Disinformation in Russia’s war of aggression. Correlating overhead imagery and radio intercepts. Taking down state-sponsored cyber ops. Threats to power grids.
Dave Bittner: Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India's power ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning for document redaction. And grid security and the value of exercises.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 8, 2022.
Microsoft disrupts GRU cyber operations.
Dave Bittner: Microsoft says it's blocked GRU cyber operations directed against U.S., European and Ukrainian targets. Redmond calls the group Strontium in its metallic naming convention for threat groups. But the threat actor is also known as APT28 and, of course, Fancy Bear. The disruption was a familiar takedown. Microsoft explained, on Wednesday, April 6, we obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks. We have since redirected these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable victim notifications.
Dave Bittner: This particular GRU campaign isn't the only one Microsoft has observed during Russia's war against Ukraine. Microsoft characterized Strontium's use of its now-sinkholed infrastructure as follows. Strontium was using this infrastructure to target Ukrainian institutions, including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information. We have notified Ukraine's government about the activity we detected and the action we've taken.
Facebook takes down Iranian coordinated inauthenticity.
Dave Bittner: Among the inauthentic social media operations Meta took down this week were two Iranian espionage groups. Meta's quarterly adversarial threat reports said the first network was linked to a group of hackers known in the security industry as UNC778. The second was a separate, previously unreported group that targeted industries like energy, telecommunications, maritime logistics, information technology and others. The first familiar actor, the threat cluster UNC788 - associated with Phosphorus, Charming Kitten - used a malicious version of a legitimate Android birthday calendar app, a remote access tool that represented itself as a Koran and a data harvesting and remote access tool in a chat application. Its target list also included familiar interests - journalists, dissidents, human rights activists, universities and so on.
India’s Power Ministry says it stopped a Chinese cyberattack.
Dave Bittner: Indian authorities say they successfully stopped a cyberattack by Cicada, the Chinese threat actor also known as Stone Panda or APT10. The attacks described by Recorded Future were concentrated in the disputed Sino-Indian border around Ladakh. The Deccan Herald quotes Power Minister R.K. Singh as saying, "two attempts by Chinese hackers were made to target electricity distribution centers near Ladakh but were not successful."
Grid security and the value of exercises.
Dave Bittner: Power grid security has been of concern elsewhere. The Wall Street Journal and README credit the biennial GridEx war game with doing much to shape CISA's Shields Up program. The most recent GridEx was held in November, which afforded an opportunity to prepare for increased threat levels during the run up to Russia's war against Ukraine.
Dave Bittner: A report of lessons learned from the exercise was released yesterday. It includes high-level recommendations, each of which is expanded in some detail in the body of the report. They include continue to build effective communications procedures and systems to share operational information, clarify the differing crisis communications roles of the Electricity Subsector Coordinating Council and Reliability Coordinators with government and their members, including Canadian members, continue to build effective communications procedures and systems to share security information, continue to build on understanding of GSE, continue to enhance routine and emergency operations coordination between the electricity industry and natural gas providers, strengthen operational coordination between the electricity industry and communications providers and, finally, continue to reinforce relationships between governments in the United States and Canada to support industry response to grid emergencies. Note the emphasis on communication and relationship-building. And, of course, remember - shields up.
Dave Bittner: Sometimes in the course of, say, penetration testing, you need to deliver client reports. And they'll often have very sensitive information in them, sometimes data that you don't want to necessarily include in clear text. And so you have a need to redact information. With text, that's pretty easy. But sometimes it happens in a photograph. There's a picture of a screen or something like that, and you have some text in there inside an image. So how do you properly redact that? Dan Petro is a lead researcher at Bishop Fox.
Dan Petro: People would like to get really cute and clever with redaction techniques. You know, you try, like, blurring the data or swirling it or something like that. And very often, you would see pixelization - like, pixelation. It's a kind of way of saying - like, look like kind of half-revealing the data. And it was always apparent to me, at least at the time, this process can't be secure. There must be a way of, like, undoing that redaction process, right? Like, it's clearly leaking information through. Like, you can see bits and parts of it. But there was never, like, a tool to, like, properly do this...
Dave Bittner: Yeah.
Dan Petro: ...That, like, really worked. And so I finally got around to making a tool that, you know, does basically exactly that - that you could take pictures of a redacted text using that pixelation process and reverse it into its original text.
Dave Bittner: Well, take us through exactly how you set about doing this.
Dan Petro: Yeah, that's a good question. So there's some existing tooling on this. The most prominent is a tool called Depix that uses this, like, really fancy process of, like, a de Bruijn - I think I'm saying that right; the J might be silent or something - sequence that's literally trying to take those pixels and really reverse them.
Dan Petro: Let's take a further step back about, like, what the heck is a pixelation process to begin with, right? The algorithm for it is actually remarkably simple. You just take an NxN grid. You just define how big you want your block size to be. And then the algorithm just goes through and averages all the pixels inside of that block and then sets the pixel equal to that average. So it just basically takes all the data and smears it into these blocks. And the algorithm is remarkably consistent across, like, every tool. So whether you use GIMP or Photoshop or, like, whatever, it'll basically do the exact same process.
Dan Petro: So this tool called Depix is super-clever. And it actually - what it does is it tries to figure out, like, what letter could have resulted in that exact pixel given its precise value. Like, depending on varying circumstances, there might be some noise on, though, right? Like, if you had a picture of a picture or if there's some slight error in the rendering, the wheels tend to fall off it pretty quickly.
Dave Bittner: So is this a matter of that - you know, the English language, for example, has a limited number of characters. And if you combine that with a - you know, something like a dictionary, do you find yourself making pretty good guesses?
Dan Petro: In my tool, Unredacter, we didn't use English words as, like, guesses because it doesn't necessarily brute force the whole thing much like a password cracking technique. My insight into this was Depix is really great and really fancy, but it's almost too fancy for me. Like, I wanted to do something much more dumb. Like, how about we just brute force it character by character? We're just going to guess. So all my tool does is you tell it the font and, like, the font size and some other detailed information around, like, character spacing and letter space and things like that enough to reliably reproduce the original format of the text. And then it just guesses the characters one by one. So it tries the letter A and then renders it using Headless Chrome - it's an Electron app - and then tries the letter B and then tries the letter C and sees which one matches up. And what's really nice about that is that doesn't need to match up exactly. You can kind of get within a certain distance of it. It's like - as a kind of fuzzy matching threshold. So even if there a little bit of noise or you don't get the font exactly right or you don't get the spacing quite precise, it's actually fine. As long as it's close enough, it's good. And you can do that character by character. So you don't need to, like, guess whole - unlike password guessing, you need to get the whole password. You can't just guess half the password. There's no, you know, extra credits. There's no partial credit for half-guessing a password when you're password cracking, right?
Dan Petro: Well, that's not true with this redaction technique, with pixelation. If you get the first three letters right, then you can know about that. And that's kind of, you know, the crux of the vulnerability if you really put down to it. Unlike a regular hashing problem that has - in cryptography terms, it has no diffusion, we would say. If you change one letter, it only changes the hash, if you want to call it, the pixelization (ph), the redacted text. The only changes are in that exact area. And so the consequence of that is you're able to guess it character by character. So you actually don't even need to, you know, throw English words at it or whatever. So if you wanted to, that would actually strictly improve the process.
Dave Bittner: So how good is it?
Dan Petro: I was very quickly able to solve the challenge text that I could produce. But, you know, that only means that I could solve a problem that I made for myself. So naturally, the very first thing I wanted to do was find a good test for this. And lo and behold, there's actually a wonderful challenge text by another company called JUMPSEC that looked into the exact same problem, found depicts (ph), and identified that, you know, maybe it works a little bit better in theory than in practice. And they issued, like, a challenge to the internet to say, like, here's some redacted text. You know, if you can solve this, send us a note.
Dan Petro: And so, yeah, I threw Unredactor at it, and it worked. So I was super happy with it. I reached out to Caleb over there at JUMPSEC, and they confirmed that my guess was correct. They work out of the U.K., so it took a little while, but they sent me some JUMPSEC swag. I got like a mug...
Dave Bittner: (Laughter).
Dan Petro: ...And a nice notebook from them. So two shoutouts to Caleb over at JUMPSEC. They're a great sports.
Dave Bittner: So what are your recommendations then? I mean, in terms of redacting things, I guess, you know, pixelization is no longer on the menu, right?
Dan Petro: Definitely the only way to go about it is to use black bars fully covering the information you want to protect. Anything else is leaking information that can potentially be reversed. So Unredactor doesn't specifically work against blurred text, but there's no reason one couldn't make a slightly modified version of my program that just works on blurred text. So I wouldn't recommend doing that sort of thing either. Of course, that comes with the normal caveats that there's a bunch of other things that could go wrong with redacting text. If you use PDFs, for instance, you have to make sure that the redaction technique you're using is, like, actually removing the letters and not just simply making it so that there's a black text on a black background. But, you know, those words are still there.
Dave Bittner: Right.
Dan Petro: That kind of thing happens a lot. In some cases, context can give you away, where, like, if you're, for instance, redacting information in a report or, like, a court document where there's only two names, Alice and Bob, and you say, like, you know, the perpetrator was blank, but it's clearly only three letters long, like, well, then that's not really redacting very much, is it?
Dave Bittner: (Laughter) Right.
Dan Petro: So there's still some things that can get you into hot water, but at least the very basis, use black bars fully covering the text, and that is in the actual image of the text, not in a simple highlight function.
Dave Bittner: That's Dan Petro from Bishop Fox. His depixelation tool is called Unredactor. You can find it on GitHub. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for interview selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at OpenText. David, always great to welcome you back to the show. I want to ask you to get out your crystal ball look forward for the rest of 2022. What are some of the specific attack mechanisms that you think we may be in for as this year plays out?
David Dufour: Yeah, 2022 (laughter) - I think a couple of things are going to be the super fun repeat of 2021 and 2020 and 2019. You know, we're going to continue to see a ton of ransomware attacks and phishing attacks. I mean, these are so successful. They have no reason to, you know, divert from that focus on those two type of both delivery mechanisms and, you know, attack vectors and getting information from you.
David Dufour: Now, there's a couple of things that keep popping up that are super fun for old guys like myself. You're being, of course, in your spry, spry 20s there, David, but worms. We're seeing a ton of worms. And this comes along with the proliferation of ransomware. And, you know, you and I have talked many times about how the attackers have moved up a level from the consumer and small business to the larger organizations. And this is why worms are an important part of their attack toolkit now, because once they land inside an org, they're using worms all over the place to deliver as much as they can. So it's pretty interesting to see that happening.
David Dufour: And kind of one of the last exciting, terrifying things about this year being an election year, David - I think we're going to see a ton of deepfake - a ton of things coming out in terms of - and those aren't directed necessarily at someone to steal their information. But I think we're going to see a lot of video, audio, AI, modified technology that's going to make it hard. You know, with the proliferation of bad information, it's - it always upticks in election years.
Dave Bittner: Is there anything that you feel isn't getting the attention it deserves - anything that, you know, you're trying to just shout from the rooftops and, you know, get people to focus on?
David Dufour: I have said this to you so many times, and it isn't anything exciting. Back up your data, people, and patch your systems because a lot of this stuff goes away if you do that. That's one thing. And then another is - really, to hit on something that people don't realize can be a cyber issue is supply chain. You know, we're struggling right now with inflation, with costs of everything. And the minute that gets back on its feet, some, you know, government organizations, some individuals could really disrupt the supply chain, and knock us back down. And I think that's something we don't pay a lot of attention to because IoT was hot and exciting for a while. Then it faded away. And everyone has stopped thinking about industrial security, and it's a big deal.
Dave Bittner: All right. Well, David Dufour, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Alon Zahavi from CyberArk. We're discussing their research, "How Docker Made Me More Capable and the Host Less Secure." That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.