The CyberWire Daily Podcast 6.24.22
Ep 1606 | 6.24.22

Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection.


Dave Bittner: Lithuania warns of increased DDoS threats. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Are you a critical infrastructure operator? Well, CISA's got a tabletop exercise for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the years since Colonial Pipeline with Padraic O’Reilly of CyberSaint. And sometimes ransomware is just a spy's way of saying, nothing up my sleeve.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 24, 2022. 

Lithuania's NKSC warns of increased DDoS threat.

Dave Bittner: BleepingComputer reports that Lithuania's National Cyber Security Centre, the NCSC, has issued a public warning that the threat of distributed denial-of-service attacks is rising. The alert says, most of the attacks are directed against public authorities, the transport and financial sectors, leading to temporary service disruptions. The NCSC urges all managers of critical information infrastructure and state information resources to take additional security measures and to follow the NCSC recommendations for protection against service disruption attacks. 

Dave Bittner: There's no explicit mention of Russian operations in the alert, but it's clear whence comes the threat. BleepingComputer notes that a nominally hacktivist group that claims to be acting in the Russian interest, Legion - Cyber Spetsnaz, declared in a Telegram post cyberwar against Lithuania and published an ambitious target list - large banks, logistic companies, internet providers, airports, energy firms, mass media groups and various state and ministry sites. BleepingComputer reads the Cyber Spetsnaz as an offshoot of Killnet. Spetsnaz is the Russian term for its military special forces, throat-cutting operators who've inherited their tradition from the Cold War Soviet army. Rough Western equivalents would be Cyber SAS or Cyber Commandos or Cyber Rangers - a little grandiose and a little puerile and so far more than a little unearned.

Dave Bittner: The Cyber Spetsnaz declaration dates from Lithuania's decision to forbid shipments of sanctioned goods through its rail corridor to the detached Russian enclave of Kaliningrad. Reuters reports that Moscow has blamed Lithuania's action on Washington. The Russian Foreign Ministry said in a statement, the so-called collective West, with the explicit instruction of the White House, imposed a ban on rail transit of a wide range of goods through the Kaliningrad region. 

Limited Russian success in the cyber phases of its hybrid war.

Dave Bittner: Microsoft's report, "Defending Ukraine: Early Lessons from the Cyber War," includes an account of Russian targeting in the cyber phases of its hybrid war against Ukraine. The report says, Russian targeting has prioritized governments, especially among NATO members. But the list of targets has also included think tanks, humanitarian organizations, IT companies and energy and other critical infrastructure suppliers. While Russian cyber operations have, as many have observed, fallen as far short of the widespread devastation of infrastructure as Russian combined-arms operations fell short of the conquest of Kyiv - both widely expected - they've enjoyed some success. According to Microsoft, since the start of the war, the Russian targeting we've identified has been successful 29% of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization's data, although, as explained in the report, this likely understates the degree of Russian success.

Another warning of spyware in use against targets in Italy and Kazakhstan.

Dave Bittner: Google's Threat Analysis Group reported late yesterday that spyware developed by the Italian firm RCS has been found in use against targets in Italy and Kazakhstan. Google says, today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android. We have identified victims located in Italy and Kazakhstan. Targets appear to have been infected by phishing or through the installation of malicious apps, and the malware comes in both iOS and Android versions. One surprising conclusion is that in some cases, the spyware operators worked with the victim's ISP to disable the target's mobile data connectivity. In some cases, RCS had earlier cooperated in its business with the now-defunct Hacking Team. The tools RCS apparently sold to government customers were described last week by researchers at Lookout under the name "Hermit." TechCrunch reports that Google is notifying the victims it's been able to identify.

CISA's tabletop exercises.

Dave Bittner: CISA hosted a workshop Thursday providing an overview of the CISA Tabletop Exercises Packages (CTEP), an unclassified, adaptable exercise resource focused on facilitating discussion around a scripted hazard or threat scenario. Robert Lauer, the workshop facilitator, explained that the CTEP is designed to assist government and industry partners in developing their own tabletop exercises with pre-built templates. There are over a hundred scenarios to choose from that encompass both cyber and physical security. Several of them involve both. The CTEP exercise materials include a situation manual, an exercise planner handbook, a facilitator and evaluator handbook, and various templates that can be used throughout the exercise. The ultimate goal of the resource is to help facilitate understanding, identify strengths and areas for improvement and/or changes in policies and procedures.

Dave Bittner: GovTech reports that workshops on CTEP will be held monthly and hosted by CISA Exercises Infrastructure Security & Exercise branch, with participation from private stakeholders and critical infrastructure owners and operators. There is no registration required for these workshops, which are open to the public. To use the CTEP exercises, however, you need a critical infrastructure community account on the Homeland Security Information Network. You can learn how to create an account on their website.

Cyberespionage uses ransomware as misdirection.

Dave Bittner: Finally, Secureworks reports that a Chinese threat actor it tracks as Bronze Starlight is conducting ransomware campaigns against selected targets, but that the ransomware is probably misdirection to cover cyber-espionage and theft of intellectual property. The researchers say the victimology, short lifespan of each ransomware family and access to malware used by government-sponsored threat groups suggest that Bronze Starlight's main motivation may be intellectual property theft or cyber-espionage rather than financial gain. The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.

Dave Bittner: One of the marks of Chinese official involvement is the distinctive loader Bronze Starlight uses. It's been seen before in other campaigns run by Beijing's APTs. Once the loader's installed, it decrypts and executes a Cobalt Strike beacon for command and control. At that point, the ransomware goes in and the data goes out, and it's Katie, bar the door, but too late. And the threat actors are far more interested in the data than in any ransom payment. Secureworks points out that good practices like keeping systems patched and up to date and monitoring your network traffic will help. And they provide a useful set of indicators of compromise. So, yes, indeed, Katie, bar the door.

Dave Bittner: It was just over a year ago that news of the Colonial Pipeline breach hit the newswires, and with it a flurry of activity, speculation and ultimately response. I wanted to get a reality check on where we stand a year out from that important event. And for that, I checked in with Padraic O’Reilly, co-founder and chief product officer at CyberSaint. 

Padraic O’Reilly: In the wake of something like that, you know, major supply chain issue around something like gasoline, people were just shocked and confused and didn't understand the implications of it. And just - it was burbling into the public through mainstream media news outlets. And it's sort of difficult for people to understand what some of, you know, the announcements and press releases out of Colonial even meant, you know. What does it mean? OT is not IT, and operational technology and cyber to physical and all of these sort of terms of art in cyber confuse the public to some extent. So I think it was a really chaotic week or two. 

Dave Bittner: Do you feel like ultimately, the messaging was correct, that the general public who's not steeped in this sort of stuff, do you think their understanding of it is accurate? 

Padraic O’Reilly: No. No, because even among people who are more sophisticated, there's still a great deal of confusion, because - and I think that's just an artifact of our news cycles. They're so quick. And you need to talk a little more in depth about, you know, the context around an attack like that and what can be done going forward to get a better understanding. So, no, I think the public knows that some of our critical infrastructure is in danger of cyberattacks. And I think they just sort of live in that, you know, general, free-floating anxiety, so to speak. 

Dave Bittner: Yeah. My recollection, one of the things that struck me was when the realization came out that, you know, one of the main things that kept Colonial Pipeline from getting the fuel flowing were billing issues, not... 

Padraic O’Reilly: Right. 

Dave Bittner: ...Necessarily technical, physical issues. It was just, how are we going to know who needs to pay for this? 

Padraic O’Reilly: Right. Yeah. And the complexity of an operation like that, very hard to cover in a short format. 

Dave Bittner: So in terms of response, I mean, let's start with the federal response here. How do you rate how they responded to this and the things that have been put in place since? 

Padraic O’Reilly: I would rate the response highly, you know, in terms of, you know, the two directives and some of even the back, behind-the-scenes legislative activity, you know, senators sending letters and encouraging the Department of Energy maybe to get a little more involved, because long term, that's probably the solution. So I think the government did all the right things. The issue really is, you know, I think, is TSA prepared to deal with this problem at scale going forward? You know, you can outline guidelines. You know, there were a couple of directives that came out. They're pretty clear, but it's not very easy to implement all of that for all pipelines. And there's a great deal of haggling going on. So I think the response was great, but the implementation, not so much. 

Dave Bittner: Where do you suppose we stand today? 

Padraic O’Reilly: I think where we stand today is, you know, we're in a negotiating period between some of the pipeline operators and the TSA. The TSA does have the regulatory authority to levy fines, but they're not going to do so until they feel like industry is in a better place with respect to, you know, getting on the same page with the directives. 

Dave Bittner: What do you suppose it's going to take to reach that level of alignment? 

Padraic O’Reilly: I think a couple of things probably have to happen. Either the TSA has to get bigger, has to devote more resources to this, or the Department of Energy is going to have to become involved long term. Because this kind of reminds me a little bit of 2008 and when NERC CIP came out. There was a long period of, you know, how do we comply? How do we do this, you know? And it really didn't start to see the results of, say, NERC CIP compliance until, you know, a couple of years out. 

Dave Bittner: Do you think we're on a realistic timeline here? I mean, is it reasonable that these changes, these adjustments in how things are done are taking as long as they're going to take? 

Padraic O’Reilly: No. You know I - no. Because, you know, I'm in the business of helping companies, you know, comply more generally. And, you know, I just look at the other regulatory frameworks that the government has right in place, say, for example, you know, DFARS or CMMC for Defense Department subcontractors. It just takes longer. So, you know, even in directive one that came out, you know, they were like, we need a gap, you know, analysis within 30 days. I don't know that that's possible. You know, I see companies struggle to get their DFARS or the CMMC regulations in place in six months, you know, or longer. So I think maybe the timelines are very aggressive. I think that was probably intentional, to put everyone sort of on notice that this had to get done. But I think that'll probably be tweaked too in the long run. 

Dave Bittner: How do you suppose this is going to inform, you know, the development of new infrastructure? As new pipelines are laid, as new, you know, when, as those upgrades happen, and not just to pipelines, are we going to have a different mindset going forward? 

Padraic O’Reilly: I think there's already a different mindset among the, you know, system integrators and the companies that work with pipelines. You know, if you sort of listen to the thought leaders in that sector, they're already, you know, advising that new construction or new infrastructure should be, you know, built with new protections in place. You know, some of the - you know, some of the legacy infrastructure is pretty tricky stuff, as you know. You know, it's very hard to - it's a notoriously difficult problem to patch operational technology systems. So a lot of the companies that build infrastructure are mindful of that, and a lot of the consultants who put that infrastructure into place are mindful of that.

Dave Bittner: That's Padraic O’Reilly from CyberSaint. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security officer at Microsoft Canada. Kevin, always great to welcome you back to the show. It is hard to believe, but it is that time of year again, when the graduates are hitting the pavement looking for new jobs, and many of them want to enter this hot area of cybersecurity. I know this is an area that is important to you. You actually give a lot of your time to speak to some of these folks. What sort of things are you telling them, and what feedback are you getting? 

Kevin Magee: Thanks for having me back, Dave. And thanks for investing some time discussing something really important to me, which is making sure that we're not only building the pipeline but we're getting these students out into the work world to start to close some of these gaps that we're seeing in not only talent but just in workforce. And it's one of my favorite things to do. I get asked to speak to a number of universities and colleges, primarily in Canada, more and more each year about, you know, how do you get that first job, or how do you hack your way into the security industry? 

Kevin Magee: What I've really found is there's more than one skills gap out there, and I think the biggest one is that there are tons of incredibly talented aspiring cybersecurity professionals being graduated by colleges and universities across the country, but there's also these tons of open jobs. And CSOs are telling me they can't find the talent, but the students are telling me they can't get hired for these initial jobs. So I think this is the challenge that I'm really excited about trying to figure out how to overcome. 

Dave Bittner: So what's the gap there? Why can't these two groups meet in the middle? 

Kevin Magee: I think it's setting expectations. So the universities and colleges will promote how much money you can make in cybersecurity or how big of a demand it is, but that's for a fully proficient and fully experienced cybersecurity professional. And that's what the employers often want - is a fully proficient and fully experienced cyber professional. There's a gap of five years, and you'll see many of the students bring up the five-years-plus experience that's really causing this challenge. 

Kevin Magee: And how do we get over that? Other industries like accounting or lawyers - they have to do an articling period. Doctors need to do residencies. Tradespeople need to do a period of time as an apprentice as well. There's no sort of transition period in the cybersecurity industry. So we're going to have to act like hackers as students - that's what I tell them - to figure out how you can find that first job and really hack that gap to your own advantage. 

Dave Bittner: Yeah. It strikes me, too, that a lot of the businesses out there need to recalibrate their expectations as well to bring in those lower-level people and train them up, you know, do it in-house. Don't expect everybody to come in fully baked. 

Kevin Magee: And part of that is we often promote the most technically proficient within our organizations to leadership roles, not those that are the greatest leaders and not those that can onboard talent, mentor talent and train talent. So that is one challenge, and we don't invest in a lot of our technical leaders in teaching them these skills as well. So a lot of this is going to fall to the student to figure out how to bridge that gap. Otherwise, they may find that they're not able to break into the career in cybersecurity or have to seek employment in another area of the industry to build up that experience before they're able to come back to security. And that would be a great shame. 

Dave Bittner: For the students, I mean, is this a matter of getting the right certifications? Is this a matter of getting the right internships? I mean, what's your advice to them to get past those resume gatekeepers? 

Kevin Magee: Yeah. I'll boil down a one-hour talk to a short clip for CyberWire.

Dave Bittner: (Laughter). 

Kevin Magee: So one - explore your options. You know, the pandemic has moved a ton of content online. Conferences are online. You can start to see what people do and what their people are talking about, learning about the different roles and getting connected to some of those people, reaching out. Great resource, the CyberWire Career Notes - if you hear someone who just resonates, that their job would be the perfect thing you'd like to do, why not reach out and say, I saw your presentation? Explain why you want to talk to them, and ask for their advice.

Kevin Magee: No. 2 is, you know, become an industry expert. You have to know your skills. But also an industry insider - you know, who are the thought leaders in the space you're interested in? Who are they talking to, and what are they talking about on Twitter? Who are they interacting with? What conferences are they going to? What podcasts are they listening to? What books are they reading? This can be really key. I love "The Cybersecurity Canon." That is a great - if you haven't looked at that, give it a search. It's a great book intro reading list for those new to the industry. Start anywhere that interests you, and just build up your repertoire. And that could be from deeply technical books to Neal Stephenson. Nothing will get you further in an interview with me than dropping a Neal Stephenson quote or two, I'm pretty sure.

Kevin Magee: We talked about deep reading the job descriptions to look for that five years of experience. How can you look at the "or equivalent" aspect of that and demonstrate the equivalent? Can you show a GitHub project? Could you get a certification or whatnot that could demonstrate that to the employers? These are the actions that you can take that can really make a difference. But the most important one is show me, don't tell me. Don't tell me you're a great communicator. Write me a cover letter. Send me a blog post you wrote. Don't tell me all the skills that you have. Send me your GitHub project to review. How can you show the employer that you really have the skills? Maybe it's a capture the flag event or whatnot as well - and not just tell them on a resume, because loading your resume with keywords is really not going to get the attention, but some of these additional things really will. And those are all within your power to do as a student.

Dave Bittner: All right. Well, good advice, as always. Kevin Magee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's Research Saturday and my conversation with Alan Neville from Symantec Broadcom. We're discussing "Lazarus Targets the Chemical Sector." That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.