be kind of holding close to the chest. But also, you know, the fear of invoking additional impact from, say, like, Western countries like the U.S. or other NATO countries could be also, you know, playing into that as well, too. Like, once they start to significantly target critical infrastructure in those countries, we may see an escalation. And I think everybody is kind of, you know, a little bit leery, potentially, of that happening.
Dave Bittner: Yeah. All right. Well, Josh Ray, thanks for joining us.
Josh Ray: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.