The CyberWire Daily Podcast 4.27.22
Ep 1566 | 4.27.22

Russian privateering continues. Stonefly is straight out of Pyongyang, and the Lazarus Group has never really left. Foggy Bottom seeks (Russian) snitches.


Tre Hester: Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter-sanctions. Stonefly, straight out of Pyongyang. Lazarus is also back, but not in the good way. Richard Hummel from NETSCOUT discusses their biannual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, "The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime." And the U.S. Department of State has added six Russian GRU officers to its Rewards for Justice program.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester with your CyberWire summary for Wednesday, April 27, 2022. 

Heard on the Baltimore waterfront.

Tre Hester: We're attending the Global Cyber Innovation Summit today in Baltimore. And while all discussions are being held under the Chatham House Rule, we can say that discussions of Russia's cyber operations have turned on two general impressions. The first is that Russia has indeed conducted cyberattacks, notably the earlier wiper attacks, but that these attacks have not had the widespread effects of earlier Russian attacks. The second is that, for reasons that are still imperfectly understood, cyber deterrence in this case seems to be working, and that this is the reason Moscow has been pulling its cyber punches. 

Privateering against Western brands.

Tre Hester: But, of course, cyberattacks can be deniable in the grey zone. Some recent ransomware attacks are being interpreted as privateering. Two groups in particular, the gangs behind Conti and Stormous, have been particularly active in the Russian interest. Conti, the better known of the two, has sustained doxing and compromise of internal chatter by hacktivists and probably Ukrainian intelligence services. But these seem not to have slowed it down. SecurityWeek reports that at least 30 new victims of Conti have been claimed on the gang's site in the month of April alone. 

Tre Hester: The other operation, Stormous, only came to prominence around the outset of Russia's invasion of Ukraine. The group has claimed, according to Security Affairs, to have successfully obtained access to some of the Coca-Cola Company's servers, from which they've stolen some 116 gigabytes of information. Cybernews says that the file names mentioned by Stormous suggest that the gang is claiming to have taken, quote, "financial data, passwords, commercial accounts, email addresses and other data," end quote. Stormous has a dubious reputation, but word on the street is that they're not what they claim to be. Their victims tend not to confirm the attacks Stormous claims. And there's speculation, reported by SOCRadar and others, that Stormous is a scavenger operation. That is, they simply scrape up material others have dumped and represent it as their own. 

An update on sanctions and countersanctions.

Tre Hester: Oil exports have enabled Russia to preserve its economy from collapse, Foreign Policy explains, largely because customers have been soft on the sanctions they say they're willing to impose. Quote, "Despite predictions of doom for the heavily sanctioned Russian economy, nearly two months into Russian President Vladimir Putin's invasion of Ukraine, his country's oil exports to Europe and nations such as India and Turkey have actually risen. And its financial sector is so far avoiding a serious liquidity crisis," end quote. Quote, "Sanctions may work in the long run, experts say, but for now, many of the same countries that are sanctioning Russia are still seriously undercutting their efforts by buying energy from them, in some cases in even larger amounts during April than in March," end quote. 

Tre Hester: For its part, Bloomberg reports, Russia has imposed counter-sanctions on both Poland and Bulgaria to punish them for their support of Ukraine, cutting off deliveries of natural gas to those countries. Neither Warsaw nor Sofia seems likely to knuckle under the pressure. The Register also reports that the first significant Chinese company to shutter its operations in Russia is drone manufacturer DJI, which has also suspended operations in Ukraine. 

Stonefly, straight outta Pyongyang (or some comfy hotel in China).

Tre Hester: Two new reports of North Korean cyber activity were released today. Symantec is tracking a resurgence of cyber espionage by Stonefly, also known as DarkSeoul, BlackMine, Operation Troy and Silent Chollima. The most recent attack, which began in February, has been against, quote, "an engineering firm that works in the energy and military sectors," end quote. It's believed Stonefly exploited a Log4j vulnerability on a public-facing VMware View server. Stonefly pivoted from there to compromise 18 other systems in the network. Narrowly focused on technical intelligence, Stonefly makes heavy use of commodity malware. 

And Lazarus is back (and not in the good way).

Tre Hester: The other report on DPRK cyber ops comes from Zscaler, which is following the Lazarus Group's recent activities: an ongoing spear-phishing campaign whose phishbait is typically related to cryptocurrency and whose phish hook is concealed in a Lazarus-controlled Dropbox account. Correlation of domains identified earlier with the Lazarus Group led Zscaler to connect the campaign to Pyongyang's best-known threat actor. 

All you Russian snitches: Foggy Bottom wants to hear from you.

Tre Hester: And finally, the U.S. Department of State has added six Russian GRU officers to the Rewards for Justice program. The six Russian operators, all members of Unit 74455, also known as Sandworm, Voodoo Bear, Telebots and Iron Viking, are wanted in connection with the NotPetya attacks. The six GRU hoods are alleged to have been, quote, "members of a conspiracy that deployed destructive malware and took other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers," end quote. Information on the six can draw a reward up to $10 million. So step right up, Russian citizens. If you see something, say something. 

Tre Hester: Dave sat down with Jon DiMaggio from Analyst1 to discuss his new book, "The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime." 

Jon DiMaggio: You have to be really creative, meaning, you know, when we see these stories that are going across, you know, most newspapers and headlines, they're bad guys that have found really creative ways to break into networks. And one of the big differences to most threats out there, you know, these advanced organized threats, especially nation-states, you know, if you stop and you mitigate their attempts to get into your network - they're not done. They're going to come back a different way. There's a human behind it. And, you know, they call them persistent threats for a reason. So you have to treat them differently. 

Jon DiMaggio: And so when I say, you know, sort of the art of that, you have to think like a bad guy, out of the box. You can't just wait for automation to tell you that there is a bad event taking place. You have to go in and hunt for a human 'cause that is literally what's behind it. It's a human behind a keyboard that is being creative and finding ways to get around your defenses. So you can't rely on automation for that. You as a threat hunter, as a defender, you have to proactively go and search for these things. And in doing that over the years, you know, I just found that a lot of - and I don't mean this in a negative way because it's the way that we teach cybersecurity today - is a lot of, you know, analysts, they just - they rely too heavily on, you know, security resources and tools to alert them that something bad is happening. And the reality of it is that often, bad guys get into your network, and then they use the tools that are already there, and there's never an alert that's going to go - even going to go off. So whether it's finding a new, creative way to exploit a vulnerability in your network or whether it's, you know, finding legitimate use of tools that do bad things, you have to go hunt, and you have to be creative about it. And it changes. You have to change with the bad guys, and you have to be creative on how you do that. So that's why I felt like the word art, if you will, was the best description of the content of the book. 

Dave Bittner: Yeah. What do you hope people take away from the book? When they are done reading and they put it down, what lessons would you like them to have learned? 

Jon DiMaggio: That is a great question, Dave. You know, I think that if I - if there's one thing I would want analysts to take away from this is to change their mindset on how they look at threats and how they track those threats. And what I mean by that is, you know, the reason that there are so many organized attackers that have success is because we think too much about defending from a traditional aspect. And the - I guess the one thing I would want analysts to really do is to remember that there is a difference between an advanced attacker and your traditional attack. And though it might only be 10% of the activity that you - or less that you see a year, those advanced attacks have to be treated differently because it is a human behind it. And, you know, when you analyze these real-world threats, you have to really take in and assess, is this - you know, is this something that is a small-level, day-to-day attacker? Or could this be, you know, a cybercriminal gang? Or could this be a government state-sponsored threat? And, you know, I teach in this book how to actually profile, though, when you do have an attack, and how to take that data and reverse it to use against your adversary to learn and create intelligence about them that you can now defend with. So I really want to change the thought process that analysts have when they see threats. You know, like any job, I feel like we just get, you know, too almost bored with what we do, and we just get too content, and adversaries are not. So I really want - you know, I want to inspire analysts to use the methodology and the resources that I talk and teach about in this book in their day-to-day job and to remember to be creative and to hunt for threats and to not sit and wait for things to appear on a screen to tell you that something bad is happening. 

Tre Hester: That's Jon DiMaggio from Analyst1. 

Tre Hester: Dave recently sat down with Richard Hummel of NETSCOUT to discuss their biannual threat intel report. 

Richard Hummel: In this report, we talk about the triple threat. And we've been talking about triple extortion now for the past year, year and a half. And what this is, is adversaries typically involved in the ransomware game - either ransomware as a service or deploying it themselves - have been adding tools to their portfolio so that they can then apply more levers and get people to pay that ransom. And so the idea of triple extortion is ransomware, followed by data theft and holding that data hostage, and then following it up with a DDoS attack to deny services at the actual network layer or systems and services that you might be running. And so we're seeing more and more of these adversaries get into this triple extortion game. And even worse, we're seeing some ransomware gangs realize that DDoS in and of itself can be a tool to extort payment from victims. And so as we start to see more of this, these ransomware operators are very sophisticated. They're good at what they do. And you can just look at their revenue return to realize that. What happens when they start getting into these more sophisticated DDoS operations and applying that same kind of sophistication? And so this is a phenomenon that we expect to see continue. 

Dave Bittner: Yeah. One of the things that caught my eye in the report was just how inexpensive DDoS-for-hire services have become. Can you give us some insights there? 

Richard Hummel: So this was actually an eye-opener for myself as well. In fact, you know, I was talking to somebody similar to you, Dave, and we were getting on the topic of this DDoS for hire or what the costs are. And I had somebody come to me and say, hey, what is the average cost of a DDoS attack? And my gut reaction was 10, 20 USD. And I didn't really know. And when I started looking, did anybody else know? Were there blogs? Were there reports? There aren't a lot of people that talk about this. And so I put on my little gray hat. I got my malware lab out, and I said, all right, let's go spelunking. And so I logged into about 19 of these DDoS-for-hire platforms. And it turns out that all 19 of the ones that I looked at, they have a free tier of service - free tiers to launch things like DNS amplification, NTP, CLDAP and even some of the TCP-based stuff. And so the barrier to entry is no longer present. There is zero reason to keep somebody from launching a DDoS attack. It used to be you had to have a crypto wallet, or you had to have some know-how, or you had to install a tool. But now all you have to do is get a VPN connection or a Tor browser, find one of these DDoS-for-hire platforms and input an IP address of your victim and boom. There you go - barrier to entry, gone. 

Dave Bittner: Yeah. And I suspect - I mean, that could tie directly back into what we were talking about with the ransomware gangs because if I can, you know, send a warning shot across their bow with a free DDoS attack that I've gotten from someone else, you know, that could rattle their cage a little bit. 

Richard Hummel: Absolutely. And a lot of the DDoS attacks we see associated with this triple extortion or these ransomware operations, they do look like they're sourced from booter/stresser services - another name for DDoS-for-hire platforms - because we look at the duration of these attacks, we look at the types of attack vectors, the bandwidth, the throughput, otherwise known as volume and speed. And we can look at all of these things in concert, and we can look at it across the entire global footprint. And now we can say that, look, all of these have a similar pattern. They have an upper bandwidth. They have an upper throughput. They have average durations that are much shorter than something sourced from a botnet. Now, that's not to say you can't use botnets from these platforms, but by and large, the DDoS-for-hire platforms use reflection amplification. And so a lot of times, yeah, in these triple extortion events, you'll see these booter/stresser platforms being used as part of that toolkit. 

Dave Bittner: And where do we stand in terms of defending against these sorts of things? What is the state of the art there? 

Richard Hummel: So knock on wood here, but the vast majority, if not all, of the DDoS attacks so far that we've seen come from these DDoS-for-hire platforms - these booter/stresser services - can be mitigated by just being prepared and having some form of defensive protection mitigation posture in place. Now, a lot of people say, hey, I have a firewall. It's going to protect me. Maybe it might protect you from some of these attacks, but what happens when your state tables fill up? Or, you know, maybe I have IDS/IPS, so I'm going to detect these, and then I'm going to offload the traffic. But the thing with DDoS is it's very fast and very furious. Is that going to happen fast enough to be able to keep your services online, to keep that lag out? If you're a service provider, how do you handle that, right? You don't want lag. You don't want your customers to have connection issues and drop issues because that's what generates user complaints. And then all of a sudden, you have users going elsewhere for their services. So the key here is preparation. Preparing is 80% of the battle when it comes to DDoS. And if you understand that you will be a target at some point, whether you are the direct target or you are collateral damage, DDoS attack traffic will hit you or affect your life at some point in time. Understanding that and realizing that and then taking steps to prepare against it are going to go a long way to be able to protect you against these kinds of attacks. 

Tre Hester: That's Richard Hummel from NETSCOUT. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.