Unrest in Iran finds expression in cyberspace. Cyber conflict and diplomacy. Cybercrime in the hybrid war. And there seems to have been an arrest in the Uber and Rockstar breaches.
Tre Hester: Unrest in Iran finds expression in cyberspace. Albania explains its reasons for severing relations with Iran. Cybercrime in the hybrid war. Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book, "Russian Information Warfare: Assault on Democracies in the Cyber Wild West." And there seems to have been an arrest in the Uber and Rockstar breaches.
Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Monday, September 26, 2022.
Unrest in Iran finds expression in cyberspace.
Tre Hester: Protests in Iran continue, the New York Times and others report, and they've been particularly sharp in Kurdish regions. The proximate cause of the unrest was the death of a young woman in the custody of the morality police. Mahsa Amini, 22, had been arrested on charges for violating hijab regulations. Many of the protests have been led by women, and some smaller cities are said to be outside of effective government control. The Washington Post's coverage include video of street violence. Tehran has responded with force, but also by imposing sharp restrictions on online activity. The Record reports that the government has organized outages of mobile networks, WhatsApp and Instagram. The Record also reports that the Anonymous hacktivist collective last week disrupted some Iranian government websites. On Friday, in a gesture intended to offer support to Iran's dissidents, the U.S. Treasury Department relaxed sanctions in ways calculated to make it easier for U.S. tech firms to offer Iranians greater access to online communication. Iran's Green Movement of 2009 and 2010, which shook the regime, although it ultimately fell short of revolutionary success, is instructive here. That movement took place when Twitter was relatively young, and the dissenters made innovative and effective use of what was still a new and unfamiliar platform. It seems likely that Treasury hopes to remove any barriers sanctions might impose on such self-organizing opposition to the rulers of Tehran.
Albania explains its reasons for severing relations with Iran.
Tre Hester: The Washington Post this week interviewed Albania's Prime Minister Edi Rama on his government's decision to sever diplomatic relations with Iran over Tehran's large-scale cyberattack against Albanian IT infrastructure. Rama told The Post, quote, "based on the investigation, the scale of the attack was such that the aim behind it was to completely destroy our infrastructure back to the full paper age and, at the same time, wipe out all of our data. Our sense now is, first, that they didn't succeed in destroying infrastructure. Services are back. Second, data - yes, they took some but practically not of any particular relevance," end quote. He characterized the cyberattacks as aggression, not as destructive, of course, as bombing, but of comparable intent and comparably inadmissible under international norms.
Cybercrime in the hybrid war.
Tre Hester: Observers continue to expect a renewed offensive from Russia in cyberspace, but so far, that hasn't materialized. What is being seen, News24 and others report, is some apparently financially-motivated celebrity doxxing by Russophone gangs. In Ukraine itself, the Security Service of Ukraine reports having taken down a gang that was responsible for compromising almost 30 million accounts and earning roughly $380,000 in the process. BleepingComputer reads this as accounts belonging to 30 million individuals. The SBU says the hoods it took down were working for the Russians.
There may be an arrest in the Uber and Rockstar breaches.
Tre Hester: On Friday, the City of London Police tweeted, quote, "on the evening of Thursday, September 22, 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK's National Cyber Crime Unit," end quote. The police have been relatively closed-mouthed about the arrest and haven't publicly connected it with either the Uber or the Rockstar Games incident. As the Verge points out, however, circumstantially, the alleged crime looks like the Uber and Rockstar hacks, and the suspect looks like a LAPSUS$ operator. The Hacker News offers some informed speculation that the youth arrested was responsible for the Uber and Rockstar incidents. Without revealing the hacker's real identity, Flashpoint reports that the hacker known as teapotuberhacker was outed in an underground online forum. But the security firm urges caution in accepting the doxxing at face value. Flashpoint reviewed what it found in the, quote, "online illicit forum," end quote, and reported evidence that the person responsible for the Uber and Grand Theft Auto hacks. Quote, "on the day that the original post was made, Flashpoint analysts found that teapotuberhacker's real-world identity had been outed on an online illicit forum. In that thread titled, 'The Person Who Hacked GTA 6 and Uber is Arion.' The administrator for that forum claimed that teapotuberhacker was the same individual who had allegedly hacked Microsoft and owned Doxbin. Additionally, the administrator linked teapotuberhacker to other aliases like White and Breachbase and stated he was a member of LAPSUS$. While the tactics, techniques and procedures employed by teapotuberhacker are consistent with LAPSUS$, these communities will often make false claims against one another. Flashpoint analysts identified previous doxes where the content may vary on the same individual. These are typically curated by individuals within these communities and should be treated with a healthy degree of skepticism," end quote. Well, if it is the same young person, a youthful recidivist, we'll repeat the same thing we said in the spring - child, child, these wild ways of yours will break your mother's heart.
Tre Hester: Coming up after the break, Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book, "Russian Information Warfare: Assault on Democracies in the Cyber Wild West." Stick around.
Dave Bittner: Dr. Bilyana Lilly is director of security intelligence and geostrategy at Krebs Stamos Group. She's author of the newly released book "Russian Information Warfare: Assault on Democracies in the Cyber Wild West."
Bilyana Lilly: The elections in 2016 happened, and we saw Russia's interference in the elections. And we started to learn more and more about the different activities that were associated with Russia's interference during the elections. And we saw, if you remember, Dave, there were two APTs - APT20 and APT29. They breached the networks of the DNC, the Democratic National Committee. They exfiltrated data strategically as the election season was unfolding. And at that time, it seemed to me like the U.S. government was not prepared to address that particular interference and the hacking illegal operation. That's how we learned to call it afterwards. And we were rather reactive in our responses and in our management of the situation. And what's even more interesting is, before the elections and after the elections, we learned a lot more about the other activities that the Russian government has been sponsoring, like the disinformation operations, the trolls and bots on social media, the troll farms in St. Petersburg and other locations. We also learned that the Russian government has sponsored rallies in different states throughout the United States for and against the different candidates. So the range of activities was vast, and we didn't have a clear picture as we were going into the election season in 2016. So I wanted to understand after that experience, where else has the Russian government used similar tactics to interfere in democratic processes, and what can we learn from them so that next time this happens in the U.S., we can be better prepared to address it?
Dave Bittner: Well, how do you describe the current state of Russian information warfare? I mean, how do they go about doing the things they do?
Bilyana Lilly: That's a great question. So it's definitely evolved. When I discuss what information warfare is in essence, I always refer to the Russian doctrine of information warfare. They published a document in 2011 where they provided an official definition of what information war or information warfare is. The term, which roughly translated as information warfare - but in Russian, the term also may mean informational struggle - it's (speaking Russian). And it is described as constant confrontation between states, and that confrontation is conducted during war and peace for the purposes of eroding the decision-making apparatus of the adversary and eroding its capacity to conduct command and control operations. And it's also conducted for the purposes of inflicting damage on information systems. So there is an element of using cyber operations to inflict damage on your networks and your systems but also using psychological operations to inflict damage on the mind of your adversary, on the decision-making apparatus, but also on the population. So those are the elements of information warfare that the Russian - that are the core in Russia's modern version of warfare. But then in addition to that, there are a lot of Russian military scholars that have tried to describe, OK, how do we really operationalize this theoretical concept on the ground? And in addition to psychological operations and cyber operations, some scholars argue that to conduct information warfare, we have to also consider the associated operations, such as sponsoring of protests, coup d'etats, assassinations, economic sanctions, political pressure. And all of those activities together are associated with information warfare and help the Russian government to conduct it. So this is how I would describe the term.
Dave Bittner: And how do they compare to their peers? When we look around, you know, the globe, other folks who are engaged in these sorts of things, how does Russia rank?
Bilyana Lilly: I think Russia has a very good culture of already conducting specifically the types of hacking-like operations that we saw in 2016 and the point where - and the way they integrate cyber operations and strategic messaging campaigns or disinformation because they have units that do this together, like, for example, the GRU Russian military intelligence. And they are very good at doing that. And we have some examples in Ukraine. We have other examples in countries outside of the United States as well.
Bilyana Lilly: And in comparison to other nation-states, I have - from what I have read, the Russian government tends to use cyber operations and information and disinformation altogether as information warfare to try to inflict damage on the adversary while other threat actors or other states use similar techniques like cognitive warfare in the Chinese case and others to conduct damage or to influence more regional actors while the Russian government uses its tools to exert pressure on or influence on actors that are much farther away from its territory. And in the Russian case, they use it a lot for political purposes, while in other cases, we have political purposes, also economic espionage that is linked to those particular campaigns. I would say the Russians so far are probably the best at conducting this type of modern version of warfare.
Dave Bittner: In the book, you introduce a framework that you refer to as the CHAOS model. Can you describe to us what goes into that?
Bilyana Lilly: Sure. So CHAOS stands for cyber hype in media and associated operations. And with that model, I wanted to visualize in one simple figure all the different activities that the Russian government conducts during one information warfare campaign. And the purpose was so that we have a template that we can use to record each cyber - or each information warfare campaign and to compare and contrast between the different campaigns that the Russian government is involved in. And in this way, we can see whether they are any patterns, whether there are any deficiencies. And we can be able to address them better as we build Russia's playbook across different cases.
Bilyana Lilly: So with the cyber - with the first two letters, cyber and - basically the first two letters of CHAOS, cyber and hype - they stand for cyber and hype. I'm trying to capture chronologically all the cyber operations that have taken place during one information warfare campaign. And with hype, I'm trying to capture the volume of media articles in Russian state-sponsored media outlets that are available to the targeted population through which the Russian government is conducting its strategic messaging operations. So I tried to basically assess whether that volume changes as the information warfare campaign progresses. And then the associated operations are political, military, social and economic activities that the Russian government has supported to achieve the same objectives in the general information warfare campaign. So that's what CHAOS stands for.
Dave Bittner: You know, since the Russian invasion of Ukraine and the war there, I think folks who keep an eye on these things have certainly felt like they've learned a lot about Russia's capabilities or shortcomings when it comes to that. Have there been any revelations when it comes to information warfare, things that we've learned from what they have and have not been able to do in this particular campaign?
Bilyana Lilly: Absolutely. There is a lot that's coming out of the past six months. And I would say, first of all, I don't think cyber operations have been ineffective. We have some reports that suggest that I think cyber operations have been very effective in achieving some of the strategic objectives that they were set to achieve. In the beginning, there were two massive waves of DDoS attacks against banks in Ukraine as well as government structures. We have a lot of - we have VSAT technologies that were rendered inoperable for a certain period of time that affected the command and control of the Ukrainian military. We have Industroyer2 that could have wreaked a lot of havoc. We have a lot of new wiper malware that still there is a risk of it spilling across the borders. It's not as bad as NotPetya in 2017, but we're still facing a risk of this spilling out of Ukraine's borders and affecting other industries and other countries.
Bilyana Lilly: So I would say in many ways, we have seen a range of cyber operations that have been quite significant. I believe Victor Zhora, Ukraine's cyber tsar, one of the Ukrainian officials who is telling us a lot about the situation on the ground and specifically how warfare is conducted in cyberspace in Ukraine at the moment - he said that there were about 1,600 significant cyber operations that have taken place so far. And I think what we have to remember is that information warfare, very roughly defined as strategic messaging in cyber operations - it's only one component of warfare. And right now what we are seeing in Ukraine is a large-scale war on the territory of a European country. And this hasn't happened since the Second World War. We have tanks. We have artillery. We have soldiers. We have massive battles happening. It's - this is where the focus should be, not so much on cyber. And cyber is - in this particular case, it plays a supportive function. And so far, I believe it has showed that it has been effective where it's been needed.
Dave Bittner: Dr. Bilyana Lilly is director of security intelligence and geostrategy at Krebs Stamos Group. Her latest book is titled "Russian Information Warfare: Assault on Democracies in the Cyber Wild West."
Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, also our chief analyst and bottle washer. And...
Rick Howard: (Laughter).
Dave Bittner: Rick, I was looking at the call sheet this morning, and I discovered that Season 10 of "CSO Perspectives (Pro)" is coming to an end this week.
Rick Howard: It is.
Dave Bittner: There is much wailing and gnashing of teeth about that. We're going to have to wait an entire month for Season 11 to start. And that is a shame because you and your army of interns have really hit your stride this season, in my opinion.
Rick Howard: I appreciate that, Dave. Yes. And we may have to double the interns' bread and water rations down in the underwater sanctum sanctorum - OK? - 'cause, you know, they deserve it.
Dave Bittner: (Laughter) OK.
Rick Howard: So this season, we kind of blew by our 100th episode. We covered another tool from the MITRE ATT&CK folks called Attack Flow, which I really like. We talked about the fintech ecosystem, and then we had a detailed discussion about two first principle zero-trust tactics - privileged access management and crisis planning. And we finished up with a mini four-episode series on forecasting cyber risk that I'm really proud of, right? And this last episode in the series, I talked with two data scientists from a company called Cyentia about the current state of cyber risk forecasting. Their names are David Severski and Wade Baker, who, Dave, I think you may know him. He was one of the founders of the Verizon data breach report many years ago.
Dave Bittner: Oh.
Rick Howard: And so these two guys have some risk forecasting cred, as they say. So...
Dave Bittner: Yeah.
Rick Howard: It's a good interview.
Dave Bittner: Well, I see the name of this episode is "Two Risk Forecasting Data Scientists, and Rick, Walk into a Bar." That seems appropriate - perfect title there.
Rick Howard: I appreciate that. It's exactly what it is.
Dave Bittner: Well, congratulations on putting to bed another season of "CSO Perspectives (Pro)." What is going on the public version this week?
Rick Howard: Yeah. This episode is from November of last year, and it's the inaugural episode of the Rick the Toolman series, where I explain in simple terms that even senior security executives like me can understand the tools that their infosec teams are using on a regular basis.
Dave Bittner: I just want to note here that Rick the Toolman sounds suspiciously like Tim the Toolman Taylor from the long-running '90s TV show "Home Improvement." Is that what we're going for here?
Rick Howard: Yeah, it looks like I've been had. Yes, I myself was also a big fan of the series. And the way the show star Tim Allen used his apelike grunts to express his confusion or joy or whatever he's talking about, that kind of appealed to me. And I'll just say that I may appropriate those grunts in the Rick the Toolman series, you know, just saying. And so for this episode, we're explaining one of my favorite tools, the MITRE ATT&CK framework.
Dave Bittner: Well, lastly, what is the phrase of the week on your "Word Notes" podcast?
Rick Howard: We're covering a little infosec meat and potatoes, OK? Nothing sexy here, but this week the phrase is intrusion detection systems. This device has been a staple of the security stack since the '90s, and it was invented by the great computer scientist and cybersecurity pioneer Dr. Dorothy Denning back in the 1980s. So you don't want to miss that.
Dave Bittner: All right. Well, we can check it all out. CyberWire Pro is on our website thecyberwire.com. Rick Howard, thanks for joining us.
Rick Howard: Thank you, sir.
Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.