A new RAT from Beijing. Muslim hacktivism in India. Ukraine reports a GRU spam campaign against media outlets. A Moscow court fines Wikimedia. And that UK cyber disaster was just a promo.
Dave Bittner: A Chinese APT deploys a new cyberespionage tool. Hacktivism roils India after a politician's remarks about the prophet. Ukraine reports a massive spam campaign against the country's media organizations. A Russian court fines Wikimedia for disinformation. From the NSA's Cybersecurity Collaboration Center, our guests are Morgan Adamski and Josh Zaritsky. Rick Howard sets the cyber sand table on Colonial Pipeline. And the Martians haven't landed. And the Right Honorable Mr. Johnson is still PM.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 13, 2022.
Chinese APT deploys new cyberespionage tool.
Dave Bittner: In a report this morning, Palo Alto Networks' Unit 42 outlines the recent activities of Gallium, a Chinese government threat actor particularly active against selective targets in Australia, Southeast Asia, Africa, and Europe. Gallium has also been associated with Operation Soft Cell, a campaign against telecommunications providers. The recent operations Palo Alto describes are distinguished by their employment of a new, difficult-to-detect remote access Trojan named PingPull. They're also marked by an expansion to sectors other than telecommunications, specifically government organizations and financial services. Palo Alto has shared detailed findings with fellow members of the Cyber Threat Alliance. The company also extends special thanks to the NSA Cybersecurity Collaboration Center, the Australian Cybersecurity Centre and other government partners for their collaboration and insights offered in support of their research.
Hacktivism roils India after politician's remarks about the Prophet.
Dave Bittner: Remarks by a representative of India's ruling party, the BJP, have prompted a defacement campaign against websites belonging to Indian diplomatic, academic and agricultural organizations. The actions, organized by the hacktivist group DragonForce Malaysia, are organized around the message, "for you is your religion and for me is my religion." The Times of India quotes the Director of Research and Operations at the Centre for Research on Cyber Intelligence and Digital Forensics as saying, correctly, "website defacement is the lowest form of cyberattack. Data theft, particularly financial data theft and personal data, will impact people and the banking sector. Companies and government organizations must step up cybersecurity." The remarks themselves by Nupur Sharma were taken by many Muslims, including Muslim governments, to be defamatory, blasphemous and intolerable.
Ukraine reports a "massive" spam campaign against the country's media organizations.
Dave Bittner: An email from the Press Office of Ukraine State Service of Special Communication and Information Protection on Saturday warned that a massive spam campaign against media outlets had begun. Over 500 destination email addresses have been identified. The emails contain an attached document, opening which may initiate downloading of CrescentImp malware. Specialists warned that cybercriminals have been increasingly resorting to email spamming from compromised addresses of public institutions. If you fall victim to a cyberattack, please contact CERT-UA immediately. The activity is tracked by UAC-0113, attributed to the Sandworm group with a medium certainty level. As reported earlier, this group was involved in orchestrating a massive attack on the energy sector of Ukraine in April. Sandworm is a Russian threat actor associated with Russia's GRU military intelligence service and perhaps best known for its role in the 2015 and 2016 cyberattacks against sections of Ukraine's power grid. The group has also been fingered for the 2017 NotPetya pseudo-ransomware attack and 2018's Olympic Destroyer incident. The payload in the spam emails appears to exploit the Follina vulnerability in the Microsoft Windows support diagnostic tool to install a downloader for CrescentImp malware. CrescentImp's provenance and functionality are unclear, BleepingComputer reports, but CERT-UA has provided indicators of compromise to assist in CrescentImp detection.
Russian court fines Wikimedia for "disinformation."
Dave Bittner: The Verge reports that a Moscow court has fined the Wikimedia Foundation five million rubles - that's about $65,000 - for its reporting on Russia's special military operation, the war against Ukraine. Wikimedia is appealing the fine. Stephen LaPorte, associate general counsel at the Wikimedia Foundation, said, "this decision implies that well-sourced, verified knowledge on Wikipedia that is inconsistent with Russian government accounts constitutes disinformation. The government is targeting information that is vital to people's lives in a time of crisis. We urge the court to reconsider in favor of everyone's rights to knowledge access and free expression." Wikimedia also argues that Russia lacks jurisdiction.
The Martians haven’t landed, and the Right Honorable Mr. Johnson is still PM.
Dave Bittner: And finally, you know the lore about Orson Welles and his Mercury Theater of the Air broadcast of the War of the Worlds back in 1938. It came in the form of a series of fictional breaking news alerts that interrupted what appeared to be a regular music program. The breaking news bits were a lead-in to a conventional radio drama narrated by Mr. Welles. The Martians' landing site was transposed from England to Grovers Mill, New Jersey, in Mercer County, not far from Trenton. The broadcast said it was fiction, but not all the listeners got the word, and there was a minor panic over a Martian scare. That panic wasn't as big as later legend had it, but some people were certainly spooked. Anyhoo, there's been sort of another War of the Worlds scare. Only this time it was in the U.K., and it involved an ad that announced a - wait for it - cyberattack. "Be vigilant, be ready, and above all, remain calm. The Undeclared War coming soon to Channel 4 and All 4," Channel 4 tweeted above a promotional video that showed what appeared to be a GCHQ warning delivered by the Right Honorable Andrew Makimbe, Prime Minister.
Dave Bittner: Apparently some viewers were confused and carried their confusion to Twitter. iNews quotes one such viewer, "I saw this and was really confused whether it is real or not. Wasn't really explained and then announced 'Undeclared War' on screen. Don't know if this should be on TV or not." Others, without acknowledging any such confusion on their part, were nonetheless moved to express concern for their neighbors, lest the British public be led astray. One such concerned subject asked, "is it not against Ofcom rules to broadcast an advert or feature that could be mistaken for a real-life news emergency broadcast? The Undeclared War advert might have just breached that."
Dave Bittner: We know, we know. Twitter is an unfiltered sluice through which the random thought that forms within the private mind finds immediate, public global expression. But some people were apparently confused. There's always someone who doesn't get the word, right? Adrian Lester, the actor who plays Prime Minister Makimbe, pointed out, "I'm not actually the prime minister. I'm an actor. And anyway, I don't have blonde hair." Ofcom, the Office of Communications and the U.K. equivalent of the U.S. FCC, is looking into the matter. In any case, there's no need to start hoarding canned goods and the other familiar impediments of civilizational collapse, like shortwave radios, ammunition and a rowdy dog. And if you're keeping score at home, the Right Honorable Boris Johnson is still Prime Minister.
Dave Bittner: The U.S. National Security Agency has been actively engaging with private industry. And one of the ways that happens is through NSA's Cybersecurity Collaboration Center. At last week's RSA conference, I sat down with Morgan Adamski, the center's chief, and Josh Zaritsky, deputy chief operations officer of the Collaboration Center, for insights on their mission.
Morgan Adamski: So the Cybersecurity Collaboration Center really is the external facing organization of the Cybersecurity Directorate at NSA. And it is meant to essentially harden and defend the defense industrial base at scale. And we knew that this was a critical mission when we set up the Cybersecurity Directorate at NSA because if we're trying to protect the most critical weapons platforms, systems, networks, you can't just focus on the big DIB primes or the big companies or the platform itself. You have to really secure the entire supply chain and all the companies that underpin it because that's what our adversary is targeting every single day.
Dave Bittner: Can you give us some insights as to bidirectional that happens in a practical point of view, the behind-the-scenes workings of it?
Josh Zaritsky: So one thing that's fairly universal across much of NSA, I think, is that no two days are going to be identical. So, you know, it depends a lot on what's going on. But really the focus is on bilateral, bidirectional sharing. So it's not just us pushing information to partners. It's not just them pushing information to us. It's a collaboration. It's a dialogue, both of us talking about what we're seeing, what we're concerned about, how to mitigate various threats, and really trying to take on the shared challenge of defending against, you know, foreign threats to our defense industrial base.
Dave Bittner: Have you seen any resistance from the organizations - or maybe wariness is probably the better question? Do you have to prove to yourself that this is going to be mutually beneficial, that this is a - as you say, a bidirectional relationship?
Morgan Adamski: Absolutely. I think that was the first step, right? You know, when we went to a lot of our industry partners and we said, hey, we want to partner with you, and we want to share intel, they were like, OK. All right. All right, we'll see, right? You know, and we're going to do that. And we hope it works. And so we started off small, right? We just started to share information and say, here's the type of things that we think would be beneficial to you. Is it? Some of our partners came back and said yes. And some of our partners said, no, that's not what I really need. And we were constantly evolving. And so, you know, it was a degree of - it's definitely a degree of trust. It's a degree of humility and recognizing that we're just trying to get this right because we know it's important that we do. But I think most of our partners have really been encouraged by what we've been trying to do in this space. And so we see more and more people wanting to partner with us in different ways. And so I think that's an encouraging metric.
Dave Bittner: Well, it also strikes me that, I mean, so much of our critical infrastructure, when it comes to cyber, is in private hands, right?
Josh Zaritsky: Yes, absolutely. And of course, at NSA, our focus really is on the defense industrial base. They're not necessarily the broader critical infrastructure.
Dave Bittner: Right.
Josh Zaritsky: But, yes, I mean, I think what we recognize is there's no way government can solve this problem. It requires that collaboration. The networks are owned, operated and defended by the private sector. And it's our responsibility to do everything in our power to arm them with the information they need so that they can do that job.
Dave Bittner: Are there things that you all have learned along the way in terms of, you know, we had intentions to do this in the beginning, but in our interactions with the folks out there, we've had to make some adjustments?
Josh Zaritsky: Yes. Every day, every event is another learning experience. When the center was getting off the ground was when the Nobelium incident from last year - I try not to refer to the company, how everybody describes that incident because, you know, it was a much larger event. But obviously, yeah, so that was one of the things that really sort of defined how we began interacting with some of these companies and understanding the types of information that was going to be most useful. And then we've had, you know, various Microsoft Exchange exploits. We've had, you know, some high-profile compromises of various organizations and ransomware attacks and various things. And each one of those is a little bit different. And we understand, you know, what kind of information that we might have is going to be most useful to each of our partners, which types of partners are going to have the insights that are, you know, the most relevant to informing the broader community of, you know, getting our arms around the scope of the incident so that we can take the right steps necessary to mitigate or mediate.
Morgan Adamski: And I would just offer, you know, one of the things that we've really learned and benefitted from over the last year and a half - and you've heard it a little bit from Chris Inglis and Jen Easterly and our director Rob Joyce - is really how we play off of each other from an interagency perspective, right? So, you know, especially the center was really stood up and hit the ground running during SolarWinds. And you - whether we're - we say it's fortunate or kind of unfortunate - right? - you've had things like Log4j and you've had the Nobelium compromise. And what we've really learned in the interagency is how to interact with each other and how to play our best positions. And so, you know, when we talk about the Cybersecurity Collaboration Center and our emphasis on the DIB, very rarely do adversaries just target the DIB. Right? They're targeting large-scale sectors and using the same techniques. So how can we take what we're learning with the DIB and give that to CISA to push to the other sectors, right? We want to be able to protect critical infrastructure at scale, and we're going to need to be able to take those insights from those deep technical conversations and push it across.
Morgan Adamski: We also have a fantastic relationship at the center with the FBI, right? You know, the FBI is able to get to any doorstep in an hour, right? But sometimes when the FBI shows up, it's a hard conversation to have because they're asking for things, they don't know what to share, right? And so we've built fantastic relationships with the field offices, with FBI Cyber under Bryan Vorndran. How do we interact, how do we share information in real time, but how do we all benefit from the data we're getting for different authorities and capabilities?
Dave Bittner: How do you measure success? As time goes along, how do you, you know, quantify the impact that you're having?
Morgan Adamski: So that's a tricky question for all of us - right? - because our goal is to make sure things don't happen.
Dave Bittner: Right.
Morgan Adamski: So how do you measure something that doesn't happen?
Dave Bittner: Right.
Morgan Adamski: It's great. That's awesome.
Dave Bittner: (Laughter) I know.
Morgan Adamski: But...
Dave Bittner: Congratulations. We spent all this money and nothing happened.
Morgan Adamski: Yes, yes.
Dave Bittner: We're doing a great job (laughter).
Morgan Adamski: That's not the metric people want all the time.
Dave Bittner: Right.
Morgan Adamski: But here's what we see in National Security Agency - right? - is, you know, our goal is to frustrate the actor and make it harder on them. So when we see actors having to change their techniques, having to create bespoke capabilities or having to invest in something and not just use the simplest thing on their shelf, that's a good metric for us to know that we're making it harder on them. When we see the Defense Industrial Base and we are able to take a domain and pass it through our protective DNS and block and protect thousands of companies at once, that's a good metric of success. And so, you know, we're constantly figuring out what they are. The fact of the matter is, is we know we're moving in the right direction.
Dave Bittner: Morgan Adamski is chief of NSA's Cybersecurity Collaboration Center, and Josh Zaritsky is deputy chief operations officer.
Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, always great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So for this week's "CSO Perspectives" episode, you are dusting off your trusty cyber sand table.
Rick Howard: Indeed I am.
Dave Bittner: And you're going to be talking about an infamous breach from days gone by. Before we dig into that, though, let's revisit here - what, exactly, is a cyber sand table, and what makes it useful?
Rick Howard: Well, thanks, Dave. And I got the idea of a cyber sand table for my old military days, OK? So we used these sand tables after we completed a field exercise. It was kind of a physical model of the terrain we were all playing in, and sometimes they were really fancy. But most of the times, the sand table was a piece of dirt on the ground, and we use rocks and twigs and things to represent the forces and obstacles both sides were contending with. And we tried to capture the lessons learned by rolling through the exercise step by step, watching what the red team did and then studying how the blue team reacted because, you know, it's hard during the heat of battle to take a beat and think about what you were doing wrong in the moment so that you won't repeat that mistake in the future.
Rick Howard: The last time you and I talked about sand tables, I said it was like how Tom Brady, probably the greatest NFL quarterback of all time...
Dave Bittner: (Laughter).
Rick Howard: We look forward to your letters (laughter).
Dave Bittner: Yeah. Yeah. Johnny Unitas would like a word, but go ahead.
Rick Howard: Anyway, his normal practice is to review game films and look for previous mistakes so he can learn from them. So for cybersecurity, I think we can learn a lot by studying some of the famous breaches in our history to see what mistakes can be avoided in the future.
Rick Howard: The last time, we put the infamous OPM breach on the sand table, which you should definitely go check out. But for this episode, we are examining the Colonial Pipeline attacks of 2021.
Dave Bittner: So why choose Colonial Pipeline? What makes that event particularly useful?
Rick Howard: Well, we are focusing the analysis through a resilience lens because here we have Colonial Pipeline, the company responsible for some key U.S. critical infrastructure, namely the gas pipeline. I don't know if you knew this, Dave, but it carries roughly 3 million barrels of fuel a day over about 5,500 miles from Houston to New York and connects directly to several major airports, including Atlanta, Nashville, Charlotte, Greensboro, Raleigh-Durham, Dulles and Baltimore-Washington. In other words, this is how your airports on the East Coast get their jet fuel. And if you remember, thousands of gas stations on the East Coast didn't have any gas for over a week after the double extortion attack by the cybercriminal gang DarkSide. So if your resilience first principle strategy says that you will continuously deliver the intended outcome - in this case, fuel delivery - despite adverse cyber events, the Colonial Pipeline response was a big whiff. So in this episode, we're going to try to discover the reasons why.
Dave Bittner: All right. Well, that is "CSO Perspectives." It is part of CyberWire Pro. You can learn all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.