The CyberWire Daily Podcast 4.15.22
Ep 1558 | 4.15.22

Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.


Dave Bittner: Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsible for the Nordex hack. The half a billion stolen from Ronin went to the Lazarus Group. Betsy Carmelite from Booz Allen Hamilton shares insights on the cyber implications of the conflict in Ukraine. Our guest is Ian McShane from Arctic Wolf. And indictments in a case of influence operations.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, April 15, 2022.

Further developments in the Incontroller/Pipedream industrial control system threat.


Dave Bittner: E&E News reports that it seems clearer that the ICS-focused tools now generally attributed unofficially to Russia were designed with the energy sector and particularly liquefied natural gas facilities as their targets. We've received a number of comments from industry on the discovery of the attack kit, being called Incontroller by Mandiant or Pipedream by Dragos. The unusually large number of industrial control system advisories that CISA released yesterday seems a partial response to this recently discovered threat.

Conti claims responsibility for the Nordex hack.


Dave Bittner: BleepingComputer reports that the Conti gang has claimed responsibility for the ransomware attack on wind turbine manufacturer Nordex. Conti had long been the leading suspect in the incident. In related news, Istanbul-based security firm Infinitum IT says it's determined that the data extortion operation Karakurt is really just an arm of the Conti gang. They were able to track the activities of one gang member, and that led them to other evidence that suggests the distinction between Conti and Karakurt is really a distinction without a difference. Karakurt's activities have been confined to the second half of double extortion. They steal data. They don't encrypt it. 

The half-a-billion stolen from Ronin went to the Lazarus Group.


Dave Bittner: Having attributed the $540 million theft from DeFi platform Ronin to North Korea's Lazarus Group, the US Treasury Department has updated its North Korean entries on OFAC's list of sanctioned persons and organizations. The Record reports that blockchain researchers at PeckShield have been laundering the rough Etherium equivalent of $9 million every two or three days for the past several weeks, moving funds from the wallet where they held their take. Only about 7 1/2 percent of their take seems to have been laundered by the end of last week. The Lazarus Group is thought to be using the cryptocurrency mixer Tornado Cash to move its funds. 

Indictments in an influence ops case.


Dave Bittner: And finally, the U.S. has indicted three Russian nationals on connection with a long-running influence operation. A Russian legislator and two of his staffers face U.S. federal charges connected to sanctions evasion and illegal influence operations. The U.S. Department of Justice has unsealed an indictment filed with the U.S. District Court for the Southern District of New York that alleges three violations of federal law - one count of conspiring to have a U.S. citizen act as a Russian agent in the United States without notifying the attorney general, one count of conspiring to violate and evade U.S. sanctions in violation of the International Emergency Economic Powers Act and one count of conspiring to commit visa fraud. The activities the trio are charged with have none of the high spy drama one would associate with the recruitment of agents of influence. There's nothing particularly lurid in the Justice Department's account of what they are alleged to have done. They sought meetings with members of Congress, for example, offered free trips, all expenses paid, to receive an award. They wrote letters. They sought to arrange meetings with the prime minister of Crimea, someone who, in the official U.S. view, doesn't really exist. The Congress members are said to have turned them down at all points. The influence operation is alleged to have run from 2012 through 2017. None of the three gentlemen charged are in custody, but the indictment will limit their travels to countries without effective extradition treaties with the U.S. 

Dave Bittner: Arctic Wolf Networks recently published their 2022 State of Cybersecurity report, tracking where security professionals and IT leaders rank themselves, their risk appetite and their ability to mitigate cybersecurity risks. Ian McShane is Field CTO at Arctic Wolf Networks. 

Ian Mcshane: So I think there's three things that are really interesting to me. I think, firstly, the kind of confirmation that information security, or cybersecurity, is really financially driven. And that might seem like an obvious statement. But what I mean by that is that, you know, while defenders or operators or practitioners, they might be in it for the security, you know, to do some good or to disrupt adversaries, really what it comes down to for businesses and organizations is how they can balance that fiscal spend against the risk. You know, they don't want their wallets to hurt. And so what they really need to understand is how is the trade-off going to work from investing here or not investing here? 

Dave Bittner: What are the other things that drew your attention? 

Ian Mcshane: Yeah. The second one is around cloud security, right? It's been no surprise for the last decade or so that cloud security adoptions on the up. But what was interesting in this survey is that around 20% have found - only around 20% have serious kind of security monitoring for the cloud. Twenty-eight percent of our respondents actually said it's their biggest concern. So that's a relatively small number of people that think it's concerning and a relatively small number of organizations that are able to do something about it. But when we look at the kind of incidents that we investigate at Arctic Wolf, almost half of them include some kind of cloud asset touchpoint. So that was an interesting statistic there as well. 

Dave Bittner: What do you suppose is driving that disconnect? Is it a matter of not having resources to come at this, or what do you suspect is going on? 

Ian Mcshane: I think there's a number of issues. The biggest one is probably not fully understanding the shared security responsibility model that a lot of cloud's infrastructure certainly has. So it's no surprise over the last few years that a lot of breaches that involve cloud assets linked to misconfiguration or, you know, people leaving the default settings, the default security configuration, in place and then allowing that to be exploited. So I think if organizations are trying to abstract their infrastructure, they also have this kind of implicit trust in the provider, which isn't necessarily the right thing to have. 

Dave Bittner: Well, let's move on to the third thing then. You mentioned three. What was the third one that caught your eye? 

Ian Mcshane: Well, the third one, and this has been a big topic for a couple of years now, is that, you know, staffing. When we see three-quarters of organizations saying they don't have enough people, that's no surprise. But it's something that's really impacting their ability to achieve their security objectives or to meet their security objectives. And so what's interesting is when you look through the responses that a lot of them are saying they don't - it's not only lacking the ability to bring people in, you know, it's lacking the ability to keep people in their organization already. You know, we're seeing this kind of musical chairs or Great Resignation, as it's been called, where some organizations are able to attract new people and not able to maintain the current level of staffing that they have. 

Dave Bittner: Do you have any sense for what could be done to turn that around? I mean, is it - it strikes me that a lot of organizations expect folks to come in sort of fully baked and ready to go and that there's a lack of internal training and real pathways for learning. 

Ian Mcshane: Yeah, you've got to, like - companies are really keen to hire people that they expect to hit the ground running - right? - have an instant impact rather than looking for people, maybe, with fewer years of experience who can learn on the job. I think the reality is that many of the most experienced people, you know, the ones that would take the, in air quotes, "unicorn" or "rock star" kind of check box that a lot of organizations look for - they've realized that their skills can not only command a premium, but, you know, they're able to pick and choose their roles more than ever. So while some might relish the challenge of picking up and helping to modernize a struggling security practice, others, other experienced professionals, might, you know, want to get back to cutting-edge security rather than spending months and years getting back to basics. 

Dave Bittner: So what are your recommendations then? I mean, based on the information that you've gathered here, what advice do you have for organizations looking to protect themselves? 

Ian Mcshane: Yeah. I think it comes around to spending. I talked about the fiscal side of things, and we've talked about the human side of things. But the - I guess the way I see it is that organizations, we know, are definitely spending more than ever on cybersecurity. But honestly, a lot of that spending is focused more on the tools than it is on the actual human operators. And when infrastructure scope expands - you know, things like cloud adoption and growth and remote working and globalization - so does the volume of the work that has to be done. And alert fatigue is talked about a lot - right? - but that's not the only issue that's affecting staff. It's the inability to be able to do enough tactically and strategically to keep their security ship afloat. And I think a lot of front-line staff - practitioners and operators - are asking why more isn't being spent where it's needed, which is in the people. And I don't think that means an increase in spending. I often recommend that most organizations can actually benefit from an audit of what they already spend on toolings and ask themselves some - I guess, some pretty tough questions, like, am I using this to the best of its ability, and what would happen if I stopped using this? Because when organizations can have, you know, 20, 30, 40 upwards security tools, there's usually significantly more value in having that honest audit and a project to calculate the benefit of having an additional human or two versus continuing to subscribe to or use semi-effective security tools. 

Dave Bittner: That's Ian McShane from Arctic Wolf Networks. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Betsy Carmelite. She's a senior associate at Booz Allen Hamilton and federal attack surface reduction lead. Betsy, it's always great to have you back on the show. I want to touch base with you on the situation in Ukraine - the Russian invasion - and your take on what you and your colleagues are tracking when it comes to the situation as it affects cybersecurity. 

Betsy Carmelite: Sure, Dave. And thanks. It's great to be back. We all know that last week, President Biden made the statement that Russia may be exploring options for potential cyberattacks against the U.S. surrounding the situation with the hostilities in Ukraine. Then we saw in response, the Kremlin spokesperson, Peskov, telling reporters that the Russian Federation doesn't engage in banditry, outright rejecting the warning. And then in addition, we saw CISA gather critical infrastructure partners in a public meeting asking them to respond to the Shields Up call for guarding themselves against potential cyberattacks. So with all that in mind, what we are doing is looking at what is happening around potential cyberattacks from Russia through a logical framework to the Russian military cyber operations. And as a firm, we've done quite a bit of research in this area and released a report recently about uncovering the logic behind Russian military cyber operations. 

Dave Bittner: Well, can you take us through that? What does that framework look like? 

Betsy Carmelite: Sure. So we're looking at the methods and philosophy behind Russian military cyber operations, which align historically to Russia's cyber operations timing, target selection, tactical characteristics with Russian military doctrine. Considering that framework, Russia may engage its cybercapabilities to respond really to its evolving strategic military initiatives. Russia's military is a leading user of offensive cyberweapons that deny, degrade, disrupt, destroy. And really, we see that Russia uses these operations quite logically to respond to specific, declared circumstances that impact their national security in ways consistent with that published doctrine. 

Dave Bittner: You know, I think a lot of folks have been left scratching their heads that we haven't seen more from Russia when it comes to offensive cyber in this particular campaign. Do you have any insights on that? 

Betsy Carmelite: Yeah, I think that is really the big question - when are we going to see cyber in all of this? When are we going to see that big NotPetya-like attack again? And in looking at this situation, what we've - what we really feel is that there's a lot of fog of war around this situation cyber-wise. There are lots of actors. There are lots of operations. We see volunteer cyberactors. Really, like, who is doing what? So it's really difficult right now to say comprehensively what is happening. So what I wanted to focus on was pointing back to our Russian military cyber operations report. We can specifically look at how there is a fundamental connection between GRU, which is the main intelligence directorate in the Russian military - GRU-attributed cyberactivity and the GRU's mission to monitor, neutralize and counter certain publicly enumerated circumstances. So if we're seeing something - if Russia's seeing something that endangers its military security, the GRU executes its mission using methods consistent with declared strategic concepts. We also recently saw The Washington Post come out with a report saying that the attack on Ukrainian satellites was probably attributed to the GRU. So we're seeing that action and reaction as a direct threat to Russian national security interests. 

Dave Bittner: So is it fair to say that, you know, because - just because we haven't seen much activity on this front so far that we should not have our defenses down, that it may be yet to come? 

Betsy Carmelite: That's right. That's right. One of the ways to protect yourself around this type of situation is really understanding the context in which this threat operates. And what are really some of the historical actions it's taken? And how would an attack against your organization advance your adversary's interests, advance, you know, possibly Russia's interests? - with security strategies tailored to that understanding. So we look at that through a threat-centric risk management process, first creating an organizational profile. Understanding your locations, partners, customers, information you possess and so forth. And then you consider your potential adversaries. Once you've established some of those parameters. I would say two of the best things you can do for your risk management strategies and activities are using threat intelligence and looking at implementing internal and external threat hunts focused on expected adversaries. 

Dave Bittner: All right. Well, stay vigilant for sure. Betsy Carmelite, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Symantec's Allan Neville. We're going to be discussing Antlion, the Chinese state-backed hackers using custom backdoors to target financial institutions in Taiwan. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.