The CyberWire Daily Podcast 4.28.22
Ep 1567 | 4.28.22

Russia and Ukraine trade cyberattacks. Chinese intelligence services look at Russian targets. Five Eyes advise on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Name that mascot.


Tre Hester: Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise on routinely exploited vulnerabilities. Linda Gray Martin and Britta Glade from RSA discuss what's new at the RSA Conference and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast, "Cyber CEOs Decoded," coming to the CyberWire network. And hey, kids, name that mascot.

Tre Hester: From the CyberWire Studios at DataTribe, I'm Tre Hester with your CyberWire summary for Thursday, April 28, 2022. 

Tre Hester: As Russia continues its firepower-intensive assault in eastern Ukraine and supplements it with attacks farther west, intending to interdict Ukrainian supply lines, where have the cyberattacks been? It turns out they've been made, but they haven't taken the expected form.

Microsoft summarizes the scale of Russian cyberattacks against Ukraine.

Tre Hester: So Russian cyberattacks have failed to develop into either widespread pests, like 2017's NotPetya, or locally disruptive attacks against critical infrastructure, like Russia's cyberattacks against portions of the Ukrainian power grid in 2015 and 2016. Both were expected, neither has materialized. This doesn't mean, however, that Russian cyber operations have been idle in the hybrid war against Ukraine. Yesterday, Microsoft released a detailed report on Russian cyberattacks against Ukraine. The accompanying blog post summarizes: quote, "Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine, including destructive attacks that are ongoing and threaten civilian welfare. The destructive attacks have also been accompanied by broad espionage and intelligence activities. The attacks have not only degraded the systems of institutions in Ukraine, but have also sought to disrupt people's access to reliable information and critical life services on which civilians depend and have attempted to shake confidence in the country's leadership. We have also observed limited espionage attack activity involving other NATO member states and some disinformation activity," end quote. 

Tre Hester: Redmond sees them as combat support operations key to events on the ground. Since the war isn't approaching its end, Microsoft argues that it's reasonable to expect more Russian cyberattacks and that we shouldn't assume that other countries, particularly NATO countries sympathetic to Ukraine, will continue to experience relative immunity to Russian cyberattacks. It's worth stressing that such immunity as NATO countries have enjoyed is a relative immunity only. Russian cyberespionage and especially Russian privateering against Western targets have continued at their customary, familiar levels. Microsoft's recommendations will be familiar to any who have followed CISA's Shields Up warnings. 

Russian cyber capabilities should be neither overestimated nor underestimated.

Tre Hester: Microsoft's report is a useful reminder that while Russia's cyber operations have enjoyed less success than had been widely expected during the runup to the war, they've been neither completely ineffectual nor inactive. The Wall Street Journal offers a different perspective, this one from Ukraine, which has endured a much more protracted and intimate familiarity with Russia in the fifth domain. Victor Zhora, deputy chief of Ukraine's State Service of Special Communication and Information Protection, said, quote, "Russian cyber offensive operations likely reached their full potential, and we do believe the international community will be able to keep them at bay. They did not offer anything special during these two months," end quote. He sees this as indicating that cyber operations are difficult and take time to prepare, and that Russia has found itself unable to scale their cyberwarriors. Zhora acknowledged Russian capabilities and said that Moscow's cyber operations had paid particular attention to Ukraine's energy and telecommunication infrastructure. That attention, however, hasn't paid off for them in a big way, as both sectors have continued to function under stress. 

Tre Hester: The most important and potentially serious threat to Ukrainian infrastructure was the largely contained use of evolved Industroyer malware against electrical power distribution. The U.S. linked the attempt to Sandworm - that is, Russia's GRU military intelligence service - an attribution that Russia has consistently denied with some show of indignation. Nozomi Networks yesterday published its assessment of Industroyer2. Whatever else the GRU operators who ran the attack may be accused of, shyness and reticence are not among them. 

Russia has also come under cyberattack during its hybrid war.

Tre Hester: It's worth noting that Russia hasn't been immune to Ukrainian cyberattacks - particularly intelligence collection and distributed denial-of-service attacks from Kyiv's IT army, a largely volunteer effort that responds to the direction of Ukrainian intelligence services. Wired reports that hacktivists, volunteers and intelligence services are all playing a role. Quote, "hacktivists, Ukrainian forces and outsiders from all around the world who are taking part in the IT army have targeted Russia and its business. DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that's designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks," end quote. 

Tre Hester: This kind of hostility is, for Russia, unfamiliar territory. Quote, "the attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware gangs have links to Russia and don't target the nation. Now it's being opened up. Russia is typically considered one of those countries where cyberattacks come from and not go to," Digital Shadows' Stefano De Blasi told Wired. 

Tre Hester: Ukrainian countermeasures shouldn't be underestimated either. At today's Global Cyber Innovation Summit in Baltimore, we're hearing that our Ukrainian colleagues, as Kyiv's cyber operators are being called, have been not only effective but absolutely heroic in defense of their country's networks. 

Chinese intelligence services are paying close attention to Russian targets.

Tre Hester: Researchers at Secureworks reported yesterday that the Chinese government threat group Secureworks calls Bronze President, but which is also known as Mustang Panda, RedDelta and TA416, has turned its attention to Russia, hitting Russophone targets with an updated version of its PlugX malware. This represents a shift in targeting. Mustang Panda had previously specialized in South Asian and especially Southeast Asian targets. The attention to collecting against Russia suggests that Beijing is closely interested in the progress of Russia's war against Ukraine. 

The Five Eyes advise on “routinely exploited vulnerabilities.”

Tre Hester: Five Eyes intelligence and security services have issued a Joint Cybersecurity Advisory that describes 2021's top routinely exploited vulnerabilities. Log4j, ProxyShell, ProxyLogon and ZeroLogon issues figure prominently in the list. The agencies who contributed to the report include the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the U.K.'s National Cyber Security Centre. 

Physical sabotage as cyberattack.

Tre Hester: Reuters reports that French authorities are investigating what appear to have been coordinated attacks of sabotage that physically severed lines delivering internet and telephone services in that country. Quote, "the French Telecoms Federation said attacks of vandalism had impacted telecoms networks in several regions," end quote. 

Name that mascot.

Tre Hester: And, finally, Task & Purpose reports that the U.S. Air Force has a new mascot to help it with "marketing" and "brand awareness" for its cybersecurity awareness campaign, and that the Service is asking the Internet to help name it.

Tre Hester: Dave sat down with Linda Gray Martin and Britta Glade from RSA to discuss what's new at the RSA Conference and cybersecurity trends. Here's Linda to kick off the conversation. 

Linda Gray Martin: Oh, yeah. Well, you know, first of all, we're so thrilled at the prospect of planning to be back together in person in June. I think we're so ready for it at this point. And, you know, certainly, with the people that we're speaking to and interacting with on a daily basis, you can feel the excitement. It's like - it's two months to go. So I just thought, you know, we'd start by giving you a little bit of an overview of what you can expect... 

Dave Bittner: Sure. 

Linda Gray Martin: ...At this year's conference, if that's OK - maybe look at some of the new things. So first of all, just from a very operational point of view, when we last met in 2020, in person, the conference was five days, but it's actually going to be four days this time - so Monday to Thursday. And we've been thinking about shortening the event just by that one day for the last kind of two, three years. But we started to get direct feedback from our attendees that, you know, a lot of people would leave on Thursday. They want to be home for the weekend, which we completely understand. And I think with the pandemic, all the indications point to events being shorter in length. So it's a big change for us. But I do want to just point out to the listeners that we're not necessarily offering less content, we're just distributing it differently. But you're still going to get the same breadth and depth and quality and also, most importantly, just as many opportunities to earn CPE credits. So it's very important for our community. 

Britta Glade: We very consciously, as Linda mentioned, you know, in the shift to four days, we looked at how do we distribute time? How do we distribute engagement? The excitement for being back together again, we really have heavily valued the interactive opportunities, a lot of learning labs. They've always been super popular at RSA Conference. You'll see those distributed throughout the week, you know, starting bright and early 8:30 a.m. Monday morning with our track sessions as well as the labs. Birds of a Feather are distributed throughout the week. 

Britta Glade: Past years, we had, you know, kind of breakfast and lunch clumps. We know that people value those small group conversations both for the conversation as well as meeting new people. At the end of the day, being at a conference, being physically, you know, together, eyeball to eyeball, that's the opportunity to shine in growing that network. So you'll see Birds of a Feather distributed throughout the week as well. So we've really - overvalued is the wrong word, but heavily valued the face-to-face networking, talk to people, build relationships experiences across RSA Conference as a whole. 

Dave Bittner: You know, I think one thing that I'll add for folks who are getting together is that we've all spent so much time online together over the past couple of years. Don't be shy about introducing yourself to some of those people that you might know from afar or perhaps admire or look up to or just know their name. You know, they're going to be happy to see you. 

Linda Gray Martin: Hundred percent. I really - I think that's a really, really great point. I think, you know, we've learned talking to, you know, some of our closest colleagues that a lot of these people want to help others. They want to mentor people who are new to the industry or who have problems or challenges that they want to talk through. So, you know, I really believe that's a valid point. 

Britta Glade: Yeah. Or you're standing in line. Or you're sitting down, and the session starts in five, 10 minutes. Look to your right. Look to your left. Strike up conversations again. That's the beauty. And that's the secret sauce, I believe, of live events, that opportunity to grow, develop, network, to influence, to be influenced by others. And that's where we thrive as a community when we recognize the part that we play in the whole. 

Dave Bittner: Well, I know on behalf of myself and the group of CyberWire colleagues who are planning on being there, I'm looking forward to seeing both of you and all of our friends who we have not seen in quite a while. So we're only a few weeks away. We'll see you all soon. 

Linda Gray Martin: Thank you so much. We appreciate that. And we can't wait to see you, too. 

Tre Hester: That's Linda Gray Martin and Britta Glade from RSA. 

Tre Hester: Dave spoke with Marc van Zadelhoff of Devo about their new podcast, "Cyber CEOs Decoded," coming to the CyberWire network. 

Marc Van Zadelhoff: Obviously, as a cybersecurity CEO, I think a lot about how I do my job and what makes it unique in terms of CEO roles. And I love giving advice and sharing best practices with peers in the industry, having been in cybersecurity for over 20 years. And that spawned the idea of let's do a podcast where I talk to other CEOs about what it's like to be a CEO and the nuances of that versus other CEO roles. 

Dave Bittner: You know, it strikes me that in cybersecurity, I think we hear a lot from the CISOs or even the CSOs, but I think the CEOs tend to sit a little more quietly behind the scenes in a lot of companies. Are there unique stories that you're hoping to gather here from other CEOs in the field? 

Marc Van Zadelhoff: Yes. I think that there is a uniqueness to being a CEO in cybersecurity. In any other company you're thinking about your customers, your competitors. And then in the cybersecurity field, you have hackers as this total random, stochastic variable that enters into your role as a CEO, navigating how you push the company forward. And so I think there are a lot of interesting stories of the best-laid plans are foiled by some new idea that a hacker came up with, a new crisis that hits a new, you know, customer that is in trouble. And that makes it all quite unique to manage a cybersecurity company. 

Dave Bittner: What about that entrepreneurial journey itself? I mean, everybody has their own origin story, and there are different pathways to being the CEO. Is that something you're hoping to cover as well? 

Marc Van Zadelhoff: Yeah, exactly. There's a lot of interesting paths that I see as I've started doing this podcast. Some people spend their life in cybersecurity and always wanted to solve this problem, and others really come at it from the outside and enter into cybersecurity mid-career and just get a passion for it. I think what everybody notices is once you're in cybersecurity, it's, in a way, like a religion. And once you enter into it, as a CEO as well, you really get this passion for solving this societal problem that's bigger than a lot of passions that you feel in other roles. 

Dave Bittner: You know, one of the things that I really enjoy about your show is that because you are a CEO yourself, I think that leads to your guests really being open and honest about their journeys, and that includes some of the challenges and even failures along the way. 

Marc Van Zadelhoff: Yeah. I think it's really important and I think maybe that's the more contemporary CEO that is able to be vulnerable and really upfront about what it's like to have the job. And I think that's maybe hopefully - maybe it's my hope as much as the reality - speaking to where I think society is at, right? We're looking for authenticity. We're looking for people that are real. We're looking for people that don't just do their jobs but also have families and have things to balance. And I think all of that comes out as we have these discussions on the podcast. 

Dave Bittner: Can you give us a little preview of some of the conversations you're going to have? Who are some of the folks who are representing here? 

Marc Van Zadelhoff: First two are - one is with Brendan Hannigan, who is the CEO of Sonrai Security. They're in the cloud data and identity space. And they - Brendan has an amazing career - immigrated to the U.S. from Ireland and has run a number of companies, including Q1 Labs, which he sold to IBM. He was the general manager of IBM Security where he and I intersected - and then was an investor with Polaris and is now the CEO of Sonrai. Another one is Patrick Morley, who had a similarly interesting journey, ended up as the CEO of Bit9, which eventually became Carbon Black and went to IPO and was sold eventually to VMware - so two really interesting stories of CEOs that have kind of navigated companies through various stages of fundraising, of M&A, of IPO and of sale. 

Dave Bittner: It also strikes me that it could be helpful for those people who are just getting their start in the industry to have a better perspective on what's going on in the minds of the people who are running these companies. As you're trying to make your way up the ladder, having these behind-the-scenes insights can certainly be helpful. 

Marc Van Zadelhoff: No, exactly. I think it's a way of getting mentorship to people that are making their way up into the industry. 

Tre Hester: Thanks again to Marc van Zadelhoff of Devo, who is the host of the Cyber CEOs Decoded podcast, which is joining the CyberWire network today. You can find the first episode of Cyber CEOs Decoded on all of your favorite podcast apps. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.