Tata Power sustains cyberattack. Influence operations and battlespace prep. Ransom Cartel looks a lot like REvil. Notes from Russia’s hybrid war.
Dave Bittner: There's been a cyberattack against Tata Power. The FBI warns U.S. state political parties of Chinese scanning. Russian influence ops play defense while China is on the offense. Ransom Cartel and a possible connection to REvil. Prestige ransomware is cited in attacks on Polish and Ukrainian targets. DDoS attacks interfere with Bulgarian websites. Grayson Milbourne of OpenText Security Solutions on SBOMs. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of zero trust. And Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine - probably.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 17, 2022.
Cyberattack against Tata Power.
Dave Bittner: In a story that's still developing, Indian energy company Tata Power disclosed on Friday that it had been hit by a cyberattack that affected some of its IT systems, the Record reports. The nature of the attack is unclear, but the company says its operational technology is still functioning. The Economic Times cites a senior official as saying that an intelligence input had been received about a threat to Tata Power and other electricity companies. We'll be following the story and providing updates as they become available.
FBI warns US state political parties of Chinese scanning.
Dave Bittner: The Washington Post reports that the FBI has been alerting state Democratic and Republican Party organizations that they're the subject of increasing scans by Chinese intelligence services. The scanning, which the FBI was unwilling to discuss publicly given the sensitivity of the matter, seems to be reconnaissance and target development. A senior U.S. official told The Post that the bureau is working to get ahead of the opposition, stating the FBI is being considerably more proactive. It's part of a larger move that the FBI isn't waiting for the attack to occur. They're increasingly trying to prevent. The report follows other more public alerts concerning the probability of foreign influence operations directed against the U.S. midterm elections.
Russian influence ops play defense; China’s are on the offense.
Dave Bittner: Mandiant has released the second issue of its Cyber Snapshot report. Among the topics it takes up is the current state of influence operations. The researchers note that Russian state-sponsored threat actors are currently conducting widespread IO campaigns to bolster the positive perception of the Russian invasion of Ukraine to the Russian people. Meanwhile, China-aligned actors are carrying out information operations to sway public opinion against the expansion of rare-earth minerals mining and refining operations in the U.S. and Canada, likely as an attempt to protect China's heavy investments in rare-earth production. The researchers add, Mandiant finds that these kinds of campaigns are happening constantly. We regularly see new actors who operate on behalf of nation-states but have never before demonstrated a significant cyber capability.
Dave Bittner: As usual, the most insidious lies get a bodyguard of truth. Mandiant says the most effective information operations involve combining truth and lies, particularly through leaking stolen information. They state, the most concerning trends seen in the IO space concern hack-and-leak campaigns. Hack-and-leak IO campaigns are cyber operations in which an attacker breaks into a victim's network, steals sensitive, damaging data and leaks it publicly to influence a given audience. In many cases, hack-and-leak operators will alter the material they steal to make it seem even more damaging. These IO campaigns have had significant impacts in the past, including during the 2016 presidential election in the U.S. As an increasing number of actors adopt IO as a viable means to achieve their goals every year, campaigns will continue to evolve as their capabilities improve.
Ransom Cartel and a possible connection to REvil.
Dave Bittner: Palo Alto Networks' Unit 42 has published a report on the Ransom Cartel ransomware-as-a-service offering, finding that it has possible ties to the probably now-defunct REvil ransomware gang. Palo Alto states, at this time, we believe that Ransom Cartel operators had access to earlier versions of REvil ransomware source code, but not some of the most recent developments. This suggests there was a relationship between the groups at some point, though it may not have been recent. REvil went into hibernation shortly before the Ransom Cartel activity was observed. The BBC reported on January 14 of this year that Russian authorities had arrested 14 members of REvil. In an unusual gesture in the direction of international responsibility and cooperation against organized crime, Russia's FSB said it had acted on information provided by U.S. law enforcement agencies. Russia's cooperation stopped short of extraditing anyone to the U.S. The U.S. at the time expressed polite, cautious optimism that perhaps Russia would begin cracking down on some of the cyber gangs it had long permitted to operate relatively unmolested. But few had any realistic hope that this would happen any time soon.
"Prestige" ransomware sighted in attacks on Polish and Ukrainian targets.
Dave Bittner: It certainly hasn't inhibited other Russian criminals and privateers. Microsoft on Friday reported detecting a novel strain of ransomware the company is calling Prestige. The campaign deploying Prestige has afflicted organizations in Poland and Ukraine, specifically targeting the transportation and related logistics sectors. The Microsoft researchers state, the enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment.
Dave Bittner: Who's behind the effort is unclear, but Microsoft sees some circumstantial signs of a connection to Russia, although those fall short of justifying an attribution. They state, the activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware, also known as HermeticWiper. HermeticWiper was used in the opening days of Russia's invasion of Ukraine against targets in that country and also in Latvia and Lithuania, Reuters observes. Microsoft is tracking the threat actor involved as DEV-0960. The attackers used stolen credentials to gain access to the systems they hit. There are indications that the credentials had been stolen some time ago in advance of the ransomware deployment, and this suggests that the attackers were timing the attacks for unknown reasons of their own. The ransomware infections were all accomplished within an hour.
Dave Bittner: Microsoft summarized the outlook for future attacks, stating, the threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. In their report, Microsoft provides hardening guidance to help build more robust defenses against these threats. In full disclosure, Microsoft is a CyberWire partner.
Distributed denial-of-service attacks interfere with Bulgarian websites.
Dave Bittner: On Saturday, Bulgaria's prosecutor general blamed Russian operators for a DDoS attack that disrupted Bulgarian government websites. Radio Free Europe/Radio Liberty reports that Prosecutor General Ivan Geshev described it as a serious problem, calling it an attack on the Bulgarian state. In addition to the president's office, the distributed denial-of-service attack paralyzed the websites of the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court. The attack traffic appeared to originate from the Russian city of Magnitogorsk. And the Bulgarian news service Dnevnik says that Russia's Killnet threat group claimed responsibility. Like Poland, Bulgaria has aligned itself with Ukraine during Russia's war.
Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine (probably).
Dave Bittner: And finally, SpaceX founder Elon Musk tweeted his intentions Saturday to maintain Starlink service to Ukraine, whether or not he gets paid to do it, stating, the hell with it. Even though Starlink is still losing money and other companies are getting billions of taxpayer dollars, we'll just keep funding Ukraine government for free. CNBC cautiously mentions that it's not clear that the tweet was free of sarcasm, and so perhaps it would be good to wait to see whether the subsidy continues. Mr. Musk did follow his original tweet with an indelicate remark to the effect that the comments on that particular thread amounted to a conspiracy theorist's unusually vivid erotic dream. An essay in TechCrunch argues, under the headline "Starlink isn't a charity, but the Ukraine war isn't a business opportunity," that the company should provide more transparency on costs and that governments should arrange support adequate to meet Ukraine's wartime needs. In a subsequent tweet, Mr. Musk explained his decision as coming down roughly to deciding that, sometimes you just need to do the right thing. Starlink has played a major role in sustaining Ukraine's communications during the present war. Sometimes you've just got to do the right thing.
Dave Bittner: After the break, Grayson Milbourne of OpenText Security Solutions talks about SBOMs. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of zero trust. Stay with us.
Rick Howard: I'm joined by Bryan Willett, the CISO at Lexmark. Bryan, thanks for coming on the show.
Bryan Willett: Oh, thank you for having me.
Rick Howard: So, Bryan, we're talking about zero trust today. And zero trust has been the buzzword phrase at all the conferences for a couple of years now. And like many security terms before it, like machine learning and AI and XDR and a bunch of others, the phrase has hit that phase in its own evolution from original great idea to vendors trying to implement it to marketing departments flooding the zone with it to the point where many security practitioners dismiss the entire concept as just marketing fluff. But you guys don't agree with that, right? Just because there's a lot of vendor marketing doesn't mean that the idea isn't sound.
Bryan Willett: I agree. It is a sound idea, and at Lexmark, we had been working on implementing zero trust for the past six years. You look at zero trust. It really describes the foundational principles of a well-operating security organization. And you combine that with other standards like ISO 27001 and CIS 20 or 18 - they really get in there and define what needs to be done. And with the CIS 18, it helps provide some priority on what you should go and tackle first in order to establish a mature security program. And I've told my team many times, while it's a journey and it's excellent practice, when it comes to the controls that we're going to implement, I do think it's important for them to be specific. Don't just tell me we want to implement zero trust, but be specific about the control that we need to implement.
Rick Howard: Well, let's talk about that 'cause in the original Kindervag paper - he published that in 2010. That's where most people point to for the original idea, although I would say that there was discussion about zero trust ideas before that. But Kindervag gets the credit for it. But in that original paper, he talks about only allowing access to the resources that the employee needs or the device needs or the application needs. How do you guys go about doing that at Lexmark?
Bryan Willett: It first started as, can I determine what assets are on my network? It was creating a CMDB database of all the assets on the network and then assigning an owner to every one of those assets. Once we knew we had the owner, then we started the process of making sure the asset was managed, making sure that we had monitoring on every one of those assets. And then one of the most controversial with the user population was removing admin rights.
Rick Howard: (Laughter) Indeed.
Bryan Willett: Yes. And removing those admin rights - that took quite the culture change in order to make that happen.
Rick Howard: Oh yeah. I'm one of those guys that I don't want admin rights 'cause I make mistakes all the time. So I think I'm one of the only CISOs that says, you know, please take me off. I don't want the finger pointing at me, OK, when something goes wrong.
Bryan Willett: And I'm right there with you.
Rick Howard: (Laughter). So, Bryan, now you're doing that for employees, and you're doing it for devices, and you're also doing that for application code that Lexmark writes and then code that you guys use, like third-party vendors, those kinds of things?
Bryan Willett: That's correct. So on the third-party suppliers, we've implemented a third-party risk management program where we put our suppliers through a set of criteria and questions to them to try and understand their risk posture, because we need them to protect the data, much like Lexmark's required to protect the data of our customers. And then on the products - very similar - it is zero trust in the aspect of we implement a security development life cycle on all of our products. We work very hard to ensure that any software that we include in the product, we understand the vulnerabilities in it. We patch those on a regular cadence. We look at the code that Lexmark develops, trying to ensure that the firmware or software in that product has been analyzed to look for vulnerabilities and address those vulnerabilities. And that's true of our legacy products, as well as any of the new products that we've developed, like our new Optra IoT platform.
Rick Howard: So are you guys doing that in-house? Like, are you writing code to manage all those entities? Or have you found a vendor that can help you do that or just some combination of all that?
Bryan Willett: It always depends on the channel that we're selling to. So we have both. We have our own software to manage the product, but we have third-party partners who may have software that they prefer to use to manage the products with their customers. And we also support them, as well.
Rick Howard: And then, you know, in these last five years, we've all branched out, and our data is everywhere. I call them data islands. We have - we still have the data centers. We still have mobile devices. But we're also in cloud. And a lot of us are using SaaS applications now. So you're having to manage that in all these different places. Do you have a different zero-trust solution in all those locations, or is it one big one that handles everything?
Bryan Willett: Well, it's been great over the last - it's more than 10 years, but really in the last three years at Lexmark has been a concerted effort to move us to cloud overall. And during that effort, it has been an excellent opportunity to get rid of that technical debt that we had in the data centers to fully adopt the zero-trust model, especially from a network standpoint, as we had migrated to the cloud. So that's been a huge part of it. And then as you look at the risk associated with cloud, adopting a CNAPP platform has been very helpful for us, as well, where we get great visibility across all the clouds that we're in to the risks that are present and starting to work through any of those risks to lower our overall risk in the cloud.
Rick Howard: What does CNAPP stand for?
Bryan Willett: Cloud-native application protection platform. So it's a combination of your cloud security protection platform and your cloud workload protection platforms such that you can both monitor your active workloads and implement policy on your infrastructure as code as it's going into the cloud.
Rick Howard: So good stuff, Bryan, but we're going to have to leave it there. That's Bryan Willett, the CISO at Lexmark, a long way down the journey of his zero-trust implementation. Thanks for coming on the show, Bryan.
Bryan Willett: Thanks for having me.
Dave Bittner: And I'm pleased to be joined once again by Grayson Milbourne. He is the security intelligence director at OpenText Security Solutions. Grayson, always great to welcome you back to the show.
Grayson Milbourne: Hey, thanks, Dave. Glad to be here.
Dave Bittner: I want to touch today on SBOMs, software bills of material. There's some kind of an interesting historical precedent here that I know you want to touch on.
Grayson Milbourne: Yeah. So - well, let's just touch quickly on what the software bill of materials is. And then I think my analogy will make a little bit more sense, right? I mean, today what happens with software development is that a lot of times, you don't want to develop something new if somebody has already done the work. And so we see a lot of code reuse and especially within the open source code community. What this means is that, you know, my software - maybe I - you know, I'm a business, and I sell a solution. If that solution is partially my own ingredients and also several other developers' ingredients from different open source communities - or maybe it's a partnership, you know. Now it's not really just my project. It's really the combination of what I've put in, plus what I've put in from other pieces to support the overall solution.
Grayson Milbourne: And so the idea is that a software bill of materials is something that a potential purchaser of your solution could look at and say, ah, this is what goes into it. Or, you know, if you think about vulnerabilities that often can happen, this is a way that you can then track and understand what has been impacted because the idea is to get everybody to do this. But, you know, right now not very many people do. And I think this is kind of where, like, my analogy started off that I wanted to talk about - is the kind of the history of food labels. And I think today, everything has a label on it. I don't think you can go into a supermarket here - and outside of maybe the produce section, everything else that comes in a box has, you know, its own - its box of materials.
Dave Bittner: Right, right.
Grayson Milbourne: We call it just, like, the food label, the ingredients. But apparently, you know, the food label industry or, like, food labels as a whole is a relatively recent addition to how we purchase food and really didn't come up until, like, I guess the late to mid-'60s. And this was sort of in that transitionary period where food - we had more prepackaged food and there was more - perhaps not healthiest food, but a lot more food was coming in in packages that was - you know, was confusing to consumers. They wanted to know what's in it. And hence, the FDA creates, you know, this new mandate. And, you know, manufacturers have to list, hey, this is what's inside of it. And consumers get to then evaluate that and make the right decision for themselves.
Dave Bittner: So, I mean, using your analogy, extending your analogy, if you look at a food label, sometimes, it'll have things on there like artificial and natural ingredients, you know, where a manufacturer doesn't want to give up the secret formula for Coca-Cola or something like that. I mean, are we allowing for that with SBOMs, where perhaps there are some trade secrets within the way people are putting together their software?
Grayson Milbourne: So I think, I mean, the goal of this is certainly not to give away core IP of your technology. It's really more to expose when additional components that aren't your own have been added. So if it's something that I have developed entirely and my software company is the sole proprietor of all of the intellectual property and we've reused no other code, then you know, the bill of ingredients is my software. But if I've included third-party libraries or if I've included, you know, third-party components or open-source components, I should list that and also the version of that so that I know if, for example, like, you know, I'm using a specific version of DirectX in my video game, and now I've seen that there's an exploit for an older version, it just really helps us understand what's impacted.
Grayson Milbourne: And it's - it creates a solution to, you know, this knowledge that more vulnerabilities are going to be encountered, and we need a better way to react to it, especially if it's something very massive, like Log4j was. You know, we're still not really seeing the entirety of the impacts of that vulnerability and how easy it is to exploit, largely because we don't have a great index of all the things that are using it. Or they were compiled using that Java library. So it's one of these things that if we knew, we could then more easily go after the implementations of software that are most vulnerable and reduce the overall risk associated when these inevitabilities happen.
Dave Bittner: Now, here in the U.S., my perception is that the federal government is really leading the way when it comes to mandating that. Is that a proper perception on my part?
Grayson Milbourne: Well, so I would say they're using their oversized influence. And, you know, the United States government is one of the largest software purchasers and has the largest buying power. And so, you know, they can start to say, we don't want to buy your software unless it comes with the software bill of materials. And so I think what we're starting to see - and this is largely driven by CISA. And CISA has really looked also at the Log4j nightmare of a vulnerability. And how are they able to help businesses identify their risks? How were they able to, you know, help people update and address this vulnerability? You know, if we had SBOMs, it would be a much easier thing to do. But they know that, you know, there's not a mandatory regulatory agency or anything like that that mandates it. From what I've understood, the government's really looking at changing their purchasing process and trying to work with vendors and encourage software vendors to use SBOMs as a way to mitigate risk and to be more transparent about what's actually inside of your application.
Dave Bittner: So more of, I guess, a soft mandate in that it's not necessarily regulatory, but if you want to do business with the biggest customer, you're going to have to do this.
Grayson Milbourne: Yeah. And then, you know, my hope is that it kind of flows beyond that. And it could potentially be a competitive advantage, right? You know, a possible customer might be looking at my solution. They might be looking at somebody else's solution. If I say, well, yeah, I mean, we have very comparable things, but, you know, we also track our versioning and provide this additional telemetry about how our app is built. Let me tell you why that's important. And you have some peace of mind from your SOC team now - can say, oh, hey, this new thing was released. Let's look through the, you know, SBOM index software used in our business. And, you know, all of a sudden, in a very short amount of time, you can discover which, you know, may have been impossible to know before.
Dave Bittner: Yeah. All right. Well, interesting insights. Grayson Milbourne, thanks for joining us.
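The workflow Grayson describes in the segment above, a SOC team looking through its SBOM index when a new vulnerability lands to find which products carry the affected component, as an added example that is not part of the original broadcast and is not code from OpenText, CyberWire or Lexmark. It reads a constructed CycloneDX-style SBOM embedded inline, matches each component's Package URL against a constructed advisory feed whose identifiers (ADV-0001 and so on) and version ranges are hypothetical, and reports what needs patching. The version comparator is a generic approximation written for this example, not an ecosystem-specific one.

```python
"""Match an SBOM's components against an advisory feed.

Added example, not CyberWire's, OpenText's or Lexmark's code. Both the SBOM and
the advisory list are constructed inline for the example; the advisory IDs and
affected version ranges are hypothetical, not real CVE data.
"""
import json
import re

# Constructed CycloneDX-style SBOM (JSON). Only the fields used below are present.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Constructed advisory records: hypothetical IDs and ranges, not real CVE data.
# Each record names the package (purl without version), the first affected
# version, and the first fixed version (half-open range [introduced, fixed)).
ADVISORIES = [
    {"id": "ADV-0001", "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "purl_prefix": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.0", "fixed": "2.13.3"},
    {"id": "ADV-0003", "purl_prefix": "pkg:npm/lodash",
     "introduced": "0", "fixed": "4.17.21"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Split a version into comparable tokens.

    Numeric tokens compare as integers; alphabetic tokens (beta, rc, ...) sort
    below every number so that 2.0-beta9 < 2.0. This is a generic approximation;
    real tooling uses the comparator of the component's package ecosystem.
    """
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        else:
            key.append((0, 0, tok.lower()))
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    ka, kb = version_key(a), version_key(b)
    pad = (1, 0, "")  # missing trailing segments count as ".0", so 2.14 < 2.14.1
    n = max(len(ka), len(kb))
    ka += [pad] * (n - len(ka))
    kb += [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def find_affected(sbom_json, advisories):
    """Return one hit per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        prefix = purl.split("@", 1)[0]           # purl without its version part
        version = comp.get("version") or purl.rsplit("@", 1)[-1]
        if not prefix or not version:
            continue                              # nothing to match on; skip, don't guess
        for adv in advisories:
            if prefix == adv["purl_prefix"] and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append({"advisory": adv["id"], "purl": purl,
                             "version": version, "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['purl']} (fixed in {hit['fixed_in']})")
```

Run against the embedded data, only the log4j-core entry is reported: jackson-databind 2.13.4 is past its fixed version and lodash 4.17.21 equals its fixed version, so the half-open range excludes both. Matching on the purl prefix rather than the bare component name matters in practice, since the same library name appears in several ecosystems, and exact prefix equality avoids the false positives a substring match would produce.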
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.