Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches Confluence. CISA advisory on voting system. "State-aligned" campaign tried to exploit Follina. "Cyber Spetsnaz."
Dave Bittner: Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches a Confluence critical vulnerability. CISA releases ICS advisory on voting systems. A state-aligned phishing campaign tried to exploit Follina. Is electronic warfare a blunt instrument in the ether? Verizon's Chris Novak stops by with thoughts on making the most of your trip to the RSA Conference. Our guest is Tom Garrison from Intel with a look at hardware security. And a Russia-aligned group says they're not just hacktivists. They're cyber Spetsnaz.
Dave Bittner: From the RSA Conference in San Francisco, the city by the other bay, I'm Dave Bittner with your CyberWire summary for Monday, June 6, 2022.
Ukraine offers an update on the cyber phases of Russia's hybrid war.
Dave Bittner: Ukraine sees itself as waging a defensive cyber war, leaving offensive operations to the Russian enemy and to, perhaps, various friendly governments from the West. In a briefing today, Victor Zhora, deputy head of State Special Communications Service of Ukraine, characterized Russian cyber operations during the war as unremitting but largely unsuccessful at crippling Ukrainian infrastructure. He also noted the high level of Russian disinformation operations, which extend not only to pushing specific lines of propaganda but also to denying Ukrainians the means to gain reliable information and communicate with one another.
Dave Bittner: The CyberWire asked Mr. Zhora why Russian cyberattacks against Ukrainian infrastructure haven't been a significant factor so far. Had Russia not attempted them? Or had Ukraine succeeded in stopping them? He answered that a kinetic attack is simply a more effective method of attack, and that's where the Russians had concentrated their efforts. He said Ukraine has successfully fended off cyberattacks against infrastructure and that it was very aware of the cyber risk to its power grid.
Dave Bittner: Ukraine has prevented, by swift action, an operation that would have deprived people of access to power. Mr. Zhora expects such Russian attempts to continue, and he's confident of Ukraine's ability to defend its power grid in particular. But he emphasized that Russia has focused on kinetic attack and that cyber operations, especially information operations, are being used by Moscow as a supporting adjunct to traditional military operations.
Dave Bittner: We were also able to ask about the operations in support of Ukraine U.S. Cyber Command alluded to last week. The operations General Nakasone mentioned last week to Sky News were, according to Mr. Zhora, U.S. operations, and Ukraine didn't participate in them. And so Ukraine is not in a position to comment on them. Mr. Zhora said he can add nothing to General Nakasone's statement.
Dave Bittner: He did say that Ukraine did not conduct offensive cyber operations. It does, however, conduct defensive cyber operations, and he said that cooperation with NATO was extensive and ongoing. Ukraine's lack of dedicated cyber units - by which he presumably meant organizations trained, equipped and authorized to conduct offensive operations - and its reservations about the permissibility of such operations under international law are the principal reasons for Kyiv's restraint in this regard.
Dave Bittner: We followed up with a question about hacktivism. If Ukraine doesn't conduct offensive cyber operations, what about hacktivist attacks on Russian assets? Are these conducted independently with Ukrainian guidance, direction or control? Mr. Zhora replied that the hacktivists were acting independently and were not under Ukrainian control. He also noted that hacktivism has so far not been very significant in its effects. Much hacktivism has gone into defacement of Russian websites. Reuters reported Saturday, for example, that the site belonging to Russia's Ministry of Construction, Housing and Utilities had been defaced with the slogan, glory to Ukraine. This particular ministry of negligible strategic significance was clearly a target of opportunity, hacked because it was hackable.
Dave Bittner: But the question suggested to him that the possibility of developing an offensive capability as a deterrent was worth serious discussion with partners and allies. He noted the difficulty under international norms of conducting offensive cyber operations, and he stressed that Ukraine aimed to behave responsibly and that Ukraine wanted to bring Russia to a similar responsibility in cyberspace. He thinks that the ways in which nations defend themselves in cyberspace will certainly change after this war and that Ukraine intended to be a full participant in that change, and he thought questions about responsible defense in cyberspace would be good ones to address to General Nakasone.
Dave Bittner: The existence of cyber forces do indicate a country's potential to defend itself effectively, but it's not yet clear how such potential can be used to build deterrence. Thinking about deterrence in this way will be among the matters countries will take up at the end of the present war.
Atlassian patches Confluence critical vulnerability.
Dave Bittner: As promised, Atlassian released a patch for Confluence vulnerabilities this past Friday. Atlassian's tools are widely used. The Record estimates that more than 200,000 enterprises use the company's products. CISA, which had on Thursday required all the U.S. federal agencies whose security it oversees to immediately mitigate the risk of compromise via the vulnerability by disconnecting affected versions of confluence from the internet, on Friday updated its direction. Per BOD 22-01 catalog of known exploited vulnerabilities, federal agencies are required to immediately block all internet traffic to and from Atlassian's confluence server and data center products and either apply the software update to all affected instances or remove the affected products by 5 p.m. Eastern Time on Monday, June 6, 2022.
CISA releases ICS advisory on voting system.
Dave Bittner: On Friday, CISA released an advisory on a voting system, specifically Dominion Voting Systems ImageCast X. CISA recommends election officials continue to take and further enhance defensive measures to reduce the risk of exploitation of these vulnerabilities. The advisory includes 13 specific steps CISA urges election officials to follow should they plan to use the Dominion system.
"State-aligned" phishing campaign tried to exploit Follina.
Dave Bittner: Proofpoint found targeted attacks that sought to exploit the Follina vulnerability. The company tweeted its discovery late Friday evening. They said, Proofpoint blocked a suspected state-aligned phishing campaign targeting less than 10 Proofpoint customers, European government and local U.S. government, attempting to exploit Follina. While Proofpoint suspects this campaign to be by a state-aligned actor based on both the extensive recon of the PowerShell and tight concentration of targeting, we do not currently attribute it to a numbered threat actor. Microsoft had released recommended mitigations on May 30, and the following day CISA urged users to apply those to their systems.
Electronic warfare: a blunt instrument in the ether
Dave Bittner: We return briefly to the hybrid war in Ukraine. Russian electronic warfare capabilities, which before the invasion of Ukraine had been regarded as national strength, have indeed been employed with effect in Russia's war. They are, however, being used as a kind of artillery in the electromagnetic spectrum. The preferred technique has been jamming as opposed to collection or deception, and that jamming has tended to be powerful and indiscriminate, pushing noise across wide swaths of the spectrum. The AP reports some use of electronic warfare for targeting, but the Russian main effort seems to be carried out by the jammers.
Dave Bittner: Finally, there's a new self-proclaimed crew of cyber commandos in action or at least a crew that says they're in action. Security Affairs reports that researchers at Resecurity have associated a threat group with Operation Panopticon, a nominally hacktivist campaign announced by a Russian group during the last week in May. That group styles itself the cyber Spetsnaz and identifies with the Killnet Collective.
Dave Bittner: Security Affairs explains, the actors are positioning themselves as an elite cyber offensive group, targeting NATO infrastructure and performing cyberespionage to steal sensitive data. The report adds, on June 2 the group created a new division called Sparta. The responsibility of the new division includes cyber sabotage, disruption of internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, Sparta outlines the activity as a key priority today and confirms the newly created division is an official part of the Killnet Collective group. Based on the description, the actors call themselves hacktivists. However, it's not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity, with high levels of confidence to be state-supported. Interestingly, the name Sparta, in context of the current Ukrainian war, is related to the name of a unit from the Donetsk People's Republic.
Dave Bittner: Spetsnaz is a Russian term for a special operations unit. Historically, the name was used most often to refer to the GRU's special operations forces. Western equivalents of Cyber Spetsnaz would be names like Cyber Commandos, Cyber Green Berets, Cyber Rangers, Cyber Seals, things along those lines. The name is grandiose. We shall see how far, if at all, the Cyber Spetsnaz lives up to its press releases.
Dave Bittner: Intel recently sponsored research by the Ponemon Institute titled "Security Innovation: Secure Systems Start with Foundational Hardware." To dig into some of the findings, I checked in with Tom Garrison, vice president and general manager of Intel's cybersecurity team in the client organization.
Tom Garrison: People are spending a lot of money. And there's - you know, research suggests that there's about $172 billion just this year that's going to be spent on cybersecurity and enhancing cybersecurity. So there's a tremendous amount of expenditures that's going on in the industry, which I think is fascinating. You know, we dove also into - I mentioned hardware-based security. And what we found was that only about just a little over a third of the respondents said they were currently - they had already adopted hardware-assisted security solutions, which isn't very high. I mean, as we all know, that, within the security world, if you are relying on a software-only strategy, you aren't as safe as you could be with a hardware-based one.
Tom Garrison: So with only a little over a third of respondents having already adopted, we know there's a lot more to go. But we are assured - you know, or reassured I should say - that about 47% or about - just call it half of the respondents that responded are saying that they're going to do so within the next six to 12 months. So while only a third have done it up till now, you know, half say that they have plans to do it within the next six to 12 months. So that's a good start.
Dave Bittner: Can we take a step back here and just provide some clarity on the definitions here? I mean, how do you and your colleagues at Intel define the difference between a software or a hardware approach?
Tom Garrison: Yeah, that's a good question. The way that we think about hardware-assisted approaches is to think about software-based solutions that don't rely only, obviously, as we would say, in software. So they know how to use the hardware capabilities that are built into the platform - for example, the ability to look for return-oriented programming attacks and to be able to use technologies that are built into the silicon, like control flow enforcement technologies. So this is a very technical way to talk about it, but these are features that are built into the platforms that can deliver on a very, very high degree of trust that you just can't get with software.
Tom Garrison: And there's a whole host of those, but it's important to understand that as we think about, like, supply chain attacks and other types of attacks, the attackers are looking for any exploit they can. And the good news is, with the hardware-assisted and hardware-based security solutions, this is sort of the bedrock with which security attackers really can't get underneath. So that's the challenge with software, is that anybody trying to attack a software-based solution, you know, if they're trying to attack the application, for example, once the application becomes more hardened and difficult of a target, they'll go underneath the application to, let's say, the operating system. Once the operating system gets really good and hard to attack, they'll go under the operating system to the VM and likewise. It just - attackers are constantly trying to get underneath the attack surface and all the protections that exist there. And so with hardware-based solutions, the good news is there's nothing below hardware. And so hardware can act as this bedrock with which then a security solution, both hardware and software-based, can be built upon with a high degree of trust.
Dave Bittner: So based on the information that you have gathered here, what's your advice? What should the security folks out there do?
Tom Garrison: Well, first and foremost is I would say ask yourself, do you know whether your machines are capable of the latest in security innovation? So basically, if your platforms are older than about three years old, you really should be considering refreshing those platforms. Newer platforms are considerably safer from a feature set standpoint.
Tom Garrison: The second piece doesn't sound really all that sexy, if you will, but it is very important. And that is, do you have a process to keep your machines updated on a regular basis? And as simple as that sounds, a lot of companies don't have a process where, every quarter or at least twice a year, they are taking all of the known vulnerabilities for that specific platform and making sure that the mitigations are loaded on that machine to keep it safe. And that is a big area that, again, doesn't sound that interesting. But it turns out to be one of the biggest single steps that you can have - having a process to keep those platforms updated.
Dave Bittner: That's Tom Garrison from Intel.
Dave Bittner: And joining me once again is Chris Novak. He's managing director of security professional services for Verizon Business. Chris, it's always great to welcome you back to the show. You know, as we head into this week of the RSA conference, I really wanted to check in with you. You're someone who's been around in this industry for a few years and have attended your share of RSA conferences here. What does this represent to you as sort of a marker point for our year and an event for the community?
Chris Novak: You know, I think it's - first of all, it's always a pleasure to be here. And I think, you know, when we look at RSA, it is, you know, really the bellwether. It is what everybody kind of rallies around in the security community. Whether you love conferences or not, there is a lot of great intellect and knowledge that comes together at those events. And obviously, you've also got to have a fair share of skepticism and paranoia, as I think most security professionals do, in knowing that there's probably some marketing silver bullets out there that aren't really silver bullets.
Chris Novak: But I think nonetheless, it's important to get a view on where, you know, innovators are going, where the disruptors are. You know, you always typically have kind of a camp of relatively mainstream approaches to security and then a camp that's looking to really say, how do I change things up? How do I make a name for myself? And I think, you know, an event like RSA is a good place to kind of see how all that comes together and see, you know, what the future might hold.
Dave Bittner: And we've had a break for a couple of years here with everyone hunkering down with COVID. But people are back in person this year. Is there an extra element that that adds to be able to see folks face to face?
Chris Novak: I think without a doubt, you know? And this is one of the things that I've had a long-held belief on - is that, you know, people are naturally social creatures. We like to interact with one another. And, you know, I think everybody has done a great job of trying to make things work during the course of the pandemic. And obviously, you know, the opportunity to come face to face - I think we tend to build better and more resilient relationships when we've had the opportunity to meet face to face, grab a lunch, grab a drink, grab a dinner. You build the relationship differently that way than you might do virtually.
Chris Novak: So I think for a lot of organizations, that'll be a big opportunity for them. And I also think you're going to see a lot of organizations that will probably have a better success breaking new ground when they have an opportunity to demo their new widget or service or whatever it might be in front of an actual live audience, where you can actually walk up, see it and touch it.
Dave Bittner: You know, for those folks who are new to the industry and maybe this is their first time at a conference of this scale, any tips or word of wisdom to have it not be so overwhelming?
Chris Novak: So I would say, you know, it's - the best advice I would give someone is, one, take a look at the conference agenda before you go. If you've never been there before, it will be wildly overwhelming. The venue is huge. The amount of people, the lights, the flashy objects - it can be extraordinarily overwhelming. I mean, you literally get a map when you enter. So I would say take a look at the agenda in advance, and try to map out what sessions you may want to go to. There are sessions that do actually fill up or sell out, and you might not get a seat if you haven't planned in advance or you haven't gotten there in advance. So I would encourage folks to really figure out what are the things that are really the most important so you can make sure you can map your schedule out accordingly for that. And, obviously, I'd be remiss if I didn't give a little plug for my session on Tuesday morning. So hopefully folks can come check that out as well.
Chris Novak: But yeah, definitely check out the session agendas and figure out what works for your needs. And I think it's also a great opportunity to network with people as well. There's an opportunity to meet with, you know, a lot of your vendors, a lot of your partners and really, you know, cover a lot of ground that maybe if you were to try to do that in person, especially in today's day and age with COVID, you might have had a much harder time traveling around and meeting all those people face to face, especially if a lot of people maybe are coming out that normally right now would be hybrid or work from home. They might not be entertaining in-person meetings otherwise, so this may be an opportunity for you to meet those folks face to face.
Dave Bittner: Yeah. I would add, also, don't be shy. You know, if you see somebody who you'd like to get to know, introduce yourself. I think most of us are happy to meet new people and happy to help folks who are new to the industry get a leg up. So don't hold back.
Chris Novak: Absolutely agree. That is definitely good advice. And I often find that a lot of people will come up to the expo booths. And, you know, we see, you know, folks from all different parts of their security career journey, from, you know, just breaking in to, you know, long-time veterans. And the one thing I do find is most folks are very accepting, very supportive and very much happy to have a conversation. You know, I tell people, you generally don't kind of end in - or find yourself into cybersecurity if it's not a thing you're passionate about. And you'll probably find a lot of people are happy to share how they got to where they are or what they're doing or where they might find, you know, interesting insights or creative opportunities for yourself.
Dave Bittner: All right. Well, Chris Novak, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.