The CyberWire Daily Podcast 10.12.22
Ep 1681 | 10.12.22

Caffeine in the C2C market. Refund-fraud-as-a-service. Costs of a nuisance. Staying alert during a hybrid war. Renewed Polonium activity. The Uber case's impact on security professionals.


Dave Bittner: Refund fraud-as-a-service. The costs of a nuisance. Remaining on alert during a hybrid war. Renewed activity by Polonium. Andrea Little Limbago from Interos discusses quantum computing policy. Our CyberWire space correspondent, Maria Varmazis, speaks with Dr. Gregory Falco on lessons learned from Russia's attack on Viasat. Reflections on the Uber case's impact on security professionals. And when it comes to phishing-as-a-service, we'll take decaf.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 12, 2022. 

Decaf, please.

Dave Bittner: We open with a look at the burgeoning criminal-to-criminal marketplace. Mandiant describes a phishing-as-a-service platform called Caffeine, which is surprisingly accessible and available to anyone on the internet who knows the URL for its website. As Mandiant explains, Caffeine is unusual in that it allows practically anyone with an email account to register with its services directly, bypassing the usual harum-scarum rigamarole of an underground forum or an encrypted messaging service or a JoeSentMe recommendation from some trusted hood. Caffeine is also unusual in that it offers templates designed for use against Chinese and Russian targets, which has tended, historically, to be uncommon. What that means is unclear, but it may be an early sign that the grip Chinese and, especially, Russian security services have on the cyber underworld may be slipping a bit. 

Dave Bittner: Caffeine also knows that it pays to stay close to the customer, a lesson they might have picked up, perhaps, from close reading of the popular business classic "In Search of Excellence." Mandiant researchers note that Caffeine's administrators announced several key platform improvements via the Caffeine newsfeed, including feature updates and expansions of their accepted cryptocurrencies. 

Refund fraud as a service.

Dave Bittner: There are some other relatively novel offerings available in the C2C marketplace. Security firm Netacea today describes refund fraud-as-a-service. Refund fraud can seem a relatively dimwitted scam, even by the low standards that prevail among criminals, but it is a problem for retailers. 

Dave Bittner: In its most common form, refund fraud involves asking for a refund on an item you, the fraudster, has no intention of returning. It became more common as e-commerce tended to displace in-person shopping during the COVID-19 pandemic. While the individual capers, the onesies and twosies of petty crime, can be small enough, little by little, they add up. Netacea points out that one hood took a guilty plea this past December in a case that involved defrauding one retailer of more than $300,000 over a period of three years. 

Dave Bittner: Netacea explains that the fraudulent refunds are outsourced to professional social engineers, who complete the bogus refund in exchange for their cut of the refunded value. Here's how it works. First, a customer orders something from an online retailer. Then the customer hands their order details over to the refund fraud service. The hired scammers initiate a refund request and inveigle the store into returning the money without receiving a return of the purchased item. And then the customer splits the refund with the criminal service and keeps what they ordered in the first place. 

Dave Bittner: Now, wait a minute, you say. Why would the retailer give a refund without getting the item back? Well, that's where the social engineering comes in. The refund fraud-as-a-service operator may claim that the item didn't arrive or that the shipment was incomplete - the box was partly empty. And there are a variety of ancillary support services that can be used to lend plausibility to the otherwise bald criminal narrative - forged labels, forged scans, infiltration or compromise of a delivery service and so on. 

Dave Bittner: A secondary C2C market has grown up around those support services, offering training and so on. The first line of defense is an informed and properly skeptical staff. There will almost always be some interaction between the criminals and customer service, and a well-trained customer service professional can become alert to the various forms of social engineering the return fraud-as-a-service operators depend on for success. 

Costs of a nuisance.

Dave Bittner: Killnet, the nominally hacktivist group that actually functions as an auxiliary of the Russian intelligence services, claims to have disrupted online infrastructure of JPMorgan Chase. SC Magazine reports there was no evident effect on the financial services company, and Killnet seems, again, to have produced a fizzle. The announced attack comes a day after Killnet succeeded in briefly disrupting some public-facing websites at U.S. airports. Even such a low-grade nuisance-level activity exacts a certain cost on its targets. The Wall Street Journal points out that affected organizations still have to defend, investigate and communicate their response, even when the attack has a negligible effect. 

Remaining on alert during a hybrid war.

Dave Bittner: As sabotage of the Nord Stream pipelines and German railroad communication networks remains under investigation, The Telegraph reports, NATO has warned that sabotage could trigger the Atlantic Alliance's Article 5, the collective defense agreement under which an attack on one member is regarded as an attack on all of them. In the U.S., according to the Voice of America, U.S. officials cautioned against complacency. While Killnet's recent DDoS attempts have had negligible effect, organizations shouldn't rule out the possibility of major crippling Russian cyberattacks. 

Renewed activity by Polonium.

Dave Bittner: There's also some activity on the more traditional cyberespionage front. ESET researchers outline recent activity against Israeli targets by Polonium, an Iranian-controlled threat actor that operates from Lebanon. Controlled by Iran's Ministry of Intelligence and Security, Polonium is a cyberespionage operation that specializes in backdooring its targets to extract information and maintain persistence. 

Reflections on the Uber case's impact on security professionals.

Dave Bittner: And finally, the case of Joe Sullivan, Uber's former security chief convicted for his attempt to cover up a 2016 hack, has affected the security community, specifically, C-suite security professionals. 

Dave Bittner: The Record by Recorded Future reports that CISOs now fear that CISO scapegoating may become more commonplace after the verdict, and this may prompt more preemptive whistleblowing from CISOs since, of course, no one wants a sabbatical in the correctional system. 

Dave Bittner: On the other hand, Security InfoWatch points out that CSOs have long been ripe for scapegoating. They quote Bob Hayes, managing director of the Security Executive Council and former CSO of Georgia Pacific and 3M, as stating, "I don't think this is anything new. I just think it is a high-visibility incident with a different twist." He suggests that CISOs and CSOs should treat the case as a learning opportunity and go forth and do better. So should we all. 

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos discusses quantum computing policy. Our CyberWire space correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia's attack on Viasat. Stay with us. 

Dave Bittner: Russia's attack on satellite provider Viasat was certainly one of the more interesting cyber elements of Russia's hybrid war against Ukraine. Our CyberWire space correspondent Maria Varmazis checked in with Dr. Gregory Falco for lessons learned from the attack. 

Maria Varmazis: One of Russia's opening salvos in its war against Ukraine was its attack against the Viasat KA-SAT network. On the morning of February 24, 2022, a cyberattack disabled some Viasat modems in Ukraine, cutting off satellite communications for thousands right as Russian ground forces began their invasion. This attack also disabled thousands of wind turbine communication modules in Germany. Dr. Gregory Falco, assistant professor at Johns Hopkins University, studies space cybersecurity, and he and his team just completed a study about this attack in a paper called "Lessons Learned from the Viasat Space System Cyberattack." I recently spoke with Dr. Falco about the Viasat attack, how it worked, as well as key takeaways for aerospace. And here's some of our conversation. 

Gregory Falco: So the first thing that happened was actually possibly not even the attackers for the specific attack. And that happened a number of years ago when a VPN had a vulnerability in it that was disclosed widely - Fortinet specifically - and a whole bunch of credentials were leaked on the internet. So it happened a couple of years ago. It was attributed to a group called Groove, which was a rather new cybercrime group, also out of Russia or Eastern Europe - probably Russia - and they took credit for it. They were like, hey, look at this cool dump we have here. And they put it all on the hacker forums. 

Gregory Falco: And so we didn't see a lot of activity that was super public as major attacks that occurred out of that immediately after the 2019 segment. Fortinet did push an update to their VPN devices, and, you know, some people popped them in, and some people didn't. And that was the genesis of what we think was happening with the Viasat attack. And that's also why Russia may not have had the same level of impact that they may have wanted for the Viasat attack because some devices were patched and some were not. 

Maria Varmazis: OK. I was interested also in the collateral damage on the wind turbines in Germany, and I'm thinking about, OK, is there a unique risk profile when you're talking about the cybersecurity of a space system in this context? 

Gregory Falco: So I do see space systems generally as a field, as a single point of failure because they're pretty homogenous in how they operate. If you are attacking those devices, you're looking at thousands, tens of thousands of those devices. They all are operating exactly the same way. And if someone knocks it, they're all done. But one thing that's interesting about the space segment is really - end up having a lot of them. And also they end up being pretty critical for a whole bunch of different industries that you never would have even imagined, which is kind of where the wind turbine bit comes in for the Viasat attack, because Russia probably was not targeting these wind turbines, right? But collateral damage can get pretty significant when it comes to space systems. 

Gregory Falco: One thing that was kind of really unique and interesting about this attack was in doing some of the analysis on the different beam spots that were targeted by the attackers - and so for these space systems, yeah, you can characterize an attack and then target the overall space system, but you can also target specific individual assets by looking at where your signal's going. And so the attacker was pretty intelligent in this regard, where they were actually looking at - and we have a map in our little case study here. They were looking at a map of Ukraine and trying to choose the beam spots that were in Ukraine, and then they targeted those specific beam spots. And so if you look at the map that we have, we end up showing that there's a lot of these beam spots that have overlapping territory with Germany or with other countries that were impacted by this attack. And it's just the nature of the physics for how the beams were sent. The signal was sent down from the satellite to the modems. 

Maria Varmazis: Switching gears for a second - so there's a really great warning that you have in the paper, and I'm using warning very explicitly here, because it's - we're talking about dual-use technologies and what this attack means for the commercial sector. You make a point to put in bold - and I really appreciate this - that commercial technology that is engaged for both civilian and military purposes should be prepared to be treated as if they are military targets. What do you think this all means? What should the commercial sector take away from all of this? 

Gregory Falco: You know, there's some good posturing going on right now, but it is something where space commercial sector needs to be cognizant that even if they don't think that they're doing anything national-security-related but they may have some kind of government customer or some scent of, hey, we're doing something for public good, they're going to be targets, and it's also unclear right now what the U.S. specifically will do to protect those targets that are commercial assets. But as we may know in the cyber community more generally, commercial assets are not really fully aided by the government when it comes to protection, even critical infrastructure sectors, right? There's a support ecosystem that's there, but it's not like the military stands up all its operations to go protect Sony or whatever, right? So this is not the world we live in, in the U.S., where the government's just protecting every one of our commercial assets. And so you just got to be worried about this as a commercial space player now. Not only do you have to make sure your bird is flying and operational, but someone's after you probably. And I think this is a huge awakening to the space community because before, say, 2018, the commercial space community was not even thinking about this topic, generally speaking. 

Maria Varmazis: That was Dr. Gregory Falco from Johns Hopkins University. And again, the title of his paper is "Lessons Learned from the ViaSat Space System Cyberattack." For the CyberWire, I'm Maria Varmazis. 

Dave Bittner: And joining me once again is Andrea Little Limbago. She is senior vice president for research and analysis at Interos. Andrea, it's always great to have you back on the show. You know, I've been talking to some folks recently about some of the technical aspects of quantum computing and sort of the horizon for where we are on that. But I know you've been tracking - there's been some movement when it comes to policy in quantum. What sort of things have caught your eye? 

Andrea Little Limbago: Yeah, and thanks for having me, Dave. It's interesting to see what's going on with quantum right now. The tech discussions on it have dominated, and that's to be understood. It's - you know, it's a nascent area with a lot of opportunity in there. But what's interesting is that just as nascent as the technology, policy is starting to actually look at what the roadmap might be for quantum. And so we saw earlier in May, the National Quantum Initiative, that was a presidential executive order, directive that was released really highlighting the essential role of quantum for national competitiveness, national security, economic security. 

Andrea Little Limbago: And so that was one of just - really kicked off a series, really, over the last few months where we saw CISA also release - do a press release - doing some guidance on how to prepare critical infrastructure for quantum computing and a world of quantum algorithms. And then we saw at NSA just in early September do a press release on how to think about a future where there might be quantum-resistant algorithms and what the requirements might be to live in that world securely. And the big concern for a lot of these from the policy side is how can you secure, you know, and to keep our data safe and maintain privacy at a time when there might be algorithms out there that can decrypt any of the general encryption that's out there? So there's a lot coming on. You know, and I think we'll probably see more. I think this is a growing trend. 

Dave Bittner: Yeah. I mean, it's interesting, too, that - I guess that we're seeing proactive measures here, that the policy isn't lagging in this case. 

Andrea Little Limbago: Yeah. And I think that's what's especially interesting to me. For years I've shown a chart where you see, you know, technology exponentially exploding and policy basically being (laughter) a very flat line. 

Dave Bittner: Right. 

Andrea Little Limbago: And this is one of those cases where we're seeing, you know, policy starting to try and get ahead of where the technology's going - basically, you know, racing to the puck. One, it's very interesting. It's an interesting policy shift, you know, ideally, you know, something that will give us enough time to put some thoughtful considerations into it instead of being reactive. And so it's a much - you know, I think it's a really good, you know, harbinger of a more of a proactive policy when it comes to technological innovation. So I'm hopeful on that. I do have concerns whether - given that we still have policy debates over regular encryption right now still going on, we still have the Five Eyes with a directive basically wanting to have some form of a backdoor in encryption. 

Andrea Little Limbago: And so I do worry that some of the lessons learned from the various decades of crypto debates will actually trickle into the quantum discussion, as opposed to taking the lessons learned and building towards a future where, you know, we understand the necessity of really secure, you know, algorithms to help protect the data. I'll be curious to see how much of the crypto wars then become into, you know, quantum computing and quantum algorithms. We'll have to see on that. 

Dave Bittner: Do you sense any fear that we could experience an equivalent of a Sputnik moment here, where one of our adversaries makes a leap forward that, you know, is on a timeline that we weren't expecting? 

Andrea Little Limbago: So I think that is also what is sparking some of us that understand that whoever gets to it first and really has the capacity basically will be the ones that can decrypt a lot of the strongly protected data that's out there right now and give them a huge competitive advantage, both on the economic front and on national security. If you can no longer protect your - basically the crown jewels of your security or if companies can no longer protect their IP, that really is a game changer. So I do think that there's a strong movement, a strong understanding that this is something that we need to move to fast and move - but at the same time, given that there still is a horizon there, get the policy in place and get the resources in place to actually help target it towards some more effective policies in that regard and then also help allocate resources to help move towards that desired end state faster than the competitors. 

Dave Bittner: Yeah. All right. Well, interesting times for sure. Andrea Little Limbago, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.