Blocking and tackling in the cyber phases of Russia’s hybrid war against Ukraine. Info-harvesting SDK. Recon into a power grid. Hydra Market indictment. Catphishing. Advance fee scams with a new twist.
Dave Bittner: An update on U.S. cyber defensive operations and the war in Ukraine. You can’t tell your oligarchs without a scorecard. Google ejects data-harvesting apps from Play. China preps the cyber battlespace against India’s power grid. More moves against Hydra Market. Bearded Barbie’s catphishing. Betsy Carmelite from Booz Allen Hamilton on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this dissident, who also needs to move money for the best of reasons.
Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, April 7, 2022.
Dave Bittner: The U.S. Department of Justice announced late yesterday that the command-and-control functionality of Cyclops Blink, a major GRU-run botnet afflicting WatchGuard firewalls and ASUS routers, had been taken down.
The US says it neutralized a major GRU botnet.
Dave Bittner: The department described the court-ordered act of lawfare as follows - the Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, the GRU. The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as bots, the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.
Dave Bittner: Cyclops Blink had been publicly in British-American crosshairs since February 23, when the NCSC, CISA, the FBI and NSA issued a joint advisory describing the malicious campaign. WatchGuard published remediations that same day, and ASUS followed suit shortly thereafter.
Dave Bittner: The New York Times points out that the takedown was preemptive, as Cyclops Blink had simply been staged and not, as far as is known, actually been used. It could have been employed in a range of operations, from simple surveillance to destructive attacks. U.S. Attorney General Garland said, fortunately, we were able to disrupt this botnet before it could be used.
Meta disrupts Russian and Belarusian influence operations
Dave Bittner: The Washington Post reported this morning that Facebook's corporate parent Meta had disrupted influence networks operated on behalf of the Russian and Belarusian governments. The Post writes, the social media giant disclosed the campaigns in a 27-page report, including efforts to falsely report Ukrainian users as breaking the rules and efforts to hack into the accounts of Ukrainian military personnel. We continue to see operations from Belarus and Russia-linked actors target platforms across the internet, Facebook Head of Security Policy Nathaniel Gleicher said during a call with reporters. We know that determined adversaries like this will keep trying to come back.
Dave Bittner: Facebook, which last year changed its name to Meta, said it has been fighting efforts by Russian authorities to promote propaganda about the war, including false claims about Ukrainian military aggression in the region or blaming Western nations’ complicity in the war. The company said it gave fact-checkers in the region more resources and launched a special operations center with Russian and Ukrainian speakers to monitor war-related issues on the platform.
Dave Bittner: The Belarusian activity Facebook shut down included work by Ghostwriter, well-known for Eurocentric disinformation operations. Meta's Quarterly Adversarial Threat Report details the Russian and Belarusian operations and the steps Meta took against them. The report says, in part, government-linked actors from Russia and Belarus engaged in cyber-espionage and covert influence operations online. This activity included interest in the Ukrainian telecom industry; both global and Ukrainian defense and energy sectors; tech platforms; and journalists and activists in Ukraine, Russia and abroad.
Sanctions drive Russia closer to insolvency.
Dave Bittner: Russia at midweek offered payment in rubles against dollar-denominated bonds. The move, forced by U.S. blocking of additional Russian dollar accounts, is generally seen as a possible sign of approaching Russian default. Banks refused to process about $650 million in payments, Bloomberg reports, which forced Russia to offer rubles instead. Both the U.S., according to Reuters, and the U.K., according to the Telegraph, have substantially tightened financial sanctions.
Dave Bittner: The oligarchs haven't been forgotten either. Forbes has a useful list of who's who among the oligarchs, if you are keeping score at home.
Data-harvesting apps ejected from Google Play.
Dave Bittner: The Wall Street Journal reports that Google removed dozens of apps from its Play Store when it was found that they contained data-harvesting code carried in a software development kit provided by Measurement Systems, a Panamanian company said to have connections with the U.S. firm Vostrom Holdings. Infected products researchers at AppCensus found include Muslim prayer apps, a QR code reader and a speed trap detector.
A Chinese APT is interested in India’s power grid.
Dave Bittner: Recorded Future reports a Chinese government campaign against India's electrical power sector. It appears to be in its reconnaissance phase and directed toward battlespace preparation, as opposed to, say, theft of intellectual property. Recorded Future says the prolonged targeting of Indian power grid assets by Chinese state-linked groups offers limited economic espionage or traditional intelligence-gathering opportunities. We believe this targeting is instead likely intended to enable information gathering surrounding critical infrastructure systems or is pre-positioning for future activity.
A third move in the ongoing case against Hydra Market.
Dave Bittner: Germany's BKA took down Hydra Market's servers. Then the U.S. Treasury sanctioned the contraband market and some associated operations. And now the U.S. Justice Department has indicted the Russian boss, whom the U.S. attorney for the Northern District of California alleges is responsible for the operation. Dmitry Pavlov faces charges of money laundering conspiracy and narcotics conspiracy. If convicted, he also faces forfeiture of all assets acquired through his crimes and of any assets he used in the furtherance of his crimes. Mr. Pavlov is said to have provided Hydra Market's servers through his company Promservice. At present, he's at large and presumed to be living it up in Russia.
Catphishing reported in Israel.
Dave Bittner: Researchers at Cybereason describe an elaborate and well-researched catphishing campaign - its unlikely name is Bearded Barbie - that's associated with Hamas and aimed at Israeli officials. The threat actors involved are familiar names - the Molerats and APT-C-23. Cybereason says the attackers used fake Facebook profiles to trick specific individuals into downloading trojanized direct message applications for Android and PC, which granted them access to the victim's devices. The principal malware used is new - Barbie Downloader and BarbWire Backdoor, both of which are said to be stealthy. Cybereason also found an upgraded version of the previously known VolatileVenom Android implant.
Dave Bittner: The campaign will be familiar to all connoisseurs of social engineering. According to Cybereason, this campaign relies mostly on classic catfishing - using fake identities of attractive young women to engage with mostly male individuals to gain their trust. These fake accounts have operated for months and seem relatively authentic to the unsuspecting user. The operators seem to have invested considerable effort in tending these profiles, expanding their social network by joining popular Israeli groups, writing posts in Hebrew and adding friends of the potential victims as friends. So sure, she says she's the friend of a friend of maybe a friend, but trust us, that doesn't make it so.
Out: Nigerian princes. In: Russian dissidents.
Dave Bittner: Finally, Nigerian princes are so yesterday. Now everyone who's anyone is getting email from Russian dissidents. Like the rest of us, you've no doubt been emailed by widows of Nigerian princes. Now, Avanan warns, there's a new kid on the advance-fee scam block. Nigerian princes, meet the Russian dissidents. They're asking for your help in withdrawing money from a Turkish bank account. Seventy-five percent of the money will go to Ukrainian relief, and you get to keep the balance. There are really actual Nigerian princes, and there are really actual Russian dissidents. But the real ones have one big thing in common; they don't need your help moving money.
Dave Bittner: Security firm CyberSaint recently released their State of Ransomware Attacks Report, highlighting which industry sectors pay the most in ransom and who's getting hit the hardest. Padraic O'Reilly is co-founder and chief product officer at CyberSaint.
Padraic O’Reilly: The big one that stood out for me was that the propensity to back up - that is, across the critical infrastructure sectors we looked at - is related to the propensity to pay. So if you are not all that inclined to back up, you are certainly more - you are more inclined to pay the ransom. The industries that do a better job with backups more generally and sort of, you know, contingency planning and incident response are more confident in saying no when it comes to paying ransom. So that one - it seems obvious on the face of it, but it was good to see it in the data. You know, and that's something when we talk to companies - you know, because a whole host of things is suggested with respect to ransomware. And backups is certainly on the list. But sometimes companies don't know how to prioritize all of that.
Dave Bittner: What about ransom payments? You did some digging there as well.
Padraic O’Reilly: Yeah, we did. And we looked at sort of the propensity by industry. You know, some of that is, you know, industries that, you know - I mean, Colonial, for example, came out and announced within days that they had paid the ransom. You know, industries with, you know, huge OT infrastructure and products that they have to deliver to market who can't afford any downtime whatsoever often pay.
Padraic O’Reilly: Twinned with that, you might see local government and, you know, health care and others that are maybe quicker to pay the ransoms because of the inability maybe to have backups. And also, they're protecting, you know, patient data or individual citizen data or Social Security numbers and things like that. So there's fear maybe of, you know, class action lawsuits.
Padraic O’Reilly: When I talked to the Irish government last year, their health service had been hacked, and they announced that they weren't going to pay. But they were very concerned when I talked to the politicians over there that the class action suits would be, you know, following hot on the heels of that announcement.
Dave Bittner: What are you all tracking in terms of organizations' approach to risk management? I mean, is there a general maturation that's happening across industries?
Padraic O’Reilly: I think so. We have an offering in our product. It's sort of a tier of the software that is easier for, you know, commercial or smaller interests to operationalize. And it takes the ransomware framework that came out last year from the FBI and NIST and operationalizes that in system. So we're - you know, we're seeing companies that have some exposure - I mean, all companies really do when you look at the frequency of the attacks - beginning to try and understand the risk management challenges around ransomware and have some graphics and just some high-level things they can show to their senior management in order to prioritize the remediation of some of the gaps with respect to ransomware.
Dave Bittner: When I saw the stats that you put out about local government, you know, that makes sense to me that, you know, they're always underfunded and, you know, playing catch-up with a lot of these things. I was a little surprised at medical. What is the reasoning behind that? Is it - I mean, is it the velocity they run at? What's the - what do you suspect?
Padraic O’Reilly: Well, that's - I've - I'm always scratching my head when it comes to where they are, you know, with respect to some of this. And I do think some of it is the velocity they run at. They do have a lot of data. They have a lot of challenges around claims and filing claims. When things were moving to the cloud, you know, they were hiring - rapidly hiring developers to, you know, integrate different applications and do, you know, new claims processes. And just - they do a lot of things on the fly with data in health care.
Padraic O’Reilly: So I think there is often, in health care, a retrospective tendency to be reactive and to try and fix things in retrospect. I do think that COVID has put a lot of pressure on them to migrate a lot of their data services to the cloud. You can kind of see that with the online, you know, doctors' appointments. You know, that came very quickly. But, you know, actually, you know, the protections around it may not be fully baked.
Padraic O’Reilly: So I do think there is an aspect of the speed of innovation. I know that all sorts of health care concerns hire individual, you know, dev teams to integrate many applications and to create new interfaces all the time. I don't know that they're always spec-ing those out for secure development lifecycle stuff.
Dave Bittner: That's Padraic O'Reilly from CyberSaint.
Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a senior associate at Booz Allen Hamilton and also a federal attack surface reduction lead. Betsy, it is always great to have you back. I want to talk about a report that you and your colleagues recently put out there. And this is about security in the federal space. What can you share with us today?
Betsy Carmelite: Sure, Dave. One of the things that we wanted to talk about was revolutionizing a way for the .gov environment to approach and execute cybersecurity. To ensure the resilience against increasing digital threats, we want to look at how the U.S. can design and activate a whole-of-nation cyber strategy and a supporting cybersecurity system that integrates cyber defense and offense to provide a credible deterrence policy. It also empowers greater collaboration between the public and private sectors in critical domains, and it mobilizes the cyber technology and innovation base. One of the ways that we are approaching this is through a recent study we conducted and devised called The Blueprint for Achieving a Secure and Resilient .Gov.
Dave Bittner: Well, can you take us through some of the details? What's in that report?
Betsy Carmelite: Sure. This provides a framework which serves as really a North Star that can empower federal cyber leaders and sets federal agencies from CISA to smaller civilian agencies on that path to cybersecurity transformation. And where we're seeing that this design must go is through broadening the scope of cybersecurity. There needs to be a full-spectrum capability to project power and defend against cyber espionage, sabotage and influence operations so that we're all coming together and it's not really conducted in disparate pockets. So that means developing policies, plans, programs for, again, that whole-of-nation effort.
Betsy Carmelite: Secondly, we're looking at the need to leverage both offense and defense and really the integration of those two and synchronizing the way it conducts those activities. We could talk to defenders about capturing the tactics that they have seen used by attackers and feed them to NSA and U.S. Cyber Command to support defense-led offensive operations. And that way, the U.S. can deter cyber adversaries through punishment, by retaliating in cyberspace and other domains against those who would attack the nation. And at the same time, the government must find ways to capture insights from offensive cyber operations and itemize them and share them with defenders to accelerate those defensive improvements.
Dave Bittner: So from a practical point of view, how do you envision a plan like this being executed?
Betsy Carmelite: So there are a few kind of verbs I'm going to throw out here that can really put the .gov space on a path to that cybersecurity revolution. So in terms of direction, directing, we can really accelerate the positioning of the Department of Homeland Security's CISA as the director and orchestrator of federal cybersecurity. CISA's job really must focus on eliminating complexity, establishing single standards and reporting requirements for .gov agencies, and then working with the Office of Management and Budget to centralize cyber budgeting, planning and program execution.
Betsy Carmelite: Next, identify in which we want to embrace that threat-centric risk management across the entirety of the digital ecosystem; so using modeling, emulation and all that identification of how adversaries might attack, especially, for example, in supply chains. For defend, we want to move from reactive threat detection and incident response to proactive cyberdefense operations. For connect, we want to recognize that the data and the ability to work with it, use it, operationalize it, needs to be a lot faster than adversaries, and it's imperative for effective cybersecurity. So we're looking at those, reimagining that public and private cooperation and partnership. And then finally for protect - really, let's break free of the tools and realize that cutting-edge technology is really not the be-all to end-all. Instead of layering products in a redundant manner, let's shift our emphasis to architecting more defensible networks and finding the talent who can operate well within those networks.
Dave Bittner: You know, it really strikes me that, you know, to your point of collaboration and the public-private partnerships that I think, more than we've seen in the past, we're really seeing organizations like CISA, organizations like the NSA are really public-facing in a way that they haven't been before and really, you know, engaging with the private sector in a way that, to me, seems to be very productive.
Betsy Carmelite: And I think that CISA's reliance on the private sector, with the private sector owning the majority of critical infrastructure in the U.S., their reliance on that real-time information sharing is going to become critical. We see in many of the Ice acts where companies really need to do some more company-to-company, organization-to-organization sharing to help each other understand what threats they're seeing. But what would also help from CISA are cybersecurity standards to make it easier for companies to focus on cyberdefense mitigation rather than compliance 'cause compliance is going to take you only so far when you have to respond to an incident. And so using kind of those publicly available standards, blueprints and understanding how they can build on the work of NIST would really be helpful in that public-private cooperation.
Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.