The CyberWire Daily Podcast 5.2.22
Ep 1569 | 5.2.22

Cyber sabotage and cyberespionage. Updates on Russia’s hybrid war against Ukraine. REvil seems to have returned.


Dave Bittner: Cable sabotage in France remains under investigation. Spearfishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week's DDoS incident was retaliation for Bucharest's support of Kyiv. Rick Howard is dropping some SBOMS. Carole Theriault reports on virtual kidnapping. And REvil seems to be back after all.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 2, 2022. 

Cable sabotage in France remains under investigation.

Dave Bittner: The sabotage incident in which fiber-optic cables in France were cut, severing internet and telecommunications connections, is seen as exhibiting the vulnerability of infrastructure to physical disruption, CyberScoop reports. The incident remains under investigation. The sabotage is regarded as having been coordinated, but there's so far been no attribution. 

Spearphishing by Cozy Bear.

Dave Bittner: Cozy Bear, also called Nobelium or APT29, a threat actor associated with Russia's SVR foreign intelligence service, has continued to engage in cyberespionage against a wide range of diplomatic targets. The campaigns have achieved initial access through spearphishing, and they're marked, BleepingComputer reports,  

Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity.

Dave Bittner: Widespread and damaging Russian cyberattacks have yet to appear, but that's not entirely for want of trying. Nuisance-level distributed denial-of-service attacks have occurred, as have some relatively ineffectual wiper attacks against Ukrainian targets. Russia hasn't sustained any devastating cyberattacks either, but it's feeling the effects of a range of government-run and hacktivist attacks. Many of these have taken the form of doxing, and these too have been nuisance-level operations. 

Dave Bittner: But both the extensive participation of hacktivists and the novelty of the experience of coming under cyberattacks have, in the case of Russia, been striking. Russia had hitherto enjoyed a degree of immunity from criminal attack, for one thing. There were more lucrative targets elsewhere, many of the gangs were based in Russia and enjoyed Russian government protection, or at least benign neglect. And there's some opinion that they were deterred from hitting Russian targets by a fear of Russian ability to retaliate. Much of that immunity seems to have evaporated over the course of Russia's war against Ukraine. The Washington Post describes how this has changed. It's become, the headline says, a free-for-all. The article says, experts anticipated a Moscow-led cyber assault. Instead, unprecedented attacks by hacktivists and criminals have wreaked havoc in Russia. 

Dave Bittner: Particularly telling is a report from the Lithuanian security firm Surfshark, which has made a practice of tallying the number of leaked credentials and now finds that Russian addresses amount to more than half the world total. The Washington Post says, the number of presumed Russian credentials, such as those for email addresses ending in .ru, in March jumped to encompass 50% of the global total, double the previous month and more than five times as many published as were in January. They go on to quote Surfshark, saying, "the U.S. is first most of the time. Sometimes it's India. It was really surprising for us." All of this said, U.S. authorities continue to warn that Russia still poses a substantial cyber threat. C4ISRNet reports that testimony before Congress last week continued to emphasize that threat. 

Hacktivism and privateering.

Dave Bittner: No one has so far turned out the lights in Kyiv or Moscow, but a distinctive style of non-governmental activity has emerged. On the Russian side, this has been a continuation of the privateering that's long been in evidence. Some Russophone gangs, notably the Conti ransomware group, have expressed their patriotic adherence to Moscow's cause, but in general, they haven't enjoyed as much success as might have been expected. Criminal activity continues, but not with noticeably greater effect than has been seen before Russia's invasion of Ukraine. The gangs themselves have become targets of hacktivist reprisal, with the doxing of internal Conti chats being a prime example. Such doxing doesn't seem to have had much effect on Conti, at least in the near term, but the leaks may offer some useful insight into the gangs' organization and operations. 

Dave Bittner: The Ukrainian side has benefited from a surge of ideologically aligned hacktivism by Anonymous and others, who have received some encouragement and some targeting suggestions from the Ukrainian government via its volunteer IT army channels. An analyst at security firm Flashpoint told The Washington Post there are state institutions in Ukraine interested in some of the data and actively helping some of these operations. The Post quotes Distributed Denial of Secrets co-founder Emma Best as saying, "the sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of striking at an unjust regime or its supporting infrastructure." 

Dave Bittner: Distributed Denial of Secrets is a hacktivist data dump site that has prominently displayed some of the hacktivist take from Russian organizations. It hasn't by any means confined itself to Russian government data, but such data have recently been prominent on the site. Emma Best calls much of the hacktivism a symbolic pantsing of President Putin, saying, he's cultivated a strongman image for decades. Yet not only is he unable to stop the cyberattacks and leaks hitting his government and key industries. He's the one causing it to happen. 

The legal and prudential limits to hacktivism.

Dave Bittner: A YouTuber is calling for other hacktivists to join in a distributed denial-of-service campaign against Russia. That call, Bleeping Computer points out,, not only violates YouTube's terms of service but would also be illegal in most jurisdictions. And that means not just Russian jurisdictions but jurisdictions throughout the rest of the world as well. 

Dave Bittner: The tool being recommended and offered to would-be hacktivists, the Liberator, is murky in its workings and provenance. Perhaps it functions as advertised, but it's difficult to be sure. Bleeping Computer quotes a comment on the relevant YouTube channel by a user who goes by the screenname Junk. He's sympathetic to Ukraine's cause but warns that Liberator is a closed-source tool that transfers information about a user's device to a disBalancer server and that it does so through a nonencrypted channel. Avast warned last month about the risks involved in using such tools for hacktivist purposes. The users expose themselves to considerable risk, and besides, it's almost surely illegal. 

Applying lessons learned from an earlier cyberwar.

Dave Bittner: In 2007, Estonia was the target of Russian cyberattacks that significantly disrupted the country's financial and commercial sectors. The campaign, while it did not extend to physical invasion, nonetheless foreshadowed Russia's operations against Ukraine. Estonia's perceived affront was the relocation of a Soviet-era war memorial, the Bronze Soldier, that Russian state-controlled media seized upon as evidence of persecution of Estonia's Russophone minority. Estonia learned from the experience and has since become one of the countries that punches far above its weight in cyberspace. It appears, NPR reports, that Russia's playbook has not changed significantly since 2007 and that the lessons learned since then have served Ukraine and others who've come under Russian cyberattack as well. 

Romanian authorities say last week’s DDoS incident was retaliation for Bucharest’s support of Kyiv.

Dave Bittner: Romanian authorities have attributed the distributed denial-of-service attack government websites experienced late last week to Killnet, a threat actor that specializes in DDoS attacks conducted in the interest of Russia, The Record reports. The attack affected Romania's ministry of defense, its border police, the national railway and the OTP bank. Killnet claimed that the attacks were a retaliation for Romania's support of Ukraine in the face of Russia's invasion. 

REvil seems to be back after all

Dave Bittner: And finally, there's more evidence that the REvil ransomware gang is back from what appears to have been a temporary break. Its Tor network returned, Bleeping Computer  says, but researchers were looking for code that could be attributed to the gang. Researchers at Avast found  code samples that seem to connect the new activity to REvil. Rebranding appears to be underway, but the gang seems careless about covering its tracks. 

Dave Bittner: Cybercrime often mirrors or takes inspiration from tried-and-true, real-world criminal techniques - things like identity theft, fraud or harassment. Our U.K. commentator Carole Theriault files this report on virtual kidnappings. 

Carole Theriault: Virtual kidnappings are nothing new. In fact, they've been talked about for decades. But it seems that they may be on the rise once again, according to the FBI. Now, a virtual kidnapping is where a scammer pretends to have kidnapped a loved one and tries to get someone close to them to pay the ransom as soon as possible in order to secure their release. Typically, the FBI said, the virtual kidnappers will request payment through a wire transfer and push families to act quickly. Of course, in these virtual kidnappings, the loved one has not been kidnapped, may be safe at home or driving to day care. And sometimes it's too late for you because in the panic, you paid the ransom. The FBI said, quote, "Virtual kidnappers can be very convincing, often representing themselves as members of drug cartels or corrupt law enforcement." The caller might allege, for example, your daughter has been kidnapped, and you hear a female screaming in the background. That would get me jumpstarted. Another variant of the fraud has a family member being held because he or she caused an auto accident, says the scammer, and is injured and won't be allowed to go to the hospital until damages are paid. Callers will typically provide the victim with specific instructions to ensure the safe return of a family member. Targets may even be ordered to stay on the line until the money is wired and safely transferred. The caller even might claim not to have received the money and demand more payment. Not fun. 

Carole Theriault: So here's the FBI advice on how you can help avoid virtual kidnapping scams. One is never post news of upcoming travel dates and locations online, like in your socials. Have a secret password that family members can ask for in an emergency to confirm that the loved one is really in trouble. I mean, my husband and I have a secret word to say, let's leave this party now because we're done. But I've never had an emergency one. The scammer knows virtually nothing about the kidnappee, or the purported kidnappee, such as what they look like, where they were picked up, where they were going, where they live. And if they do call, they tend not to use the kidnapped person's phone, so you can't just check the number. When they call you, they will, obviously, like any scammer, try to really push up the stress so that you act quickly and don't think clearly. And they will try and keep you on the phone until you agree to pay the money, which means that you can't get off the phone to call your partner just to find out that they are at home. And the scammer may request that the ransom funds be wired to multiple people in several small amounts. 

Carole Theriault: The FBI asks anyone who believes they are targets of a virtual kidnapping to call 911 immediately and ask that the FBI be informed. So in reading all this, I'm thinking who is likely to be targeted in this type of scenario? And this would be people that post way too much personal information on social media and share it with too wide a group. If this sounds like you, there's no shame, but this is maybe a really excellent time to go check your social media settings for every channel you use and check your contacts to make sure that all the information you're sharing is with people that you trust. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Rick Howard. He's the CyberWire's chief security officer and also our chief analyst. Rick, always great to welcome you back to the show. 

Rick Howard: Hey, Dave. 

Dave Bittner: So on this week's "CSO Perspectives" podcast - which, of course, is over on our CyberWire Pro side of the house - you are pulling out your Rick-the-toolman toolbox, and you are going to drop some SBOMs. 


Dave Bittner: Software bill of materials. What have you got for us? 

Rick Howard: Man, we were talking before the show. I wish I would've thought of that before you just said that. That would've been perfect for the episode. 


Dave Bittner: Right. Right. 

Rick Howard: And so you know, Dave, that the idea of SBOMs has been in the news of late, mostly, I think, because President Biden signed an executive order on cybersecurity last year that compelled the U.S. government to use this concept to manage all of its software. 

Dave Bittner: Yeah. And I noticed in some of the coverage you've been doing that you refer to SBOM as a concept and not a tool. Is that deliberate on your part? 

Rick Howard: Yeah, it is because, you know, we really don't have a standard SBOM tool or platform yet. What we do have is a bunch of developing standards and requirements for tools that will - they will - these will all help us reduce the risk of software supply chain exposure, although vendors are starting to sell these SBOM platforms. But the idea of an SBOM, at this point, is still more of a concept than a reality. 

Dave Bittner: So when does it actually become a reality? What is it, and what could that do for us? 

Rick Howard: Well, in its simplest form, an SBOM is a formal record containing the details and supply chain relationships of various components used to building software. They're, like, lists of nested software components designed to enable supply chain transparency. 

Dave Bittner: All right. Well, what problem are we trying to solve here? 

Rick Howard: (Laughter). 

Dave Bittner: And I guess on top of that, why is it so important that President Biden would include it in a presidential directive? 

Rick Howard: I know. It's amazing this kind of geek detail would hit his level, but - so let me explain it this way. According to a report by Synopsys this year, 97% of commercial code has an open-source component. And within that 97%, 78% of that code is based on - is - all of that code base is open source. OK. So that was a lot of numbers. All right. Let me just restate that. 

Dave Bittner: In English for me, Rick - in English. 

Rick Howard: Yes. Yes. 

Dave Bittner: (Laughter). 

Rick Howard: So here's what it boils down to. Almost all commercial software is over three-quarters open source. 

Dave Bittner: Yeah. 

Rick Howard: So let that sink in. So that means that we, as a community, really have no idea where our software component parts are coming from, who built them and whether or not the people who did build them are even maintaining them. And it opens the door for all kinds of supply chain attacks that we saw last year against victims like SolarWinds, Accellion and Kaseya. So this week on the show, we're going to break open the Rick the Tool Man toolbox, like you said, and talk about the current state of SBOM evolution. 

Dave Bittner: All right. Well, listen, before I let you go, you also head up our efforts on a fun little podcast that we call "Word Notes." And that is where, each week, you try to parse the word salad that we love so much in the cybersecurity community. What are you covering this week? 

Rick Howard: Yeah. You know, I love "Word Notes." And it's just 5 minutes each week, but it's eminently bingeable. And it takes on the word that we are all familiar with and explains it and tries to determine how it fits into the cybersecurity zeitgeist. You know, in the last month, we've talked about Shields Up and DMARC and Pegasus. But this week's word, though, is DevOps. And most of us probably think that phrase is relatively new - say, the last 10 years. But we've traced the origin all the way back to 1994. So... 

Dave Bittner: Really? 

Rick Howard: If you like this kind of thing, just come check it out. It's fun for newbies. It's fun for veterans. So just come and give it a shot. I think you'll like it. 

Dave Bittner: All right. Terrific. Well, that is "Word Notes." And of course, there is also "CSO Perspectives" over on CyberWire Pro. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.