The CyberWire Daily Podcast 8.16.22
Ep 1642 | 8.16.22

Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility.


Dave Bittner: Microsoft identifies and disrupts Russian cyber-espionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be weaponized. Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility, one of them.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, August 16, 2022.

Microsoft identifies and disrupts Russian cyberespionage activity.

Dave Bittner: Microsoft yesterday outlined recent activity of the Russian government threat actor Redmond calls SEABORGIUM. The company's report begins, the Microsoft Threat Intelligence Center, MSTIC, has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns, leading to intrusions and data theft. 

Dave Bittner: As is typically the case, different researchers track this and possibly other related activities by different names. Microsoft says, SEABORGIUM overlaps with the threat groups tracked as Callisto Group by F-Secure, TA446 from Proofpoint and COLDRIVER from Google. Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group, tracked by Microsoft as ACTINIUM. However, MSTIC has not observed technical intrusion links to support the association. The group's targets have been found for the most part in the U.S., the U.K. and other NATO allies who support Ukraine during the present war. The report says, such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia and organizations involved in supporting roles for the war in Ukraine. 

Dave Bittner: The group gains access through social engineering, phishing campaigns that have targeted both organizations and specific individuals. There is some appearance of linkage to conventional criminal activity, but this seems likely to represent either opportunistic collaboration with gangs or deliberate misdirection. The motives appear to be espionage and influence. The report states, SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations. 

Dave Bittner: SEABORGIUM's contribution to disinformation and information operations is interesting. The report says, in late May 2022, Reuters, along with Google TAG, disclosed details about an information operation specifically using hack and leak that they attributed to COLDRIVER/SEABORGIUM. Microsoft independently linked SEABORGIUM to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation. In the said operation, the actors leaked emails and documents from 2018 to 2022 allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit to build the narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach. 

Dave Bittner: Microsoft's report includes a caution against spreading the narratives that it links to the threat group, saying, while we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM's intrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not be releasing the specific domain or content to avoid amplification. 

Dave Bittner: What has Microsoft done to disrupt SEABORGIUM? They say, as an outcome of these service abuse investigations, MSTIC partnered with the abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM's activities. We mention in disclosure that Microsoft is a CyberWire partner. 

An update on RedAlpha.

Dave Bittner: Recorded Future this morning outlined recent activity by the Chinese government threat actor RedAlpha, an operation the company's researchers have been tracking since June of 2018. RedAlpha has recently been observed conducting large-scale credential theft. Its targets continue to be humanitarian, think tank and government organizations globally. RedAlpha's techniques involve a great deal of credential harvesting. Recorded Future says, our research uncovered the suspected China state-sponsored group RedAlpha conducting credential-harvesting activity targeting individuals and organizations globally, with a particular focus on civil society and government sectors. The group has used a consistent set of TTPs to register and manage large clusters of operational phishing infrastructure using a mixture of pages impersonating popular email provider logins and custom webmail login pages to mimic specific providers and organizations. Its objectives are consonant with those common in Chinese intelligence and security operations. Since 2015, the group has engaged in consistent targeting of individual citizens and groups associated with minority communities, many of which are subject to reported human rights abuses within China. More generally, Chinese state-sponsored groups continue to aggressively target dissident and minority groups and individuals, both domestically through state surveillance and internationally through cyber-enabled intrusion activity. This targeting of sensitive and vulnerable communities, many of which have security, budget and resource constraints, is particularly concerning. 

Evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized."

Dave Bittner: Claroty's Team82 research group has developed a novel attack that weaponizes programmable logic controllers in order to exploit engineering workstations and further invade OT and enterprise networks. It's a proof of concept that demonstrates what Claroty considers a hitherto unexplored vulnerability in PLCs. Claroty says, this technique weaponizes the PLC with data that isn't necessarily part of a normal, static or offline project file and enables code execution upon an engineering connection and upload procedure. Through this attack vector, the goal is not the PLC, such as it was, for example, with the notorious Stuxnet malware that stealthily changed PLC logic to cause physical damage. Instead, we want to use the PLC as a pivot point to attack the engineers who program and diagnose it and gain deeper access to the OT network. The researchers emphasize that, all the vulnerabilities we found were on the engineering workstation software side and not in the PLC firmware. In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks. 

Cl0p gang hits English water utility.

Dave Bittner: And finally, the Cl0p group, after a failed extortion attempt, published stolen data from South Staffordshire Water, a utility that supplies water to Staffordshire and the West Midlands. Computing reports that the gang published data that included passport scans, screenshots of user interfaces and spreadsheets to a dark web dump site. Cl0p apparently believed it had hit Thames Water, a different utility, which may offer a partial explanation of why the ransom attempt failed. The systems have continued to deliver water safely and reliably throughout the incident. So some data was lost, but the water continues to flow. 

Dave Bittner: Enterprise technology management firm Oomnitza recently shared results from their 2022 Attack Surface Management Maturity report. I spoke with Arthur Lozinski, CEO at Oomnitza, for some of the highlights. 

Arthur Lozinski: Let me start with the 60% of organizations who have what we're defining as low confidence in their ability to manage the attack surface. The risk that the attack surface is both internally and externally showing is that the growth and the influx of technology is creating more challenges for IT teams and security teams when it comes to the security, of course, the compliance, the audit of that attack surface. And we see that from just continuing to increase because of the proliferation of that. With that, we found 53% of organizations are finding remote workers deviating from the security policy, which is a quite significant number. Eighty percent of organizations are pursuing a hybrid or multicloud strategy, which isn't surprising. But many of those organizations who have qualified and experienced staff, infrastructure and visibility - they're facing cloud protection challenges during this hybrid or multicloud strategy. And we found that really interesting because that is a significant number of the market who's going to continue spending on cloud and multicloud strategies. For them to raise their hand and say, we have misconfiguration, and we have control automation protection challenges, I think is quite showing of the current state of many IT teams around the world. 

Dave Bittner: Now, when we look at some of these numbers, you know, for example, starting with the fact that so many organizations have low confidence in their ability to manage attack surface risk, what do you suppose is the source of that? Is it lack of funding? Is it personnel? Where do you think that's coming from? 

Arthur Lozinski: We're facing a relatively new challenge. The influx of technology the way we've seen it today is a fairly new phenomenon. The service focus of IT professionals has really shifted. I think before, the IT-CIO team was always seen as a servicer of other business units and other lines of business. Our job was to make sure email was up and running, the CRM was up and running. We were taking requirements from line of business and implementing them. What has occurred during this influx of technology, where we've gone from simple things like servers - relatively - to clients, thinner clients over time, has now become all kinds of endpoints. It can be point-of-sale systems. Internal IT falls in that category. There's a ton of new networking equipment, from physical firewalls to switches to routers. There's only more of those coming online. 

Arthur Lozinski: We're seeing the same thing with infrastructure. We talked a little bit about the on-premise versus hybrid. But that's continuing to grow. Both the cloud infrastructure - and on-premise infrastructure, of course, is not going anywhere. And then there's an influx of the applications - not just the installed applications, but also the applications that live in the cloud, or the SaaS applications. And with the influx of all of this technology, the way to manage this has been from a service perspective. It's been tickets. It's been about business continuity, understanding relationship mapping of servers. But that relationship mapping, that business continuity process and the products available really aren't built to put the machines and the technology in the center of the workflow. Service management was built for humans to execute on the workflow. And I think that's causing many companies to have a less secure attack surface, less compliance, most likely not audit ready. And they're not providing a great experience for their either internal customers - their internal IT - or even their external customers. We think of retail environments and such. So I think it's the influx of technology and the old way of trying to solve the problem that's continuing to increase the challenges companies are seeing. 

Dave Bittner: That's Arthur Lozinski from Oomnitza. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story here from Wired. This is written by Lily Hay Newman, and it's titled "A New Jailbreak For John Deere Tractors Rides The Right-to-Repair Wave." What's going on here, Ben? 

Ben Yelin: So the right-to-repair wave has taken off, especially at the state legislative level and really among policymakers all across the country. You have all of these devices where individuals who aren't affiliated with the company that created the device don't have access to be able to make repairs. And that really hurts the consumer because if you have a tractor from John Deere, you can't just go to Bob's tractor fixer guy down the street as maybe you would have in a pre-digital age. 

Dave Bittner: Right. 

Ben Yelin: But you have to go back to the company itself, which can be burdensome. 

Dave Bittner: Expensive (laughter). 

Ben Yelin: Significantly pricey because they can, right? 

Dave Bittner: Right, right. 

Ben Yelin: So this story is about somebody who has tried to hack a way out of this right-to-repair problem. So it comes from an organization called Sick Codes, and... 

Dave Bittner: A hacker names - who calls - who goes by the hacker name Sick Codes - just an aside here, I'm trying to think of besides hackers. I don't know - DJs and rappers - are those - the only two groups I can think of that go by... 

Ben Yelin: These type of stage names? 

Dave Bittner: ...Code names. Yes (laughter). 

Ben Yelin: That's true. Maybe characters on "The Wire" or other police procedural shows. They have those a.k.a. names. But yeah, very few of them have names as cool as Sick Codes. 

Dave Bittner: Right. 

Ben Yelin: But this individual at a DEFCON security conference in Las Vegas presented a new jailbreak option for John Deere tractors that allows him and potentially millions of users to take control of many of their models through a touchscreen. So that would get around, at least temporarily, this issue of the right to repair. If there is a jailbreak where you don't have to go back to John Deere to repair your tractor, farmers are going to love it because then they can repair their devices more cheaply. 

Dave Bittner: Right. 

Ben Yelin: There is another side to this, though, that right to repair has become more than just a kind of practical desire. It's become a movement from a policy perspective. People really want laws passed to give consumers the right to repair their own products with a vendor of their choice. And something that's expressed in this article is just coming up with a hack that creates this sort of jailbreak might cut against that broader movement because you're only freeing somebody as it relates to this one particular device. Yes, you know, that might be a cyber vulnerability for John Deere, but it is limited to John Deere. I think what the right to repair movement really wants is something that's more all-encompassing, where we're not hacking device by device at presentations in Las Vegas. We're actually coming up with concrete policy changes to give people the option to have the right to repair. 

Dave Bittner: Yeah. 

Ben Yelin: So I think that concern is something that was expressed by people interviewed for this article. 

Dave Bittner: What about the point of view from a manufacturer like John Deere? They can come at this and say, look, this stuff is complicated. This software is - there's a lot to it, and we're just protecting our users from potentially bricking their own tractors by messing around, you know, in things that are - you know, they shouldn't be. 

Ben Yelin: Yeah, it's reasonable in one sense, and I understand John Deere's perspective. I think there is some truth in the fact that if you get access to the motherboard, so to speak, you're going to cause more harm than good anyway. What right to repair advocates would say is that should still be the choice of the consumer. The consumer should have the choice to assume that risk. If they know somebody who claims that they can repair software, it's the consumer's responsibility to do their research and make sure that person actually knows what they're talking about. It's not John Deere's prerogative to close off that avenue to every single alternative vendor. In this particular instance, John Deere might actually be thankful because this hacker seemingly exploited some vulnerabilities that now John Deere is promising to patch. So this might actually work out better for them in the short run. 

Dave Bittner: The old cat and mouse. Yeah. 

Ben Yelin: Yeah, it is a cat and mouse game. But in the long run, I think this illustrates again that we need, at least from the perspective of right to repair advocates, a broader movement where it's not some guy with an alias hacking every single company that - you know, let's be frank. Some of them are companies more prominent than John Deere, like a certain Apple. 

Dave Bittner: Yeah. Yeah. 

Ben Yelin: Apple computer, which has had many of these right to repair issues and lawsuits. I think the broader movement is to institute policy that gives consumers the affirmative right to repair so that we're not relying on people coming in and trying to hack into these devices. 

Dave Bittner: Yeah. All right. Well, it's an interesting development for sure. Again, this is an article over in WIRED written by Lily Hay Newman. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.