The CyberWire Daily Podcast 4.18.22
Ep 1559 | 4.18.22

Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.

Transcript

Tre Hester: Nuisance-level cyberattacks continue on both sides of Russia's hybrid war against Ukraine. Face-saving disinformation. CatalanGate. Industrial Spy says it caters to victims' competitors. More on what's been learned from Conti's leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss the 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire Summary for Monday, April 18, 2022. 

Nuisance-level cyberattacks continue on both sides of Russia’s hybrid war against Ukraine.

Tre Hester: Interfax-Ukraine relays a warning from the State Service for Special Communications and Information Protection that Russian operators are sending phishing messages that represent themselves as communications from Kyiv's security service, the SBU. The State Service's warning says in part, quote, "The enemy does not abandon attempts to arrange cyberattacks in Ukraine. And although they are usually unsuccessful, each of us should be attentive to information security. Yes, this time the occupiers are sending out computer viruses allegedly on behalf of the SBU. Cybercriminals use popular instant messengers for correspondence. In messages, they ask to download a file with instructions for actions for a period of wartime, although, in fact, it is a computer virus," end quote. The targets of the phishing campaign are, for the most part, government officials. The authorities advise the usual precautions against social engineering. 

Tre Hester: The Gibraltar-based crypto exchange currency.com has disclosed that it experienced a disruptive denial-of-service attack last Tuesday. It describes the attack as unsuccessful and, while offering no attribution, notes that the incident occurred the day after the exchange announced it was halting operations for residents of the Russian Federation. 

Tre Hester: Russian organizations have come under hacktivist assault. The Record summarizes recent activity by OldGremlin and NB65 against a range of Russian interests. NB65's motivations in particular are clearly and explicitly expressed in terms of opposition to Russia's war against Ukraine. 

“CatalanGate.”

Tre Hester: The University of Toronto's Citizen Lab describes CatalanGate, a spyware campaign against targets associated with Catalonia. Quote, "The hacking covers a spectrum of civil society in Catalonia, from academics and activists to nongovernmental organizations," end quote. Citizen Lab adds, quote, "Catalonia's government and elected officials were also extensively targeted, from the highest levels of Catalan government to members of the European Parliament, legislators and their staff and family members. We do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government," end quote. One noteworthy feature of the campaign is what Citizen Lab calls its, quote, "off-center targeting." That is, the operators of the intercept tool pursued, quote, "spouses, siblings, parents, staff or close associates of primary targets," end quote. This can be a way of getting information on targets who might otherwise be inaccessible. Most of the targets were infected with Pegasus, a smaller number with kangaroo. 

Industrial Spy says it caters to its victims’ competitors.

Tre Hester: A new criminal-to-criminal market has opened for business. BleepingComputer reports that the new criminal market, Industrial Spy, trades in stolen data. Some of those data seem to have been culled from dumps associated with earlier ransomware attacks. The site markets its services to businesses who compete with victims whose data Industrial Spy trades. 

More on what’s been learned from Conti’s leaked chatter.

Tre Hester: BlueVoyant this morning offered a summary and analysis of the leaks that have emerged from the Conti ransomware gang since the onset of Russia's war against Ukraine. Quote, "Conti is a ransomware-as-a-service group first noted by security researchers in May of 2020. It has since risen to one of the largest and most active ransomware groups currently operating," end quote. 

Rewards for Justice offers $5 million for tips on DPRK cyber ops.

Tre Hester: The U.S. State Department has offered a reward of up to $5 million for information on a range of Pyongyang's prohibited activities. State is asking for information under its Rewards for Justice program, quote, "that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyberactivity and actions that support WMD proliferation," end quote. 

Exercise Locked Shields begins tomorrow.

Tre Hester: And finally, appropriately, given Russia's ongoing hybrid war against Ukraine, NATO's Tallinn-based Cooperative Cyber Defence Centre of Excellence will kick off Exercise Locked Shields 2022 tomorrow. The annual cyber exercise will give the Atlantic Alliance an opportunity to train for cyberwarfare and assess its readiness for conflict in the fifth domain. 

Tre Hester: The CCDCOE explains that this exercise is built around a topical scenario. Quote, "according to the scenario, a fictional island country, Berylia, is experiencing a deteriorating security situation. A number of hostile events have coincided with coordinated cyberattacks against Berylian major military and civilian IT systems. The exercise planners draw on the current geopolitical situation to develop realistic and challenging scenarios that take into account the current security environment, where cyber incidents are unlikely to happen in isolation and are employed as part of a wider geopolitical strategy," end quote. That current geopolitical situation is obviously Russia's special military operation against Ukraine. 

Tre Hester: Participation in Locked Shields is not confined to NATO military organizations. Government agencies and groups from the private sector also participate, since a whole-of-alliance defense would seem to require a whole-of-nation approach from the alliance's members. Good luck, and good learning. 

Dave Bittner: The Threat Intelligence team at Egress Software Technologies have been tracking a 232% increase in phishing attempts impersonating LinkedIn. Jack Chapman is VP of threat intelligence at Egress, and I caught up with him for the details. 

Jack Chapman: We quite often analyze the threats and trends, mostly to see what the attackers and bad guys are and how they're attempting to manipulate and target organizations. And there's quite a clear uptick in terms of impersonation targets. And with that, it normally goes in terms of quite an event-driven basis. And what we're seeing is quite a lot of new templated attacks that are featuring LinkedIn as the impersonation. 

Dave Bittner: Well, can you take us through how exactly it works? How are they coming at their victims? 

Jack Chapman: So they're quite often coming at the victims as focused on the job element. We believe it's sort of a link to the culture we're in where everyone seems to be looking for a new job at the moment and very much focused around either new job matches or you've appeared in so many profile searches for a week - so just really playing on people's curiosity. It's on - someone's been looking at my profile. Therefore, I want to know who. And on this - on sort of a similar vein, the other half, the sort of LinkedIn attacks we're seeing - it's very much - there's this new job opportunity. Someone's offered you a new job in this area. Click here to see more information. So it seems like it's very much sort of playing on the human element of curiosity. 

Dave Bittner: Now, if I were the victim of one of these attacks, would the message come to me through LinkedIn, or would it come through my regular email account? 

Jack Chapman: So the majority that we see are coming through the email account as that's the easiest way for attackers to automate these sorts of attacks. So you just receive an email. And what we've seen with these attacks - quite often they're coming from some compromised sources. So they're coming from sort of legitimate email accounts that have been compromised before. And then basically get one, and it's a perfect sort of LinkedIn email with all of the proper logos. It's all very professional-looking. And the interesting thing for us is just the impersonation on how they're actually using genuine email filters, for instance, of LinkedIn itself. 

Dave Bittner: When you say legitimate email from LinkedIn, I mean, is that so it appears as though the email is coming from LinkedIn, the company proper? 

Jack Chapman: So they're not doing a spoof. So it doesn't say from linkedin.com. However, all of the logos, the sort of sign-off at the bottom, the alias name of the email, almost every other element of the email appears to be legitimately from LinkedIn. So it's a very good and professional template of that attack. 

Dave Bittner: And so what happens if you click through to the link? Where does it take you next? 

Jack Chapman: It then takes you to a credential harvesting site - so essentially a fake LinkedIn login page or, in some cases, a fake Microsoft login page. And the purpose of these attacks is essentially in order to scrape users' credentials. Now, that's nothing new in that sense. That's by far the most targeted sort of outcome of a phishing attack at the moment. The interesting thing there is how it's targeting both Microsoft as well as LinkedIn credentials. That's quite often based on sort of password hygiene, people who use the same for both. 

Dave Bittner: Now, one of the things you point out in the research here is that you've seen a real increase in these attacks. Any insights onto why the focus on using LinkedIn as the lure? 

Jack Chapman: I think it's got something to do with this post-COVID world we now live in. It's sort of the Great Resignation that we're now facing where a lot of people are reassessing their career goals. A lot of people are looking for new work, potentially even remote working from different countries, for instance. And I think this uptick of activity has sort of inspired the criminals to refocus on LinkedIn. We know through some of our other research that impersonation targets typically go through a two- or three-year cycle, and this seems to be LinkedIn's time to be impersonated again. So it coincides quite nicely with world events and the way we're changing how we work and what we prioritize in work. And the criminals are making the most of that. 

Dave Bittner: How do you recommend that organizations protect themselves against this? 

Jack Chapman: I think first and foremost, it's the understanding of the risk and not sort of having a blame culture against individuals. It's far easier to remediate any risk or any threat if people come forward and say, I've received this, or I think I've made a mistake here. But at the foremost is ensuring you've got the right technology in place, the right policies so that if a human does make a mistake, it mitigates the impact to your organization, and lastly, to ensure you're working with your people and making them aware of these threats. 

Dave Bittner: That's Jack Chapman from Egress Software Technologies. 

Dave Bittner: And I'm pleased to be joined once again by professor Awais Rashid. He's the director of the Center for Doctoral Training in Cybersecurity at the University of Bristol. Awais, it's always great to have you back. I wanted to touch today on supply chains and particularly risk management when it comes to supply chains. I know this is something that you and your colleagues at University of Bristol have your eye on. What can you share with us today? 

Awais Rashid: So this is really potentially one of the kind of biggest frontiers for cybersecurity at the moment, because threat actors are increasingly targeting extended supply chains and potentially abusing client-supplier trust to conduct compromise of existing systems. And we don't have to go far to think of an example. You know, SolarWinds has been in the news very much, where, actually, the supplier of a security product was compromised as a way to then reach into the companies to which they were supplying that particular security service in the first instance. 

Awais Rashid: And this is one of the big concerns at the moment that governments have about attacks against supply chains that may, for example, compromise critical infrastructure, that may have large-scale, you know, impacts on all sorts of systems. So one of the things that we have been doing at the moment is really looking at what kind of advice and guidance actually exists in, for example, the U.K., U.S. and the EU regarding cybersecurity supply chain risk management and where really we need to focus as a research and a practice community to improve our practices around this particular area. 

Dave Bittner: You know, we're seeing lots of movement here in the U.S. when it comes to a software bill of materials. Do you think that's a good move? 

Awais Rashid: I think it's an interesting direction to go, to think about really thinking of a software bill of materials. But I think there is even a step before that in the sense that when we look at all this work, we find that there are often very, very contrasting interpretations of what constitutes a supply chain. So depending on where you're getting your guidance from, which particular kind of national or regional authority - U.K., U.S. or the EU - and which sector you work in, you may have very, very different interpretations of the supply chain. So some people think of supply chain as only the hardware that you are sourcing. You referenced just now software. Some people may include software in that. But what about your third-party services, like your cloud provider, for instance, and all those things? What about your security services, your cybersecurity services that are coming in and all those kind of things? Then you are handing off, for example, particular types of security operations to a third party whom you're commissioning to do that work. And the interesting thing is that at the moment, we don't really have a very consistent definition of what constitutes a supply chain. And as a result, if you are at the other end as an organization that is trying to understand what the risks are, you may not have a very good appreciation of the gaps that it may leave in your cybersecurity strategies when you're trying to craft your approach to how do you manage these risks. 

Dave Bittner: It strikes me that one of the challenges is deciding how deep you want to go down the path. You know, like, you hear - I guess - you know, there's the analogy that, you know, a bridge collapses, and it's because there was a defective bolt, you know, that was made decades ago, you know, in a factory far away. And, you know, I wonder for security how that analogy plays out. You know, how far down the line do you go? How far is reasonable when it comes to risk management? 

Awais Rashid: And it's really a very, very hard question to answer. And that's why I started the discussion by saying this is potentially the new frontier for cybersecurity because the challenge exactly we have is that how far do we assure, but how do we then ensure that those assurances are trustworthy in the first instance? So in this case, for example, again, with the current geopolitical situation, you would have heard about, you know, kind of chip manufacturing sovereignty and all those kind of debates that are going on in the media at the moment. So you can go as far as, you know, who is kind of, you know, manufacturing the chips, and what kind of features that exist on the chips. But how do you actually make sure that what your, you know, kind of 10, 15-removed supplier is telling you is actually trustworthy? And how do you actually ensure that all of that can be fully tested across the supply chain? 

Awais Rashid: And it's a non-trivial problem because when we think of supply chain, we think that it's kind of a singular thing. But if you're at a large organization - for example, you are running a critical infrastructure - you don't have a singular supply chain. Depending on the systems that you're running, you've got potentially many, many supply chains for those systems that are coming in, and they have all sorts of combinations of hardware, software services, even sort of people, you know, subcontractors providing services into your environment. And that makes things very, very complex. 

Awais Rashid: So in an ideal world, I'd like to tell you, we have the perfect answer. But one of the things that we have discovered is that at the moment, even the kind of depth and breadth of coverage that is offered by authorities and the sectors in this area varies really, really greatly. It also depends on what your regional focus is or what your regulated requirements in the environment in which you are operating. But as, for example, you know, organizations become increasingly more and more global and we rely on a global supply chain, it - all of this becomes very, very complex, resource-intensive and costly to assure. And that's really why we need to have some kind of a more consistent way of understanding what are the risks in the cybersecurity supply chain, and how do we manage them? But we have a long way to go. 

Awais Rashid: We have developed a first taxonomy in this area. It is publicly available, but I see that very much as a first step rather than the end game, as a start of a conversation about saying these are the kind of things we all need to consistently think about. And I know that in the U.S., CISA are doing some very interesting work in this area as well. So all of that has to come together in a cohesive manner. 

Dave Bittner: All right. Well, professor Awais Rashid, thank you for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they are co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you back here tomorrow.