The CyberWire Daily Podcast 6.30.22
Ep 1610 | 6.30.22

Killnet hits Norwegian websites. Hacktivists tied to Russia's government. Looking ahead to new cyber phases of Russia's hybrid war. C2C market differentiation. Gennady Bukin, call your shoe store.


Dave Bittner: Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation; C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on breach communication. Roscosmos publishes locations of western defense facilities and subsequently says it sustained a DDoS attack.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 30, 2022. 

Killnet hits Norwegian websites.

Dave Bittner: Killnet, operating again as the Cyber Spetsnaz, yesterday announced a campaign against Norway in its Telegram channel. The post led with a doctored photo of Norway's Foreign Minister Anniken Huitfeldt, in which she's called Mrs. Error and made up to look like the Disney villainess Maleficent. Good morning, Norway, the introductory text read, all units to battle. This was followed by a list of Norwegian targets. The Russian complaint against Norway, as the Barents Observer reports, is that Norway isn't permitting Russian goods to transit Norwegian territory en route to the island of Svalbard via the Russian port of Murmansk. Thus, it has some similarity to the Russian complaint against Lithuania, which had prevented shipment of some goods to the non-contiguous province of Kaliningrad and which also attracted the attention of Killnet. Svalbard is under Norwegian sovereignty, but a treaty guarantees Russian coal mining operations on the island. Members of Russia's Duma have questioned Norway's sovereignty given what they call Oslo's violations of the Svalbard treaty, and the AP reports that Norway's ambassador to Moscow was summoned to the Russian Foreign Ministry to give an explanation of Norwegian policy. The cyberattacks claimed by Killnet have been distributed denial-of-service incidents. Several sites were disrupted for a matter of hours, but Norwegian authorities said the effects were limited and have been largely mitigated. Norway's NSM attributed the attacks to a criminal pro-Russian group and are investigating the group's possible ties to the Russian government. 

Hacktivists tied to Russia's government.

Dave Bittner: Bloomberg reports that XakNet, a nominally independent pro-Russian hacktivist group that's denied answering to Moscow, may in fact be tied to the Russian government. The source of the attribution is Mandiant. John Hultquist, Mandiant's vice president of intelligence analysis, says, it's important we scrutinize the actors who claim to be Russian hacktivists because the intelligence services regularly use that facade to carry out their operations. If we wait until after a major attack to ask who is really behind these personas, it may be too late. This is unsurprising. Russian intelligence and security services have long operated nominally independent hacktivist groups. Guccifer 2.0 sanctions during the 2016 U.S. elections are an example of the practice. The group was eventually associated with the GRU. 

Looking ahead to possible new cyber phases of Russia's hybrid war.

Dave Bittner: While Russian cyberattacks have, like Russian ground forces, fallen far short of expectations in terms of effectiveness, if not in terms of effort, NATO continues to prepare for renewed cyber offenses that could extend beyond the borders of Ukraine. Such cyberattacks as have extended to NATO members have not succeeded in achieving more than a nuisance level of effort. But Protocol discusses Russian capabilities with a variety of cybersecurity experts who say that desperation could drive Russia to attempt more extensive and more destructive cyberattacks. The views of former U.S. Cybersecurity and Infrastructure Security Agency director Chris Krebs are representative. He told Protocol, once they start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, hey, wipe off the sanctions. How are they going to do it? It would be a highly visible, likely destructive attack. So shields up. 

Dave Bittner: Looking ahead to such an eventuality, NATO this week announced plans to increase resilience and organize a rapid-response capability to address Russian cyberthreats. Why major destructive Russian cyberattacks have yet to materialize remains open to debate. The Jerusalem Post reviews two of the leading explanations floated by experts at CyberWeek 2022 in Tel Aviv - overconfidence and poor preparation. If you expected quick victory, you might want to leave infrastructure you, as an occupier, might like to use intact. Or if you're serious about cyberwar, well, that takes a serious investment, and that investment may have fallen short. 

Amunet as a case study in C2C market differentiation.

Dave Bittner: Digital Shadows this morning updated its account of Amunet, an English-language cybercriminal forum launched in January 2022. Researchers have discovered a road map for 2022 on Amunet, explaining how the site plans to branch out as the year progresses. The road map highlights the January launch, followed by an intended launch of a leaks circle in March, described as a project for visualization of leaked sources, which has not been identified by researchers. This is followed by the intent to launch their own cryptocurrency in May 2022, which has not been seen in the forum as of June, barring one post in early May explaining that those who shared leaked databases would earn forum credits that can be exchanged for cryptocurrency. In July 2022, the forum is anticipated to see the addition of a leaks detector that checks for emails and corporate domains in leaked databases. The final stop on the road map is set for October 2022, coined as a time back machine, which is described as a couple of hacking forums returned as snapshots for public observation. While researchers regard Amunet in its current state as unremarkable when compared to other forums, those intended upgrades could be enough to lure threat actors into using it. The observations also provide an interesting perspective on how criminal groups try to differentiate themselves in the C2C market. 

C2C commodification extends to script kiddies.

Dave Bittner: Avast has published a study of the way in which teenagers are earning money in the criminal-to-criminal cyber underworld market. The researchers found a malware-as-a-service family whose operators spend a lot of time on Discord and seem to have an unusual set of interests. The criminal vendors offered some of the usual wares like info stealers, crypto jackers, ransomware, password scrapers and so on, but their hearts appeared to be elsewhere. Their offerings instead emphasized features like stealing gaming accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser with Pornhub. That is, Avast points out, the puerile stuff you'd expect from teenagers. It's a side hustle done for pocket money and for the LOLs, but it remains criminal, nonetheless. Shame on you kids. You're going to break your mother's heart. 

Roscosmos publishes locations of Western defense facilities…

Dave Bittner: Roscosmos, the Russian space agency, released overhead imagery and the geographical coordinates of a variety of Western installations online Tuesday. Dmitry Rogozin, head of Roscosmos, explained, the entire conglomerate of private and state orbital groupings is now working exclusively for our enemy. He added in his Telegram channel, today the NATO summit opens at Madrid, at which Western countries will declare Russia their worst enemy. Roscosmos publishes satellite photographs of the summit venue and the very decision centers that support Ukrainian nationalists. At the same time we are giving the coordinates of the objects, just in case. The photos and geolocations include the venue in Madrid, where the NATO summit met, the Pentagon, the White House, various British government buildings in central London, the German Chancellery, the Reichstag, NATO headquarters, other government buildings in Paris. None of these locations are secret, which makes what Mr. Rogozin thinks he's up to a bit of a puzzle. The just in case sounds menacing, but it's difficult to see what such a case might be. Anyway, he's displeased with the support Western space companies and agencies have rendered to Ukraine, and he's got the pictures to prove it, darn it - whatever those pictures prove. 

…and subsequently says it sustained a DDoS attack.

Dave Bittner: And finally, yesterday, according to the Wall Street Journal, Roscosmos press chief Dmitry Strugovets Telegrammed that the agency had sustained a distributed denial-of-service attack. You'd think he'd be quick to point the finger at NATO and Nazis and the like, but no, not this time. It's kind of a mystery. Mr. Strugovets said it had been successfully repelled, and that it originated from the Russian city of Yekaterinburg. As TASS has been authorized to disclose, after Roscosmos had posted satellite images of NATO's decision-making centers, the state corporation's website came under a DDoS attack. Unlike in March and April, this time, the attack did not come from overseas, but from our own city of Yekaterinburg. How such an attack might be staged through Yekaterinburg is unclear, although the city is the setting of the sitcom that features Gennady Bukin, Russia's Al Bundy. So it's got that going for it, which is nice. But seriously, the sitcom is called "Happy Together." It's a pretty good show based on the iconic American program "Married with Children." Seriously - shoe salesman? Check. Two kids? Check. Dissatisfied wife? Check. Dog? Check and double check. Football star in high school? Check-a-roony (ph). OK, futbalist is soccer player, not American football player, and Gennady was probably a fullback and not a halfback like Al, but close enough for government work. Anyway, Roscosmos - that's a government agency, right? Well, just looking at some latitude and longitude numbers here, we're looking at 56.8431 north and 60.6454 east. Seriously, we just googled it just in case. 

Dave Bittner: When a breach occurs and you find yourself in the heat of the moment with all of the emotions that come with that, communications are key. Our own CyberWire chief security officer Rick Howard checked in with Cody Chamberlain from NetSPI about that. 

Rick Howard: I'm joined by Cody Chamberlain. He's the head of product at NetSPI. Thanks for coming on the show, Cody. So NetSPI is a penetration testing company, but today we're talking about breach communication as part of any organization's resilience strategy. And we've come a long way, Cody, from the early internet days when nobody would admit in public that they had been breached, you know, for fear it would damage their reputation. That changed in 2010, around there, when Google admitted that the Chinese government had penetrated their networks in something called Operation Aurora. And that single event, coupled with a bunch of breach notification laws in almost all the states, changed the landscape. And today, it seems there is some organization every day announcing they've been breached somehow. But it doesn't mean that they're good at it, right? So there are plenty of examples of organizations that seem to have a handle on breach notification and others who appear to be making it up as they go. So let's start there, Cody. What is breach communication, and why should organizations put resources behind it? 

Cody Chamberlain: When you look at breach responses or breach communications, there's really the two pillars. There's the things you have to do and the things that, you know, you should do from a client or customer perspective, respective of what industry you're in, what compliance requirements you have. There are certain things you're just going to need to provide at certain times. On the other side, you have your customers, and you want to provide a very high level of customer service and retain your customers. And doing so and communicating with them with empathy and transparency is really key. And those are the two things that I really see as the most important kind of pillars of communication. 

Rick Howard: So in order to be good at this stuff, it goes without saying that you have to prepare for it, that responding to a breach should be part of the company's overall crisis management plan. So what should security leaders be thinking about here in terms of incident response? 

Cody Chamberlain: At the end of the day, plan the work, work the plan, right? And that's really key 'cause practice makes perfect and taking the time to develop the IR policies, not just in your CISO (ph) organization, but with your public relations team, your communications team. We're not always known in security as being great communicators, especially on a customer perspective. When you do tabletops, when you do policy development, there's no emotion involved, right? It's a Tuesday afternoon. We're being proactive. But in the moment when you are leading this incident response or you're the CISO or whatever and you realize this is a real breach, a real incident, emotion is going to take over. We're human. I think a lot of us have been in the room when we've seen somebody jump to the best-case scenario or they jump to, oh, it's OK because the firewall is there and we're segmented, only to realize later that the segmentation roles are a little more porous than maybe we thought through testing. So by really building that structure, building those processes, knowing here's who we're going to work with if things get really bad, when we have to kind of break glass and helicopter the third party in, trusting that process, and the more you do that, the more you develop that and have confidence in that process, I think the less emotion is going to take over, which helps. This isn't something that's probably an enjoyable exercise, right? I don't think anybody likes preparing for the bad thing. But it's the reality of the industry. And like you said, it happens more and more and more - to make sure we are fully prepped. We just do. We have to practice. We have to focus and do that in a way that we can be resilient against what are some extremely motivated attackers it seems. 

Rick Howard: One thing practicing an incident response plan does is get the executives in the mindset of when they will go public with the information. And you can either go public early without having a complete understanding of the incident and then, you know, later get accused of holding information back or even lying when the new facts emerge down the line. Or you can wait until you have almost a complete understanding of what happened, but then you get accused of withholding information from your customers. So how do you advise your security leaders on this concept when you're out talking to them about this? 

Cody Chamberlain: I'm sure I'll get some eye rolls, and it's like, it depends, right? 

Rick Howard: That's the answer I get from everybody I talk to. It depends on the situation (laughter). 

Cody Chamberlain: Yeah. It depends on the situation. The reality is a lot of organizations at the end of the day are going to have specific requirements. And that's really unfortunate for organizations who want to be very customer focused. I think having empathy with your client or your customers saying, hey, this is what we identified. We hear you. We understand, you want to know X. We're investigating X, and we have these experts involved or whatever - just being transparent with what you're doing, I think, helps appease that. 

Rick Howard: Yeah. I was going to say, you guys advocate transparency for all organizations doing this stuff. And I think you're right that you'll get cut some slack because you tried to do the right thing. You may not have gotten it completely correct. But you were being transparent with the information you - and tried to communicate that as a series of things as you go through the crisis. Is that what you mean by transparency? 

Cody Chamberlain: That's exactly it, you know? And again, you're going to be constrained, right? There's certain things that you're not going to be able to share - but acknowledging that as well, right? Like, these are the things we just can't share. It could be a legal issue. It could be a law enforcement issue - but again, acknowledging that, showing, like, that empathy of, like, I understand what you're going to want to know. 

Rick Howard: All good stuff, Cody, but we're going to have to leave it there. That's Cody Chamberlain. He's the head of product at NetSPI. Thanks for coming on the show. 

Cody Chamberlain: Thank you. It was a pleasure. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is senior vice president of research and analysis at Interos. Andrea, always great to welcome you back. There is this notion of borderless data, this idea, I suppose some would say, you know, there's that whole data wants to be free, and the internet connects the world. But we're seeing some evolution there, yes? 

Andrea Little Limbago: Yeah. You know, I think for the longest time - and this was especially, you know, some of the foundational aspirations of the internet, what - we're for a global free and open internet. That's the aspiration. And I think that still remains the aspiration in many segments of the tech sectors. But the reality is that governments actually do have a say and that borders actually matter a lot. And, you know, it's almost this interesting juxtaposition right now where borders have never mattered so little and yet so much at the same time. 

Andrea Little Limbago: And what I mean by that is we see, you know, Russia's invasion of Ukraine. There's a lot of territorial disputes coming in. And so territory really is coming back into something that's extraordinarily important and a driving factor among geopolitics. You think about and China, Taiwan as well. We think we can - you know, there are many, many examples along these lines where borders increasingly matter. But then at the same time, you know, with the internet, you know, borders didn't matter at all. And you could see - attack a country from overseas. You don't need to actually be present there. And so there's that interesting juxtaposition going on where borders don't matter, and they matter a ton. 

Andrea Little Limbago: And then you overlay that now with a lot of these data localization and data sovereignty laws that are - really been emerging over the last decade across the globe. And those are really reshaping just what the experience is with data and changes from one where I'm sitting to where someone in the EU is sitting to where someone in Nigeria is sitting to Brazil. We all have - you know, if we all went on a different social media - or to the same social media site, we'd have a different experience on it. And what comes along with that is both, you know, aspects of censorship, but then also aspects of requirements for data to be stored and actually to be stored locally as opposed to being able to flow freely across borders. And that's where some of the big changes are really coming in that - you know, there are gradients of it. Some - in some countries, there's cross-border data flow controls, you know, almost writ large, and for others, it's - for, you know, a small sliver, such as for health care information or something that - you know, the most personal of information and data. So it's a great variation popping up in that, but it's really impacting just how data can flow, and it's really impacting organizations' data strategies for - you know, for multinational corporations. 

Dave Bittner : Is there a bit of cat and mouse here? I mean, I think about the increasing ease with which people can access, you know, satellite internet around the world. And could that be an end-around to some of the nations that are trying to restrict access for their citizens? 

Andrea Little Limbago: Yeah. So I think that that's a good way to put it because I think there will always be citizens trying to work around it. And we've seen that over time, right? So even in the most restricted areas, systems are finding a means to work around and access data. And I think that will always be, perhaps, one segment of society. But that isn't necessarily what global corporations can pursue when they - you know, if they're thinking about their global footprint, what their strategy is going to be for - you know, for data minimization, what they're - where they should be storing things. And so I do think for that segment of society that wants to find that workaround, that they'll continue to try and do that. But for the corporations that have to stay within the legal frameworks of the - you know, of the sovereign area that they're in, you know, they can't necessarily do that. 

Dave Bittner : You and I have talked in the past about this idea of a splinternet - you know, that we could end up with regional versions of the internet. To what degree is that playing out? 

Andrea Little Limbago: Yeah. I mean, I think we're seeing that increasingly happen. I mean, even in the U.S. right now, there's an executive border - or executive order - that's being passed around. It has not been actually passed. It's been draft versions circulating that would try and limit various kinds of U.S. citizen data from falling in the hands of potential adversaries. And depending on what that - and that's - that's something to keep an eye on. Where the U.S. has strong been a big proponent of cross-border data flows and so forth, even the U.S., you know, is starting to rethink some of those strategies. 

Andrea Little Limbago: And it's not just - and that's in large response to what's going on across the globe and what's going on in the EU. You know, a lot of the companies in the U.S. already have to be GDPR compliant because they need to actually, you know, have economic activity in Europe. And then they see what's going on as far as just the - what happens with unchecked data flows is becoming a larger national security and economic security issue. And so the response - so as we continue to see various kinds of, you know, data breaches, data theft, you know, destruction through wiper malware, you know, governments are stepping in. And one path they're pursuing is - you know, more so is localized data storage. You know, in the past... 

Dave Bittner : Right. 

Andrea Little Limbago: ...The thing is that the pendulum kind of swings, right? So, you know, initially, it was storing everything on premise. Then with cloud computing, you could, you know, store wherever you want across the globe, not even know where - not even know exactly where it might be. And now it's kind of swinging back, like, oh, maybe we should reign that a little bit and actually know... 

Dave Bittner : (Laughter). 

Andrea Little Limbago: ...Where the data is. 

Dave Bittner : On second thought... 

Andrea Little Limbago: (Laughter). 

Dave Bittner : ...It might be a good idea for us to know where our data is. Yeah. 

Andrea Little Limbago: Yeah. And it does - you know, it introduces different threats, right? So, you know, in the U.S., you know, if data - you know, Canada has some data localization laws. That's probably not viewed as, you know, much of a threat, you know, for companies, having to store data in Canada. If it turns out it has to be somewhere that may not be as friendly to the United States, or it may not be in a place that protects, you know, human rights as well, you know, that becomes a much bigger issue. So even the implementation of these laws has different meaning, even if they're the same kind of laws, depending on where they are. 

Dave Bittner : All right. Well, Andrea Little Limbago, thanks for joining us. 

Dave Bittner : And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner : The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.