The CyberWire Daily Podcast 6.10.22
Ep 1597 | 6.10.22

The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers.

Transcript

Dave Bittner: Looking at Russia's hybrid war as a cautionary example. Russia warns again that it will meet cyberattacks with appropriate retaliation. China says us, too. NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating quietly for a decade. An unpatchable vulnerability in Apple chips has been reported. We've got more interviews from RSA Conference, including FBI's Cyber Section chief David Ring and ExtraHop CEO Patrick Dennis. And the overhead projector said, go Tigers.

Dave Bittner: From the CyberWire studios at DataTribe, where we are happy to be back home in Maryland, I'm Dave Bittner with your CyberWire summary for Friday, June 10, 2022. 

Looking at Russia's hybrid war as a cautionary example.

Dave Bittner: Business Insider reports that 17 senators, all Democrats, have signed a letter to the secretaries of Defense and Homeland Security, the director of National Intelligence and the directors of NSA and the FBI asking that they give due attention to protecting the 2022 midterm elections from Russian interference whether that takes the form of cyberattack or disinformation. They write, as the Russian invasion of Ukraine has led to an increase in Russian disinformation and warnings of potential cyberattacks, we urge you to ensure that your agencies are prepared to quickly and effectively counter Russian influence campaigns targeting the 2022 elections. 

Dave Bittner: A statement from Russia's Foreign Ministry yesterday warned that Moscow will respond to cyberattacks, Reuters reports. Director of the Department of International Information Security of the Ministry of Foreign Affairs of Russia, A.V. Krutskikh, said, rest assured Russia will not leave aggressive actions unanswered. All our steps will be measured, targeted in accordance with our legislation and international law.

Dave Bittner: NBC News quoted the Foreign Ministry as accusing Washington of deliberately lowering the threshold for the combat use of cyber weapons. And the consequences of a lower threshold mean that escalation will be the fault of the West. The Russians said the militarization of the information space by the West and attempts to turn it into an arena of inter-state confrontation have greatly increased the threat of a direct military clash with unpredictable consequences. A direct military clash would be kinetic combat.

Dave Bittner: The proximate occasion of the foreign ministry's warning appears to be this past weekend's website defacement of a second-tier Russian ministry's webpage to display the motto, glory to Ukraine. The rest of the world wouldn't regard nuisance-level hacktivism as a casus belli, but things look different from the Kremlin. 

Dave Bittner: Mr. Krutskikh explained, I will emphasize what has already been said more than once. State institutions, critical and social infrastructure facilities, storage of personal data of our citizens and foreigners living in Russia are being hit. Officials in the United States and Ukraine are taking responsibility for the sabotage. It is there that they categorically refuse to develop international legal foundations. They do not seem to fully realize how dangerous aggressiveness and encouragement of gangsterism, banditisma - that is, banditry - in the field of information security.

Dave Bittner: China has also commented with disapproval on U.S. Cyber Command's General Nakasone's allusion to having engaged in a full spectrum of cyber operations. The Register reports that Foreign Ministry spokesman Zhao Lijian said, the U.S. needs to explain to the international community how these hacking operations are consistent with its professed position of not engaging directly in the Russia-Ukraine conflict. He went on to object to American cybersecurity assistance to third parties generally or, as he put it, U.S. deployment of cyber military forces in some small- and medium-sized countries. 

Dave Bittner: Mr. Zhao warned small- and medium-sized countries that accepting this kind of American security help is dangerous. He said, these countries need to keep their eyes wide open and beware whether such deployment could embroil them in a conflict they are not looking for, observing that cyber conflict could easily escalate into kinetic, even nuclear, war. The Register dryly notes that the two nations' very similar statements, made on successive days, may not be coincidental. 

US NSA, FBI warn of nation-state cyber threats.

Dave Bittner: Speaking at the RSA Conference, NSA cybersecurity director Rob Joyce reiterated and updated warnings of the threat posed by both Russian and Chinese state-directed cyberthreat actors. Infosecurity Magazine says that Joyce paid particular attention to the wiper malware Russia deployed against Ukraine before and during its invasion. He also noted that Chinese cyber-espionage had grown in aggressiveness and rapacity. Joyce has long warned of the threat Moscow and Beijing pose in cyberspace. He sees the Russian threat as immediate and acute, the Chinese threat as a long-term problem. At an earlier RSA Conference, he compared Russian cyber operations to a hurricane, Chinese cyber ops to climate change. 

Dave Bittner: The FBI added its own warnings of the cyberthreat from China to the conference. The Record quotes Elvis Chan, assistant special agent in charge at the bureau's San Francisco field office, as saying, "We've actually seen here in the San Francisco area an uptick in reconnaissance from Chinese advanced persistent threat actors specifically." The Chinese operators are particularly interested in industrial espionage. Chan says, "They are still looking to steal as much intellectual property as they can." 

SentinelOne finds a Chinese APT that's been operating, quietly, for a decade.

Dave Bittner: Researchers at SentinelOne have identified a Chinese cyber-espionage threat group they're calling Aoqin Dragon that's been unobtrusively at work for the past decade. It's assessed as a small group that's been heavily active against Australian and Southeast Asian targets, mostly government, telecommunications and educational organizations. The threat actor has used a variety of techniques to obtain access to its targets since 2013, including document exploits and the use of fake removable devices. Aoqin Dragon has also used DLL hijacking, Themida-packed files and DNS tunneling to evade post-compromise detection. One of the hallmarks of the group's activity, insofar as social engineering is concerned, has been a heavy use of pornographic phishbait. SentinelOne thinks there's a good chance that Aoqin Dragon has some association with the group Mandiant calls UNC94.

"Unpatchable" vulnerability in Apple chips reported.

Dave Bittner: TechCrunch reports that MIT researchers have found a hardware flaw in Apple's M1 chips. The researchers have found that pointer authentication codes, PAC, a hardware security measure that protects against code injection and buffer overflow attacks, can be bypassed in an exploit the researchers inevitably call PACMan. PACMan combines memory corruption and speculative execution to guess PAC values. There's a finite number of possible PAC values, which makes it possible in principle to brute force the values. But PACMan also depends upon other exploits against which the M1 is protected, and so it may not be as serious as it sounds. That appears to be Apple's view. TechCrunch quotes the company's statement. "Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."

"Go Tigers," it said on the overhead projector.

Dave Bittner: And finally, the borough of Tenafly, N.J., is recovering from a ransomware attack it sustained. The Tenafly Public Schools noticed an anomaly in their network and shut them down as a preventative measure. They subsequently found a ransomware infestation. Since the schools were offline, Google Workspace, Google Classroom, Google Drive and the other online tools students had grown accustomed to were unavailable. The schools had to cancel final exams, but they reverted to old-school instruction tech to keep the lessons going. The students found the overhead projectors especially cool, the Record quotes a school official as saying. So good luck to Tenafly. And we'll close by shouting a hard Go Tigers in the direction of Bergen County. Have a good summer, Tenafly High School. 

Dave Bittner: Cybersecurity leaders are seeing unprecedented outreach and collaboration from federal agencies like CISA, NSA and the FBI. You'll often hear the phrase, cyber is a team sport, with the acknowledgement that working together is the best way, perhaps the only way to meet the challenge of the threats we're seeing. David Ring is section chief of the FBI Cyber Engagement Intelligence Section and FBI Cyber Division. I caught up with him at the RSA Conference. 

David Ring: FBI brings a lot to bear against the threat. Of course, we work very closely with our critical partners in government, NSA, CYBERCOM, CISA, to bring a whole-of-government approach to the broader threat environment because, again, cyber is a team sport, right? We hear that a lot. 

Dave Bittner: Yeah. 

David Ring: And that's a mantra for the bureau, as well. Our goal is to ensure that all of the resources that the federal government has are brought to bear against the threat. In, you know, working with private sector, it's critical that we bring those resources in, as well, and that we're engaged early on. I'm an old CT guy, right? So I'll use (laughter) CT language. We try to go left of boom with these companies and identifying avenues where we can share, two-way sharing of substantive information, intelligence that can point us in the right direction, or we can point them in the right direction, either one on one or more broadly.

Dave Bittner: What do you say to folks who may find themselves, I'm thinking particularly of those small and medium-sized businesses who may not think that they are up to the level where FBI engagement really makes sense. Can we - is that something you're looking to get past? 

David Ring: It sure is. And frankly, like when you look at the victim space, those small and medium companies are really where the victim space is - right? - because they don't have the same resources that these giants have. And of course, we need to work with very large corporations, companies, infrastructure providers every single day to make sure that we're working the threat effectively. But from a day-to-day approach, we have to identify who our most systemically important partners are - right? - in the private industry space. And so those companies aren't always the huge ones that everybody thinks about. And we talk about some sensitive national security projects. We talk about COVID vaccine development and things like that. These are sometimes some smaller - or certainly, medium-sized companies are very involved. There are all sorts of sizes of managed service providers out there that we need to identify and go out and have those conversations with at the field office level. FBI has got 56 field offices across the country. That's part of our value proposition in working with private sector and countering cyberthreats. We're a deployed workforce across the country and frankly across the world, where we can have a technically trained cyber agent on somebody's doorstep in a very, very short time frame - we're talking hours versus days - in order to work with that organization. And if it's incident response or they're dealing with an incident or it's just, hey, we've identified that you guys are working on something that's really critical. If you - if that information was potentially disrupted or stolen, there's a national security implication. There's a public safety implication. We need to be out there with you and working through kind of those threats. And we can work with you to identify where some of those vulnerabilities lie. 

Dave Bittner: It's really interesting to me to see, I guess, what I describe as a real shift in approach for organizations like the FBI. We're seeing it with CISA, as well, with outreach, even NSA, the outreach to the community. Things aren't as insular as I think people thought they were. And I wonder, you know, people might have had this notion of the kind of the big, bad letter agencies, but it shouldn't be that way. I mean, these resources are for folks to take advantage of. 

David Ring: Yeah. I think that there's a stigma that - or a stereotype that we're trying to get away from. You see, you know, in TV and movies, the FBI raid jackets. They're kicking down doors. They're carrying stuff out of a... 

Dave Bittner: (Laughter) Right. 

David Ring: ...Building. They're putting up crime scene tape. And most organizations don't want that type of presence out there when they're dealing with this. That's not what the FBI does when we respond to a cyber incident. We take the cues from the victim organization, the targeted entity, and say, hey, let's have a phone call. We have questions that we are going to ask that's going to help us understand what you're dealing with. And hopefully, we can provide information that we have obtained via our investigations and our work with intelligence community partners and other government partners that can help you deal with the situation that you have, right? So our goal is to get away from that big, scary three-letter government agency stereotype that sometimes exists out there and say, no, we're truly here to help. I know that's an overused term. Hey, we're the FBI. We're here to help. But we truly are. And, you know, we're going to engage, as - you know, in as minimalist of a way that that organization needs, right? So we're not going to be rolling up in 20 black Suburbans and people pouring out (laughter) and making a big show of it. 

Dave Bittner: Right, right. 

David Ring: We're not going to walk out of the building with your servers, right? We're there to facilitate, assist and inform rather than be disruptive. 

Dave Bittner: What's your advice for folks who are looking to start that relationship, to make that introduction? What's the best way for them to go about doing that? 

David Ring: Yeah. So the best way is at the most local level possible, right? So again, 56 field offices and hundreds of smaller sub-offices that we call resident agencies across the United States. Work with your local contacts. It's out there. It's on the internet. You can reach out to your local field office. Have that initial outreach. Look into InfraGard programs. InfraGard is a public-private sector partnership that the FBI works with at every field office. They have their own chapters. It's a method to get through the door and start talking to your local FBI contacts. We have multiple agencies in field offices on cyber task forces where, you know, you've got local police, state police, other U.S. government agencies like Secret Service and others working together. If you've got a contact in those organizations, they can feed you into the FBI, as well. But the best thing to do is pick up the phone or pull up the email and reach out to your local FBI field office. And we'll reach back out to you. And we'll start developing that relationship. Oftentimes, that relationship blossoms. They feed us, feed folks back into my team here at headquarters, where we can engage at a more national strategic level as well. 

Dave Bittner: That's David Ring from the FBI. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: It has been a busy, productive week at RSA Conference. Crowds are certainly down from peak attendance years, but by no means did the show feel under-attended. In many ways, it felt like a bit of a reunion. Patrick Dennis is CEO at ExtraHop, and we caught up yesterday as the conference was winding down. 

Patrick Dennis: This is a bigger, more energetic show than I expected. I don't know what your experience has been, but people have been excited - everybody that I've met. 

Dave Bittner: I would agree, and I had that same question of how many people are going to be here. 

Patrick Dennis: And is it going to be strange? 

Dave Bittner: Mmm hmm. 

Patrick Dennis: And so my observation was, there are a lot of people here, and somehow we've navigated to a place where this felt like an honest-to-goodness, well-attended, well-put together conference. People took practical steps. And I had a great time. 

Dave Bittner: Yeah, me too. What are you hearing from customers that you've met with? What sort of things are on their minds? 

Patrick Dennis: So first and foremost - and this was consistent - I've talked to probably 30 customers for somewhere between a half-hour, 45 minutes each. It's pretty good sample - international, big, small. Without question, we're at the peak, at least from what I've seen, of tension between IT and security. Businesses are getting pulled into transformation initiatives super fast because of everything that's transpired in the world. And at the same time, work from anywhere has really challenged security teams, as has just the number of advanced threats, labor, all those things. And so there's a real tension there. There's pressure to move a business forward really fast and pressure for security teams to do that in a way that keeps people safe and secure, and it's tense and it's hard. 

Dave Bittner: How are they reacting to that tension, to that pressure? What - you know, what are they seeing on the other side of it? 

Patrick Dennis: So interesting, a - great question, right? The other thing I want to tell you is they're all very hopeful. I've been through cycles here where I've not seen hope. So even with that tension and that pressure, like, I have a ton of great stories that came from customers where they've been really successful. I think it's getting really practical. You know, there have been years where security and IT had trends and topics that were pretty big, maybe didn't land. 

Dave Bittner: Yeah. 

Patrick Dennis: I had a lot of very practical conversations this week. How can I make things better now? How do I make things better for my people now? What can I do to advance the business now? So there is a sense of urgency I haven't seen quite like this any time in the past. 

Dave Bittner: Do you have a sense that the security folks are being supported by the higher-ups in the company, that there's a recognition of the investment that this requires? 

Patrick Dennis: I think that's 50-50. So I feel pretty strongly about that particular topic. 

Dave Bittner: OK. 

Patrick Dennis: We have a lot going on in the world, right? We're recording this, there's still a war going on. 

Dave Bittner: Yeah. 

Patrick Dennis: It's been going on for over 100 days. 

Dave Bittner: Right. 

Patrick Dennis: And we still have security professionals that aren't getting the support that they need from their companies to make sure, you know - we'll use the CISA term - their shields are up. And there could never be a time where it's more obvious that people should at least be prepared. And so I think it's 50-50. 

Patrick Dennis: I spent a fair amount of my time as a CEO trying to make sure we're asking customers to do that for their teams. I'm in an interesting chair, right? I'm the CEO of a security company, so we obviously care about security. But I still have my fiduciary obligation, my duty of care and my duty of loyalty... 

Dave Bittner: Right. 

Patrick Dennis: ...To our business as a security professional. And I know what I have to do to support my team. And I don't think people around the world are getting the same support that we offer our team. And it's probably 50-50 - still scary. 

Dave Bittner: Do you sense that the relationship between IT and security is growing closer? Is the mandate coming down or bubbling up that that is where we need to go, and so the folks in those positions have to? 

Patrick Dennis: I can think of two conversations I had specifically... 

Dave Bittner: Yeah. 

Patrick Dennis: ...That I'm going to use as the reference point for this. 

Dave Bittner: OK. 

Patrick Dennis: One was a leader, mid-level leader that had identified he could get leverage from the other group. So he walked across the aisle, and he said to IT, hey, your network team could help me a little bit on security. And my security folks know a little bit about a network. Neither of us are fully staffed. I'll help you a little bit if you help me a little bit. 

Dave Bittner: OK. 

Patrick Dennis: And they've reworked almost their entire investigation workflow as a result of it, turned it entirely upside down. They're using their IT network team almost as a kind of tier one. They're kind of adding them to that layer. Super effective. That was a very, very savvy mid-level leader that just saw a way to solve his problems. I had one other conversation where absolutely top-down, very large financial services company, top-quartile CSO, and was like, hey, I want to know we have the best protection that we can have. We're going to bring these two teams together. They're not going to do the same thing. And we're not even going to organize them as one single team. But we're going to make them sit together and kind of get the mission brief together, and they're both going to have a role to play. So I've seen it done both ways. 

Dave Bittner: Is there a difference with - if someone is spinning up an organization today, a new effort, you know, new entity... 

Patrick Dennis: Right. 

Dave Bittner: ...Are they coming at it from a different direction than legacy companies? 

Patrick Dennis: Certainly that mid leader example that I gave is a newer organization, a little more greenfield. 

Patrick Dennis: OK. 

Patrick Dennis: So they were trying to build that workflow kind of in an integrated way. The other example is a legacy organization. And what - I would argue that's a little bit more of like, hey, they're having to break some glass to put it back together again. They're solving it with budget. So interesting, right? Top-down, you can put a budget lever on it. And that CSO is using that budget lever a little bit with the two teams to say, like, neither of you have quite enough, but if you work together, you have plenty. 

Dave Bittner: (Laughter) Right, right. 

Patrick Dennis: Pretty cool - it was a creative solve. 

Dave Bittner: That's good. Yeah, it's compelling. Yeah. Yeah. As you and I are here together at the RSA Conference, we are just about midway through this year, hard to believe, what are you... 

Patrick Dennis: Gone fast. 

Dave Bittner: Yeah, it really has. What do you see on the horizon? What do you think we're in for the rest of 2022? 

Patrick Dennis: So we're also at the point where people are talking about the financial outlook. So if we kind of go back to this situation that we're in, which is maybe why it's unusual that I saw so much hope and optimism, right? We've also - we've seen a pandemic. We've seen a war. We have some uncertainty in the financial outlook. I think it's going to be a busy back half. I think it's going to be a busy back half. I don't exactly know which one of those dominoes is going to fall and how it's going to hit another domino. But there's certainly enough in the forecast to look out and say it's going to be really busy for cyber professionals. I think we're going to see some of the spillover, probably, from the war. I think we're going to see some just pressure in markets. That's always challenging for teams that are trying to find people to employ and build the team and build tools and products and capabilities. So I think there's going to be a lot of pressure in this back half. It's going to be busy. 

Dave Bittner: What's your advice to folks, you know, having been here for these few days, having the conversations you've had, for the people out there who are trying to up their security game? Any words of wisdom? 

Patrick Dennis: That tension I described between IT and security does nobody good. These leaders I described that are finding ways to build bridges between those two teams, those people are better off. Build the bridges, work together as a team. If you can do that and be practical in this back half of the year, facing some of the things we're going to face, you're going to be better off. 

Dave Bittner: That's Patrick Dennis from ExtraHop. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Danny Adamitis from Lumen's Black Lotus Labs. We're discussing new developments in the WSL attack surface. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.