The CyberWire Daily Podcast 7.15.22
Ep 1620 | 7.15.22

Criminal gangs at war. A "cyber world war?" A new DPRK ransomware operation. Media organizations targeted by state actors. NSA guidance on characterizing threats and risks to microelectronics.


Dave Bittner: Gangland goes to war. Is there a cyber world war in progress? Ukraine thinks so. A new North Korean ransomware operation is described. Media organizations remain attractive targets for state actors. Betsy Carmelite from Booz Allen Hamilton on planning for post-quantum cryptography. Our special guest is CISA director Jen Easterly. And NSA releases guidance on characterizing threats and risks to microelectronics.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 15, 2022. 

Criminal gangs at war. 

Dave Bittner: The most notorious early adherent to the Russian cause among the cybergangs was the now possibly defunct, dispersed and rebranded Conti, which on February 25 announced its full support of the Russian government and promised to use all the resources at its disposal against enemy infrastructure. This prompted a wave of doxxing in which disaffected and possibly foreign Conti collaborators released the gang's internal chatter through their ContiLeaks account. Cyjax, which was following developments, notes, this leak caused significant unrest within the group, with the ContiLeaks account itself tweeting, we know everything about you Conti. Go to panic. You can't even trust your gf. We against you. Conti itself did a bit of backpedaling for damage control, backing down from its promise of unconditional cyberwar to a more measured claim that it would only target Western warmongers. But the reputational damage had been done and may have contributed to the gang's subsequent hibernation. 

Dave Bittner: On March 4, shortly after Conti's ill-advised patriotic screed, researchers at Cyjax noticed another leak-and-dump operation targeting a different Russian gang, Trickbot. The leakers tweeted under the name Trickleaks, and the main point of their doxing was to expose and close connection between Trickbot's criminal operators and Russia's FSB security service. Trickleaks announced itself to the world with the tweet, we have evidence of the FSB's cooperation with members of the Trickbot criminal group, Wizard Spider, Maze, Conti, Diavel and Ryuk. The close collaboration between gangland and the Russian security service isn't surprising, but Cyjax thinks the degree of organization and interconnection among apparently disparate criminal groups is useful news that will help organizations defend themselves against organized cybercrime in the future. Gangland seems to have more mutual dependencies than had been generally appreciated. 

A "cyber world war?"

Dave Bittner: Wondering if we're in a cyber world war seems a bit overheated, and cyberwar isn't, after all, as damaging as a full kinetic war, even when cyberattacks have kinetic effects. But in terms of scope, the name doesn't seem too far off. For example, Canada's communications security establishment yesterday warned that the current Russian cyberthreat is not to be underestimated. The National Post quotes a CSC Report as saying, the scope and severity of cyberoperations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources. The most immediate threat is heightened cyberespionage, but attacks against critical infrastructure are also held to be a real possibility. Canada has been an early, consistent and strong supporter of Ukraine during the present war. Canada is also home to a large Ukrainian diaspora. 

Dave Bittner: Politico has a long interview with Yurii Shchyhol, who directs Ukraine State Service of Special Communications and Information Protection, the SSSCIP, which Politico describes as roughly equivalent in terms of its responsibilities to the U.S. Cybersecurity and Infrastructure Security Agency. The article aims to describe what it characterizes as a generally successful Ukrainian defensive effort in cyberspace and summarizes the Ukrainian view of how to fight Russia in cyberspace. First of all, isolate it, and deny it access to resources and technology. 

Dave Bittner: Tracing the history of the cyber phases of the hybrid war, Shchyhol says that Russia's cybercampaign preceded the physical invasion by more than a month. He says, for Ukrainians, the first cyber world war started on January 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged. Attacks against Viasat ground terminals disabled the satellite-borne internet provider a matter of hours before the invasion itself. 

Dave Bittner: Shchyhol thinks the Russian cybercampaign has been well-resourced but also that it's used familiar tools. He says, in terms of their technical capabilities, so far, the attackers have been using modified viruses and software that we've been exposed to before, like the Indestroyer 2 virus, when they targeted and damaged our energy station here. It's nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well-sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it. He emphasized the importance of denying Russia access to the civilized world's security companies and IT infrastructure and in restricting Russia's participation in international IT organizations like the International Telecommunications Union. 

Dave Bittner: He had some interesting, if guarded, disclosures about the cooperation Ukraine is receiving from NSA and U.S. Cyber Command, which he described as constant synergy, and explained that, like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance of those supplies will only increase because only in this manner can we together ensure our joint victory against our common enemy. Above all, Shchyhol warns against any relaxation of vigilance. He expects the war to continue and that operational pauses happen in cyberspace, much as they do in physical space. So just because Fancy Bear hasn't turned the lights off in Kyiv or London or Toronto or New York - or not yet, at least - don't get cocky, kid. 

A new North Korean ransomware operation.

Dave Bittner: Microsoft describes an emerging North Korea ransomware operation it tracks as DEV-0530 that's using a relatively new strain of ransomware called H0lyGh0st. The blasphemous name, Microsoft points out, is the hood's own choice, not Redmond's. DEV-0530, a provisional designation assigned until more is known about the group, is noteworthy in that it appears to be entirely financially motivated and in that it selects small and mid-sized businesses as its target. MSTIC, The Microsoft Threat Intelligence Center, assesses that DEV-0530 has connections with another North Korean based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel. While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM. 

Dave Bittner: The gang's communications with its victims and others cop an altruistic and humanitarian line, claiming to be helping its victims improve their security posture as if they were white-hat pentesters and to be contributing to an egalitarian leveling of rich and poor to the advantage of the poor as if they were Robin Hood. The group is asking for between 1.2 and 5 Bitcoin in ransom, roughly 25,000 to $104,000 at current conversion rates. But so far, Microsoft says their wallet seems to have remained empty even though DEV-5300 has shown a willingness to negotiate their asking price. 

Dave Bittner: Pyongyang has long used cybercrime as a source of income to redress the financial pressures it labors under due to the decades of international sanctions that have crippled the DPRK's economy. It's even more difficult to separate North Korean intelligence and security services from criminal activity than it is to tell the Russian privateers apart from the Russian organs. But this latest campaign is sufficiently ambiguous to suggest that it might be the work of a gang that's obtained access to some state actors' tools or even the work of state actors who are moonlighting for personal gain. North Korean state actors have usually cast a broader net. This campaign seems more tightly focused in its target selection. The activity remains under study, but in the meantime, Microsoft has offered indicators of compromise and some advice for defenders. 

Media organizations targeted by state actors.

Dave Bittner: Late yesterday Proofpoint released a study of recent activity by state actors directed against media organizations. The researchers find that China, North Korea, Turkey and Iran have been particularly active in prospecting media organizations. They say Proofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives. Journalists' social media accounts have been of particular interest to the threat groups. 

NSA releases guidance on characterizing threats and risks to microelectronics.

Dave Bittner: And finally, right out of Fort Meade, the U.S. National Security Agency has released new guidance on the classification of threats and risks to the microelectronics used by the U.S. Department of Defense. The document - "DoD Microelectronics: Levels of Assurance Definitions and Applications" - outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits, field programmable gate arrays and other devices containing reprogrammable digital logic. Levels of assurance come down to three basic elements, NSA explains, and those are consequence, threat and mitigation. The guidance addresses all three and seeks to do so in a rigorous fashion. The document will be of immediate interest to providers and users of microelectronics and of more general interest to anyone concerned with risk management. 

Dave Bittner: Jen Easterly is director of the Cybersecurity Infrastructure and Security Agency, a job for which she was sworn in a year ago. In her time as CISA director, she's led a team focused on the cybersecurity of the nation, guiding the mission of protecting both the public and private sectors. I spoke with Director Easterly earlier this week. 

Jen Easterly: Well, first of all, it's great to be with you, Dave. And I just have to say thanks because you all reached out to us to actually put our alerts on CyberWire. And we are huge fans of the CyberWire. And it's terrific to actually have that as an additional platform for people to get our alerts. So we try and get them out as often as - and in various different ways and various different platforms, but fantastic to be part of the CyberWire family. And you guys reached out, and so I really appreciate it. 

Dave Bittner: Well, we're very excited about the collaboration as well and just, you know, hoping it continues to lead to more good things. You know, there's been commentary about using the phrase shields up with the initiative. And I have to say that as someone who grew up watching "Star Trek: The Next Generation," it resonates with me, and I get it. Not everyone has been a big fan of that. What's been the feedback so far with shields up? 

Jen Easterly: Not everyone's been a big fan 'cause they don't like "Star Trek" or they don't like shields up? 

Dave Bittner: Well, I think there's a little bit of the "Star Trek" thing, but I think maybe what people take issue is more that it's kind of a binary thing. They're either up or down. And the natural question is, will they ever be down? 

Jen Easterly: Yeah, no, it's a great question. You know, we started this - a little bit was my kind of obsession with "Star Trek." But we started this as a way to signal a sense of urgency to our stakeholders, from our critical infrastructure owners and operators to our partners at the state and local level, that this was a different situation. And we wanted to be able to provide a message that could be received and absorbed by all of our stakeholders, you know, to include the American people, business owners large and small, chief executive officers, the technical community. And we wanted a pretty simple way of doing it. And that was this sort of shields up. I think, you know, to get to your question - and I've been interrogated on this before by others - at the end of the day, I think we all realized that shields up has to be the new normal. What we've been focused on over the past couple years, certainly motivated by the attacks that we've seen from nation-states and cybercriminals and certainly the scourge of ransomware over the past couple years, is the need to collectively raise our game in cyber and to recognize that this is not a government thing. This is not an industry thing. This is not an individual thing. It's a we're all in this together, and we all have responsibility to implement the basics of cybersecurity controls, cyber hygiene for the good of the nation. And so, you know, Chris Inglis and I wrote an op-ed on this. Essentially, shields up is the new normal. So the question is how do we actually distinguish from being at our highest level of urgency to a shields up, which is, yes, we can let our incident responders and our SOC personnel take vacation once in a while because what we don't want to have is vigilance fatigue. And as the head of America's cyber defense agency, Dave, I'm particularly worried about that. 

Dave Bittner: Yeah. 

Jen Easterly: I want to make sure that my great network defenders, my threat hunters, my vulnerability management folks, my incident responders are not burning out. And so, ultimately, I think we need a way to calibrate what the threat is, whether it's at a significantly high level based on what we're seeing from the intelligence community, our industry partners, or is it a level of what I would call guarded, which is - we always need to be at some level of alert for cyberthreats, but we don't need to be at our highest level of alert. And so that's what we are looking to create, essentially, a national cyber alert system. And this is - the thinking on this, Dave, was very informed by my time in the financial services sector where the FS-ISAC, the Financial Services Information Sharing and Analysis Center, had a mechanism to say, OK, we are at this level. We are going to move to this level. These are the things you should be doing at this level. And then we're not going to stay there forever. We're actually going to come together and decide, do we stay? Do we go up one? Do we move down one? And so we'll never be at, you know, level green. 

Jen Easterly: Well, I think we always, as a nation need to be guarded, but then we need to calibrate. When do we move to elevated? When do we move to critical? And we need a disciplined and rigorous way to say this is why we're moving and signal to the American people and to critical infrastructure owners and operators, this is what it means. And this - these are the actions that you should be taking. And I think part of that is clarity of communications that technical folks have not always been awesome at. And it's one reason why we are working so hard to make sure that we are communicating with clarity and with a way that distinguishes the various audiences that we need to communicate to, whether it's the business community, the technical community, the individual. And so we're really putting a lot of effort in communications, and the cyberthreat advisory system will be a piece of that that I think will be value added. 

Dave Bittner: Could you give us some insights as to what goes on behind the scenes at CISA in terms of collaborating with the various other government agencies to help spread the word and get this information out to the public? 

Jen Easterly: Yeah, absolutely. You know, one of the things, Dave, that motivated me to come back from the private sector to government was the impression I had as a member of critical infrastructure, owner and operator doing cybersecurity within Morgan Stanley, was the government was just not as coherent as it should be, could be to the private sector and the partnership that needs to be forged to be able to protect and defend critical infrastructure that Americans rely on every hour of every day. And I had seen, you know, different products coming from different parts of the government and sometimes sending a slightly different signal. And one of the things that we are really trying to work hard on is - and hopefully you've seen this in the alerts that you all publish on your platform - is almost all of our advisories now, Dave, are joint. We do them with FBI. We do them with NSA. Sometimes we'll do them with a sector risk management agency like Energy or Treasury, if it's specific to those sectors. We'll often do it with our international partners, which is terrific because it sends that common signal that here is the guidance that we're putting out. It's informed by the full federal cyber ecosystem and some by the international cyber ecosystem. And so that is one of the real behind-the-scenes pushes that we've been very focused on over the past year is much greater coherence. 

Jen Easterly: The other thing that we're really focused on is making sure - and this is also informed by my time in the private sector - that everything we put out is timely, is relevant, is actionable. When you're a network defender, whether it's at the state or local level, whether it's in a small business, a large business, you want the information that you get to be something that you can actually do something with to help secure your network. And so we are very focused on making sure that everything we put out is of value and is timely. 

Jen Easterly: And one of the things that I would say to your audience is, please continue to give us feedback. We are the newest agency in the federal government. We are a startup agency. We are evolving. And my general view in life is we need to treat feedback as a gift and approach everything we do with a sense of gratitude and a sense of humility. We need to realize that we are part of a community, which is awesome. And I'm sure you recognize this, right, Dave? I mean, the cyber security community is in many ways really magical, incredibly focused, dedicated, imaginative, creative people who, whether they work in the government or whether they work in industry, are very mission focused and like to solve hard problems. So we need to approach all of this as a community. 

Jen Easterly: So we're looking to add value. We are looking to collaborate with all of our partners. But behind the scenes, we're very focused on being coherent and being value added. So please continue to give us feedback on these advisories because we want to make them useful to the community. 

Dave Bittner: There is much more to my conversation with CISA Director Jen Easterly. We'll be sharing the full interview as a "Special Edition" in your CyberWire podcast feed. And you can also find it on our website, Our thanks to Director Easterly for spending the time with us. 

Dave Bittner: And I'm pleased to be joined once again by Betsy Carmelite. She is a principal at Booz Allen Hamilton. And she is the federal attack surface reduction lead. Betsy, it's always great to have you back. I want to touch base with you today about where we stand when it comes to postquantum cryptography. 

Betsy Carmelite: Sure, Dave. So I think where we - where I want to start around this is really to touch on why we started looking at this this concept. Obviously, quantum technologies are going to offer fundamentally new ways to obtain, distribute and process information. But Log4j and that cyber incident signaled a growing need for postquantum cryptography. And in this case, many organizations were using Log4j and were victim to that visibility struggle. It was hard to scan and hard to - scan for and hard to find. And so with complex systems, it's hard to have the visibility of your software inventory. If you translate that undertaking to discovering every type of cryptography being used by every business unit and third party and organizations, it's overwhelming. 

Betsy Carmelite: However, it's vital to avoid being vulnerable to future attacks because although quantum computers' current abilities are more demonstrative than immediately useful, we see their trajectory suggesting that in the coming decades, quantum computers will likely revolutionize numerous industries, from pharmaceuticals to materials science, and eventually undermine all popular current public key encryption methods. So organizations are going to need to react not just to quantum threats but whatever comes next. And there's this agility that's going to be needed. It's going to be key, such as, for example, the ability to modify algorithms quickly to counter a quantum-based attack or adopt new encryption methods. 

Dave Bittner: So where do we stand when it comes to this sort of preparation? Are we in a place where people can put this stuff into motion? 

Betsy Carmelite: I think where we've come at it is looking at how the adversary and what adversaries are really emerging to understand the threat first and foremost. And so which major players are out there in quantum computing? And there are definite things that can be put in place. But really, I wanted to touch on some of the implications from a national security standpoint and that threat. We did release a report called "Chinese Threats in the Quantum Era." And Chinese threat groups will likely soon be able to collect encrypted data with long-term utility, expecting eventually to decrypt it with quantum computers. So one of the reasons why we embarked on this report was we wanted to know how and when Chinese cyberthreats might be shaped by this change to help our clients and organizations manage their changing risk profile. 

Dave Bittner: And so what are your recommendations there? 

Betsy Carmelite: We identified two main areas of data confidentiality threats related to this adversary. First, there will likely be an increase over this decade in the theft of data that can be used for quantum simulators. And organizations with this sort of data that attackers seek tend to be involved in research-and-development-related work, such as pharmaceuticals, biology, chemistry, materials science. And many of these organizations in the government, commercial and academic sectors are already using this sort of data for simulation using classical computers. So we are looking at likely targets aligning with Chinese economic and national security priorities. 

Betsy Carmelite: Second, there will be likely increased theft or interception of encrypted data with long-term intelligence value. And although stolen data tends to have a limited shelf life, some may be useful for a state adversary for more than a decade in the future. And examples include business strategies, trade secrets, biometric identification markers, Social Security numbers, weapons designs and the identities of human intelligence officers and assets. So if an organization holds that data, that data that must be kept secret for more than 10 years, the process of securing it really must start now. And there are a few things now that we've identified for organizations that they can do to ensure their infrastructure and data are protected. 

Betsy Carmelite: While quantum may not pose a direct threat to most organizations for at least a decade, developing and deploying certain critical mitigations like post-quantum encryption will also likely take at least a decade. And so there are some things to do to manage strategic risk. Around cyber threats, it's important to conduct threat modeling, to assess changes to organizational risk, develop an organizational strategy for deploying post-quantum encryption - that's that agility I referenced - and then really understand and educate on quantum computing. Changes in quantum computers will likely appear dramatically rather than as some smooth roll or evolution. And so that creates substantial exposure to, as we say, strategic surprise as a major source of risk. And a failure to understand and monitor the growing significance of quantum computing maybe right now, because it seems so far off in the future, really could result in missed opportunities to make necessary proactive risk decisions. 

Dave Bittner: How heavy a lift is it? At this moment, if I wanted to, you know, switch over to using encryption that was post-quantum ready, what am I in for? 

Betsy Carmelite: Well, I think the first step in that heavy lift is taking stock of - for an organization to take stock of their crypto inventory, really discovering where you have instances of certain algorithms or certain types of cryptography, understanding, you know, how strong or not and vulnerabilities within that cryptography. So that's really the first step, and that's a lot of work. So that's what we're really recommending if organizations are looking to take a first glance at how they can get ready for this next decade. 

Dave Bittner: All right. Well, Betsy Carmelite, thanks for joining us. 

Betsy Carmelite: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.