The CyberWire Daily Podcast 7.7.22
Ep 1614 | 7.7.22

Chinese industrial espionage warning. Trickbot's privateering. Russian influence ops target NATO resolve. Cozy Bear sighting. Chinese APTs target Russia. NFT scams are pestering Ukraine.


Dave Bittner: The FBI and MI-5 warn of Chinese industrial espionage; revelations of Trickbot's privateering role. Russian influence operations target France, Germany, Poland and Turkey. Chinese APTs target Russian organizations in a cyberespionage effort. Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative; Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act. And who would have thunk it, but NFT scams are pestering Ukraine.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 7, 2022. 

FBI and MI-5 warn of Chinese industrial espionage.

Dave Bittner: In a joint appearance yesterday at the London headquarters of MI-5, the British counterintelligence organization, the directors of MI-5 and the U.S. FBI issued an unusually direct and bluntly worded warning about the threat of Chinese industrial espionage, much of it cyberespionage. The effort is extensive, focused and marked by both close attention to detail and an unusually wide net. FBI Director Wray told an audience The Wall Street Journal described as composed of businesspeople, the Chinese government is set on stealing your technology, whatever it is that makes your industry tick, and using it to undercut your business and dominate your market. They're set on using every tool at their disposal to do it. China disagrees. A representative of Beijing's embassy in Washington, Liu Pengyu, complained of U.S. politicians who have been tarnishing China's image and painting China as a threat with false accusations. 

Trickbot's now more obvious privateering role.

Dave Bittner: IBM Security's X-Force this morning published an account of Trickbot's recent activity, the well-known Russian cybercriminal gang and its new interest in Ukraine. X-Force says following ongoing research, our team has uncovered evidence indicating that the Russian-based cybercriminal syndicate Trickbot group has been systematically attacking Ukraine since the Russian invasion, an unprecedented shift as the group had not previously targeted Ukraine. There's some overlap with other criminal gangs, including the perhaps retired but probably quietly returned Conti operation. IBM says, between mid-April and mid-June of 2022, the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193 and the Conti group has conducted at least six campaigns - two of which have been discovered by X-Force - against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail and Meterpreter. Ukraine is no longer on a near abroad do-not-touch list. IBM says, prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected. 

Dave Bittner: So Trickbot, up 'til now, known for its straightforwardly mercenary interest in banking Trojans and the like, appears to be a Russian privateer after all, an instrument of state power that's permitted to realize a profit from its operations. X-Force elaborates, the observed activities reported in this blog highlight the trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict. In addition to an announcement by the Conti ransomware group that they would act in support of Russian state interests at the beginning of the invasion of Ukraine, leaked chats between ITG23 members indicated that two senior individuals within the group had previously discussed in mid-April 2021 the targeting of entities that work against the Russian Federation and agreed that they were Russian patriots. Additionally, the executive director of Bellingcat claimed to have received a tip that a cybercriminal group was in communication with Russia's Federal Security Service, the FSB. The six campaigns X-Force has tracked show evidence of more precise targeting than Trickbot has typically shown, and that targeting aligns closely with Russian state interests. 

Dave Bittner: Establishing identity conditions for threat groups is notoriously difficult. They are protean, shifting, and their name is usually Legion. The Washington Post, for one, takes particular notice of some Conti veterans, either current gang members or alumni, who seem to be working for Trickbot. It's like an exorcism, really. It's hard to tell the demons without a scorecard. And far be it from us to offer His Infernal Majesty, prince of this world, advice, but even the demons have trouble telling themselves apart. Or so we hear. 

Russian influence operations target France, Germany, Poland, and Turkey.

Dave Bittner: Russian influence operations are now concentrating on opening fissures in NATO, Voice of America reports. Moscow's concentrating its efforts on what it perceives as high-payoff targets in France and Germany, whose governments are widely perceived as softer in their support for Ukraine than are NATO's more easterly members like the Baltic States and Poland and its non-Continental members - like the U.K., Canada and the U.S. - Poland, which shares a border and a complicated history with Ukraine, and Turkey, which controls access to the Black Sea. The efforts are very much in the Russian style, entropic and aimed at confusion as opposed to persuasion. 

Cozy Bear sighting.

Dave Bittner: CobaltStrike is often mentioned in dispatches as a penetration testing tool that threat actors often turn to malign use. Other such tools are also susceptible to abuse. Palo Alto Networks' Unit 42 reports that Cozy Bear, generally regarded as a unit of Russia's SVR, is deploying Brute Ratel C4, a pen testing tool in use since December 2020, in a range of cyberespionage campaigns. Unit 42 doesn't formally attribute the campaign to Cozy Bear, or even Russia, but it does offer circumstantial evidence that points in that direction. The particular style of attack, observers agree, is unusually stealthy and evasive. Unit 42 has some advice on what to look for. 

Chinese APTs target Russian organizations in a cyberespionage effort.

Dave Bittner: SentinelLabs reports noticeably increased Chinese cyberespionage activity directed against Russian targets. In this, SentinelLabs independently confirms recent reports by Ukraine's CERT of Beijing's interest in its sometime friends in Moscow. The relationship, again, is complicated. The report says, on June 22, 2022, CERT-UA publicly released Alert#4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government interests. SentinelLabs has conducted further analysis of CERT-UA's findings and has identified supplemental Chinese threat activity. And, of course, a de facto alliance or, better, an opportunistic collaboration of convenience in no way obviates the need for mutually suspicious partners to collect against one another. The report says, China's recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, Space Pirates and now the findings here. Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time. It is a phishing expedition. The report concludes, we assess with high confidence that the Royal Road-built malicious documents, delivered malware and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there's been a continued effort to target Russian organizations by this cluster through well-known attack methods - the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage related, but the broader context remains unavailable from our standpoint of external visibility. So the enemy of my enemy is my friend, sort of, but only within certain limits. And the line is drawn somewhere on the other side of espionage. 
The five families arrange these things more amicably, although even there some wise guy might get whacked and end up in the Meadowlands. Forget about it, Jake. It's East Rutherford, or so we hear. 

NFT scams pester Ukraine.

Dave Bittner: And finally, hey, everybody. Dog bites man. Some NFT are scams. No, really, they are - attaching themselves like a nasty boil to the charitable body of Ukrainian relief efforts. The Ukrainian government and various celebrities in sympathy with the Ukrainian cause have sold NFTs, non-fungible tokens - and if you're unclear about what these are, find yourself a crypto bro and talk among yourselves - to raise funds for the Ukrainian military and various related causes. They've enjoyed some success, and success draws scammers the way meat draws flies. Investigators at the Ukrainian OSINT firm, Molfar, and the editors of the AIN News service have found that the NFTs in question are being flacked as Zelenskyy NFT, which depict the Ukrainian president as a range of superheroes - Avengers for the most part, as far as we can tell. The purveyors of these NFTs say they're IamUkraine studio. No one can really find out much about them beyond Molfar's claim that IamUkraine is a small group of Russians with one Belarusian tagging along. The outfit appears to exist only in its Zelenskyy NFT, and where the money you might spend on one of the tokens would go is anybody's guess. But it's a safe bet it won't be to anything anyone other than the proprietors of IamUkraine would recognize as a good cause. So keep your altcoins in your wallets, friends. The best NFT ever was one offered by Monty Python's John Cleese a year or so ago. He drew a picture of the Brooklyn Bridge and offered it up as an NFT. And who could argue with that? 

Dave Bittner: Matt Kent is the competition policy advocate for Public Citizen, a nonprofit consumer advocacy organization. My "Caveat" co-host Ben Yelin recently spoke with Matt Kent about the bipartisan American Innovation and Online Choice Act and the potential privacy and security benefits of the legislation. 

Matt Kent: So essentially, about two years ago, there was a big push for big tech accountability using the antitrust laws. And this is a bipartisan thing. Democrats and Republicans have slightly, I think, different reasons for opposing the big tech companies, but they coalesced around a series of bills in the House Judiciary Committee. There were, like - this was two years ago. There were wall-to-wall hearings, all kinds of legislative activity. It was really cool. Like, it was actually what congressional committees are supposed to do, right? They hauled in the tech executives. Like, Jeff Bezos had to answer questions in front of everybody. Like, it was great. And they produced, like, a very thorough, over-a-thousand-page report on the practices, the anti-competitive practices of the big tech companies. 

Matt Kent: So out of that effort came a package of six bills aimed at big tech accountability through antitrust competition. A lot has happened since those bills passed out of House Judiciary, ups and downs, but where we are now is two of those bills have really sort of taken the momentum and everything is largely settled on the Senate versions. So the two bills are the American Innovation and Choice Online Act. That's the Klobuchar-Grassley bill. You'll hear it referred to as the self-preferencing bill. But there's also the Open App Marketplace Act, and that's from Blumenthal and Blackburn. I just want to pause and say that the pairings on these co-sponsorships are just wild stuff. 

Ben Yelin: So for the non-legal people, that means you or I, as consumers, wouldn't have the ability to sue these tech companies directly for their anti-competitive practices. It would have to be instituted by the AGs or the DOJ. 

Matt Kent: That's right. That's right. So from that point, a lot of the arguments against the bill are, well, we're concerned that a sort of wild-eyed state AG would pick up a case that touches on content moderation or privacy and security, and through a series of bad decisions, you know, that's - that part is sort of murky in big tech's argument on exactly how these - the legal arguments on how this would bear out. But they're saying the whole thing would whiplash, and, you know, we'd no longer be able to moderate content. You know, we would be scared because of litigation, which is sort of a laughable argument when you think about (laughter) when you think about the resources that these companies have at their disposal. 

Matt Kent: There's also arguments that the bills would affect national security negatively. That has died down a little bit. You know, if you look at the text of the self-preferencing bill, there are many, many carve-outs regarding China, companies owned by China. I would say that it is well-covered in both the text of the bill and sort of the affirmative offenses - or affirmative defenses available to the companies that they won't have to, like, give over sensitive data to China or Chinese-owned companies. That was, like, a big part, I think, of the concern at committee, which is why a lot of these changes were made. That has died away a little bit when it became pretty clear that TikTok would be a covered entity under these bills, so they'd essentially be prohibited from doing the same practices as sort of the big four, ostensibly, American companies, although the question as to whether they act in the American interests all the time is an open one. 

Ben Yelin: Right. It sure is. As I know you to be a good prognosticator of what happens in Congress, what do you see as the major obstacles on the Senate floor, and then going back to the House side, and where do you see this going over the next several months? 

Matt Kent: Oh, Ben, if I knew, I'd be a much happier person right now. But, so... 

Ben Yelin: This keeps you up at night. 

Matt Kent: I mean, this - yeah, this is, like, the No. 1 thing, you know, I'm working on right now. And I would say the issue - it's sort of interesting. The issue is not whether they'd pass if put to a vote, because they would. They have, you know, at least 20 Republicans who would go and a bulk of Democrats. Like, I don't think there's any question. If forced to vote on this bill, like, looking at the polls and where big tech accountability stands, I think any sane chief of staff or member of Congress would understand that they need to support these bills if the vote is there. Now, the big question is convincing leadership to put these votes on the floor because there are some in the Democratic caucus who are concerned that, in their words, the bills would endanger their chances at the midterm - being forced to vote on the bill. Now, you know, we argue that this would help your midterm chances by showing voters that you're actually doing something about big tech accountability. I think, without, you know, naming names, some members of Congress are concerned that if they're forced to take this vote and vote in favor, they would lose significant fundraising support from big tech companies or consulting firms or just the whole sort of ecosystem. 

Dave Bittner: That's Matt Kent from Public Citizen speaking with my "Caveat" co-host Ben Yelin. You can hear an extended version of this interview on this week's "Caveat" podcast. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to welcome you back to the show. We recently had an announcement from CISA that they have expanded the Joint Cyber Defense Collaborative to include industrial control systems. This, of course, is your neck of the woods. I wanted to get your take on this development here. This is good news, yes? 

Robert M Lee: It's absolutely good news. And so, you know, I think when you look at what CISA has been doing really well since they started, is they're taking part in the community, right? It's not, let me speak to you from D.C. and the pulpit that is the D.C. bubble and try to tell an operator in California and Washington and Oregon, you know, how to do things, you know, without visiting them - 'cause that can come off very tone-deaf. But even when Chris Krebs was there, he was going to DEFCON and Black Hat and RSA. He was out in the community, right? And Jen Easterly has done exactly the same thing. Let me get out there, part of the community, be there, encourage people to join us, encourage people to cooperate with us, etc., etc., etc. So I don't look to CISA to solve the problem, which is where I think - you know, I'm not the person setting the rules for CISA, so it doesn't really matter, my opinion. But my opinion... 

Dave Bittner: (Laughter). 

Robert M Lee: ...Is I don't think CISA needs to be solving the problem. And I think Congress a lot of times looks to them to solve the problem. Oh, there was an attack. What is CISA doing about it? And I'm like, what? They're not an operational - like, the government isn't protecting day-to-day infrastructure. That's not how that works. It's on the asset owners and their vendors and community that they're leaning on. It's not like you're going to airdrop a team in from CISA to go do security operations at a power company for a month. That's not happening, and it should not happen. And so the idea that CISA needs to be doing everything and fixing everything, they're not resourced for that. And it's just not possible to scale that across all the different critical infrastructure industries. What CISA can do and what they do extremely well at is engage the community, level up the conversation, fight for resources for the community to do work that they need to do, provide best practices - basically set the rules of the game, but don't be a player in the game. And when you look at the JCDC, I was really excited to see it extend out to ICS because one of CISA's core mandates is the protection of critical infrastructure. And the critical part of critical infrastructure is ICS. And for too long, it's gotten a backseat to everything else. And it is infuriating. When I go to talk to electric companies and manufacturing companies and pharma companies and oil companies and everybody else, the private conversation is they're generally infuriated at how much attention gets paid to a cloud provider or, you know, the latest vulnerability impacting Microsoft but not to industrial control systems. It's - you know, there's been an ICS-CERT, and it got taken away unceremoniously. And then we had ICSJWG conferences, and they kind of got downplayed. And, like, it's always been, like, gambling infrastructure is more important than electric infrastructure. 
You know, it's like, what are you doing? You know, this is - you know, not everything is actually critical. And so to see JCDC and then Jen Easterly come out and talk about the importance of ICS, the focus on it, why we need to elevate this conversation, to me, that's perfect. I've already started hearing critiques of - yeah, but what is the JCDC even doing? Like, you know, sure, yet another information sharing group or operational collaboration or whatever - like, I think there's plenty of critiques to throw. But the reality is they're leveling up the conversation, and they're including ICS where it should be. We should be popping bottles and being happy about that. So I'm very excited that the conversation is getting started. But no, don't expect a government agency that's not resourced to fix your security issues, to fix your security issues with some new group. That's not the point. 

Dave Bittner: To what degree is there active collaboration within the ICS community? You know, your organization, other organizations who are listed as being some of the ones initially joining this effort, to what degree does that exist? 

Robert M Lee: Inside the JCDC today on the ICS level, not so much. I mean, it's just getting started. And I don't know - I mean, even though we're a part of it, I'm just excited about it. I don't actually know what their intention is fully with it yet. I think it's still getting baked a little bit, but I'm fully supportive of that. Inside of the ICS community, I would say it depends on the industry. As an example, in the electric community, and we always talk about them, but they've done a phenomenal job of setting up the E-ISAC, the ARC, the little informal information sharing group, sharing with the MS-ISAC, and the multi-states, you know. And so, like, there's a lot of sharing and collaboration and work. And I think what I tend to find is there's more actual collaboration when the government's not present than when they are. And so the forums for that sharing and the forums to their collaboration is actually not through government forums as much. I'd like to see that shift, but that's going to be based on building trust. 

Robert M Lee: As an example, if an electric utility or a manufacturer oil company tells something to CISA - CISA hasn't done anything wrong. I'm not picking on them. It's just an example. If CISA were to turn around and that would end up in the media or that be shared out to foreign partners and so forth, you know, you're going to have information sharing dry up real quick. And so I think there's a trust-building exercise that's needed because there have been some historical mistakes, but no one in the infrastructure community had ever come across as just anti-that succeeding. Most of them are just so focused on doing the mission that if you're there to support the mission, come on board. If you're there to talk about one day how you might support the mission, sorry, we don't have time for it. And so nobody's against any of these things. It's just we want to stay focused 'cause we all have limited resources. And I do view, again, some of CISA's steps here recently as being very encouraging to the development of that interaction. 

Dave Bittner: It's a seat at the table, right? 

Robert M Lee: Exactly. Again, I mean, when we were talking about - and again, I - it sounds like critiques of CISA. It's really not, and it always comes off the way. I feel like I've always had to be like, here's why I love you, but let me give you one suggestion. Like, here's why I love you. 

Dave Bittner: (Laughter). 

Robert M Lee: You know, it's like... 

Dave Bittner: Right. 

Robert M Lee: They're amazing people there. But a great example of this is your - you know, we're talking shields up - phenomenal message out to the community. Hey, let's go - shields up, the war in Ukraine, et cetera, et cetera, et cetera. At the same time, though, when we've had major incidents and impacts of war like SolarWinds, it was almost no discussion about the ICS component of that. And so there's a lot of good messaging in general. But if you look at the ICS-specific part - again, the critical part of critical infrastructure - it's either usually absent, or it's such a broad-stroke brush of ICS that it doesn't actually apply beyond, like, an industry or two. And one of the things that I think is a really unique opportunity for CISA is, as it is the front door to government, it is the critical infrastructure agency, and there are, you know, 16 critical infrastructure groups or sectors, there should be a specialization on each sector at CISA to take anything that's coming out and be able to translate and go, hey, here's what that means, not for ICS, but here's what that means for positive train control systems on rail 'cause that's the type of ICS that we're concerned with - the safety impact. And here's what you do in PTC instead of what you might do in a gas turbine and an electric power provider. But instead, right now, we're in the phase of we either don't talk about ICS or we talk about ICS as this broad thing that doesn't really exist. And so I'm hopeful that CISA takes the opportunity to start developing expertise, individual sectors 'cause that's where they're going to show a lot of value. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.