A US EO addresses EU data privacy concerns. China’s favorite CVEs. Election security and credit risk. COVID phishbait. Notes from the hybrid war, including some really motivated draft evaders.
Dave Bittner: A U.S. Executive Order outlines U.S. and EU data sharing privacy safeguards. CISA, NSA and the FBI list the top vulnerabilities currently being exploited by China. A look at election security and credit risk to U.S. States. COVID-19-themed social engineering continues. Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. And notes from the hybrid war - Killnet and U.S. state government sites, the prospects of deterrence in cyberspace and, finally, maybe the most motivated draft evaders in military history.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 7, 2022.
US Executive Order implements US-EU data-sharing privacy safeguards.
Dave Bittner: An executive order signed this morning by U.S. President Biden moves the U.S. and the EU closer to agreement on data privacy standards. It specifies the safeguards the U.S. undertakes to put in place pursuant to the agreement reached with the European Union in March of this year. The executive order specifically addresses European concerns about U.S. signals intelligence and other intelligence activities. It reassures the EU that the U.S. will conduct SIGINT only in pursuit of defined national security objectives and that U.S. SIGINT will be conducted with due respect for the privacy of individuals, whatever their citizenship. It also undertakes to establish safeguards and mechanisms to resolve any concerns or disputes over data handling and compliance.
Top CVEs exploited by China.
Dave Bittner: NSA, CISA and the FBI have issued a joint advisory on the top vulnerabilities being targeted by Chinese state-sponsored threat actors. The full list of vulnerabilities, including recommended mitigations, can be found in the report. Most of the CVEs can be solved by applying patches or updating to the latest version, and the alert also offers advice on configuring certain products to mitigate risks. It's working-level advice. It won't hold the interest of political scientists and international relations experts interested in Beijing's goals, motives and policies. But there's more than enough there to keep CISOs, SOCs, IT personnel and the C-suites and boards they work for informed and busy. Reading it is time well spent.
Election security and credit risk.
Dave Bittner: Moody's Investors Service released a report detailing election risks as they relate to cyber risk. The service discusses how local governments are more exposed to credit risks as there's a shift from core services to election security and calls on state and federal funding to mitigate risk. National security officials are preparing for increased risk of cyberattacks and influence from threat actors who seek to erode confidence in election infrastructure in the U.S. Election interference can cause hindrances in policymaking, as focuses can be on political and social tensions and disrupting institutions' stability.
Dave Bittner: Differences in voting technologies across the country, as there's no central election management system, change and affect cyber risk and exposure. Wide-scale interference at the federal level won't happen due to a lack of centralized election management. But local and state governments remain the focus of risk. Election-related cyberattacks would also be bad for local governments because that would require a shift from costs only allotted to operate the elections and not for a whole cyber response. So that would be a negative financial move.
COVID-19-themed social engineering.
Dave Bittner: Proofpoint has released research detailing how threat actors took advantage of the COVID-19 pandemic for personal gain. The report highlights how threat actors are creatures of opportunity, acting when a threat is of relevance to their audience. In this case, threat actors could cast a wide net as COVID-19 was relevant to the entire world. It was noted that the pandemic also provided a good background for any type of cybercrime. The pandemic was also a big change in both personal and business-related matters, and so social engineering tactics were found to target both.
Killnet and US state government sites.
Dave Bittner: CyberScoop has an update on how U.S. states, particularly Colorado, Kentucky and Mississippi, are recovering from the DDoS attacks that took some sites offline briefly this Wednesday. The incidents seem, for the most part, to have been quickly contained, but that hasn't inhibited Killnet, in an Ozymandian mood, from calling its action USA Offline. Some of the group's website defacements have displayed the Statue of Liberty in front of a mushroom cloud, the scene emblazoned with the motto F NATO. We're a family show, so they didn't really just say F, but you get the picture. It's low-grade vandalism. Killnet is generally held to be a criminal group closely aligned with Russian government interests. The Five Eyes' joint advisory of April 20, 2020, assessed them as much, stating, according to open-source reporting, Killnet released a video pledging support to Russia. Killnet claimed credit for carrying out a DDoS attack against a U.S. airport in March 2022 in response to U.S. material support for Ukraine. As a purely criminal group, Killnet would have to be assessed as a fizzle. They're unlikely to be making a living from DDoS and website defacements, but their operations make sense if they're functioning as an auxiliary of Russian intelligence services.
US cyber ambassador on deterrence and the state of Russia's hybrid war.
Dave Bittner: Ambassador-at-large for cyberspace and digital policy, Nate Fick, the first official to hold the new U.S. State Department post, was sworn in on October 4. Yesterday, he addressed journalists on, among other matters, the current state of Russian cyber operations in the war against Ukraine. He advocated extending deterrence across the cyber domain and is encouraged by the NATO unity he sees in this respect. He thinks deterrence seems to have inhibited Russian cyberattacks outside Ukraine. With Ukraine itself, he credited effective defense and close public-private cooperation with limiting the damage of Russian cyber ops.
(SOUNDBITE OF ARCHIVED RECORDING)
Nate Fick: The idea of extending deterrence into the cyber domain is an important one across many facets of American foreign policy, including Russia's war in Ukraine. I think that the degree of unity of purpose across the NATO alliance that we're seeing is encouraging. Cyber deterrence is a part of that, and to some extent it's working, right? We haven't seen a ton of lateral escalation using cyber means outside Ukraine by the Russians. Inside Ukraine is - one of the interesting success stories of, you know, early days, is the effectiveness of public-private partnerships on the ground with software vendors that have, in some cases, hundreds of millions of systems deployed in Ukraine and the feedback loop between them and the U.S. government on things like threat intelligence sharing and then pushing patches out to systems. I lived this on the other side of the table in the private sector for a long time, and I'm not accustomed to seeing it work as smoothly and quickly as it is right now.
Dave Bittner: That's ambassador-at-large for cyberspace and digital policy, Nate Fick.
Motivated draft evaders.
Dave Bittner: And finally, if you'll permit us a moment to talk about the kinetic world, Russia's partial mobilization has proved widely unpopular with the men whom it seeks to sweep back into the ranks. Estimates of the number who fled the country range from a low of 300,000 to a high of 700,000. We, of course, don't know the true figure - probably no one does - but it's certainly more than the Kremlin would wish. Two reluctant soldiers deserve some kind of recognition, however. They turned up at a beach on St. Lawrence Island, Alaska, after crossing the Bering Strait in a small boat, and they asked for and received asylum in the U.S. It's not clear how far they traveled across one of the nastiest stretches of water on the planet, but it's at least 36 miles from Siberia's Chukotka Peninsula. The Telegraph says they may have traveled about 300 miles in their crossing to Alaska. That's some motivated boating. Oh, and we're sure everyone is sending appropriate thoughts in the direction of President Putin on the occasion of his 70th birthday. We hear the celebrations have been muted.
Dave Bittner: Coming up after the break, Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. Stay with us.
Dave Bittner: There have been recent reports of threat actors phishing school board meetings. Our U.K. correspondent Carole Theriault spoke with Joel Hollenbeck from Check Point Software on the issue. She files this report.
Carole Theriault: So today we are chatting with Joel Hollenbeck. He is head of engineering at Check Point. And we're talking about how local community and school board meetings have yet another threat factor to watch out for. So thank you so much for coming on the show, Joel.
Joel Hollenbeck: Yeah, thank you for having me this morning, Carole.
Carole Theriault: Maybe we could start by you setting the scene for us. What's been going on out there?
Joel Hollenbeck: In our threat research efforts around email phishing attempts explicitly, we discovered, you know, a new methodology that the threat actors are using. The latest one that we're seeing is that they're taking advantage of the recent interest in school board meetings, right? Folks are getting more involved in local politics, specifically around school board meetings. This has led in from the - you know, the lead up to the pandemic and the response to COVID. But because of the interest in that, the threat actors are following there, and they are attempting to phish people that are interested in these meetings by sending specifically crafted invitations that have malicious intent. And they're having great success in doing so.
Carole Theriault: So maybe I want to join my local school board. And I've been looking out to be - for an invitation to get on there. Maybe I've been waiting for that. And what happens? So I get a kind of spoofed email type thing.
Joel Hollenbeck: Yeah, that's precisely what happens. The threat actors in this case are sending out spoofed emails, again, that have malicious attachments involved in them. Much like many of the other spoofing attempts or brand impersonation attempts that we see by the threat actors out there using this, you know, human hacking approach, they're attempting to fool the viewer of that email or that message or that communication into believing that it comes from an authoritative, legitimate source. In doing so, you know, they're attempting to get under your risk radar, right? They're trying - you know, you trust it for a second because it looks legitimate. Therefore, I don't have to have my guard up when I click a link or I open up an attachment. This is coming from the school board, right? So I'm going to open this up.
Carole Theriault: Yeah. So listeners here now are forewarned, right? In this case, I'm guessing forewarned is forearmed. Is there anything that people can do to prevent becoming a victim of one of these? How do you watch out for it?
Joel Hollenbeck: Well, there's a number of things. I mean, first of all, I advise everybody to have an extremely healthy level of skepticism, if not downright cynicism, when it comes to cybersecurity issues. Make sure that you know who it is that you're talking to. Make sure that somebody else is in control of the account. Avoid clicking on links and opening up attachments. Like, for example, if you - you know, maybe - you know, we're all human, right? We do have needs, right? And we're going to do some shopping for Valentine's Day. Well, don't click on the link for - you know, the Build-A-Bear link that you may have gotten in the email. Instead, go to your search engine, and use one of the links there because a link that you get via email - even though you may believe it's from that legitimate source or even from a friend doesn't mean that that link isn't going to be malicious. So I think that going directly to the source, you know, reduces some of that risk.
Joel Hollenbeck: And the other part of it is, you know, not just being skeptical and, you know, using methodologies to avoid opening up these things that are potentially malicious. The more we're individually educated about the means and methods that the threat actors use, the better prepared we are and the less skeptical we have to be. And it turns more into education. You can be aware of the factors that they use, the techniques that they use and how they roll through these like a Rolodex. And they constantly mix and match them and use the same tools over and over again. And realize that regardless of how they're doing it, you know, they're going after something that's going to create an emotional response, something that's going to, you know, cause the viewer of this message or the receiver of this message to have some sort of an urgent response to it. And that's how they get under, you know, the radar. They get to the user. They get them to do something that, just as in a brief second, where they - you know, they feel like they have to do something urgently, or it's emotional. And that - it reduces your logic trained in your brain. You click on that link. You open up that attachment. And they got you.
Carole Theriault: Sage advice. This was Joel Hollenbeck, head of engineering at Check Point. Thanks for being on the show.
Joel Hollenbeck: Thank you very much.
Carole Theriault: And this was Carole Theriault for the CyberWire.
Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to welcome you back to the show. It strikes me that, perhaps, an area of critical infrastructure that doesn't get some of the attention of what I would call the more flashy things is food and beverage security, which, of course, is critical to all of our survival. What is the status of things when it comes to food and beverage?
Robert M Lee: So when we look at manufacturing at large to include food and beverage manufacturing, I would say that at one point in time, there was a lot of thought process put into those companies. And the security teams did good with whatever they had. I'm not saying - I mean, by any measure, manufacturing, food and beverage is not exactly at the top of spend and similar for global community. So let's not try to sugarcoat it. But those teams busted their tails to do what they could, which usually had a lot to do with segmentation - firewalling things off, getting that segmentation. However - which, you know, honestly, is where a lot of industrial was. However, manufacturing, especially food and beverage, more so than most industries, digitized earlier. So they started taking advantage of that industry 4.0, digital transformation, call it whatever buzzword you want. They started taking advantage of that journey earlier than, like, a big electric company or similar. And so you started to see remote connectivity and digital assets and similar a lot more in those environments.
Robert M Lee: What all that means is, we massively increased the risk with digitization and connectivity at a time that adversaries were targeting industrial systems specifically without adapting the actual security portfolio much beyond segmentation, maybe some targeted patching. And so what's happening is most food and beverage companies, at a board level, are becoming hyper-aware of this. I see board members and CEOs that are better informed on the cyber risk to manufacturing than some of the CIOs and CISOs that I sit down with. Like, it's fast in terms of its development. And the reason for that is there's a significant number of incidents that are happening because of that digitization and connectivity. And in every single one of the cases, the top two findings are, No. 1, the executives have a much rosier view of their OT security program than reality. And No. 2 is they didn't actually have the data collection tooling deployed in the first place to actually get to root cause analysis, the data that they would need for the incident or questions they would have, regulatory questions, etc.
Robert M Lee: So their board members are sitting on other companies' boards that are going through these incidents and all the problems that come with them a lot more than is being discussed publicly, and they're driving those discussions on the other boards they sit on. That's kind of what's happening. And as a result, we're starting to see a lot of discussions about, cool, how do we do OT security? How do we get in those environments? - etc. But there's still a lot of legacy challenges, and it's not a technology challenge. Usually, it's a cultural challenge, where maybe the manufacturing, the way that they do it is each plant has their own budget, and any security expenditures come out of that budget, including the bonus structure that's going to go to your plant manager. And so you have some of these incentives that are misaligned with what you're trying to accomplish as a corporate risk and corporate governance. So a lot of those food and beverage manufacturers are starting to have conversations about, how do we centralize the budget for that security, even if the implementation is local, so that we can incentivize the right risk reduction across our company? And how do we get more insights in the challenges that we're facing other than board members sitting on one board talking to another board?
Dave Bittner: What, realistically, are the perils that these folks face here? I mean, obviously, you know, you've got things like ransomware shutting down production lines. Are there risks of, you know, bad food being sent out, people - safety issues?
Robert M Lee: Yeah, absolutely. So there's a broad range of things that can happen. But I usually like to focus the conversation on what things have happened, right? I don't want to - well, one day, these three state actors could team up and play volleyball and come after you.
Dave Bittner: (Laughter).
Robert M Lee: And it's like, that's not happening. Let's dial down the hype.
Dave Bittner: Right.
Robert M Lee: You know, I'm glad that there's good research about what could happen. But when you're at the place that we are in the community, let's focus on what has happened. Cover down the knowns. Then we can get to that, right? And so on those knowns, if you will, the No. 1 for that industry, for sure, is ransomware. It's happening way more often than as a public - I still see people on social media and stuff every now and then. They're like, we did it, guys. We, like, lowered ransomware with all these changes. And I'm like, no, people just stopped talking to you. That's still - it's still pretty hot out there. That's the No. 1. But I would say on that, the realization that it doesn't have to go through IT is one that is the big realization for them. There's a lot of legacy mindsets around, oh, well, here's our ERP or kind of the SAP system for scheduling. Yeah. If it gets hit, we go down. And, of course, you know, our IT network goes down, and we lose the ability to sell and do the production. And it's like, well, not only that, though, but you also have their AD infrastructure, Active Directory now, from IP, OT. And that's getting compromised and populating like a highway of death down in OT. Or you have your digitization, which is not only cloud access but integrators and OEMs. And they're getting hit directly and heading directly into the OT.
Robert M Lee: And so the idea that ransomware is important in manufacturing is a no kidding kind of statement. But ransomware specific and starting in OT is the one that they're starting to grapple with and understand. The second thing we see quite a bit of is intellectual property theft from state adversaries. But it's not intellectual property theft on things like recipes. It's not like, hey, what's the secret sauce of that new cereal? Like, that's not the discussion. The discussion about intellectual property theft in industrial usually - can be recipes, but usually, it's, how did you integrate an environment? How did you build this environment? What vendors did you choose? What physical parameters did you put in place? What control and instrumentation did you do so that you could take cheap-quality inputs and make high-quality, repeatable outputs? The industrial espionage is almost the ICS itself, not some recipe.
Robert M Lee: And then the third thing we see quite a bit of is mostly around, like, accidents and things happening, unintentional issues or random malware stuff. But what it is is people don't have the visibility in their environment to know how things are configured. And the growing industrial automation complexity in these environments is making it where individual engineers and operators can't really troubleshoot things as well anymore, get to root cause analysis. So some of the security tools and things like visibility and network monitoring are providing as much resilience value as they are security value, which is a really good conversation. The fourth that we don't see a lot of but I am worried about is the one you hit on. We have seen safety-related targeting attacks. We've seen those incidents. I cannot stand in front of you and say that I've seen it in a way that is something that I think was intentional in food and beverage. But I am worried about once we get through those known scenarios, that is immediately where I'd focus people because of the safety impacts. And there's a lot of these producers that it's not just things like zero whatever. Like, there's beverage producers that you may know for certain soda products that actually make a lot of milk in certain countries or other things that are more perishable and important to the local ecosystem. And there's a lot of safety concern around the production of those facilities.
Dave Bittner: All right. Well, interesting insights, as always. Robert M. Lee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Jen Miller-Osborn from Palo Alto Networks Unit 42. We're discussing their recent work, "Russian APT29 Hackers Use Online Storage Services, Dropbox and Google Drive." That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.