The CyberWire Daily Podcast 8.12.22
Ep 1640 | 8.12.22

The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors.


Dave Bittner: The optempo of the war's cyber phase and Ukraine's response. Organizing and equipping hacktivists. A joint warning on Zeppelin ransomware. An update on the DoNot Team. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from BlackHat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And hey, Mr. Target, pick one, OK?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 12, 2022.

The optempo of the war's cyber phase, and how Ukraine has responded.

Dave Bittner: The cyber phases of Russia's hybrid war continue, and attendees at BlackHat received a glimpse of how it's proceeding from a senior Ukrainian official who made a surprise appearance. Reuters reports on remarks delivered at the BlackHat conference in Las Vegas this Wednesday by Victor Zhora, deputy head of Ukraine's State Special Communications Service. He said that detection of cyberattacks had more than tripled since the war began in February and that they became particularly intense in late March and early April. Reuters summarizes Zhora as saying, Ukraine faced a number of huge incidents in cyberspace from the end of March to the beginning of April, including the discovery of the Industroyer2 malware, which could manipulate equipment in electrical utilities to control the flow of power. Zhora also acknowledged the pro-bono cloud services provided by Microsoft, Amazon and Google, which have helped the Ukrainian government back data up in physically safe servers abroad. 

Organizing and equipping hacktivists.

Dave Bittner: Partisans have been increasingly active against Russia during its war in Ukraine, and they've been working in both physical and cyberspace. The Record has an account of the work of Nikita Knysh, an alumnus of Ukraine's security service and founder of the cybersecurity consultancy HackControl. Knysh took it upon himself to support hacktivists, cyber partisans, who wish to hit Russian interests and assets in cyberspace. He sees cyber partisans as filling a Ukrainian capability gap. Knysh told The Record, I realized that we should take control of the situation. Our government didn't have a cyber army, so we built it ourselves. Part of enabling the partisans to take effective action is training them. A website Knysh established, HackYourMom Academy, offers a kind of handbook through cyber conflict, and it's available in Ukrainian, Russian and English. The Record writes, some lessons are simple - how to install an antivirus program, connect to a VPN or use a virtual machine. Others are more advanced, such as how to conduct distributed denial-of-service attacks or hack Russian cameras and Wi-Fi routers. 

Dave Bittner: Hacktivists and cyber partisans occupy a gray area similar to one their kinetic counterparts live in. Just conduct of a war generally requires that combatants use proper discrimination in their selection of targets and that they operate under some form of responsible command. In the loosey-goosey hacktivist world, it's not clear that these conditions are always or even generally met. Still, Knysh seems clearly right to maintain that enemy assets in cyberspace represent legitimate potential targets. He said, not attacking your enemy in cyberspace is stupid. In the past, soldiers destroyed logistics and production facilities, but now they also attack technology and information. 

Joint warning on Zeppelin ransomware. 

Dave Bittner: The U.S. FBI and CISA have released a joint advisory on Zeppelin ransomware. Developed from the Delphi-based Vega malware family, Zeppelin is a ransomware-as-a-service offering that's used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and especially organizations in the health care and medical industries. It gains access to its victims either through phishing or RDP exploitation of known SonicWall firewall vulnerabilities. Zeppelin is typically used in double-extortion attacks, exfiltrating files before encrypting them and so adding the threat of doxing to the denial of access to data. The advisory includes a comprehensive list of indicators of compromise, as well as recommended mitigations.

Update on the DoNot Team, APT-C-35.

Dave Bittner: Morphisec researchers have published an updated and detailed account of the tactics, techniques and procedures of the DoNot Team, or APT-C-35, a cyberespionage operation that concentrates on military, government and diplomatic targets in South Asia and especially in India, Pakistan, Sri Lanka and Bangladesh. The researchers say, for initial infection, the DoNot Team uses spear-phishing emails containing malicious attachments. To load the next stage, they leverage Microsoft Office macros and RTF files exploiting Equation Editor vulnerability and remote template injection. The group has recently added new modules to its Windows framework. 

Dave Bittner: The DoNot Team is also known as Viceroy Tiger and has, as CrowdStrike and others have pointed out, an ambiguous connection with India. CrowdStrike's entry on the threat group says, Viceroy Tiger is an adversary with a nexus to India with a long history of targeted intrusion activity targeting entities in a range of geographies and sectors. Industry reporting from 2013 linked the adversary to an India-based security company. Since that time, Viceroy Tiger operations have continued with the use of custom malware families with a heavy focus on targeting Pakistan, other countries in the South Asia region and China.

Rewards for Justice offers $10 million for information on Conti operators.

Dave Bittner: And finally, the U.S. Rewards for Justice program has offered a reward of up to $10 million for information on a variety of bad actors, some of them connected with the Conti ransomware and privateering operation, or Conti alumni, depending on how you read the gang's present hibernation. In any case, it's the natural person and not the organization that's the target. The U.S. Department of State has tweeted its offer in both Russian and English, saying, the U.S. government reveals the face of a Conti associate for the first time. We're trying to put a name with the face. To the guy in the photo, imagine how many cool hats you could buy with $10 million. Write to us via our Tor-based tip line. 

Dave Bittner: The alleged Conti hoods who go by the hacker names Tramp, Dandis, Professor, Reshaev and Target are specifically mentioned and invited to turn their coats. Target is the one with the taste in hats Foggy Bottom admires. They say, if you have information that ties hacking groups such as Conti, Trickbot, Wizard Spider, the hackers known as Tramp, Dandis, Professor, Reshaev or Target or any malware or ransomware to a foreign government targeting U.S. critical infrastructure, you may be eligible for a reward. Target is the guy shown wearing the hat. There are no pictures of the other four. To judge from his picture, Mr. Target is a belt and suspenders kind of guy. In addition to the cool hat, he seems to be wearing the obligatory hoodie. Relax, Target. You can chill. Wear a chapeau or pull up the hood. Either one works, so don't be so nervous. The $10 million reward is twice what the Rewards for Justice program offered Monday for information on North Korean operators using cryptocurrency mixers like Tornado Cash to launder money. So that's twice the reward, which could buy twice as many hats.

Dave Bittner: And it is my pleasure to welcome back to the show Robert Boyce. He is the global lead of cyber crisis and incident response services at Accenture. Rob, it's always great to welcome you back. 

Rob Boyce: Hi, Dave. It's great to be back. Thank you. 

Dave Bittner: So you are coming to us from the Black Hat conference there, and I wanted to check in on a couple of things - first of all, just your overall take of that conference this year. But then let's touch on some of the things you and your colleagues are up to from Accenture there. 

Rob Boyce: Sure. Great. Well, I guess first, my first impression is it's really great to be back. So we've missed this show for the last few years at its full capacity. And it seems like, you know, we have great attendance this year, a lot of people. And, you know, the sessions have been really fascinating. So it's been just great to be back. You know, my impressions so far of, you know, things - I think there's a lot of things that we've seen are, you know, pretty similar to what you would expect - a lot of new vendors, a lot of emerging technologies in the security space in the vendor hall and business hall. But one thing that I find a little interesting to me is we're still - you know, I feel like we're still solving problems that exist today, you know, like, where there are a lot of, you know, new companies emerging around ransomware resiliency and data protection and all of the - you know, the threats that we've seen over the last year and addressing that. And I've seen, you know, very few think forward-looking on, you know, what are the next level of threats? What do we need to be solving next? And so I find that a little fascinating. Yeah, but it's been - yeah, it's just as I said. It's just great to be back. 

Dave Bittner: Yeah, one of the things I enjoy about a conference like that is kind of walking around those booths that are at the far edges where you have, you know, the smallest booth where somebody has an idea that they think they're going to change the world with. And now, I know Black Hat has that Innovation section. Have you been through there? I mean, is that the place where you'd expect to see some of these emerging ideas? 

Rob Boyce: Yeah, for sure. It's almost like, you know, going to a grocery store, staying on the aisles on the outside as opposed to going through the middle because I do find that, you know, the vendors who are well-placed in the market already are the ones who have the big exhibitions in the front, right? And then the ones who are just emerging without the - you know, without the money, I guess, behind them yet on the outside are really, I think, the most fascinating ones to me where to spend some time and just learning about what they're all about. And so, yeah, we've seen - you know, I've seen a few that are thinking about things a little differently. We're seeing a lot of uptick, I think, with ICS security, OT security. A lot of vendors - I mean, there's a couple well-placed in the market. But there's so much work to do there that, you know, there's a pretty good focus on that, I would say, from some of the emerging vendors. Yeah. 

Dave Bittner: What is your strategy coming at a conference like this? You know, you've got a limited amount of time, so much to see, people you want to see. How do you juggle a schedule? 

Rob Boyce: Yeah, it's funny. We were just joking about this earlier. It's pretty impossible. So my strategy is there's always a few individuals that - or organizations or partners that I want to make sure I spend time with because they're, you know, super-meaningful to us as a partner. And they're, you know, leading the market in what they're doing. And then I always save time, a few hours a day, to just, as you were saying earlier, walk the floor and talk to the emerging vendors because I think, again, that's the space that interests me a lot of, you know, things that maybe I'm not thinking about right now or we're not thinking about as a community that - you know, there's a couple of smart people just putting together a really interesting concept, an interesting idea. 

Rob Boyce: So making sure you save time for them is really important and just - you know, just going and seeing their booth where it is. And, you know, they have no idea who I am, and I don't know who they are. But it's exciting to just to get to, you know, meet them and learn about what they're doing. And, you know, always, again, the thing that's most important to me being here is just a personal connection. It's just so nice to see people in person again. And you can learn a lot more about not just them but what they're doing and where they think there's issues and the problems they're trying to solve - just a 10-minute conversation as opposed, you know, to a 40-minute, an hour-long demo or something that's all virtual. So, you know, the high touch is really, really great. 

Dave Bittner: Is there anything in particular that's caught your eye as you've been walking around and meeting with people, any surprises or particularly interesting developments? 

Rob Boyce: Yeah. I think, you know, again, as I was saying earlier, I think the biggest surprise to me is we're still - a lot of people dealing with known problems, right? I haven't really seen a lot of, you know, companies emerging that are dealing with problems that really don't exist yet or thinking about, you know, what might be next around maybe personal data sovereignty or, you know, privacy or whatever the - you know, the next big thing is going to be. So that was a bit of a surprise to me personally. Yeah, and I think the other thing is - I think clearly it's maybe not a surprise - is probably makes a lot of sense with all of the focus that we've seen around critical infrastructure and a lot of the systems that are going to be supporting critical infrastructure, a lot of focus on how do we do that better as a community. So I thought that was really interesting to see, again, a few - a number of different players emerging in that space and really putting a lot more focus on how we can better protect, you know, national security and critical infrastructure. And I thought that was fascinating. 

Dave Bittner: All right. Well, Robert Boyce is Global Lead for Cyber Crisis and Incident Response Services with Accenture. Rob, thanks so much for taking the time for us. 

Rob Boyce: Of course - always happy to be here, Dave. Thank you. 

Dave Bittner: And joining me once again is Caleb Barlow. He is the CEO of Cylete. Caleb, always great to welcome you back to the show. I want to touch base today on the ongoing skills gap. You know, obviously, we've been through a lot with the pandemic the past couple of years, remote work and all that good stuff. Where do you think we stand right now? 

Caleb Barlow: Well, the easiest way to get a benchmark on this - and by the way, I'm just a fanboy of this website I'm going to mention - is called CyberSeek. And, you know, they've got this really cool map that tracks where there are open, unfilled cybersecurity jobs. You can even drill down into an individual state. And from their April 2022 heat map, they show we've got 700,000 open cybersecurity jobs in the U.S. and just under 1.1 million that are filled. So the net of this is we're only filling about 60% of the openings that we have in the cybersecurity space. 

Caleb Barlow: But, Dave, I think this is even more nuanced in that prior to the pandemic, there were several kind of cyber cities - right? - San Francisco, Boston, Tel Aviv, Washington, D.C. And, you know, you found smaller clusters in places like Atlanta, Austin, New York, where, prior to the pandemic, big security companies, big security operations, defense contractors typically only hired high talent in those cities in an in-office work environment, right? And we - you know, we all kind of know this. So if you're an employer in, let's say, Peoria or Rochester, you were able to hire locally, and you were probably able to get security resources at a significant discount over their Boston, D.C. and San Francisco counterparts. So this is what we would call a regional model, where cyber cities were driving a big part of this skills issue. Pandemic hits. Work from home opens up. And the whole thing starts to change. And now we've moved to a more national model, Dave, with some interesting implications. 

Dave Bittner: Well, let's dig in there. I mean, what does that mean for organizations these days? 

Caleb Barlow: Well, this has been a big windfall for big employers as they can suddenly get access to talent and a greater number of resources from anywhere because all of a sudden, if you're in a work from home culture, that security researcher in Rochester, N.Y., is viewed equally as that security researcher in San Francisco because nobody cares where they live. It's also been a - you know, a windfall for the talent living in these places because they can go from working in an IT department at, let's say, a local hospital to working for a Palo Alto or a CrowdStrike or a Google and probably see a pretty significant bump in pay. But it's a huge problem for local employers looking to hire. And it's moved a lot of resources out of critical infrastructure companies where we badly need them and into security vendors that are willing to pay regardless of where people live. 

Dave Bittner: So what's to be done then? I mean, how do we close that gap? 

Caleb Barlow: Well, we've got this new problem, right? Cybersecurity skills are now being hired on a national model versus a regional model. Everyone's competing with everybody else equally on talent. And that talent, by the way, doesn't care where they live anymore, so they're all, you know, moving to the beach - right? - or wherever they want to live. So, you know, if you're not a large vendor with big pockets, I think one of the things you've got to recognize is top skills like threat hunt and IR - you may need to outsource those skills because you simply may not be able to hire them regardless of what you're willing to pay or do. Highly experienced resources are simply going to cost more. But this also means that we have to start recruiting differently. And in particular, Dave, we've got to move from trying to recruit highly skilled talent to moving towards reskilling people. And I think a reskilling initiative is absolutely critical moving forward. 

Dave Bittner: Yeah. You know, I hear that a lot, that, you know, companies want their new employees to come in fully baked, and there really isn't enough emphasis on finding good people and training them from within. 

Caleb Barlow: Well, not only that, but our - you know, let's face it, in the cybersecurity space, we have a demographics challenge that we're always working on and I think we're making progress on in terms of bringing more diversity into this workspace. But, you know, what I'm effectively saying here is in a lot of ways, we need to go out and hire some older talent - right? - that, you know, might have more experience, but not necessarily directly in cybersecurity. Maybe they're IT resources. I will tell you, I have personally had a lot of great luck with military veterans, older individuals, musicians. Oddly enough, musicians make amazing SOC resources because they know how to operate with precision, right?

Dave Bittner: Right. 

Caleb Barlow: But we're going to have to really take all of that time and effort that we spend right now on - you know, on recruiters and, you know, just crazy amounts of money to try to bring people in and start to maybe put that into training and upskilling people that aren't the normal demographic of what we would hire. 

Dave Bittner: Do you think we're headed towards a new equilibrium here? How - any sense for our timeline? 

Caleb Barlow: Oh, I think we're already in it. I - there's no question in my mind that we are already in it. And, you know, what I hear, oddly enough, every day is the - you know, people reaching out in my network saying, hey, do you know anybody that fits this mold? And, you know, the funny thing with it is, Dave, a lot of times that mold is, you know, hey, I'm looking for top talent. You know, have they worked in one of these Silicon Valley companies - you know, a Facebook, a CrowdStrike, a Palo Alto? Do they have 20-plus more years of experience? I'm like, you can't afford that person. Even if you can find them, you're not going to be able to afford them. Like, how about you take a portion of that money and upskill either some of the people you already have or go look in your local community and find some people that, you know, maybe if they take a class or they're coming out of a class, you can give them six months of on-the-job training and then upskill them into these roles? The beauty there is they're probably going to cost you a whole lot less. They're going to be much more loyal employees and have far less retention issues than the others. And you might be able to solve some of the other challenges of, you know, the demographics and diversity of what you're bringing into your workplace. 

Dave Bittner: All right, well, interesting insights, as always. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Ashley Taylor. She's a graduate student at the SANS Technology Institute. And the research is titled "Doppelgangers: Finding Job Scammers Who Steal Brand Identities." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.