The CyberWire Daily Podcast 9.20.22
Ep 1666 | 9.20.22

An overview of Russian cyber operations. The IT Army of Ukraine says it’s doxed the Wagner Group. Lapsus$ blamed for Uber hack. A look at the risk of stolen single sign-on credentials.

Transcript

Dave Bittner: An overview of Russian cyber operations. The IT Army of Ukraine claims to have doxxed the Wagner Group. Whodunit? Well, Lapsus$ dunit. Emily Mossburg from Deloitte and Shelley Zalis of The Female Quotient on why gender equality is essential to the success of the cyber industry. We got a special preview of Andrew Hammond from the Spy Museum interviewing Robert Gates on the 75th anniversary of the CIA. And a look at the risk of stolen single sign-on credentials.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 20, 2022.

An overview of Russian cyber operations.

Dave Bittner: Russia has long been known for the use it makes of criminal organizations, hacktivists, agents of influence and front groups in cyber and information operations. The Atlantic Council has published a study that draws attention to the complexity of these resources. While cyber and influence operations have clearly fallen short of expectations during Russia's war against Ukraine, they have nonetheless continued. The threat actors used by the Russians are varied, and the level of control they operate under ranges from toleration to inspiration to direct command. The report says, contrary to popular belief, the Kremlin does not control every single cyber operation run out of Russia. Instead, the regime of President Vladimir Putin has to some extent inherited, and now actively cultivates, a complex web of Russian cyber actors. 

Dave Bittner: The network includes cybercriminals who operate without state backing and inject money into the Russian economy, patriotic hackers and criminal groups recruited by the state on an ad hoc basis and proxy organizations and front companies created solely for the purpose of conducting government operations, providing the Kremlin a veil of deniability. This web of cyber actors is large, often opaque and central to how the Russian government organizes and conducts cyber operations, as well as how it develops cyber capabilities and recruits cyber personnel. 

Dave Bittner: The paper argues that there's a tendency for analysts to blur this complexity - an effective response to Russian cyber activity, particularly an active response like the forward and continuous engagement that U.S. doctrine envisions, needs to take this complexity into account. The criminal gangs operate under limited control. The intelligence and security organs are most closely directed. The Russian government has many internal teams carrying out cyber operations, notably the familiar ones deployed by the intelligence services - the SVR, FSB and GRU. 

The IT Army of Ukraine claims to have doxed the Wagner Group.

Dave Bittner: Ukraine has also been active in the cyber phases of the hybrid war. Mykhailo Fedorov, Ukraine's Minister of Digital Transformation, has reposted a telegram notice from the IT Army of Ukraine in which the hacktivist militia claims to have obtained detailed information about Wagner Group contract mercenaries. The post says the website of the Wagner Group, which collects Russian prisoners for the war in Ukraine, was hacked by the IT Army. We have all personal data of mercenaries - every executioner, murderer and rapist will be severely punished. Revenge is inevitable. And they close with glory to Ukraine. Glory to the armed forces of Ukraine. Ukrainska Pravda provides background. The Wagner Group has first increasingly served as a source of front-line manpower for depleted Russian infantry, and second has recently concentrated its recruiting efforts on Russian prisons, offering convicts pardons in exchange for active service. Reuters quotes U.S. estimates that put the private military company's prison recruiting goals at 1,500. The Wagner Group is said to have shown a preference for violent offenders in its jailhouse recruiting. 

Who dunnit? Lapsus$ dunnit.

Dave Bittner: Late yesterday morning, Uber published an update on the breach it discovered last week. They've developed an idea of who was responsible, and they've concluded it was Lapsus$. Uber thinks the hacker began by purchasing a password in a dark web C2C market, stating, an Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor's Uber corporate password on the dark web after the contractor's personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log into the contractor's Uber account. Each time, the contractor received a two-factor log in approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in. From there, the attacker pivoted around the network. Uber is still working to determine whether there was any material impact from the incident. Their updated report today offered a moderately optimistic interim conclusion. So far, they haven't seen any signs that the attacker got into either production systems or user databases. 

A look at the risk of stolen single sign-on credentials.

Dave Bittner: And finally, BitSight released research yesterday analyzing exposed public company single sign-on credentials. SSO is an authentication approach that enables users to use one set of credentials to authenticate with multiple applications. BitSight's research found steady growth in the availability of public companies' SSO credentials on the dark web, with more than 1,500 becoming available in June and July alone. There has also been a steady increase in the number of companies with credentials on the dark web. Industries found to be most impacted by compromised SSO credentials for sale include technology, manufacturing, retail, finance, energy and business services. BitSight says that SSO credentials can be hard to protect and are easily stolen. BitSight co-founder and CTO Stephen Boyer says, credentials can be relatively trivial to steal from organizations, and many organizations are unaware of the critical threats that can arise specifically from stolen SSO credentials. These findings should raise awareness and motivate prompt action to become better acquainted with these threats. 

Dave Bittner: Additionally, it was also noted that organizations with stronger cybersecurity - that BitSight has defined - were found to be less likely to have exposed SSO credentials. To prevent the risk of credential theft, BitSight recommends using adaptive multifactor authentication, which factors in geolocation, day and time, and suspicious activity, or universal two-factor authentication, which uses an origin-bound physical key. Other recommendations include limiting access to critical systems to only those who need it and managing risk from third-party vendors the organization uses. 

Dave Bittner: Coming up after the break, Emily Mossburg from Deloitte and Shelley Zalis of The Female Quotient on why gender equality is essential to the success of the cyber industry. A special preview of Andrew Hammond from the Spy Museum interviewing Robert Gates on the 75th anniversary of the CIA. Stay with us. 

Dave Bittner: Emily Mossburg is global cyber leader at Deloitte, and Shelley Zalis is CEO of Female Quotient, an equality services company. I recently spoke with Emily and Shelley on why gender equality is essential to the access of the cyber industry, and they shared some of their success stories as well. Shelley Zalis is up first. 

Shelley Zalis: The World Economic Forum just came out with the most recent gender equity report, and it says it'll take over 132 years to close the gender equity gap - 132 years. So what does that have to say? You know, in 132 years, we'll all be gone. 

Dave Bittner: Emily, what's your take there? I mean, I don't - you're not a person who I would suspect would be fatalistic about this sort of thing and wants to get in and try to make some meaningful change. 

Emily Mossburg: Yeah. And Dave, if I think about this from the lens of cybersecurity and the security space, clearly we've made some progress. We've seen an increase in women practitioners and professionals who are interested in this space. But the reality is we still have work to do. If we look at the workforce, the workforce is roughly, holistically, just under half female. But if we look at the cyber space, it's more like 24% or 25% of the cyber practitioners are females. So we've made some strides, but we still have a ways to go. And I think that there's a number of things that we need to think about around how we get more women into the field and excited about the field. And I think it's not just about looking for the right resumes and broadening our searches. I think that we need to think about the ways in which we're defining the roles in the cyber space. I think we need to think about the ways in which we are exciting people about what the opportunity looks like and making sure that we're truly bringing forward a more interesting space to a broader set of individuals - and in this case, females. 

Dave Bittner: Shelley, what about filling the pipeline - I mean, making it so that the young women who are coming up feel as though these careers are within the realm of possibility for them? 

Shelley Zalis: You know, it was so remarkable because it is about this next generation as well. And it's such a pay-it-forward moment because the women that we profiled - it was the most successful campaign that we actually ever ran. The campaign was so well received. It was our most successful campaign. The initiative in our social channels - women paid it forward. The buzz was remarkable. The women that we featured were so grateful. Our audience was so inspired. We're going to continue this series, but it also created such a buzz that so many other women in other categories wanted us to do the same thing. And so imagine if you profile 25 women in cybersecurity. Those 25 women want to then profile 25 women in their networks, who then want to profile 25 women in their networks - 25 times 25 times 25 times 25. That grows to an amazing community of paying it forward. The next thing you know, you have a vast community of generations that pay it forward, and that's just what happens. 

Shelley Zalis: And I think the inspiration of looking up to this cybersecurity network and what we saw at RSA even - the initiative where we kicked it off. I mean, it was just, for me, such a proud moment because I remember feeling - being an only and lonely in my field of market research and going to CES, where, you know, there was 150,000 people, less than 3% being women in tech. And I created the first, you know, girls' lounge at the time - now they're equality lounges - and, you know, inviting five women that became, you know, 25 women that became now 750,000 women across 100 countries. You know, that pay-it-forward moment - that power of the pack. A woman alone has power. Collectively, we have impact. It was that wow moment. 

Shelley Zalis: And then, of course, here at RSA, for the first time, it was that same feeling. We popped up this equality lounge with Deloitte. And I will never be able to be so grateful for Deloitte for what they did - that same feeling. All of a sudden, women in cybersecurity coming to cybersecurity RSA five to six years in a row and all of a sudden having this equality lounge pop up and women coming, saying, we had been showing up at RSA year after year. And all of a sudden, seeing this network of women in cybersecurity showing up at this space. It gave me shivers. They started to cry, saying, we never met other women in one location. And they said, this made us feel so proud and so inspired, and we don't feel alone anymore. And I said, oh, my God, that is how I felt the first time I had a lounge at CES. And these women started telling all the other women about it. And all of a sudden, five women, 25 women - and by the end of three days, it was the standing room only. And that's what it takes, just that consciousness. And it was - this is the inspiration. It takes being a first and taking that step out there. And you never know what happens. And that's what happened. And all these women in RSA, women in cybersecurity said, thank you, and we're so grateful. And it was that moment. Just one moment creates remarkable things. 

Emily Mossburg: This space continues to expand rapidly, you know, as technology evolves, cybersecurity evolves. And, you know, we've talked for years about the fact that it's not just a technology risk - it's a business risk. But we're really seeing that become real with the executives and organizations, which changes the stakeholders that we need to be able to communicate with. We need to be able to talk about cyber not just with the technologists, not just with the CIO, not just with the CTO, but in many cases, you know, it's now reaching the CFO and the CEO. That breadth of stakeholders, I think, really brings an opportunity for women in terms of playing a different role in the cyberspace than maybe traditional cyber roles - like, different than what traditional cyber roles have been. This gives them a new opportunity to broaden, to engage with a more vast set of stakeholders and, in some cases, raise the visibility and raise their profile in the process because of the fact that we've really got to get the message to a more senior level and at a more executive level. 

Emily Mossburg: The other element that I would bring into this, as we talk about the opportunity, is the fact that we all know there's a significant talent gap in cyber. We need to be exciting more women to join the field in order to address that talent gap. And that talent gap is not just in numbers. It's in the breadth of skill set. We've got to start to find that kind of connective tissue between what somebody has done in their past career or their past role and how that adds something to an organization's cyber program and the way in which they're managing their cyber risks. I think those are two really important elements to how we bring more women into the space and excite them. 

Dave Bittner: Our thanks to Emily Mossburg from Deloitte and Shelley Zalis from Female Quotient for joining us. 

Dave Bittner: Andrew Hammond is host of the SpyCast podcast right here on the CyberWire podcast network. In celebration of the 75th anniversary of the CIA, Andrew's special guest is former CIA director and former secretary of defense Robert Gates. Here's a special preview of that interview. 

Andrew Hammond: I'm just thinking about your career. You take over as DCI when the Soviet Union dissolves. You take over as secretary of defense when Iraq is unraveling and Afghanistan's not really going anywhere. So if you look at your career one way, it's very blessed. But if you look at that another way, you've taken over at some very challenging moments. So for any leaders out there that are listening, how did you deal with both of those tremendously complex and almost bewildering experiences? 

Robert Gates: Well, the most important thing is to surround yourself with really good people and not only people who are exceptional managers and leaders, but people who are intellectually honest people who will tell you exactly what they think. I've always believed having an inclusive and transparent decision-making process is really critically important, not only in terms of informing yourself about the different points of view and the different challenges and different ways to deal with the challenges but in terms of bringing people along, in terms of having them support whatever decision that you ultimately make. And I think the other thing that's critical is holding people accountable. I fired a lot of people when I was secretary of defense, and I don't think I ever fired somebody for not knowing about a problem. Mostly, I fired people because once they were informed of the problem, didn't take it seriously enough, whether it's wounded warrior treatment at Walter Reed or handling of nuclear weapons in the Air Force and things like that. 

Robert Gates: I think an inclusive and transparent decision-making process and keeping people informed of where you're headed, but also just people who will tell you what they actually think. Most bosses say they want that. Most people are gun-shy because they've heard bosses say that. Then they try it, and they discover, actually, he really didn't want to hear what I had to say. 

Andrew Hammond: (Laughter). 

Robert Gates: Maybe 95. 

Andrew Hammond: And just looking into the future, so 75 years - the CIA has came a long way. Where do you see it going in the next 75 years? 

Robert Gates: I think that the need for CIA today is as great as at any time in its history and will become even more important. For the first time since World War II, the United States faces powerful, revanchist states that are hostile to the United States. We face a global threat from two authoritarian, huge states, a number of other emerging threats. I think that the world in some respects has returned to pre-1914 of conflicting great powers seeking power and territory and influence and markets, and the United States faces a big challenge. And I think CIA will be a critical element in how the current and all future presidents deal with those threats in terms of real-world estimates of their military power, of their economic strengths and weaknesses, of their politics, of their intentions and those things. 

Robert Gates: One of the reasons CIA has survived is because presidents ultimately have recognized the importance and the value of independent intelligence unaffected by politics. Every director has been accused of slanting intelligence to support the president. The interesting thing is, I couldn't find a single president who would agree with that. They would all argue CIA went to extraordinary lengths to poke them in the eye and say, your policies aren't working. That's the mythology - that it's slanted and so on - but the truth is, one of the huge advantages we always had over the Soviet system was that our intelligence operations - our CIA - was independent of political control and could tell presidents when things weren't going well. 

Dave Bittner: That's former CIA director and former Secretary of Defense Robert Gates speaking with "SpyCast" podcast host Andrew Hammond. You can find more of that interview right here on the CyberWire podcast network. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.