Wipers, tak; grid takedown, nyet. Twitter 0-day exploited before patching. NHS 111 recovering from cyberattack. Notes on the C2C underworld.
Dave Bittner: Shifting cyberthreats during Russia's war against Ukraine. A Twitter exploit may have compromised more than 5 million accounts. A cyberattack disrupts NHS 111; developments in the C2C market. An alleged Russian cryptocurrency exchange operator is extradited to the U.S. Rick Howard looks at FinTech. Andrea Little Limbago from Interos on industrial policy and the tech divide. And a crypto mixing service has been sanctioned by the U.S. Treasury Department.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 8, 2022.
How cyber threats have shifted during Russia's war against Ukraine.
Dave Bittner: The opening phase of Russia's hybrid war was marked by a series of wiper attacks that, at the time, seemed to foreshadow a more extensive cyber campaign to come but failed to live up to the promised menace of the preparation. ESET's Threat Report T1 2002 offers some perspective on the early attacks, some of their after effects and their less than fully successful successor operations. ESET says, on the eve of the Russian invasion of Ukraine, ESET researchers discovered new data wiper malware deployed in Ukraine on that day, which was installed on hundreds of machines and at least five organizations in that country. The attack came just hours after a series of distributed denial-of-service onslaughts knocked several important Ukrainian websites offline. The data wiper was first spotted just before 17:00 local time, 15:00 UTC, February 23. ESET researchers assessed with high confidence that the affected organizations were compromised well in advance of the wiper's deployment. The early access and staging are significant insofar as they indicate Russian preparation for hybrid combat. Another familiar attack failed, even with the malware in question being deployed in a new version. The Sandworm threat actor, also known as Voodoo Bear and for some time identified as Unit 74455 of the GRU, had been active with some success against sections of the Ukrainian power grid as early as 2015. It attempted to hit high-voltage electrical substations again in early April of this year but without success.
Dave Bittner: ESET says, for over five years, ESET researchers have wondered why Industroyer, as sophisticated as it was, was never deployed again. This April, the wait was over when we collaborated with CERT-UA to respond to a cyber-incident affecting an energy provider in Ukraine and helped to remediate and protect this critical infrastructure. The collaboration resulted not only in the disruption of the attack but also in the discovery of a new Industroyer variant, which we, together with CERT-UA, named Industroyer2. In this case, the Sandworm attackers made an attempt to deploy Industroyer2 against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families, including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. ESET researchers don't know how attackers compromised the initial victim, nor how they moved from the IT network to the Industrial Control System network. If successful, this attack could have left 2 million people without electricity, claimed Farid Safarov, Ukraine's deputy minister of Energy. As it was, the attempt failed.
Twitter exploit may have compromised more than 5 million accounts.
Dave Bittner: On Friday, Twitter disclosed a cyberattack that compromised some users' personal information. "In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email address or the phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability. But it turned out that a threat actor had exploited the vulnerability to collect personal information before Twitter applied the patch and was now offering the stolen data for sale. Twitter is in the process of notifying affected users. BleepingComputer reports that some 5.4 million accounts were scraped for personal data before the vulnerability was fixed.
Cyberattack disrupts NHS 111.
Dave Bittner: A cyberattack against a third-party provider has disrupted Britain's National Health Service's NHS 111 online service, an advice and scheduling platform designed to make it easier and quicker for patients to get the right advice or treatment they need. Advanced, a digital services provider for NHS 111, detected the attack on Thursday. The BBC says the target of the attack was the system "used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions." The Guardian reported on Saturday that the government was organizing a coordinated resilience response and that recovery might well take into this week. There's so far been no public attribution of the attack, but The Telegraph says that an unnamed nation-state is suspected. Investigation, like recovery, remains a work in progress.
Developments in the C2C market.
Dave Bittner: There are two noteworthy developments in the criminal-to-criminal marketplace. First, as BleepingComputer reported on Thursday, a service that calls itself Dark Utilities offers command-and-control-as-a-service for criminal clients. Researchers at Cisco Talos described the service as a platform that provides full-featured C2 capabilities to adversaries. It's marketed to the underworld as offering affordable remote access command execution, distributed denial-of-service attacks and cryptocurrency mining operations on infected systems. Subscribers can get command-and-control-as-a-service for an initial fee of just under 10 euros. Dark Utilities has some 3,000 active subscribers.
Dave Bittner: In another C2C subsector, the initial access broker marketplace where stolen credentials are hawked, the Genesis Marketplace is said to deliver its wares with sophistication and polish. Researchers at Sophos describe the service, which has been active since 2017, as follows - Genesis, called Genesis Marketplace or Genesis Store or Genesis Market - the site refers to itself inconsistently - is an invitation-only marketplace. It sells stolen credentials, cookies and digital fingerprints that are gathered from compromised systems, providing not just the data itself, but well-maintained tools to facilitate its use.
Alleged Russian cryptocurrency exchange operator extradited to the US.
Dave Bittner: On Thursday, Alexander Vinnick finally arrived in the U.S., extradited from Greece. Mr. Vinnick, the U.S. Department of Justice announced Friday, faces money laundering charges in connection with BTC-e, an exchange that allegedly catered to the criminal market. Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department's criminal division said after more than five years of litigation, Russian national Alexander Vinnick was extradited to the United States yesterday to be held accountable for operating BTC-e, a criminal cryptocurrency exchange which laundered more than $4 billion of criminal proceeds.
Crypto mixing service sanctioned by US Treasury Department.
Dave Bittner: And finally, in a cyber-related designation, the U.S. Department of the Treasury this morning added Tornado Cash to the department's specially designated nationals list. Tornado Cash is a virtual currency mixer, and the Treasury Department has concluded that this particular mixer is implicated in laundering the proceeds of cybercrime. In particular, Reuters reports, the department is concerned about the uses North Korea's Lazarus Group has made of Tornado Cash. The immediate effect of the sanctions, CoinDesk notes, is that U.S. persons will no longer be able to use the mixer. This is the second virtual currency mixing service Treasury has sanctioned for connections with North Korea. Blender.io came under sanction early this past May.
Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So on your "CSO Perspectives" podcast this week, you are highlighting a topic called Fintech, and that phrase pops up all the time as I'm reporting the news. But I have to admit that I am less than crystal clear on exactly what it means. So can you clarify it for us here? What's going on?
Rick Howard: Sure. So it's a - kind of, like, a general term, this "x-tech," quote-unquote. You know, it's new technology that seeks to improve and automate services, like, in various sectors. You've heard of agritech for agriculture, edtech for education, adtech for marketing. Fintech is for financial services. The FinTech ecosystem has been around for years, but just recently, venture capitalists have been investing huge wads of cash into FinTech startups to take advantage of this new thing called Web 3.0, all this new innovation going on there, which is essentially taking the middleman out of the equation, like the banker, and maybe using blockchain technology to do it. So in this episode, I'm going to talk to two FinTech experts because I had no idea what it was until we started talking about this.
Dave Bittner: (Laughter).
Rick Howard: They're both from Akamai, so they'll tell us what's going on.
Dave Bittner: Shouldn't it be Fine-Tech (ph)? It's financial? Like, I don't mean to be pedantic, but maybe a little bit (laughter).
Rick Howard: Maybe Fine-Tech, yeah. It is spelled FinTech, yeah.
Dave Bittner: It is spelled FinTech. It's financial. I guess if you called it Fine-Tech, people would think it was about finding people, so - all right.
Rick Howard: The two Akamai guys said it was FinTech, so we'll go with them, all right?
Dave Bittner: Yeah, no, no. I definitely bow to their expertise.
Rick Howard: (Laughter).
Dave Bittner: All right. Well, that is for our CyberWire Pro subscribers. What's going on over on the "CSO Perspectives" public podcast feed?
Rick Howard: Yeah, so that's the ad-supported side where we are publishing old episodes of the Pro version. And this week, we're talking to Bob Turner, the education field CISO at Fortinet, and Kevin Magee, the Microsoft CSO for Canada, about how they talk to their customers about orchestrating the security stack. And that particular subject never gets old. There's always something new going on there.
Dave Bittner: Yeah, absolutely. All right, well, last but not least, how about the word of the week over on the "Word Notes" podcast?
Rick Howard: Well, Dave, I may have mentioned on this show from time to time, you know, that I regularly get my backside kicked by 7-year-olds playing my favorite video game, "Fortnite."
Dave Bittner: Yeah.
Rick Howard: And it has occurred to me that maybe my losing record is not because I'm such a bad player, but maybe it's because the 7-year-olds are cheating, OK? I'm just saying, how could they be that good, OK? I'm just saying (laughter).
Dave Bittner: Oh, Rick. Poor, poor, sweet, innocent Rick.
Rick Howard: (Laughter) OK, well, so for this week's phrase on "Word Notes," we're talking about anti-cheating software from the gaming vertical, so that should be fun.
Dave Bittner: All right, very good. Once again, Rick Howard is the host of "CSO Perspectives." That is part of CyberWire Pro. You can find out all about it on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is senior vice president for research and analysis at Interos. Andrea, always great to welcome you back to the show. I want to touch base with you today on some of the things we're seeing when it comes to industrial policy and how that intersects with some of the work you're doing as a social scientist. There's some interesting developments going on around the world.
Andrea Little Limbago: No, there really are and, you know, for a long time, industrial policy really isn't the most exciting thing to be discussing. And really, what we mean by that really is, you know, is more so government intervention in different aspects of the economy for any, you know, national security or economic security purposes and really having a bit more of a hand in there as opposed to, you know, the complete, you know, free range of the market. And what we're seeing a lot is, you know, largely driven by national security, is the steep rise of technology companies that are getting sanctioned due to national security concerns.
Andrea Little Limbago: And so that's exactly where that intersection is, is that the technology concerns over surveillance, data access, data manipulation - the tool being used to help protect against that in the United States and Europe is industrial policy via a range of sanctions. And so that, you know, is really a fascinating area to be looking at and, you know, from 2019 to 2020, about 350 different Chinese companies were sanctioned by the United States alone and by the Department of Commerce alone. So that's not even counting some of the Treasury sanctions. This was solely from Commerce. And a large part of those were technology companies.
Andrea Little Limbago: And then, we're seeing, you know, with Russia's invasion of Ukraine, we really are seeing that - sort of the foundation that was established with the approach to China being applied to Russia. And there's over 600 different companies now, Russian companies, have been sanctioned by the U.S. since Russia's invasion of Ukraine. The U.K. has sanctioned over 100 different Russian companies. And so it's not just - you know, it's not just the U.S. doing this. We're starting to actually see - in the case of the Russian sanctions, much greater coordination from, you know, Australia, Korea, across the EU in pursuing various kinds of sanctions to serve as a symbol of, you know, support for Ukraine and then also to harm both the Russian economy and Russian technology, and that's what we're seeing, is that many of the Russian companies are starting to have hard time getting access to certain parts that they need because of this strategy. The FCC in the U.S. has listed Kaspersky as a national security threat. Prior...
Dave Bittner: Right.
Andrea Little Limbago: ...To that, it was only Chinese companies that the FCC had listed. And so that's a shift now. And again, whether - there's a whole school of thought that wants more information on that and so forth. And that is - certainly is understandable. And, you know, hopefully more information will be coming out in those areas. But regardless - and this is what the government has stated as a concern, as their law and as their - and for, you know, partners they're willing to deal with. And so it does have economic implications and implications, you know, for really technology writ large and for what kinds of technologies are allowed in a corporate infrastructure.
Dave Bittner: Yeah, it's fascinating to me. And one of the elements I find interesting is that there seems to be the political will, I guess, combined as part of the national security interest that there's going to be a little bit of pain here, you know, as the U.S. decouples from some of the Chinese providers for 5G technology and as the EU decouples from Russia for some of their, you know, fossil fuel needs. That's going to require some adjustments, and things may cost more. It may be harder to get things, but that's the value balance and equation that the nations are making.
Andrea Little Limbago: It is, and it's interesting how much support there has been, you know? You know, I think with Russia and Ukraine, you know, it's a very visible, you know, and existential reason that, you know, the various countries are willing to take some pain.
Dave Bittner: Right.
Andrea Little Limbago: But it's also that they are - the fear of, you know, Russian expansion and dependency on a country that is acting that way. I think on the side of 5G, you know, there has been a whole lot more pushback, especially, you know, from those who are going, you know, to have to actually implement, you know, the rip and replace of Huawei for instance.
Dave Bittner: Right.
Andrea Little Limbago: And the government did, I think, something along the lines, like, 1.8 billion in the U.S. to help offset those costs. And then just recently - maybe even in the February, March timeframe of this year - the private sector came back and said, well, you know, our initial estimate was off. It's something closer to, like, 5.7, I think, billion...
Dave Bittner: (Laughter).
Andrea Little Limbago: ...To rip and replace.
Dave Bittner: But who's counting? Yeah.
Andrea Little Limbago: Yeah, but who's counting? Yeah. So, you know, there's - you know, the government is providing some support, and that's why the government has to sort of - to offset some of this. And to actually get compliance, government does need to, you know, combine the carrots and the sticks in this area. You know, Japan has provided, you know, a couple of billion to their own domestic champions as well to facilitate their replacement of the Chinese technologies. And, like, to your point, I mean, it's very, very expensive. And I imagine, you know, along the lines of, you know, oil and gas in Europe, you know, they'll be increasing, you know, support in that area. You know, and not even adding on top of this thing, in the past we've talked about collective resilience. And this is exactly where, you know, allies and trusted partners are so important that, you know, the U.S. has offered, you know, additional natural gas, and that comes with some concerns over, you know, environmental impact and so forth.
Andrea Little Limbago: But almost putting that aside - which you can't really put it aside - but just, yeah, at a higher level, it does show, you know, greater willingness of the U.S. to support Europe to offset some of their own costs as well on that, and looking at this much more so as, you know, we're only as strong as - you know, as the collective group. And if we can help build that resilience across like-minded countries, that will help offset a lot of costs as well because it is - it's going to be expensive. It's going to - you know, it's not going to be easy and, you know, it's going to be disruptive. And at the same time, if there can be, you know, replacements from - you know, the U.S. can't, you know, create a replacement all on its own. UK can't create replacements all on its own. You know, Japan, Korea, Australia can't on their own. But doing it together can make it - can help offset some of the pain a whole lot more and hopefully build, you know, even more secure networks.
Dave Bittner: Yeah, absolutely. All right. Well, Andrea Little Limbago, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.