Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities actively exploited. TDI clarifies data incident. Robo-calling the Kremlin.
Dave Bittner: Russian information operations surrounding the invasion of Ukraine, VMware patches vulnerabilities. F5 BIG-IP vulnerabilities are undergoing active exploitation. The Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare: Truth, Tactics and Strategies." And robo-calling the Kremlin.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 19, 2022.
Russian information operations surrounding the invasion of Ukraine.
Dave Bittner: Mandiant this morning published an overview of the Russian information operations it's tracked during the run-up to Russia's war against Ukraine through the actual invasion and continuing until now. Senior analyst Alden Wahlstrom, one of the lead authors of this report, said that the research sought to exhibit how known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict. For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time, in whole or part, to target Ukraine. The operations exhibit a mixture of disinformation and disruptive attacks, mostly ransomware, wiper malware disguised as ransomware and nuisance-level distributed denial-of-service attacks. Defacement of Russian government websites began as early as January 14 of this year, with messages claiming theft and subsequent deletion of data. February 23, the eve of the invasion proper, saw a repetition of this style of attack. In this case, the defacements coincided with destructive attacks against Ukrainian government targets, using the NEARMISS master boot record wiper and PARTYTICKET wiper disguised as ransomware. And during the war itself on March 16, a deepfake video of Ukrainian President Zelenskyy appearing to announce surrender to Russia was distributed over compromised Ukrainian news sites. This incident coincided with another wiper attack. Some familiar threat actors have been in evidence. APT28 - Fancy Bear, the GRU - has been behind much of the Russian activity, and the allied Ghostwriter operators of Belarus' satellite intelligence and security services have also been active in the Russian interest. The Internet Research Agency, well-known as an election-meddling troll farm, seems to have resurfaced as Kiber - that is, Cyber - Force Z and resumed influence and amplification operations. And there have been the usual covert media outlets working under inauthentic persona. Kiber Force Z's style is as familiar as it is tasteless, featuring a Russian-uniformed Pepe the Frog. There's also been some nominally hacktivist activity conducted in support of Russia. Mandiant notes established hacktivist personas JokerDNR and Beregini have remained active in their targeting of Ukraine in the lead up to and since Russia's invasion, including through their publication of allegedly leaked documents featuring possibly personally identifiable information of Ukrainian military members. Additionally, newly established hacktivist groups - whose degrees of affiliation to the Russian state are yet unknown - like Killnet, Xaknet and RahDit have engaged in hacktivist style threat activity in support of Russia, including distributed denial-of-service attacks, hack-and-leak operations and defacements. There is, we think, a strong likelihood that these hacktivist personae are operating under the control of or at least direction of Moscow's intelligence services. The report concludes by offering its take on the outlook for influence campaigns aligned with Russian goals. Russian operators can be expected to continue to push disinformation with a probable assist from their satellite services in Belarus. China and Iran serve as allies of convenience, retailing Russian themes when it serves those regime's longstanding anti-Western strategic goals.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency released an alert, AA22-138B, Threat Actors Chaining Unpatched VMware Vulnerabilities For Full System Control, which warns that malicious cyber actors, likely advanced persistent threat actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. The alert adds, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.
Dave Bittner: In response, CISA has released Emergency Directive 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from federal civilian executive branch agencies to either immediately implement the updates or remove the affected software from their network until the updates can be applied. U.S. federal civilian agencies have until next Tuesday to identify and remediate the issues.
F5 BIG-IP vulnerabilities undergoing active exploitation.
Dave Bittner: Yesterday, CISA also issued Alert (AA22-138A) Threat Actors Exploiting F5 BIG-IP CVE-2022-1388, which warned that the flaw was being exploited in the wild, and advised users to either upgrade F5 BIG-IP software to patched and supported versions or, should that not be immediately feasible, to implement the three temporary mitigations F5 has provided.
Texas Department of Insurance clarifies facts surrounding its data incident.
Dave Bittner: The Texas Department of Insurance has distributed a fact sheet that clarifies a data incident the agency sustained earlier this year. It says, in January 2022, TDI found the issue was due to a programming code error that allowed internet access to a protected area of the application. TDI promptly disconnected the web application from the internet. After correcting the programming code, TDI placed the web application back online. The forensic investigation could not conclusively rule out that certain information on the web application was accessed outside of TDI. This does not mean all the information was viewed by people outside TDI. Because we could not rule out access, we took steps to notify those who may have been affected. While data could have been accessed by unauthorized personnel, TDI has investigated and found that there is no evidence to date that there was a misuse of information.
Robo-calling the Kremlin.
Dave Bittner: Finally, imagine a conversation that went something like this - what are you talking about, Vladimir Vladimirovich? There is no I.P. Freely here? No? Then why did you call me, Sergei Kuzhugetovich? - or words to that effect. Hacktivists looking for ways of throwing sand in the gears of Russian governance have established a website - wasterussiantime.today, according to Wired's story - where if you're of like-mind, you can place robot calls that connect a couple of Kremlin apparatchiki while you listen in as they try to figure out who called them.
Dave Bittner: The technology the hacktivist group uses is first cousin to that employed by the people who call you about extending your car warranty or getting credit card interest relief. Wired quotes one of the services organizers as explaining, this war started inside Moscow and St. Petersburg within the power circles of Putin, and that's who we want to annoy and disturb. So the effort is meant to be irritating and no doubt it is, but these aren't prank calls in the classical genre - like calling the local smoke shop inquiring whether they've got Prince Albert in a can and then saying, well, you'd better let him out; or like asking the bartender to page Amanda Huggenkiss (ph). The organizers decided against facilitating such direct interaction, which they deemed too dangerous to the participants who might inadvertently reveal their identity or location. What they did instead was to set up a program that would initiate a Voice over IP call, automatically dialing 40 of the leaked Kremlin phone numbers and merging the user into a three-way call with the first two Russian officials' phones that connect.
Dave Bittner: We're of two minds on this. On the one hand, it's difficult to summon much sympathy for robocalling or even hacktivism in general, which have typically been marked by poor control, bad aim and unintended effects. When Wired tried out the service, they found there were some difficulties connecting two Russian parties. Apparently, there are latency issues. There are also sources and methods issues. Christo Grozev of Bellingcat, and no stranger himself to prank calls, explained this particular downside to Wired. He said, whenever something like this becomes public, the whole department changes their numbers. And that's not good for investigations, including journalistic investigations. On the other hand, it's difficult not to appreciate what this group is doing, at least as conceptual art.
Dave Bittner: So for your consideration, a thought experiment - what if the prank calls weren't placed by various outraged randos, but by, oh, say, U.S. Cyber Command, known to many as a pretty low-latency outfit. We're fairly sure there must be some Title 10 authority for ordering two dozen anchovy pizzas for delivery to the Russian president's office; if, that is, you can still get a pizza in Moscow. So we say, Rear Admiral John Jack Mehoff (ph), call Fort Meade; America has need of you in this hour. And General Nakasone, you're welcome.
(SOUNDBITE OF RAMIN DJAWADI'S "MAIN TITLE")
Rick Howard: You're listening to the theme song of the HBO long-running hit "Game of Thrones," the unofficial anthem for the Cybersecurity Canon Project, the project designed to find the must-read books for all cybersecurity professionals because one of the greatest characters of all time, Tyrion Lannister, had this to say about reading books.
(SOUNDBITE OF TV SHOW, "GAME OF THRONES")
Kit Harrington: (As Jon Snow) Why do you read so much?
Peter Dinklage: (As Tyrion Lannister) Well, my brother has a sword, and I have my mind. And a mind needs books like a sword needs a whetstone. That's why I read so much, Jon Snow.
Rick Howard: Which means it's Cybersecurity Canon Week here at the CyberWire, where we are interviewing all the Canon Hall of Fame inductee authors for the 2022 season. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And today's book is called "Cyber Warfare - Truth, Tactics, and Strategies" by Dr. Chase Cunningham. Enjoy.
(SOUNDBITE OF RAMIN DJAWADI'S "MAIN TITLE")
Rick Howard: I'm joined today by Dr. Chase Cunningham, the chief strategy officer for Ericom Software. Congratulations on your selection to the Cybersecurity Canon Hall of Fame, and thanks for coming on the show.
Chase Cunningham: Hey, thanks for having me. I was very pleasantly surprised to notice that somebody read my book, much less that it made it into a Hall of Fame.
Rick Howard: (Laughter) So more than your mom read it. So that's good to know.
Chase Cunningham: Yeah. Right.
Rick Howard: So you're no stranger to the Cybersecurity Canon Project. Your graphic novels, "The Cynja: Volume 1" and "Code of the Cynja: Volume 2", were selected as candidates back in 2017 when they came out, and they are still great introductory books for children of all ages. The ideas in this book, "Cyber Warfare - Truth, Tactics, and Strategies", published in 2020, is a much broader concept. So why did you write it?
Chase Cunningham: Well, I didn't think that there was a whole lot of nonfiction books that were very accurate on the strategic sort of side of cyber warfare. And I also saw that there was a gap in folks looking at it from a real practitioner standpoint. There was a lot of kind of coverage media wise and whatever, but I didn't find anything where someone who had done the work had written a book about it.
Rick Howard: So you mentioned, like, strategically defending at the edge. Is that what you were talking about? You call it edge and entity security - EES. Is that what we're talking about here?
Chase Cunningham: I think that's the follow on evolution of moving past just strictly sort of human identity and access management. I think really what we're talking about there is everything nowadays has an identity - a router, a firewall, a thermostat, a user, a robot. You name it, we all have an identity. And it's going to operate on the edge of control. It's going to be some sort of digital entity. So then apply your controls that way.
Rick Howard: So when I was reading through the book and you were describing EES or edge and entity security, it sounded similar to the Gartner concept of SASE or secure access service edge. Are those two things the same thing or are they different?
Chase Cunningham: I think that they're in the same line and parallel. I think Gartner's approach is a little bit more limited because they're looking at the market specifics and which tools do what. For me, I was looking at the bigger, broad long-term implications there, but I don't think that they're totally orthogonal to each other at all.
Rick Howard: So they're in the same ballpark. And so the SASE model says, we're going to flip the architecture on its head. In the old days, like, when I was growing up, the security folks would manage the security stack behind the perimeter - behind the dead perimeter defense thing you were talking about. But with SASE and now edge and entity security, the architecture is flipping so that you hire a cloud provider to manage your security stack in the first hop from all of your devices, wherever they are - your employees' phones or, you know, laptops or cloud services - whatever they are. The first hop out to the internet goes through that cloud provider security stack. And then all you have to do is manage the policy. So how is that fundamentally different than this EES thing you're talking about?
Chase Cunningham: It's really not. I mean, I think that the interesting thing is the most difficult part of that problem you're talking about to manage actually becomes the policy. It's no longer that it's difficult to manage at the entity level because the entities kind of do what they do and they need to access things that they need to access. But the control plane is the policy engine, and if you don't have a really good policy engine, you can't keep up. And like you were saying, because we operate at scale and because we operate so dynamically, you have to be able to do that with automated solutions that have those capabilities.
Rick Howard: And I realize the policy would be complicated. But it's one policy scattered across all those data islands we're talking about. So presumably it makes it simpler. But I understand what you're saying. It doesn't make it easy, I guess, is the way to say it. It's still going to be a complex policy, right?
Chase Cunningham: Yeah, it's got to be accurate I think it's the most important part. The ease will come with rollout, but it has to be extremely accurate. And it's got to be something that's updated dynamically.
Rick Howard: So it's good stuff, Chase. And the book is excellent, so congratulations on that. This has been Dr. Chase Cunningham, the chief strategy officer of Ericom Software and the most recent author inductee into the Cybersecurity Canon Hall of Fame. Dr. Cunningham, congratulations, and thanks for coming on the show.
Chase Cunningham: Thank you so much. I really appreciate it.
(SOUNDBITE OF RAMIN DJAWADI'S "MAIN TITLE")
Rick Howard: For more information on the Cybersecurity Canon Project, go to your favorite search engine and look up cybersecurity canon - that's canon with one N as in canon of literature, not two Ns where you blow stuff up - and Ohio State University, the project's official sponsor.
(SOUNDBITE OF RAMIN DJAWADI'S "MAIN TITLE")
Dave Bittner: If you like what you hear and want to hear the full interview, subscribe to CyberWire Pro today to get access to the latest episodes of "CSO Perspectives," plus much more.
Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, I noticed that you have an interesting event coming up on your calendar here towards the end of May. You're taking a trip to Switzerland for a presentation. What's going on here?
Robert M Lee: So the event is the World Economic Forum's Davos conference. And so for a couple years now, I've been on the World Economic Forum in their electricity subcommittee and oil and gas subcommittees kind of evangelizing and talking about OT security and kind of helping those conversations. Luckily, those committees are made up of CSOs of other large infrastructure companies, and they're, like, super on top of it. So it's been very, very good interactions. Beyond me being kind of excited and humbled of like, oh, cool, I got into Davos, the thing that actually excites me is OT security got into Davos.
Dave Bittner: Right.
Robert M Lee: It's - I think it's less like, oh, we know who Rob was and it's more of like, oh, we need to talk about OT security. Is Rob the guy? Then fine, let's do that. But the focus is CEOs, board members, Parliament members, you know, world leaders, et cetera, are actually focused on, cool, we need to talk about world order. Russia-Ukraine conflict is going on. We need to talk about climate change and how we're going to get there. And we need to talk about OT security. It's like, oh, wow, you know, like, that's a kind of a level up of that discussion. And it feels kind of like a - almost like a coming out party globally on this topic of industrial security that we've been talking about for so long.
Dave Bittner: Yeah. I mean, can we touch on that? I mean, the fact that this has been elevated to this level overall, I mean, I think we could say a good thing. But you've been shouting about this from the sidelines for quite a while now. It must be gratifying for you that folks at this level are ready to hear what you have to say.
Robert M Lee: Yeah, it is. But I am immediately thinking about the next thing, which is great, we got their attention, now, how do we deliver? What I'm finding is that a global leader stage truly - I mean, like, when I - I still have conversations to this day with different government leaders and CEOs and whatnot anyways. And what's very, very common is they genuinely think the problem is already kind of solved, not realizing how bad of a place they're in. And what I mean by that is nobody thinks cybersecurity is solvable. They all understand it's a process. But they'll say, well, look at all these standards and these frameworks and these regulations. And look at this. I get these board slides with these FICO scores and this cybersecurity framework, heat maps and all this stuff, blah, blah, blah, blah. Look at all we're doing. And every conversation, I'm like, great. CISO or CSO or whoever is presenting it to the CEO, is that enterprise IT or is that the enterprise? Every time, oh, yeah, that's enterprise IT. And the CEOs will, like, look at me like, wait, no, no, no. That includes our factories. That includes our, you know, oil fields. That includes our substations. And the CSO - no, sir or ma'am, like, enterprise IT.
Robert M Lee: And it is a lightbulb moment for these executives, board members, world leaders, when they realize all the cybersecurity efforts, probably 95% of it, has been put towards the IT side of the house and not the operations technology side of the house, which is what's the critical part of that company and what's keeping that company in business. That's where the safety impacts can happen. That's where the revenue is generated. And for a CEO to realize that they're spending 10 times the amount of money on the website than they are the gas turbine is insane. But there are so many executives that are intimate on their business, and there's a lot of CSOs I meet that are not. I meet a lot of CSOs that are wonderful actually in the sectors we work. But you will find a lot of CEOs are like, well, here's the playbook to run or here's the cybersecurity (ph) framework or here's what we're going to do. And they're not really in tune with what the business is trying to accomplish. And so the big risk is that the CEOs get better educated on the OT problem and risk than their security staff. And then you're going to lose trust and you're going to see a flip in how those businesses handle that. And you don't want that. You want the internal experts to be the voice to the executives. You want the internal experts to be the people they turn to, not government vendors or standards bodies. But I think that's the risk.
Robert M Lee: But the opportunity is with an understanding of what hasn't been getting done, the security staff who are plugged in have an amazing opportunity to talk about where they need resourcing and what they're trying to accomplish and to not platinum and gold coat it but to get down to the couple things, like, the five critical things that you have to do inside of industrial operations environments. So we can really see an upleveling of security globally, but it's going to require real, candid conversations and no finger-pointing.
Dave Bittner: To that point, I mean, when you head off to something like this, to give this sort of presentation to this kind of audience, how do you calibrate what they're ready to hear?
Robert M Lee: So I don't (laughter). Usually, any time that I'm in an audience, and this is maybe what gets me critiqued but also gets me listened to I guess, is I just am transparent and candid. It's, hey, I don't really care if you're ready for this or not. Here's the problem. Because as much as I love - I think a lot of people in the infrastructure community sometimes will look at me as, like, I just love the infrastructure community. And that's true. But the real reason I love the infrastructure community is because they're servicing our citizens. And, like, I think about my family in Cullman, Ala., and the Cullman Power Cooperative delivering power to their house. And I'm not there to support Cullman Cooperative Power Company. I'm there to support the livelihood of my family that needs that critical infrastructure. If that means helping them, then, of course, I'm on board with that. And so - but if it means like, oh, I might insult somebody by telling them that they're not really doing good security work, that's not my concern. I'm happy just to have candid conversations. So just aligning on what we're talking about, being candid and transparent about the challenges but not blaming people, it's not your staff is stupid for not doing this. It's, hey, the world has changed, and we are going through a transformation. And you may have been fine two years ago doing this, but the world ahead of us is dicey. And these programs take a while to get off the ground. You need a start now, and this is what you need to do. I think that's a perfectly viable CEO conversation.
Dave Bittner: All right. Well, looking forward to hearing what you have to say. Robert M. Lee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.