The CyberWire Daily Podcast 10.24.22
Ep 1689 | 10.24.22

US unseals cases against PRC intelligence officers. Daixin ransomware is an active threat. FBI warns of Iranian threat group. Iran’s nuclear agency discloses hack. Hybrid war and threats to infrastructure.


Dave Bittner: In breaking news, the U.S. unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of Iranian threat group's activity. Meanwhile, the Iranian nuclear agency says its email was hacked. Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from "Afternoon Cyber Tea" speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. And cyber offense may be proving harder than thought.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 24, 2022. 

Breaking: US unseals three cases against Chinese intelligence ops.

Dave Bittner: The U.S. Department of Justice, this afternoon, held a press conference to announce the unsealing of three cases against 13 Chinese nationals, including 10 Chinese intelligence officers. Attorney General Merrick Garland outlined the cases. 

Dave Bittner: The first involved charges against two Chinese intelligence officers, who allegedly bribed a U.S. citizen, an insider, to reveal sensitive and nonpublic information about the U.S. prosecution of a Chinese telecommunications company. In fact, the person they recruited was a double agent and not a genuine asset. The Justice Department declined to name the Chinese company involved in the prosecution. 

Dave Bittner: The second case involved the activities of a front Chinese academic organization, a fake think tank, that had allegedly been engaged in both theft of U.S. intellectual property and in the suppression of constitutionally protected free speech regarded as embarrassing to China. Four individuals were charged in that case. 

Dave Bittner: Finally, the third case, in which seven individuals were indicted, involved China's Operation Fox Hunt, a long-running program of forcibly repatriating Chinese who have emigrated to other countries and who are regarded as a threat to the reputation or security of the People's Republic. Chinese agents are alleged to have hounded victims and their families with physical intimidation, frivolous lawsuits, threats and other harassment, promising that these would not stop until the victims returned to China. 

Dave Bittner: Assistant Attorney General Lisa Monaco said the cases were all prompted by China's unrestrained pursuit of world power, especially world economic power, unconstrained by international norms or respect for other nations' sovereignty. And FBI Director Wray said that anyone approached by Chinese intelligence services could count on the full support of the bureau. 

CISA alert: Daixin Team ransomware is an active threat.

Dave Bittner: CISA has warned that the Daixin Team, a criminal ransomware group, is currently active against U.S. organizations. The joint alert says in part, the FBI, CISA and HHS are releasing this joint CSA to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the health care and public health sector, with ransomware and data extortion operations. 

Dave Bittner: The Daixin Team, which is believed to deploy a leaked version of the familiar Babuk ransomware, is thought to gain access to its victims through vulnerable virtual private networks, that is VPN servers. They exploit either unpatched vulnerabilities in the VPN server or they use credentials they've obtained through phishing campaigns. So the episode reteaches two old, familiar lessons - keep your systems patched and up to date, and beware of social engineering. 

FBI warns of Iranian threat group's activity.

Dave Bittner: The FBI has warned enterprises that Iranian hacker group Emennet Pasargad, a hacker group with ties to the Iranian government that tried to interfere in the 2020 election, is currently active. The bureau says it is engaged in hack-and-leak operations of a kind familiar from earlier election cycles. Decipher reports that the FBI says the group uses network intrusions along with information operations and fake personas that exaggerate and amplify the group's operations. They have also been seen exploiting vulnerability CVE-2021-44228, or Log4Shell, to get into a U.S. organization's server, GovInfoSecurity reports. The threat actors use open-source penetration testing tools, look for vulnerabilities in content management systems and websites running PHP code or those with externally accessible MySQL databases. 

Dave Bittner: If you think you know any of the folks involved in Emennet Pasargad, there may be a reward in it for you. The State Department has announced a reward of up to $10 million for information about members of the group. That particular reward is in addition to the cool 10 million already announced for information about two of the group's operators who are also on the FBI's most wanted list. 

Iranian nuclear agency says its email was hacked.

Dave Bittner: Iran has also been on the receiving end of a cyberattack. Radio Free Europe/Radio Liberty reports that Tehran's Atomic Energy Organization, the country's main nuclear agency, disclosed yesterday through state-run media that one of its email servers had been compromised. The disclosure came a day after Black Reward, which presents itself as a dissident Iranian hacktivist group, claimed on social media that it had gained access to the internal email system of Iran's nuclear power production and development company. The Atomic Energy Organization said that the motive of the hack was to attract attention. 

Dave Bittner: In a sense, that may be correct, insofar as Black Reward says it conducted the operation in solidarity with ongoing protests against the regime, doing it, as the group is quoted as saying, for “women, life, and freedom.” Bloomberg says that an internal investigation of the cyberattack is underway. 

Norway concerned about threats to oil and gas infrastructure.

Dave Bittner: The investigation into the Nord Stream sabotage continues, but Norway is already seeking to improve the physical security of its North Sea oil and gas production operations. And the AP reports that Oslo hasn't been shy about naming Russia as the threat. It's noteworthy that seven Russian nationals have been taken into custody by Norwegian authorities in connection with their operation of drones over Norway. A small drone is unlikely to do much damage to oil infrastructure, but the drone activity has been so obvious that observers think the point is intimidation and not actual damage, drones having become the bugaboo of Russia's hybrid war. 

Cyber offense may be proving harder than thought.

Dave Bittner: Norwegian authorities are also concerned, according to the Record, about the risk of Russian cyberattack against its oil and gas sector, but there also seems to be a growing sense that such disruptive cyber operations may be more difficult to carry out than had been feared earlier in the war. Another piece in the Record suggests that the war so far suggests that cyber defenses are improving to the point where they are able to deny attackers success. And it may also be that Russia has so neglected its own cyber defenses in favor of developing an offensive capability that Moscow's own capabilities have been degraded by Ukrainian and possibly allied attacks. In any event, Russia has shown a willingness to hit Ukrainian infrastructure as hard as it can kinetically, but the once widely feared disabling cyberattacks against the power grid in particular have failed to materialize. 

A drop in ransomware correlated with Russia's hybrid war.

Dave Bittner: That's not to say that Russian cyber operators have been completely idle or that they've been the dog that didn't bark. But their operations - those by Killnet, to take a prominent example - have tended to look more like crime than disabling nation-state operations. Distributed denial-of-service - that is DDoS - and ransomware have been their characteristic modes of attack, and there are some indications that they've been pulling some of the gangs away from their usual activities. 

Dave Bittner: Digital Shadows late last week published its regular report on the state of ransomware, and the company noticed an overall decline in the incidence of ransomware attacks. The Telegraph yesterday published an appreciation of those results, informed by conversations with Digital Shadows researchers. Part of the drop is due to the co-opting of Russian criminal gangs into Russia's war effort, diverting them from their customary criminal activities and onto targets more likely to have a combat payoff. Digital Shadows threat intelligence analyst Riam Kim-McLeod told the Telegraph the war is likely to continue to motivate ransomware actors to target government and critical infrastructure entities. 

Dave Bittner: Coming up after the break, Ann Johnson from "Afternoon Cyber Tea" speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. Stay with us. 

Dave Bittner: Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on the CyberWire network. And she recently spoke with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Here's an excerpt from that conversation. 

Ann Johnson: So can we start with a little bit of historical context? Why do you think employers have had such a high bar of entry into their cyber programs? And what was the thinking from cyber leaders on the skill sets they needed in the past? 

AJ Yawn: Yeah, it's a great question. And I think the - there's a few reasons why. I think with the importance of cybersecurity and how cybersecurity has become so important to companies at the highest levels, where you're talking about cybersecurity at the board level - the SEC has recently mandated that companies of a certain size have cyber representation on the board. I think because we're seeing that cyber is so important, companies reacted to that with, oh, we need to hire unicorns. We need to hire people that are the perfect fit, that have all of these skill sets to build our cybersecurity programs because if we don't, we're going to fail since there's so many eyes on this. And I think that fear seeped into the hiring process and created these really high bars of entry for folks getting into the cyberspace because of that. 

AJ Yawn: I think also, you know, there's a ton of gatekeeping because of the challenges that people that, you know, kind of started this whole cybersecurity thing in sector - they had to go through a lot to get into the field. And now with the advancement of certifications and the boot camps and just the many different ways that people can get into the field, I think the folks that are in position to hire people into cybersecurity are looking for folks that went down the same exact path of them - the same exact schooling, the same exact background. 

Ann Johnson: So today, what do you think business leaders should be looking for, for balancing that need for mitigating the risk but also being more expansive and also not necessarily looking for this huge list of credentials? How do you think we can help business leaders balance that and what skills really are important? 

AJ Yawn: Yeah, I think one thing with cyber that I think is super important to look for if you're going to have a successful career in this field is you have to care. You have to actually care about this industry because it's hard. It's challenging. There's going to be things that you don't know, and you're going to have to be very comfortable being uncomfortable. So really making sure that folks care about the job, they care about the mission that you all have from a company perspective in protecting the data that's there I think is really critical. 

Ann Johnson: But what programs or communities do you think that people who are trying to break into the industry should be leveraging? How can someone who's early in career market themselves to employers and how can they get the attention of employers? 

AJ Yawn: First and foremost, the LinkedIn platform is probably the most underutilized social platform out there when it comes to networking and building a brand that can help. And then the other thing that I would suggest from a tactical perspective on LinkedIn is to really reach out and try to get folks on calls, people that are in roles that you think you want to be in. If you want to be a pen tester, find a pen tester to talk to about what they do. Read their resume, read their background and just learn from folks that have been there and done that. 

Dave Bittner: Josh Ray from Accenture is a regular guest here on the CyberWire. And I recently spoke with him about threats to the satellite industry. Here's my conversation with Josh Ray. 

Josh Ray: What's the business imperative here, like, why organizations should care kind of about this topic? And I think it has a lot to do with the fact that this satellite infrastructure can be deployed, really, with significantly less terrestrial investment to rural or underserved areas across the globe, and I also kind of think that the redundancy component for companies and their communications from things like natural disasters, the ability to expand into new markets at lower cost, access to geographic regions where things may be problematic to lay fiber due to, say, natural topography or geopolitical instabilities. But also consider this - you know, we saw cloud as the first concept of virtualization into these centralized cloud services. We can really foresee spaceborne virtual visualization via, say, a satellite constellation, which will really enable this notion of supercomputing functionality and ultimately better efficacy and transmission paths for communication media. So that's kind of the business imperative. But, you know, really, with that comes this notion of an expanded attack surface. 

Dave Bittner: So what are some of the security concerns here? 

Josh Ray: Yeah, I was speaking with a colleague of mine, Chris Hudson, and, you know, we were kind of working through this. And broadly speaking, I think the threat vectors are things like, you know, the kinetic physical attacks. And you saw this with the Russian missile tests against Kosmos 1408. And then you have nonkinetic physical weapons - high-powered microwave, electromagnetic pulses, lasers, etc. And then you have this notion of cyber, of course, which I think is, you know, most applicable. But cyber really does present this lower barrier of entry from a threat capability standpoint. 

Josh Ray: And we've seen this, you know, rapid proliferation of commercial satellites and the demands for Starlink equipment and Viasat terminals, which has really given way to attacks like we saw during the Russian-Ukrainian conflict against the Viasat terminal. And this one was actually really interesting in the sense that, generally speaking, you know, a misconfigured VPN server was exploited that allowed access to the actual management terminal. So, you know, once the actor was able to gain a foothold there, they established some malware that caused the denial of service against the satellite software. So it wasn't necessarily the design of the satellite that was the problem, but absolutely, the satellite communications were affected. And this really illustrates an important point around interoperability and how this is very much a significant issue. 

Dave Bittner: Well, let's dig into that. I mean, where do we stand when it comes to those sorts of interoperability standards? 

Josh Ray: So you have the threat component, and then you also have this concept of ASI, or Adjacent Satellite Interference. And it also speaks to the rapid growth that we're seeing in this industry. So, for instance, as more satellites are emerging from, say, new countries and the commercial companies are driving growth, we see the potential for, you know, confusion around how we track satellites and understand the ownership, which could also cause a significant interference in the communications piece. 

Dave Bittner: Is this something where we're going to have to have international agreements? Is this an area for treaties? How do we come at this? 

Josh Ray: Yeah, I think that's a really important piece. I mean, there's going to need to be some things around regulations and governance. And there are some industry standards that are being worked on and some proposed legislation. But there really are no concrete, decisive standards of interoperability between space and, say, ground systems that are in practice. And this is a major concern, especially as the commercial entities are continuing to enter into the market - also an area where, you know, I would call for public and private sector to kind of really stack hands here so we can get the most, I'd say, commercially viable and secure outcome possible. 

Dave Bittner: Do you know of any specific, you know, events or incidents where, you know, an operator of satellites detects that someone is, you know, poking around, testing out to see if perhaps something might be vulnerable? Does that sort of thing go on? 

Josh Ray: Well, I think it does. And I think the Viasat piece really kind of highlights that - the use case that I mentioned before. But I think we're really going to start to see this blurred lines between commercial space and military space, right? So governments are already starting to seek guidance to see how they can actually get more remote sensing information from commercial suppliers. So if this happens, as, say, just a matter of course, you know, we think that the commercial satellites could be seen as potential military targets, even if its use was really purely for, say, a commercial application. 

Dave Bittner: Yeah, what an interesting thing to ponder, just from a critical infrastructure point of view. If you have that blurring between civilian use and potential military use, that really makes things fuzzy, doesn't it? 

Josh Ray: It absolutely does. And really, you know, one of the things that we take for granted very badly is this notion of GPS, right? We all leverage that every single day, but it can be manipulated, right? And we're starting to see more smart factories where robotics are being deployed for, say, cost cutting and for safety purposes, but imagine just rebroadcasting or spoofing GPS changes that could affect these robots or cause them to collide, you know? So a regular, you know, relatively straightforward attack carries with it a significant opportunity for revenue loss, property damage and physical safety concerns. And I think that, you know, really, from a cybersecurity perspective, there is a potential risk that, you know, as the application of satellite infrastructure becomes a lot more prolific, it's not treated in the same way that, say, your terrestrial IT infrastructure will be. 

Josh Ray: So what I mean by that is, you know, you think about something like a satellite terminal, which is designed to really purely communicate upstream and downstream to, say, a remote surface. And this is not something where the operators or the developers really have thought that it's going to be, you know, internet-enabled or part of that broader ecosystem, so you'll see things, probably, like, you know, just SSH or FTP-hosted devices which are not, you know, properly secured or patched. And it really makes me think about kind of the early days of OT security and IoT security, where we have to be thinking much more broadly now about not only just the communications mechanisms, but that broader supply chain and that ecosystem as well. 

Dave Bittner: Yeah, that's fascinating to consider. All right. Well, Josh Ray, thanks for joining us. 

Josh Ray: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today’s stories, check out our Daily Briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.