The CyberWire Daily Podcast 5.10.22
Ep 1575 | 5.10.22

Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.

Transcript

Dave Bittner: Russian television schedules were hacked to display anti-war messages. A phishing campaign distributes Jester Stealer in Ukraine. The European Council formally attributes the cyberattack on ViaSat. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang REvil does indeed seem to be back. More Joker-infested apps are found in Google Play. Ben Yelin looks at digital privacy concerns in the aftermath of the potential overturn of Roe v. Wade. Our guest is Nick Adams from Differential Ventures with a VC's perspective on what will drive continued growth in cybersecurity. And Spain's spyware scandal takes down an intelligence chief.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, May 10, 2022.

Dave Bittner: We begin with a quick note on Russia's hybrid war against Ukraine for useful context. More analysts see a growing possibility of outright Russian military defeat, even with Russia's war aims having contracted to the conquest of the Donbas. It's worth remembering that only 75 days ago, Moscow was demanding demilitarization and de-Nazification, effectively unconditional surrender as a precondition for negotiations with Kyiv. The post-mortems on President Putin's Victory Day speech agree that it's suggested a continuation of current war policy, a reluctance to ask more sacrifice from Russians and an insistence on NATO's ultimate responsibility for Russia's invasion of Ukraine. The big parade itself received indifferent reviews as a spectacle of menace, especially from the more gung-ho British tabloids, like The Sun, which packed as much derision as we think it humanly possible to achieve in its screamer headline "Vlad-tastrophe: Inside Putin's Damp Squib Victory Day Parade from Tyrant's Feeble Speech and Hacked Live Feed to Slimmed Down Military." All that's missing is the cover version of "Sweet Caroline."

Dave Bittner: HackRead reports that yesterday, as the big victory parade was about to begin in Moscow, Russian television schedules were disrupted to display an anti-war message. The message said, on your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war. Children's television programs flashed shorter messages, no to war and the authorities lie. The messaging was fairly widespread. Most major Russian TV outlets were affected. There's no attribution yet. It could be hacktivism. It could be Ukraine's IT army. Or it could be a nation-state operation.

Dave Bittner: CERT-UA warns that a social engineering campaign distributing Jester Stealer malware is in progress. The phishbait used to induce Ukrainian targets to bite is a warning of a chemical attack. The phishhook is an XLS document with a malicious macro. BankInfoSecurity points out that one unusual feature of Jester Stealer is that it uses a Telegram channel, as opposed to more conventional command-and-control infrastructure, to deliver the information it collects. The malware itself is a commodity product freely traded in the criminal-to-criminal market. Again, there's no attribution yet. It could be state-directed, or it could simply be criminals seeking to profit from the unsettled state of a country under attack by a bigger neighbor.

Dave Bittner: The European Council today formally attributed the February 24 cyberattack against Viasat's KA-SAT network to Russia. The attribution was laced with condemnation. Interference with the KA-SAT network was one of the few Russian cyber operations of the war to, first, enjoy a measure of success. It was also, as the EU communique notes, one of the attacks that spilled over to nations other than Ukraine. The attack's timing suggests it was intended to serve as preparation for Russia's invasion. 

Dave Bittner: Reuters reports in an exclusive that the U.S. administration is increasing its scrutiny of Kaspersky amid concerns that the security firm's widely used tools, already restricted from use within the U.S. government, could be exploited by Russia for intelligence and cyber operations during Russia's war against Ukraine. The departments of Justice and Commerce are said to be considering using national security measures put in place during the previous administration against the Russian software company. Kaspersky has long denied that it's susceptible to the kind of pressure from Moscow that Western governments have feared. Those skeptical of the company point to an obvious reading of Russian domestic law that requires companies to cooperate with the government in precisely the ways that have aroused concern. Neither Kaspersky nor the U.S. departments of Justice or the Treasury replied to Reuters' requests for comment. 

Dave Bittner: President Rodrigo Chaves of Costa Rica has declared a state of emergency as the government works to recover from a Conti ransomware attack. According to BleepingComputer, Conti claims to have hit and taken data from the Costa Rican Finance Ministry, the Ministry of Labor and Social Security, and the Social Development and Family Allowances Fund. Other agencies whose operations are reported to have been affected include the Administrative Board of the Electrical Service of the Province of Cartago; the Ministry of Science, Innovation, Technology and Telecommunications; the Ministry of Labor and Social Security; the Social Development and Family Allowances Fund; as well as a variety of other government agencies. Conti is a privateering gang that says it hacks in the Russian interest as well as its own, but this particular campaign seems primarily financially motivated. 

Dave Bittner: BlackBerry has released a report on DCRat, also known as DarkCrystal RAT, a discount commodity malware tool offered in Russophone criminal-to-criminal markets. It is, according to BlackBerry's researchers, the work of a lone actor offering a surprisingly effective homemade tool for opening back doors on a budget. It can be had for as little as six bucks - and even less when it's on special. Why it's so inexpensive is unclear. BlackBerry speculates that the developer may be more interested now in market share than immediate profit, or perhaps the work is more hobby than livelihood. In any case, DCRat is under active development and still on offer - dirt cheap. 

Dave Bittner: The gang behind REvil is likely to be back. That's Secureworks's conclusion. Their researchers have found that samples of REvil obtained since the Gold Southfield group resumed operation last month strongly suggest access to the ransomware's source code. The malware also seems to be under active development. 

Dave Bittner: The Hacker News reports that more Trojanized apps have been found in the Google Play Store, where they're seeking to spread to compromised Android devices. Joker has been used in apparently legitimate apps for billing and SMS fraud while also performing a number of actions of a malicious hacker's choice, such as stealing text messages, contact lists and device information. 

Dave Bittner: And finally, the long-running spyware scandal in Spain has taken down one of that country's senior intelligence officials. The Washington Post reports that Paz Esteban is to be relieved as the director of the National Intelligence Center, familiarly known by the acronym CNI. The scandal is twofold, with both an intelligence and counterintelligence aspect. On the intelligence side, CNI has been criticized for its role in installing spyware in the devices of Catalan separatists. On the counterintelligence side, similar spyware was found in senior government officials' phones, including those used by Prime Minister Pedro Sanchez, Interior Minister Fernando Grande-Marlaska and Defense Minister Margarita Robles. That spyware, NSO Group's Pegasus tool, had been placed there by an unknown party, probably foreign. The first offense was illicit surveillance. The second offense was, why did it take CNI a year to realize that some parties unknown had access to senior officials' phones? 

Dave Bittner: 2021 saw record levels of venture capital investment in cybersecurity, with Crunchbase reporting over $20 billion poured into the sector globally. We are well into 2022, of course, and for a reality check on VC activity, I checked in with Nick Adams, founding partner at Differential Ventures, a seed stage VC fund that invests in B2B data-oriented technology. 

Nick Adams: Things are definitely cooling down, especially at the later stage of venture capital as capital markets come down. Certainly, private market valuations are quick to follow at the late stage of venture. Definitely seeing that in certain sectors like e-commerce and fintech. At the earlier stages, it's not quite there yet. You know, we invest in the seed and in Series A stage. There's definitely been a cooldown in activity, but valuations are still relatively high. But in the cyber world, things are definitely marching on at a pretty steady pace, and there's probably a few drivers of that just in terms of industry adoption historically, so catching up a bit, but also just some healthier market dynamics, again, in terms of the available capital still in the venture ecosystem and the, you know, pending challenges that remain just in the overall cybersecurity ecosystem bode pretty well for cyber to continue on at a stronger pace relative to some other industries. 

Dave Bittner: Is it fair to say that there's an adequate level of funding available for those who are out there trying to make their mark in cyber? 

Nick Adams: There definitely is, no question. The good thing about venture capital - good or bad thing about venture capital, depending on your perspective - is that the capital is pretty well-committed, so it's still out there for VC funds. So you know, angel investors, family offices, some corporates may pull back. But VC funds, for the most part, their capital is pretty predictable, and frankly, I think a lot of money has been sitting on the sidelines waiting for a bit of a market correction to pour into some of the more favorable spaces at better valuations than we've seen over the last few years. So I think there's plenty of money out there, and especially for some of these sectors that are still growing pretty drastically in terms of their actual business need in the enterprise and consumer markets. 

Dave Bittner: Are there any common mistakes that you see, any pitfalls that people experience regularly? 

Nick Adams: You know, I think one of the areas that we see from a technology perspective, particularly with our thesis around data, is kind of unfulfilled promise of data-driven solutions in cybersecurity. It really hasn't come to fruition, given the number of challenges just around data sets and the possibility for actually creating more cybersecurity risk with AI-oriented security solutions. So I'd be careful about how you position and go about building any cybersecurity solution that promises to be AI-oriented, machine-learning oriented because there are still a lot of complex challenges that haven't come to fruition around just the overall data sets and the risk that can come from how you train an algorithm down the road. 

Dave Bittner: What is your advice for the folks who are out there looking for funding? What sort of words of wisdom do you have for them? 

Nick Adams: Stay with it. I would definitely - cybersecurity is a unique beast in a lot of ways in that, historically, most funds that are going to be comfortable in this space investing at the seed or pre-seed stage are - have a more technical background. So certainly seek out those VC funds that understand cybersecurity technology more broadly - more in-depth, I should say. If you're later stage, at the growth phase of an organization - so you're going out for Series A and Series B - there's always growth-stage capital out there. 

Nick Adams: Historically, Series A and beyond capital in cybersecurity in particular has been pretty heavily concentrated for some of the more focused and larger funds like Accel or NEA. I think at the pre-seed and seed stage, there are some more technical funds, like ours, that are interested in looking at technology and the team behind it that can build great solutions, maybe in advance of a whole lot of product-market fit proof points. So I'd definitely look for funds that know - that understand the technology and have good connections into go-to-market strategy in the cybersecurity world, again, in a space that is largely worked on partnerships with a lot of the larger OEMs and resellers in the space - but increasingly seeing CISOs, you know, branching out and looking for more innovative early stage technology on their own. So I do think there's an opportunity to sell more directly before embarking on a well-informed partnership strategy in this space as well.

Dave Bittner: That's Nick Adams, founding partner at Differential Ventures. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more importantly than that, he is my co-host over on the "Caveat" podcast. Ben, it's great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: You know, you and I have talked about some of the, you know, digital exhaust that we leave when we're using our mobile devices and the ability for folks to de-anonymize that and track us and the policy implications of that. You know, in the news right now is this very important and big story about the leak of a Supreme Court draft potentially overturning Roe v. Wade. And this has created a strong response from a lot of folks on the privacy side of things worried that if someone were to get an abortion, that perhaps their phone would know that they did that even if they wanted to keep that private. 

Ben Yelin: Right. So this is less of an issue about the underlying substance of whether you believe in the right to choose or not. 

Dave Bittner: Right. 

Ben Yelin: This is a story about data collection. And a lot of privacy and civil liberties advocates are worried that in states where abortion is going to be criminalized, there's going to be an effort to obtain very private and personal data from people in order to prosecute individuals for obtaining illegal abortions. It looks like with this Dobbs decision - that's going to come down probably in June - Roe v. Wade will be overturned. Abortion will be left up to the states. And states can criminalize abortion, at least according to the draft of this decision, in a variety of ways. And depending on the individual state, there are going to be some enforcement mechanisms in trying to figure out people who have had abortions or are planning on getting abortions for the purposes of criminal prosecutions. So there are a few very specific concerns about data collection related to abortions. 

Dave Bittner: Yeah. 

Ben Yelin: The first is location data. So there's going to be a movement in states that outlaw abortions for individuals to go to other states to obtain abortions. So far, there aren't laws on the books restricting people from this type of interstate travel. But there very well could be. And there's a lot of information about our whereabouts that's stored on our devices, whether it's powering Google Maps or any other maps application or many other services. And the fine print in those EULAs that none of us read allows companies to sell that information to other companies.

Dave Bittner: Right. 

Ben Yelin: Those companies can make that information available to advertisers or whoever wants to pay for it. And maybe a state law enforcement agency or a local law enforcement agency would want to pay for that data to identify women who have traveled across state lines to obtain an abortion. 

Dave Bittner: Right. 

Ben Yelin: Of course, they say all - the companies will say all of this data is anonymized, but we've talked a million times about how you can really develop a dossier on an individual person. 

Dave Bittner: Yeah. 

Ben Yelin: If their device is always at the same address at night and always at the same address during the day... 

Dave Bittner: Right. 

Ben Yelin: ...You can pretty easily figure out who that person is. 

Ben Yelin: Second concern is about search and chat histories. So companies like Google keep records of your Google chats. If you're having a conversation in one of these applications about getting an abortion, prosecutors could use these types of searches as evidence in a criminal trial. And this isn't entirely theoretical. In 2017, prosecutors used internet searches in the state of Mississippi to find out whether somebody was searching for abortion drugs. So they put that in their search bar. That was evidence that was obtainable with a subpoena. And prosecutors used that data as evidence of a fetal homicide in the state of Mississippi. So this is definitely something that does happen. 

Ben Yelin: I think the creepiest, in terms of invasions of privacy, are these so-called reproductive health apps, which largely track menstrual cycles. 

Dave Bittner: Right. I've seen a lot of calls on social media of people saying, you know, delete your period tracking apps.

Ben Yelin: Yeah. I honestly think that would be a wise move if this is something that you're concerned about. There have been a couple of these applications who have already gotten pushback for playing fast and loose with this data. One of these companies, Ovia, was sharing aggregate data on some of their users' family planning with their employers. That happened in 2019. The FTC had to settle with an app, Flo. That app promised to keep users' data private, but then shared it with marketing firms, including Facebook and Google. You know, some people would say, how is this not covered by HIPAA? It is private health information. Well, these applications don't count as covered entities under HIPAA. 

Dave Bittner: Right. 

Ben Yelin: So they are not obligated to follow the terms of that law. So if you have that application downloaded, you use it, and you've accepted the terms and conditions, state prosecutors in some of these states that are going to outlaw abortion might use the data on these applications as evidence in a criminal trial based on whether you've missed certain menstrual cycles. This sounds very 1984. It is. I think this is why it's of such great concern. So I think regardless of how you feel on the underlying policy issue here, I think this is about an invasion of digital privacy for companies and law enforcement agencies collecting information that's just extremely personal. 

Dave Bittner: Yeah. 

Ben Yelin: And all of this is legal and is a practice that's relatively common. 

Dave Bittner: Yeah, I mean, I think that's a really interesting point because, you know, the - law enforcement in the states who are, we presume, going to outlaw abortion would say, well, we're just making use of the tools that are available to us to enforce the laws that are on our books, and that is our responsibility to do so. So to me, what this - part of what this sort of shines a light on is that everyone needs to take a personal responsibility for their own digital privacy, that you can't just rely on regulation to - if this is something that's important to you - to potentially keep you safe from the type of surveillance that we're going to see out there, right?

Ben Yelin: Right. I mean, I think not just in this area, but in every other area, people have to be cognizant of the information they're storing on their personal devices... 

Dave Bittner: Yeah. 

Ben Yelin: ...And recognize how easy it is for that data to get into the wrong hands. Whether that's data brokers who are going to exploit your personal information to try to sell you stuff, or that's the government who's going to use some of the most intimate data imaginable to prosecute you under these new state laws, I think everybody has to take stock of exactly what they're sharing on these devices and on these applications. I mean, I think the legal system is not going to do it for us. There are very few protections against this type of mass data collection. So it really is up to individuals, and I think that's a message that privacy advocates are trying to get out there, that it is incumbent upon all of us to make those decisions for ourselves and for our loved ones. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.