The CyberWire Daily Podcast 7.18.22
Ep 1621 | 7.18.22

Ukraine’s security chief and head prosecutor are out. Cyberattacks hit Albania. APTs prospect journalists. The GRU trolls researchers. CISA to open an attaché office in London.

Dave Bittner: Ukraine shakes up its security and prosecutorial services. Cyberattacks hit Albania. Advanced persistent threat actors prospect journalists. The GRU is said to be trolling researchers who look into Sandworm. Thomas Etheridge from CrowdStrike on Identity Management. Our guest is Robin Bell from Egress, discussing their Human Activity Risk Report. And CISA opens the liaison office in London.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday July 18, 2022. 

Ukraine shakes up its security and prosecutorial services.

Dave Bittner: The AP reports that yesterday, July 17, Ukrainian President Zelenskyy dismissed two senior members of his government, SBU Chief Ivan Bakanov, described as a childhood friend and former business partner of the president, and Prosecutor General Iryna Venediktova. The dismissals were prompted by concerns about treason and collaboration with Russian occupation forces. Zelenskyy said, in particular, more than 60 employees of the prosecutor's office and the SBU - the state security service - have remained in the occupied territory and work against our state. He added in his regular video address to the nation that such an array of crimes against the foundations of the state's national security and the links recorded between Ukrainian security forces and the Russian special services raise very serious questions about their respective leaders. What effect the shake-up will have on Ukrainian cyber operations remains to be seen. We'll be following developments. 

Cyberattacks hit Albania.

Dave Bittner: Albania suffered a major cyberattack yesterday, Balkan Insight and other sources report. Government sources stressed the attacks' foreign origin and unprecedented scope. The Council of Ministers said in a statement, Albania is under a massive cybernetic attack that has never happened before. This criminal cyberattack was synchronized from outside Albania. Cybernews quotes the Albanian National Agency for the Information Society on the government's decision to shut down some of its online services. They say, in order to withstand these unprecedented and dangerous strikes, we have been forced to close down government systems until the enemy attacks are neutralized. Among the services disrupted are the websites of Parliament and the Prime Minister's office, as well as e-Albania, the government portal that all Albanians, as well as foreign residents and investors have to use to use a slew of public services. Services were still undergoing restoration today. Little information is available about the details of the attacks, and so far there's been no attribution. 

Threat actors prospect journalists.

Dave Bittner: Observers continue to comment on Proofpoint's study of attempts by intelligence services in Turkey, Iran, China and North Korea to either impersonate journalists or gain access to news media networks. BleepingComputer describes the attempts as preparatory activity intended to serve broader espionage campaigns, writing, the adversaries are either masquerading or attacking these targets because they have unique access to non-public information that could help expand a cyberespionage operation. Their efforts include both spoofing and credential harvesting. 

Dave Bittner: Forbes sought advice from Proofpoint for media outlets and working journalists. Sherrod DeGrippo, Proofpoint vice president of threat research and detection, told Forbes, there are a number of ways journalists can protect themselves from APT attacks. One is for journalists and their associated outlets to understand their overall level of risk. For example, we've seen targeted attacks against academics and foreign policy experts, particularly those working on Middle Eastern foreign affairs. So individuals in this line of work should be particularly cautious. Another is if journalists are going to use email addresses outside of their corporate domain, such as Gmail or ProtonMail, they should list those publicly on their websites so public sources can verify whether or not it's a legitimate email. Conversely, experts approached by journalists should check the journalist's website to see if the email address belongs to the journalist. Proofpoint also suggested that all organizations try to arrive at some clarity concerning which of their people are most likely to receive this sort of attention, and that they tailor their training and other protective measures appropriately. 

GRU said to be trolling researchers who look into Sandworm.

Dave Bittner: Dark Reading reports that ESET, which will be offering a report on countermeasures to the Sandworm malware Industroyer 2 at Black Hat next month, says it's being trolled by the GRU. They write, the Sandworm attackers disguised the loader for one of its data-wiping variants as the IDA Pro reverse-engineering tool, the very same tool the researchers had used to analyze the attacker's malware. ESET thinks this is no coincidence, but rather a right back at you from the Aquarium to let ESET know that the GRU knows what ESET is studying, and that the GRU doesn't care. ESET's Robert Lipovsky said, it's fairly clear the attackers are fully aware we are on to them and blocking their threats. They are maybe trolling us, I would say. Lipovsky also said the GRU deployed a Trojanized version of ESET security products in the course of its attacks on Ukrainian networks. He observed, they were sending a message that they were aware we are doing our job protecting the users in Ukraine. Yes, it's a dog-bites-man story, but worth following. In general, if you're interested in the GRU, you might well count on the GRU being interested in you. 

CISA opens a liaison office in London.

Dave Bittner: And finally, this morning, the Cybersecurity and Infrastructure Security Agency announced in an email to its media contacts that it will establish its first attaché office abroad this month and that it will be located in London. The agency's announcement said, the attaché office will serve as a focal point for international collaboration between CISA, U.K. government officials and other federal agency officials. The CISA attaché will advance CISA's missions in cybersecurity, critical infrastructure protection and emergency communications and leverage the agency's global network to promote CISA's four international strategic goals - advancing operational cooperation, building partner capacity, strengthening collaboration through stakeholder engagement and outreach, and shaping the global policy ecosystem. 

Dave Bittner: CISA's first attaché will be Julie Johnson, most recently regional protective security adviser for CISA in New York and also CISA's regional lead for federal interagency working groups. She came to CISA from the U.S. Department of State, where she worked in the Bureau of Intelligence and Research, Bureau of International Narcotics and Law Enforcement and Bureau of Educational and Cultural Affairs. Congratulations and best wishes to Ms. Johnson as she gets ready to get to work in London. 

Dave Bittner: Security firm Egress recently published a report focused on what they describe as human-activated risk, highlighting the security risks organizations face, particularly from non-technical employees and the tools they use on a daily basis - things like email. Robin Bell is chief information security officer at Egress. 

Robin Bell: The volume of email in the first place and the predicted volumes - I think it was 376 billion emails every day by 2025 is predicted, even with the shift of messaging systems like Slack and Teams being taken into account. So it's still a mindboggling number. And those are things that, you know, people have got to deal with. Every day you stand to an inbox flooded with email and try and sort out what you need to deal with and what's not relevant. 

Dave Bittner: You know, some of the things that caught my eye reading through the report here, you all pointed out that just over half of the IT leaders say that their non-technical staff are only somewhat prepared or not at all prepared for a security attack. What's causing that gap there? Why do we feel as though more folks aren't where they should be? 

Robin Bell: Email is just so prevalent in everybody's life. It's just - it's something that you use, whether you're in work, whether it's a home, whether you're organizing things for your kids' school. It's just used all day, every day, and it's just taken for granted. So people just see emails. They just respond to them, and they don't really necessarily think about the consequences of what that might be or clicking on links within emails. There's such a vast array of different technologies for organizations to work with, as well, to put in place mitigations for those. And they're not always very end-user-friendly. You know, they're - sometimes they're more administrative-based than user-based. 

Dave Bittner: Well, how does an organization best balance those two elements then, you know, the human element versus the technology side of things? What are your recommendations for dialling that in? 

Robin Bell: Well, user training is definitely a key aspect of that. And we have quite an extensive program of kind of internal training for colleagues just on how to spot phishing emails and emails that might lead to compromises and obviously not just in work but for home use as well, you know, think banking email into your personal email address. So that - definitely that aspect is a core way to help mitigate and manage that. But it's also - as I said, it's around having tooling that helps users make those decisions at the time that's something - they're about to make an action that could result in a compromise. I like the saying that - I don't know where it came from, but I'll pinch it anyway, that we're always just one click away from a breach. And that's the idea that there are so many users and so many emails, it only takes one mistake to result in a compromise or a breach. So having tools that can help users prevent, whether that's inbound and outbound, email threats at the time they're occurring rather than trying to deal with them later from a (inaudible). 

Dave Bittner: Where do you suppose we're headed here? I mean, is - you know, I can't think of anyone that I know certainly who looks forward to going through their email. You know, it seems like it's sort of a necessary evil we accept that, you know, we must do it. But nobody that I know enjoys it. And the security aspects are part of that. Is there any hope of progress in the future with that? Or does it seem like, you know, we've been stuck with email for all this time and looks like that's what the future holds? 

Robin Bell: Well, I mean, there's definitely a shift to more messaging type of communications in a lot of organizations. But they largely hold all the same - similar challenges as email does. You know, you still - you log in to Teams for example, and you can sit there with 50 different Teams channels pinging away nonstop all day and links being there and having external users that you're communicating with outside of your organization. So a lot of those risks also exist in those messaging platforms as well as email. 

Dave Bittner: What are the take-homes for you from this report? What are the things that you hope people take away from it? 

Robin Bell: I think it's - I mean, the key thing is that people make mistakes. You know, obviously, there are malicious actors out there and deliberately trying to compromise - whether that's trying to compromise your organization or whether they're kind of taking part in a scam to fraud to get some vouchers or something like that, those things happen. But it's more likely that it's an accident. You know, someone's not concentrating. They're working late. They've got an email through on the phone. It looks urgent and they click and respond. So as I said, having good training in place and making sure people understand the sort of pressures colleagues have put on each other in order to get something done and what's acceptable and what isn't. But it's making sure that you've got tools that are kind of ubiquitous across the different environments you're using, whether you're using Outlook as a client or a mobile device and have advice on whether that email is a risk or not. 

Dave Bittner: That's Robin Bell from Egress. 

Dave Bittner: And joining me once again is Thomas Etheridge. He's senior vice president of services at CrowdStrike. Thomas, it's great to have you back. I want to touch today with you on identity management, which I know is something that you and your team there at CrowdStrike focus on. What can you share with us today? 

Thomas Etheridge: First of all, Dave, it's great to be back. Identity seems to be becoming the new endpoint, so to speak. We've seen a huge influx of incidents over the last year. With those incidents and ransomware outbreaks, the big denominator is that most of them occur through the use of stolen credentials. So identity is increasingly more important from a security perspective based on the threat actors and the activities we see from an incident response perspective. 

Dave Bittner: And what sort of shifts are we seeing to improve our security in this particular area? 

Thomas Etheridge: In terms of security, Dave, there's a big focus around understanding identities, privileges, privileged accounts, who has them, whether or not they're compromised. And the concept of zero trust is becoming increasingly more important for organizations as they try to build out a framework that protects critical assets and infrastructure within their organizations. 

Dave Bittner: What sort of things are you and your team recommending here in terms of, you know, organizations who want to get on top of this? What's your words of wisdom? 

Thomas Etheridge: Well, first of all, there's a lot of confusion around what is zero trust. One thing we try to do is educate customers on what it is and what it is not. Zero trust requires that all users, whether in or outside of an organization's network - that they should be authenticated, authorized and continuously validated before being granted and maintaining access to certain systems and applications and the data that they're using - so really putting kind of a model in place that allows organizations to better get visibility into how identities are being leveraged in their organization, to monitor those and to make sure that, if a user needs to get additional privileged access to resources within an organization, that they're reauthenticated through a higher level of authentication to those assets. 

Dave Bittner: How heavy of a lift is that for organizations to, you know, to take that on? What's that transition period typically like? 

Thomas Etheridge: Well, I think the big thing is the cost and the time, you know, spent not doing it is way too risky. We've seen an 82% increase in ransomware-related data leaks. Sixty-two percent of the attacks we saw were malware-free attacks, meaning the threat actor was able to gain access to stolen credentials and use those credentials to gain access into an organization's environment. And we've also seen breakout time, which is a metric we've talked about before on this podcast, down to about 98 minutes. So organizations really have about an hour and a half in order to detect a malicious user using stolen credentials before that user can move to other assets in the environment and potentially deploy ransomware. So there really is a focus around the technology and the people in the process to try to improve visibility and control over this particular area. 

Dave Bittner: What's the outlook here? Are you optimistic that we're gaining ground on this? 

Thomas Etheridge: I am. I think this has been a huge topic in a number of the conferences recently that I've attended. A lot of organizations understand the importance of identity. We need access to identity data when we're performing investigations. And I think that's not lost on organizations. Identity management is not a new concept. It's been around for a number of years. But I think getting visibility and implementing controls like zero trust across organizations are things that companies and organizations can do to improve their overall capabilities to detect and respond to incidents when they do happen. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.