Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats.
Dave Bittner: Nation-states are expected to target the U.S. midterm elections. North Korea's Lazarus Group is targeting energy companies. The Ukraine Ministry of Digital Transformation on cyber lessons learned from Russia's hybrid war; CISA flags 12 known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines are used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs and how enterprise executives are developing and finding talent; and a look at the top gaming-related malware lures.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 9, 2022.
Threats to US elections.
Dave Bittner: The Register reports that Mandiant says that they are highly confident that cyberspies from other nations may target U.S. elections this year. Mandiant said in their research, we have tracked activity from groups associated with Russia, China, Iran, North Korea and other nations targeting organizations and individuals related to elections in the U.S. and/or other nations with apparent goals ranging from information collection and establishing footholds or stealing data for later activity to one known case of a destructive attack against critical election infrastructure. Mandiant also said that they believe with moderate confidence that DDoS attacks, ransomware and other disruptive attacks will impact elections. However, compromising actual voting machines and the like is unlikely.
Lazarus Group targeting energy companies.
Dave Bittner: The North Korean Lazarus Group has been found to be targeting U.S., Canadian and Japanese energy providers, TechCrunch reports. The Cisco Talos group observed Lazarus using a Log4j vulnerability, known as Log4Shell, to compromise VMware Horizon servers. They then deploy VSingle or YamaBot malware to maintain long-term access. Talos researchers said, the main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions, targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.
Cyber lessons learned: the view from Ukraine’s Ministry of Digital Transformation.
Dave Bittner: The third and final day of the annual Billington Cybersecurity Summit met in Washington, D.C., on Friday, September 9, 2022. The day opened with a long session, partly in person, partly by video, on lessons learned so far during Russia's hybrid war against Ukraine. Mykhailo Fedorov, vice prime minister, minister of Digital Transformation of Ukraine, opened the discussion with a video that gave his perspective on the war. Ukraine, he said, has been fighting for both democracy and its survival as a nation. The war began in cyberspace before Russia's full-scale invasion, and Fedorov thinks that the first lesson to be learned is about the reality of Russian power. It's been generally overestimated. Both Russia's kinetic power and its cyber capabilities were believed to be greater than the war has revealed them to be. Russia's failure to achieve significant strategic effects in cyberspace can be attributed, in significant part, Fedorov believes, to Ukrainian defenses, which succeed in thwarting some 98% of cyberattacks daily. He strongly commended the IT army of Ukraine, which he characterized as enthusiastic volunteers eager to defend Ukraine's borders in cyberspace. He introduced a video that presented Kyiv's view of how things are going in cyberspace. Interestingly, that video made the case that the main contribution the IT army had made was in fighting disinformation and propaganda. And a great deal of that fight has been carried to Russian media.
"Be brave:" perspectives on the hybrid war.
Dave Bittner: The panelists who appeared in person - James Lewis, senior vice president and director of Strategic Technology Program at the Center for Strategic and International Studies, Dmitri Alperovitch, co-founder and chairman of the Silverado Policy Accelerator, and Georgii Dubynskyi, Ukraine's deputy minister, Ministry of Digital Transformation - also discussed lessons from Russia's hybrid war, but with the reservation, as Alperovitch pointed out, that it was premature to speak with great confidence of lessons learned. This war is still in its early stages. Dubynskyi said that the situation on the ground was difficult but that we are doing our best to drive Russia from our territory. Alperovitch said, the Russians have obviously made tremendous blunders. The Russian intelligence services have not been able to achieve significant successes after the first days of the war. He sees one early lesson is that it's possible to prevent the enemy from achieving strategic effects in cyberspace. And he would go on to add that it was, in any case, overly optimistic to imagine that it would be easy to achieve such effects.
Dave Bittner: Ukraine has been preparing for this war, in Dubynskyi's view, since Russia invaded Crimea. Ukraine had seen Russian preparations as early as October of 2021 but had been reluctant to fully credit Western intelligence warnings, especially from the U.S., that an invasion was in the offing. Dubynskyi said, but we saw preparations as early as October and November. The Russians began trying to enroll hackers that early, GRU, SVR and especially FSB. It was important, too, to make some friends. We didn't believe war would come, but we were a little bit ready.
Dave Bittner: It was in the first hours of the war that Russia enjoyed its most significant cyber success, notably in its attack on Viasat. Some of what the Russians did was impactful. Russia's ability to shut down Viasat modems in Eastern Europe temporarily downed Ukrainian military communications, but those communications were relatively quickly restored as Western companies provided alternatives. Alperovitch also noted the importance of information operations, stating, I was surprised there wasn't more of an attempt to shut down the Ukrainian internet. That Ukraine has been able to tell its story has been an enormous failure on the part of the Russians.
Dave Bittner: It's also been remarkable to watch how Ukraine has been able to continue rapid digital modernization during wartime. If there were one secret ingredient in Ukraine's ability to defend itself in cyberspace, Dubynskyi would identify it as the IT Army. While often characterized as hacktivists, a notoriously gnarly crew, as Lewis pointed out, the IT Army was also significantly formed from among IT professionals who wanted to contribute to the war effort. Dubynskyi said, people just came voluntarily on the street and asked to be given weapons, and people from the IT community also volunteered. We need active defense. We need to keep this guy busy. These are professional IT experts. They receive their targets through the Telegram channel openly. Those targets were official sites and particularly propaganda sites. The IT Army filled a gap left by Ukraine's failure to develop an offensive cyber capability. Dubynskyi offered some final thoughts. He emphasized the necessity of strengthened digital resilience, of close cooperation with friendly countries, engagement with Big Tech and getting the media involved in countering disinformation. He offered, do not allow yourselves to be threatened by Russia. And be brave.
CISA flags twelve known exploited vulnerabilities for attention and remediation.
Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency added twelve vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV). In accordance with Binding Operational Directive (BOD) 22-01, Federal civilian executive agencies whose security CISA oversees have until September 29, 2022, to take action to remediate.
Adapting anti-cheat engines to malicious purposes.
Dave Bittner: Eclypsium warns that attackers are targeting gaming anti-cheat engines to reach below a device's operating system and disable antivirus programs. Many modern game cheats are developed at the UEFI firmware level in order to avoid detection, and anti-cheat systems are increasingly being granted kernel-level privileges to combat them. Eclypsium explains, the anti-cheat engines in some games are more complex and powerful than the protections such as antivirus used to protect more traditional applications. This is because games have more vigorous requirements. Any manipulation of game data, such as modifying player stats, health or inventory, can fundamentally change the game. Just in the past few weeks, researchers have uncovered ransomware operators using vulnerable anti-cheat drivers from the popular game Genshin Impact. In this case, the attackers were able to use the anti-cheat drivers in order to disable antivirus service on a compromised host.
Games also serve as bait.
Dave Bittner: And finally, researchers at Kaspersky have found that Minecraft and Roblox are the most popular games used as lures for malware distribution, the Register reports. Kaspersky notes that both of these games are popular with children, who are more susceptible to fall for the attacks.
Dave Bittner: After the break, Steve Carter from Nucleus Security has thoughts on artificial intelligence. And Roland Cloutier, former CSO of TikTok, discusses working around the changing career fields and how enterprise executives are developing and finding talent. Stay with us.
Dave Bittner: Steve Carter is CEO and co-founder of vulnerability platform provider Nucleus Security. I checked in with him for a bit of a reality check on where we stand when it comes to artificial intelligence and machine learning.
Steve Carter: So we see AI in cybersecurity all over the place. Just about every product vendor out there is touting AI in their product. I just got back from Black Hat in Las Vegas, and every booth you stop at talks about how they're using AI in their technology. So I'm sure that's not just cybersecurity, but that's where we're at today. And that's why, you know, I kind of have these thoughts on how it might be a bit overhyped.
Dave Bittner: Can we start with some basics here in that I think there really isn't a standard, as far as I can see, as to what is considered AI and what is not. I mean, the - I guess it's a malleable term, particularly when you put it in the hands of the marketing crew.
Steve Carter: Absolutely. And I think what we see, at least in the cybersecurity so far, is probably best referred to as machine learning, which is really just a subset of artificial intelligence that helps us teach computers how to make specific decisions and perform very specific tasks well using training data. And, you know, it's worth mentioning that because machine learning has been around since the 1950s and '60s. And personally, I started - I took a course on machine learning in the late '90s in college. And so what's interesting is that those same machine learning algorithms from decades ago are still what's in use today, right? The big difference is that now software developers have really easy access to libraries and tools that implement these machine learning algorithms that - and those libraries and tools really didn't exist 20 years ago. So that's really the big difference.
Dave Bittner: So it's a matter of accessibility then that - and I suppose also the great leaps we've seen in processor power and, of course, the move to the Cloud.
Steve Carter: Yeah, 100%. You know, these days, it's really easy to pick up - to download a Python library. And within, you know, 30 minutes, if you're a developer, you can have some basic machine learning functionality in an application. And you just didn't have that ability years ago. And like you mentioned, along with, you know, the Cloud and accessibility there, that's really big the - been the big change. And then in terms of - you know, in terms of marketing, I think that there's maybe some perception out there by marketing teams that if you're not using AI or machine learning, that you're going to be perceived as legacy or old or maybe not innovating, which I think is a terrible way to look at technology in general and completely false.
Dave Bittner: So in terms of, you know, folks who are out there shopping around for this stuff, how do you cut through that marketing hype? Are there, you know, particular questions that you should be asking?
Steve Carter: Yeah. I mean, I think if you're really interested in the product and its AI capabilities, you really have to ask questions to the engineering teams behind those products around what specific functionality do they have that's using artificial intelligence? Because, you know, one of the things that companies do - and again, this is kind of pushed by marketing teams to an extent - they'll build, you know, a small bit of functionality in a product that leverages, let's say, a machine learning algorithm. And then they'll advertise their product as using AI, which is technically not false. You know, they're kind of just checking a box. But to your point, I think that you can have a conversation with the technical folks behind the product to really get an understanding to what degree is AI used and in what functionality in the product because it's generally not very clear.
Dave Bittner: Where do you suppose we're headed? You know, as we look towards the future, where do you think this is going to fit in?
Steve Carter: Yeah. I mean, I think every technology company should be looking at what they're building and where they're going to see if AI can be used in their projects. I think, you know, maybe it's - I want to say I saw a statistic recently about there was less than 50% of companies that have actually incorporated AI into their software products. So I think that a lot of companies are looking at this - looking at AI, trying to figure out, you know, can it help my business? Can it help my product? But it's - you know, they're figuring out that in a lot of cases that the answer is no. So I think over time, it's just more and more companies, technology companies, figuring out exactly what types of problems that AI does well at solving and which ones don't and really honing in on those that it helps with and investing there.
Dave Bittner: Yeah. I think a lot of folks are looking forward to the time when we get past that marketing hype. And, you know, it's a tool in the toolbox but maybe not one that's getting the emphasis that it gets today.
Steve Carter: Absolutely. Yeah. I mean, and that's really - that's where the market and technology companies need to go. And today, for example, AI is great at classifying data and identifying abnormalities in data, using pattern recognition. And so there are a lot of products where - that need that functionality. It's just that to many companies today, I think, feel the pressure to just check the box and advertise that they're using AI when actually they're not really using it in a significant way.
Dave Bittner: That's Steve Carter from Nucleus Security.
Dave Bittner: Roland Cloutier is executive adviser to the CEO at TikTok, where Roland previously served as chief security officer. He's also one of the judges of the upcoming DataTribe Challenge, which the CyberWire is a media partner for. I started my conversation with Roland Cloutier by asking him for his insights on attracting talent in a highly competitive marketplace.
Roland Cloutier: I think first you have to understand, you know, that the basic premise of what do you really need and when do you need it? You know, I often joke on this topic when we're having discussions in the industry on it about, you know, you probably don't have any firewall engineer Level 3s anymore, right? Those jobs don't exist. You probably have, you know, principal cloud engineers. You probably have risk analysts or critical incident response analysts or business resilience designers, right? It's a very different job field than it was 10 years ago, five years ago, in some, you know, areas, even two years ago. So you have to really understand what you need now, what you need just over the horizon and create that job family. I think that's No. 1.
Roland Cloutier: No. 2, when you've done that, understand what is the pathway to get there? What is - you know, if this was a sales organization, what's your pipeline? So where do you get your people? Where do you think you can get your people? And sometimes it's natively easy if you're in more, I'd say, of a critical infrastructure organization. You know, the military and government specialists that do this around the world, that's a great pipeline. And often people want to transition from military into a commercial job, and you can align there. Sometimes, nobody's doing this stuff yet. I mean, you might be doing some really cool stuff on data defense and access assurance that you're building your own system, so you're going to actually have to help a university design their program or two or three with them and use them as your pipeline over the next three to five years. So it really depends on what's in your program? What type of technologists, analysts or professionals you need?
Roland Cloutier: And I think the third thing is, how do you play for that long game? So how are you thinking about 10 years down the line? Now I know a lot of CISOs and CSOs. You know, the running joke is the average, you know, tenure is only 2 1/2 to three years. And there's a lot of truth in that. But your job isn't just about what you're delivering today. Your job is making your organization successful over the long haul, and whether you're in-seat or not doesn't matter. Making the executives that work for you today that will be the executive tomorrow successful tomorrow and that means planning for these things. So how are you thinking about not just universities but high school programs? How are you thinking about maybe even going further into the middle schools and preparing STEM around cyber programs that your organization can support? And whether that's financial support, you're lending technical support to those programs, volunteerism - there's a lot of ways to do it but getting sticky, again, in the pipeline of people learning STEM for cyber in these early programs. And a lot of great organizations are out there that are doing it. So you need to focus there.
Roland Cloutier: And like I mentioned, these jobs weren't the same that they were a year ago. So how are you preparing the people that are in-seat doing these jobs for the jobs that they'll have to do tomorrow? So your internal education and practitioner preparation programs have to be spot on. They just do. So if you have someone that is in a more of a legacy program or, you know, maybe it was a growth build program and now they're going to have to transition into an operations program, how are you preparing them internally to do that job? You know, we used to - you know, we used to say, well, you got to get past this and then take a SANS course and do this. But is that really what they need to be successful in any one of those job families? And so making sure that you have the talent pipeline, you have the talent on staff and you're creating educational programs internally for each one of them. And that may be, you know, I'm a - an analyst Level 3. In this discipline tomorrow, I want to be a director. What are the four steps I have to take to get there? And whether that's internal training or external training, you need to help develop that. And, you know, in my last job as the CSO for Bytedance and TikTok, we actually hired a leader on our - on the CSO directs organization to ensure that there was the capability to build educational programs in. So anyways, it's - I love that question because it's so broad, and you can go so deep in so many ways.
Dave Bittner: What about some of the, you know, so-called soft skills? I mean, I hear lots of folks lamenting that in a technical field such as cybersecurity, a lot of people would - they do themselves well to up their game when it comes to communications.
Roland Cloutier: Yeah. Dave, this is one of those you have to have those skills, and you develop them over time. It took me a while to learn them. I'll tell you that. You know, I came out of government law enforcement into this career field. So can you imagine stepping into a corporate environment and like, no, you will do this, right? Like that...
Dave Bittner: (Laughter) Just the facts, ma'am. Just the facts.
Roland Cloutier: Yeah. No. That's not the truth. Let's answer the truth at this table, right? So, yeah, soft skills are important, and I find mentorship in this area is great, at least how it worked for me. Like, you know, people - you know, how do you make yourself self-aware? Quite frankly, there's great programs. I did one at Babson College in Massachusetts at one point that took you through developing these type of soft skills for future leaders. But mentorship helps - people that hear you in the context of the job you are in or see you as, you know, as you are working that can give you that mirror you need some time and help educate you. I'm sure there's good books on it, but you're right. I mean, how to act appropriately, how to channel your internal thoughts into reasonable, articulable discussions externally, how to leave the right wake - I had a great coach once that said to me, Roland, it's not about if you're right or wrong. It's not about if you're good at what you do. It's about what's the wake you want to leave in the room that you're in at that time? Maybe you want people to know that you're serious and you can be a jerk if you need to be. And that's OK on occasion. But maybe you want people to say, that was a fair and reasonable conversation. I'd like to do more business with him, right?
Roland Cloutier: And so when you learn that it's about how you act and how other people perceive you and you can learn those skills, you get much better at it. And, you know, I'm not an expert in it. I'm still working on it, and I'm 50 years old. But it's certainly something, especially at the executive level, especially at the leadership and management level, that if you want to do this for a living, you have to be able to understand and work with other people.
Dave Bittner: Before I let you go, you are one of the judges of the upcoming DataTribe Challenge, where several startup hopefuls are going to be competing for some seed round funding. What draws you to this? Why is this something you want to invest your time in?
Roland Cloutier: Well, you know, I'm a proud member of what Jim Routh had called the 10% club at one point. Jim Routh - great CISO, who's retired and is now in the analyst community. And what that means is we take 10% of our time, and we dedicate it towards finding the thing that is going to - the next greatest thing that's going to help us and our industry going forward. And I've always been a big believer in that. How do you focus on that over the horizon control, need, technology that will solve my problems in the next two or three years? And so the fact that I get to sit and do these, that I get to sit on the judging panels is incredible because it's so important for us, as, you know, operational practitioners to understand what is out there, to understand - we have many needs. Not one thing meets all of our needs. Not one road map maps to all those needs over time. And our priorities shift and change as the threat surface changes, as the industry changes, as the products our companies are delivering to market change, our needs change. And so being in, you know, deep into the technology of these companies, understanding their - the reality of what they can or cannot bring to the defensive posture of any organization is super important, I think, to how any of us operate. And so that's why I'm so excited to be able to do this.
Dave Bittner: That's Roland Cloutier from TikTok. The submission deadline for the DataTribe Challenge is September 23. You can learn more at datatribe.com/challenge.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Deepen Desai from Zscaler. We're talking about their work "Return of the Evilnum APT with Updated TTPs and New Targets." That's "Research Saturday." Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Mo, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.