Privateering goes fully political. Compromised robots? Conti’s campaign against Costa Rica. Cyberconflict along the Nile. A reset in the cyber insurance market.
Dave Bittner: The Chaos ransomware group sides with Russia. Hacktivists claimed to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed international cyberattack against Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book "Security Metrics, A Beginner's Guide." Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast "Security Cleared Jobs." And the cyber insurance market experiences a reset.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 18, 2022.
Chaos ransomware group declares for Russia.
Dave Bittner: Conti declared its alignment with Russia back in February, right after Russia invaded Ukraine. Its rivals in the LockBit crew tried to remain nominally neutral, saying they were apolitical and just wanted to make a dishonest buck. Now another ransomware gang, the operators of Chaos, has declared for Russia, Fortinet researchers report. It's customary for ransomware to include a message that normally demands a ransom and tells the victims how they can recover their files after paying. There's none of that here. This is the message Chaos has been displaying recently - Stop Ukraine war. F*** Zelenskyy. Don't go die for f***ing clown. You can see the truth here - with a link that takes the recipient to a Russophone propaganda site, the Information and Coordination Center. That page, which leads with the motto victory will be ours, explains its purpose in a Who We Are section. The site's goal appears to be recruitment of hacktivists and influencers. The site includes a list of resources currently being coordinated, and it offers other items like names of Ukrainian soldiers killed in action and the names of alleged Ukrainian war criminals.
Dave Bittner: Chaos, while it's a ransomware builder in the C2C market, clearly isn't a conventional ransomware gang. Fortinet concludes, the Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files. Finding them is a tall order for non-technical victims, which pretty much makes the malware a file destroyer. Clearly, the motive behind this malware is destruction. The politically inclined messages also indicate that the attacker is pro-Russian and frustrated with the current situation. And with the Chaos ransomware builder now readily available, its options allow anyone to create destructive malware. And with no end to the war in sight, FortiGuard Labs expects more malware like this to emerge.
Report: hacktivists claim to have compromised Russian-manufactured ground surveillance robots.
Dave Bittner: The Daily Dot reports that a hacktivist group, "CaucasNet," says it successfully compromised Tral Patrol 4.0 unmanned ground video surveillance systems. Hashtagging #OpRussia and #GloryUkraine, CaucasNet's Twitter feed crowed, we hacked the patrol robots of the Russian company SMP Robotics. Now we control the Robotics robots all over the world. We broadcasted the anthem of Ukraine and the Georgian song "300" on all the robots on May 9. Tral Patrol robots have been sold in many countries, but CaucasNet claimed in particular that they'd hacked the systems at Moscow's Sheremetyevo International Airport. The airport did not confirm any incident to the Daily Dot, saying only, Sheremetyevo International Airport does not confirm the fact of hacker hacking of the security system. Like most hacktivism, this amounts to a nuisance. This one should be received with open-minded skepticism.
Conti's ongoing campaign against Costa Rica.
Dave Bittner: Costa Rica continues to work to restore services in the country that were disrupted by Conti ransomware, and Conti continues its woofing about seeking to foment an insurrection in Costa Rica to help force payment. The government has been unable to collect taxes in the usual manner, and it's also having difficulty paying its employees. For its part, Conti has not only upped its ransom demand to $20 million, but claims to have insiders working for it within Costa Rica. A communique from the group, reproduced by Tech Monitor, said, we have our insiders in your government. I recommend that your responsible contact UNC1756. There is less than a week left when we destroy your keys. We are also working on gaining access to your other systems. You have no other option but to pay us. We know that you have hired a data recovery specialist. Don't try to find workarounds. I communicate with everyone in this business. I have insiders even in your government. I once again appeal to the residents of Costa Rica to go out on the street and demand payment. You are just forcing us to use terrible methods. Another attempt to get in touch through other services will be punished by deleting the key." The reference to UNC1756 is just made-up bragging since there's no record of activity under this particular classification. But CyberScoop reports that Costa Rica's president Rodrigo Chavez has led credence to the claim that Conti is getting some local help. The president said there are very clear indications that people inside the country are collaborating with Conti. Citing national security, he declined to give details.
Dave Bittner: Conti is a Russian gang, privateers who operate at the sufferance of Moscow and who have also declared that they intend to operate in Russia's interests during its war against Ukraine. So there's been speculation, The New York Times reports, that the campaign against Costa Rica is intended to punish that country for siding with Ukraine. But that seems implausible. While sympathy in Costa Rica has generally run against Russia's war, that's true of the world in general, and Costa Rica certainly hasn't been delivering crucial assistance to Kyiv. It seems more probable, as some sources tell The Times, that Costa Rica is a target of opportunity, still more easily caught while bigger fish grow warier and more inclined to spit the hook.
Claim: "international" cyberattack against NIle dam stopped.
Dave Bittner: Ethiopia says it's stopped cyberattacks on its Nile Dam and some financial institutions, the Addis Standard reports. Al-Monitor says that Egypt's government has not officially responded to Ethiopian accusations that it's behind any such cyberattacks. The Grand Ethiopian Renaissance Dam and the Nile water rights it affects have been a point of contention between the two countries.
A "reset" in the cyber insurance market.
Dave Bittner: And The Wall Street Journal reports that the cyber insurance market is undergoing a reset as it deals with a surge in costly ransomware attacks and concerns that Russia's war against Ukraine will spill over into cyberspace in a more significant way than it has yet to do. According to The Journal, direct written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year over year, according to information submitted to the National Association of Insurance Commissioners. That's because the carriers are charging more, not because they're expanding their coverage. The reset also includes more stringent requirements customers must meet before they'll receive coverage. Ransomware has continued to surge. A study by Cybersecurity Works released this morning finds a 7.5% spike in APT groups engaged in ransomware.
(SOUNDBITE OF RAMIN DJAWADI'S "GAME OF THRONES THEME")
Rick Howard: You're listening to the theme song of the HBO long-running hit "Game of Thrones," the unofficial anthem for the Cybersecurity Canon Project, the project designed to find the must-read books for all cybersecurity professionals because one of the greatest characters of all time, Tyrion Lannister, had this to say about reading books.
(SOUNDBITE OF TV SHOW, "GAME OF THRONES")
Kit Harington: (As Jon Snow) Why do you read so much?
Peter Dinklage: (As Tyrion Lannister) Well, my brother has a sword. And I have my mind. And a mind needs books like a sword needs a whetstone. That's why I read so much, Jon Snow.
Rick Howard: Which means it's Cybersecurity Canon Week here at the CyberWire, where we are interviewing all the Canon Hall of Fame inductee authors for the 2022 season. I'm Rick Howard, the chief security officer, chief analyst and senior fellow here at the CyberWire. And today's book is called "Security Metrics, A Beginner's Guide" by Caroline Wong. Enjoy.
(SOUNDBITE OF RAMIN DJAWADI'S "GAME OF THRONES THEME")
Rick Howard: I'm joined by Caroline Wong, the chief strategy officer at Cobalt and host of her own podcast, "Humans of InfoSec." Caroline, thanks for coming on the show.
Caroline Wong: What a pleasure to be here. Thank you for having me.
Rick Howard: You're quite welcome. So you wrote this book in 2011, and as near as I can figure, it's one of the first books published for the cybersecurity community that dealt with the thorny subjects of risk, metrics and analytics. Why did you write the book?
Caroline Wong: So first I have to say, Andy Jaquith...
Rick Howard: Yes.
Caroline Wong: ...Wrote a super good book about security metrics before this book. I was so honored that Andy wrote a little bit in this book as an introduction. I certainly want to respect the shoulders of giants that I stood on in order to produce this work. Andy had done excellent work in this area. And what I had an opportunity to do was to say, how do you take some of these really great ideas that, for the most part at that point in time - now more than a decade ago - were largely theoretical, and how do you put that into practice? And that's what I was very interested in doing. I had the privilege of working with Dave Cullinane when he was CISO at eBay, and together we in the team - we built this program. And I saw the value and the necessity of security metrics, not only to demonstrate the value of the program, but also to ensure ongoing investment. And it's a topic that has fascinated me throughout my career.
Rick Howard: For the first time in my career, I understand what a whisker chart is, all right, and how to read it, what linear regression is and how to easily build plots with the data in a spreadsheet. And I actually did some practice runs because of your book, Caroline, in Google Sheets to see if I could do it. And I'm here to say, if I can figure it out, I think anybody can do it thanks to your explanation. And the last one is, exactly what is logarithmic scale and why mathematicians use it. So just as an example, can you tell our listeners why do we use logarithmic scale in metrics and analytics?
Caroline Wong: These math things, these modeling things - they are tools for us to use. They are not by any means the end result. I think the simple description of linear versus logarithmic - it's kind of like the earthquake scale. You know, what's the difference between a size 7 earthquake and a size 8 earthquake? If I ask my 7-year-old daughter, what's the difference between the numbers seven and eight, she says that's not a very big difference. You know, seven is followed by eight. But if we're talking about logarithmic terms, then we're talking about a magnitude increase times 10. And so it's like just way bigger. And so it just depends on your dataset. It depends on the velocity at which your data is changing, whether it's useful to view it in a linear or logarithmic fashion.
(SOUNDBITE OF RAMIN DJAWADI'S "GAME OF THRONES THEME")
Rick Howard: That's Caroline Wong, the latest author inductee into the Cybersecurity Canon Hall of Fame, with her book "Security Metrics, A Beginner's Guide." For more information on the Cybersecurity Canon Project, go to your favorite search engine and look up Cybersecurity Canon - that's canon with one N, as in canon of literature, and not two N's, where you blow stuff up - and Ohio State University, the project's official sponsor.
(SOUNDBITE OF RAMIN DJAWADI'S "GAME OF THRONES THEME")
Dave Bittner: For those of us outside of the intelligence community, there's a bit of mystique around having a security clearance. What does it take to get one? What does it mean once you have one? And how does it affect your job prospects? Kathleen Smith is outreach officer at ClearedJobs.net, and Rachel Bozeman is director of talent acquisition for Consumer Cellular. Together, they're co-hosts of a new podcast called "Security Cleared Jobs."
Dave Bittner: Rachel, I think there's a perception that having a security clearance makes it so that when you're out there job hunting, that you will demand a premium. There are fewer people in that community. Is that an accurate perception?
Rachel Bozeman: No, I really don't think that it is. I think that's - you know, salaries are such a hot topic everywhere - outside of cleared, inside of cleared, everywhere. So I really - I think that's probably a misperception that's out there. Lots of the salaries that are set within the cleared space are either set by the government contracts, so there are salary ranges. And so a lot of people think, I can demand more having a security clearance. Well, you can't really demand more. You will probably get more because you have that upper-level skill set, but you also have that upper-level clearance. But it's also going to be limited on what the government contract award was. There will be other things. We've talked about this several times on the podcast, about - there might not be some leeway within the salary, but there are definitely leeways within the benefits that the company can offer. And then if you're working for the government in particular, then there's also ranges as far as that can be. Rachel, anything else on that?
Rachel Bozeman: I'd say ditto. I think it's - you know, it's coming in and being able to ask the questions, I think, is the big piece to it - understanding all of those different pieces when working the salary. But no, I think you outlined it beautiful.
Dave Bittner: Who are you all trying to target here with this particular podcast? Who's the ideal listener that you're focusing on?
Kathleen Smith: So we have actually really narrowly focused the audience to being security cleared job seekers who want to hear from cleared facilities employers. Rachel was one of our customers, as a cleared facilities employer beforehand. And fortunately for us and the podcast, she then left that space and is in the commercial space. So now I get to have a friend and not worry about showing favoritism to a specific client. Rachel, what do you think about some of the recruiters that we've interviewed for so far, as far as their advice to cleared security job seekers?
Rachel Bozeman: Their advice (inaudible)?
Kathleen Smith: Security clear jobs - yeah, the security cleared job seeker. Sorry.
Rachel Bozeman: Absolutely. So it's everything from resumes. It's how to talk about salary. It's all of those different - and they're really focusing on the culture because that's what has to matter. So when you think of the different type of roles, we talked about not limiting yourself to just a particular employer but really thinking about that diversity of different career opportunities that are out there. They've really focused on culture, why their organization matters, things that should matter to any job seeker, but especially in that cleared space, where you're thinking of the different opportunities and where you're going to land and where you're going to invest so much of your time. You spend more time, usually, with your work family than your personal family, or your family that you didn't get to choose. And so it's really important to understand that culture. What are the things? - their benefits...
(SOUNDBITE OF DOG BARKING)
Rachel Bozeman: ...Their - you know, are they a dog friendly employer...
Dave Bittner: (Laughter).
Rachel Bozeman: ...All of those different things that they offer there 'cause, let's just say, mine's dog friendly. I'm not as friendly right now because she does - she wants to interrupt all the time today. So...
Kathleen Smith: But that's another fun thing about the podcast. Pretty much everyone has dogs, (laughter) and so we have some dog component in absolutely every single episode so far.
Rachel Bozeman: They give a lot of great advice, you know? Just keep showing up. Just keep wagging your tail. Great things will follow.
Dave Bittner: Well, they're loyal. They're loyal for sure, right? (Laughter).
Rachel Bozeman: They are loyal. And they - most dogs can pass that security clearance check. So I don't know about mine, but most other ones could...
Rachel Bozeman: ...Certainly pass.
Dave Bittner: Kathleen Smith and Rachel Bozeman are co-hosts of the new podcast "Security Cleared Jobs."
Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.