How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Jennifer Eiben: Hi. This is Jen Eiben. I'm the senior producer and one of the founders here at the CyberWire. I'm really excited to share with you that our Women in Cybersecurity Reception is returning this fall. We started the event back in 2014 to bring women working in the industry together. We all know there's a need to increase diversity in cybersecurity, and we wanted to find some ways to help connect those already in the industry and encourage more women to join our ranks. Is your company also passionate about empowering women to succeed in cybersecurity? I'd invite you to join us as a sponsor. We have limited sponsor spots available. Visit thecyberwire.com/wcs to find out more. And thanks for listening.
Dave Bittner: Russian cyber operations in southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah David from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 29, 2022.
Russian cyber operations reported in Southeastern Europe.
Dave Bittner: On Friday and Saturday, respectively, Montenegrin and Bulgarian officials accused Russia of conducting cyberattacks against their countries' infrastructures. bne IntelliNews reports that Montenegro's National Security Agency said on August 26 that several Russian agencies were behind a cyberattack on key IT systems of state institutions earlier in August. Outgoing Prime Minister Dritan Abazovic said that Montenegro was at the peak of a hybrid war. The following day, Bulgaria's former ruling GERB party said it was attacked by Russian hackers, who aimed at publications on three specific topics on its social media pages. Earlier attacks, also attributed to Russian threat actors, had hit Albanian government services. All three countries have generally supported the cause of Ukraine in the present war, with Albania and Montenegro being particularly vocal in their support of extensive sanctions against Russia.
Dave Bittner: Public Administration Minister Maras Dukaj said on Twitter certain services were switched off temporarily for security reasons, but the security of accounts belonging to citizens and companies and their data have not been jeopardized. The state-owned power utility was among the services affected and has switched some automated services to manual operation as a precaution. Montenegro's attribution of the incidents to Russian cyberattack was direct and unambiguous. Metro News reports, the Podgorica-based Agency for National Security blamed hackers based in Russia for efforts to bring down government websites, communications and transport infrastructure. Airports and border crossings could all be impacted, it warned, adding, coordinated Russian services are behind the cyberattack. This kind of attack was carried out for the first time in Montenegro, and it has been prepared for a long period of time. According to an AP report cited by ABC News, a government spokesman said, I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.
The challenge of containing the cyber phases of a hybrid war.
Dave Bittner: What's being seen in southeastern Europe is a deliberate campaign. But there are also inherent difficulties in constraining cyber effects in a discriminating way. Modern Diplomacy has an essay that, while overstating the actual tactical and operational effects of cyber operations in Russia's war against Ukraine, points to the difficulty of waging cyber war in a discriminate fashion. Cyber effects easily cross borders, and the blurred lines between state and non-state actors render it difficult to apply familiar principles of war involving requirements that forces operate under effective government control. The essay singles out terrorists but might have with equal justice said criminals. And in hybrid war, other people's servers represent an irresistible temptation, practically what the lawyers call an attractive nuisance.
Dave Bittner: Concern about spillover is not, however, simply a matter of academic speculation or a priori probability. Switzerland's federal intelligence service is reported to be concerned about possible Russian exploitation of Swiss servers to mount interference campaigns against Western elections. The FIS didn't comment on the report directly, saying only, Switzerland, as a European nation and as part of the Western community, is a target of anti-Western influence campaigns promoting the Russian narrative.
Russian and Chinese cyber activity in Latin America.
Dave Bittner: Dialogo Americas reports increased Russian and Chinese efforts to establish a cyber beachhead in Latin America. Those efforts have been marked by Spanish-language disinformation campaigns, and in the case of Russia, a stepped-up tempo of privateering activity, for the most part by well-known ransomware gangs. Chinese efforts have been marked by an attempt at developing influence through technology exports. ZTE has been used to induce a dependence on Chinese tech in Venezuela, where it finds a welcome audience in the Maduro regime.
Dave Bittner: Russian military cyber personnel deployed to Venezuela in May of 2019 in the overt role of helping the country recover from the collapse of its power grid. Many of those personnel have remained.
Greenwashing influence operations.
Dave Bittner: Bloomberg reports that a bot-driven Chinese influence campaign has been running against Lynas Rare Earths Ltd., an Australian mining company engaged in the extraction and processing of rare earth metals in Australia and Malaysia. Bogus social media accounts circulate accusations of environmental irresponsibility on the part of Lynas, with a view to influencing Australian and U.S. public opinion. Rare earths are essential to the electronic and green energy sectors. Dominance of both sectors is a key, longstanding objective of Chinese policy. Green is good from Beijing's point of view, but to be realistic, it's good chiefly insofar as it's good for business, insofar as it provides a competitive advantage. As a policy commitment? Not so much.
Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Dave Bittner: Microsoft reports that the Iranian state cyberthreat actor it tracks as Mercury, and which others know as MuddyWater, Seedworm and Static Kitten, is exploiting Log4j 2 vulnerabilities in SysAid applications. All the targets have been organizations in Israel.
Dave Bittner: Microsoft says, while Mercury has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now. After gaining access, Mercury establishes persistence, dumps credentials and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on keyboard attack.
Dave Bittner: The campaign is another instance in the long-running story of Log4j vulnerabilities. Experts predicted that exploits would be endemic for years until the vulnerabilities were worked out of the software supply chain. And this recent wave is entirely consistent with those expectations. We mention for disclosure that Microsoft is a CyberWire partner. So keep looking for the vulnerabilities in your enterprise. And this week, start with SysAid.
Dave Bittner: It is always my pleasure to welcome back to the show the CyberWire's own Rick Howard. He is our chief security officer and also our chief analyst. Rick, welcome back.
Rick Howard: Hey, Dave.
Dave Bittner: So over on the company Slack channel this week, a bunch of us were discussing one of our favorite movies, which is 2012's "Zero Dark Thirty."
Rick Howard: I love that movie.
Dave Bittner: That was starring Jessica Chastain and, of course, the late, great James Gandolfini. And for those who don't know it, it's the movie about how the CIA found where Osama bin Laden was hiding after 9/11. And you were saying that there's a scene in that movie that directly applies to calculating cyber risk.
Rick Howard: Yeah.
Dave Bittner: I have to say, when I read that, I was a little bit skeptical, so...
Rick Howard: I get that a lot, Dave (laughter).
Dave Bittner: ...Explain for us, how does the decision to assassinate Osama bin Laden compare to calculating cyber risk?
Rick Howard: Well, I'm so glad you asked, right? So the scene in question is when Gandolfini - he's playing the CIA director at the time, Leon Panetta, and he's in a conference room with his staff asking them for a recommendation on whether or not Osama bin Laden is in the bunker. And he's looking for a yes or no answer. And one of his guys says that he fronted the bad recommendation about weapons of mass destruction in Iraq. And Dave, do you remember what the CIA thought back then about whether or not Iraq had WMD?
Dave Bittner: Yeah. I mean, my recollection is that the CIA director, George Tenet, told President Bush that this was a slam dunk, that these weapons were in country, and President Bush used that assessment as one of the main reasons to invade, right?
Rick Howard: That's right. That's exactly what happened, right? And so in the movie, Gandolfini's staffer says that because of that intelligence failure, that bad recommendation, the CIA doesn't deal in certainties anymore. They deal in probabilities, which, you know, that's the right answer, by the way. Just - it's just not a very satisfying one. And in the movie, in the scene, they go around the room and get a range of probabilities, from 60% to 80%, that Osama bin Laden's in the bunker. And then Chastain breaks into the conversation and says, the probability is 100%. And she says, OK, fine - 95% because I know certainty freaks you out, but it's 100%. I love that scene. Which, by the way, that's the wrong answer, all right? The probability was never 100%, no matter how sure she was with her evidence.
Rick Howard: So - but the CIA staffer was right. For really complex questions - like is Osama bin Laden in the bunker, and will my organization get hit by a ransomware attack this year - we don't deal in certainty. We deal in probability. So for this week's "CSO Perspectives" show, I walk everybody through that process of how you can assess the probability of material impact to your organization due to some cyber event in the next year.
Dave Bittner: Well, before I let you go, you have your "Word Notes" podcast. What is the phrase of the week over there?
Rick Howard: Yeah, so we're talking about a concept called sideloading, which is the process of legitimately - or illegitimately, depending on your perspective - of installing apps onto your smartphone without going through your vendor's app store, which might be a good thing for you because you can install any piece of software that you want. But it also opens up an attack vector for black hats to install Trojan horse malware onto your systems.
Dave Bittner: All right. Well, be sure to check that out. And of course, "CSO Perspectives" is part of CyberWire Pro. You can find out all about that on our website, thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Dave Bittner: And it is always my pleasure to welcome back to the show Dinah Davis. She is the VP of R&D operations at Arctic Wolf and also the founder of Code Like a Girl. Dinah, great to welcome you back. There is a recent ransomware report that caught your eye, and there was - something they highlighted in here had to do with some myths when it comes to ransomware. What can you share with us today?
Dinah Davis: Yeah, there's this really interesting report from Coveware, and they highlighted something that I hadn't seen very much before, which is, you know, four myths of why you should pay ransomware. So you know, when they may be explaining to customers or when industry experts are telling people, don't pay the ransom, these are reasons why companies tend to come back and say, no, I need to pay the ransom for these four reasons or one of these four reasons, right?
Dinah Davis: The one is paying mitigates the risk of harmful impact to the party. So they believe that, like, if I pay the ransom, I get everything back. Even if they exfiltrated data, they're going to give it back to me, and then nobody's going to be impacted. The problem is, the moment the data is stolen, there's already liabilities - right? - even as simple as having to report to local governments that the data has been stolen. So the victim company may have to pay for credit protection and notify impacted parties that their data was stolen even if they get it back, right? So there's also nothing that will guarantee that the hackers will delete your data or even resell it after you pay. So not paying because you think you're going to not have impacted parties is - it just - it's not going to work for you - like, not a good reason.
Dinah Davis: The second reason companies often give for saying they should pay the ransom is to mitigate the potential for class action liability. That one was really interesting to me. I'm like, oh, I didn't know people, you know, were considering that as a reason they should pay. Issue there is there's no case law at all, especially in the U.S., to support that paying ransom will protect you from a class action lawsuit. And typically, if somebody is going to try and come after you with a class action lawsuit, they're going to do it whether you pay it or not. Like, the fact that it happened was enough for them to, you know, get on that bandwagon and try and make a buck.
Dinah Davis: So the next one is paying shows my impacted parties that we did everything to protect their data. So they're saying, like...
Dave Bittner: (Laughter).
Dinah Davis: ...OK. Like, you know, we did everything to try and protect your data. We even paid the ransom. Well...
Dave Bittner: Right.
Dinah Davis: ...Dude...
Dave Bittner: Except (laughter)...
Dinah Davis: Except you lost my data.
Dave Bittner: Right.
Dinah Davis: Except it's...
Dave Bittner: Right.
Dinah Davis: ...Already gone (laughter). Like...
Dave Bittner: Yeah.
Dinah Davis: ...What's going on here, right? So what they're saying is it's much more important to communicate to your impacted parties how the breach happened. They're saying that the better response is to be candid, to be honest, contrite, and then your impacted parties are going to, like, respect and appreciate your transparency a lot more. And I think, you know, that's definitely what we've seen in the media, right? People who try and squash it and quiet it down and just say, well, I paid, so we're good, haven't been getting as much good press as the people who have said, yes, we got hit. Like, it's very likely most companies are going to get hit by some kind of breach at some point, right? That's just how rampant things are. And it's much more important on how you're handling that afterwards now.
Dinah Davis: And then the last one goes right into that as well, which is paying will limit the brand damage from negative PR. Well, I think that just goes right back to what we were just saying, right? If you pay it and try and hide it a little bit more, it's not going to be good for you. It's better to just get it out there.
Dinah Davis: It was interesting 'cause one article I read said that the PR wave that happens when cybercriminals leak data that were previously stolen has a media half-life of six hours. So if you go out there and you say, look, our data was stolen, like, your half-life is six hours. It's going to be gone and done within a day or two, right?
Dave Bittner: Wow.
Dinah Davis: As opposed to the hacker coming out and saying, hey, we stole your data - that lives on much, much longer, right? So you can scoop the criminal, basically, if you post that you've done it before they post that they're doing it to you.
Dave Bittner: Oh, interesting. And I suppose that - so by getting in front of it, you really can control the narrative.
Dinah Davis: Yeah, that's basically what they're saying because I think it's also, like, becoming more and more clear to people and just the everyday person that these things are going to happen to everyone. So a responsible company tells you as soon as they know and then manages the situation from there.
Dave Bittner: Yeah. All right. Well, interesting advice for sure. Dinah Davis, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security Hah!" I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.