The CyberWire Daily Podcast 10.31.22
Ep 1694 | 10.31.22

Copper smelter hit with malware. Notes from the hybrid war. Disinformation, not direct manipulation of results, the principal threat to US elections. Ransomware in Australia’s ForceNet. Threat trends.


Dave Bittner: A leading European metals producer is hit with malware; cooperative defense in cyberspace. A Ukrainian ally describes its exposure to Russian cyberattacks. Former U.K. Prime Minister Truss' phone may have been compromised. CISA sees a complex threat environment but no specific threat to U.S. elections. The Australian Defense Network sustains a ransomware attack. The three finalists in the DataTribe challenge share insights on the competition. Rick Howard previews the new season of "CSO Perspectives," and a look at threat trends.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 31, 2022. 

Leading European metals producer hit with malware.

Dave Bittner: Aurubis, Europe's largest copper smelting company, sustained a cyberattack last week, Reuters reports. SecurityWeek notes that the incident looks like a ransomware attack, although that hasn't yet been confirmed. The company believes it was targeted as part of a larger campaign against the metals sector. It responded by shutting down certain IT systems and isolating them from the internet. Its core industrial processes have continued to function. Aurubis said the production and environmental protection facilities at the smelter sites are running, and incoming and outgoing goods are also being maintained manually. Transitional solutions are being implemented to make the company's full services available to business partners again starting next week. Customers and suppliers can still reach their Aurubis contacts by phone. 

Cooperative defense in cyberspace. 

Dave Bittner: Turning to Russia's hybrid war against Ukraine, it's well known that countries sympathetic to Ukraine have contributed weapons, ammunition and other supplies to Kyiv's defensive war. They've also contributed cyber operational capability. The BBC was permitted a look inside U.S. Cyber Command's forward deployment to Ukraine and other countries threatened by Russian cyber operations. In their hunt forward operations, Cyber Command's teams concentrate on detecting threat activity and reporting it to their partners so the partners can themselves eject the threat actors from their networks. The combined operations the BBC described were conducted before Russia's February invasion, but they continued in country up until the eve of the invasion, at which point the team was relocated from Ukraine. While it was there, however, it contributed both to mitigation of SolarWinds' exploitation and Ukraine's preparation to withstand wiper attacks. The BBC points out that hunt forward missions are classed as defensive. But General Paul Nakasone, who leads both the military's Cyber Command and the National Security Agency, confirmed offensive missions have also been undertaken against Russia in the wake of the invasion of Ukraine. But he and others declined to provide further detail. 

A Ukrainian ally describes its exposure to Russian cyberattacks.

Dave Bittner: Varis Teivans, deputy manager of Latvia's Computer Emergency Readiness Team, described his country's experience of Russian cyber operations since the war against Ukraine began. In a conversation with The Record by Recorded Future, he said that the rate of cyberattacks against Latvia had increased by 30% since the war began in February. The Baltic country's experience has been a familiar one - nuisance-level, state-inspired nominal hacktivism, much of it by Killnet, has dominated the threatscape. These attacks have often shown poor intelligence preparation and often amount to nothing more than what Teivans characterized as PR, as in the publication of publicly available information with the claim that it had been obtained through hacking. 

Dave Bittner: The state organizations proper, the APTs run directly by Russian intelligence services, are of more concern. But while their aim and their planning are better than the hacktivist militias', they, too, seem to have concentrated more on DDoS as a means of disruption. That could change as the war situation changes. Teivans said we are still at a stage where kinetic warfare is a priority for the attacking nation, while cyber is only a tool for threat actors to gain some economic and political advantage or a means to support kinetic operations. Despite a lack of results so far, Ukraine, NATO and the EU remain on alert for Russian cyberattacks on the power grid. 

Former UK Prime Minister Truss' phone may have been compromised. 

Dave Bittner: Russian intelligence services are believed to have successfully compromised former British Prime Minister Liz Truss' personal smartphone, The Mail on Sunday reported in an exclusive this weekend. The compromise is thought to have occurred while Ms. Truss was serving as foreign minister and continued through the summer's Conservative Party leadership campaign, according to Reuters. The BBC says that Labour and Liberal Democrat members of Parliament have called for a government investigation. This would presumably extend to how any compromise was accomplished, what information would have been compromised and the extent to which officials use personal devices to communicate about official business. 

CISA sees a complex threat environment, but no specific threat to US elections. 

Dave Bittner: CISA Director Easterly urged election authorities to secure their systems and take steps to protect their operations from violence in what she characterized as a very complex threat environment. But she also said, CBS News reports, that "we have no information about specific or credible threats to disrupt or compromise election infrastructure." The Washington Post has spoken with a range of cybersecurity experts, and they are in general agreement that disinformation, and not compromise or manipulation of the vote itself, is the principal challenge the U.S. faces during the midterms. So beware of seditious and bogus narratives and their amplification by the credulous, the ill-intentioned and those just addicted to chatter. 

Australian Defence network sustains ransomware attack.

Dave Bittner: ForceNet, which the Guardian describes as a kind of internal social media platform for Australia's military, has sustained a ransomware attack. ForceNet is maintained by an external contractor, ABC reports, and that vendor initially said that no personal information had been exposed. Since that initial disclosure, however, the Australian government has begun to suspect that some private details, such as dates of birth and dates of enlisting, may have been stolen. 

Deep Instinct Threat Study.

Dave Bittner: And finally, Deep Instinct has published its 2022 Interim Cyber Threat Report outlining some of the top malware strains and exploited vulnerabilities they've been tracking. The majority, 44%, of ransomware campaigns were launched by affiliates of the LockBit ransomware-as-a-service offering, while 23% were carried out by the now-defunct Conti gang. Emotet is still by far the dominant banking Trojan in the threat landscape, followed by njRAT at a distant second. 

Dave Bittner: The researchers also note that data theft extortion attacks are growing more efficient, stating, "Ransomware attacks remain a serious threat to organizations, causing business disruption and reputational damage. While it is not a new threat, ransomware has become easier to detect in the encryption phase. Threat groups are moving toward exfiltrating data earlier in their attack flows to demand a ransom for the leaked data instead of a key to decrypt. In the case of sensitive data exfiltration, there are far fewer remediation options. Several threat actors went even further, demanding a ransom from third-party companies if the leaked data has their sensitive information, as well. Threat groups operating ransomware campaigns are financially motivated and have begun to develop their own markets with easy-to-use query engines to find relative data from the leaks and purchase it. We saw this play out in July 2022 by a rising star in ransom operators, ALPHV/BlackCat, who introduced their new leak database." 

Dave Bittner: So the C2C market continues to mature. Keep your virtual eyes out for the crooks. 

Dave Bittner: Coming up after the break, the three finalists in the DataTribe Challenge share insights on the competition. And our own Rick Howard previews the new season of "CSO Perspectives." Stick around. 

Dave Bittner: It has become an annual tradition that the folks at startup incubator DataTribe hold their live DataTribe Challenge competition, pitting three finalists against each other in front of a live audience and a distinguished panel of judges. Up for grabs are $20,000 in prize money and, for the winner, up to $2 million in seed capital. The CyberWire is a media sponsor of the event and has received seed funding from DataTribe. The three finalists this year are Web3fied, NorthStar and BalanceTheory. I spoke with the CEOs of each of these hopefuls to find out what attracted them to this kind of competition. Vinu Thomas is founder and CEO of Web3fied, a company focusing on changing user identification and digital assets certification, verification and validation using the decentralized system of blockchain and Ethereum smart contracts. 

Vinu Thomas: I think validation of an idea - right? - the validation essentially has come with the fact that we've even reached the finals, which is great. But the opportunity to present to the judges who are, you know, very well-respected individuals in the cybersecurity space, other investors, as well - so it gives me a true opportunity to get some sense on, hey, is this idea really going to take off? That's number one. Number two, I think, you know, the execution. So DataTribe is not just telling, hey, you know, yes, the prize money is great. But they're also, you know, coaching me. They're also educating me. They're also kind of opening new doors and helping me in the overall execution of, you know, moving it from, it's no longer idea; it's now a minimally viable product. It's an MVP. So how do we take that MVP and essentially make it to something that can be, you know, widely adopted and widely loved by, you know, customers and partners and everyone alike? 

Dave Bittner: Alex Moss is CEO at NorthStar.IO, a risk-based vulnerability management company. 

Alex Moss: Refinement in messaging, and I would say that's No. 1. We're a very technical organization. And we like what we've built. And we like what we're doing. And we like to talk about it. A lot of times, that doesn't translate to good marketing and good messaging. So we've worked very hard over the last year in refining our messaging and how we talk to people and kind of walking them down a path to understand how we can solve their problem quickly and get them to near-term ROI but also share with them the longer vision of how we can mature the solution to continue to extract value over time. And we're already seeing the results of working with the team at DataTribe in helping us further refine and craft that messaging so that we're able to help communicate the value, not smooth over the complexity but not highlight it when it's unnecessary. 

Dave Bittner: Greg Baker is co-founder and CEO at BalanceTheory, a company focused on helping organizations deal with emerging threats using technology and collaboration. 

Greg Baker: What our core mission is, is really uniting the world of cybersecurity in a way to operationalize that knowledge and allow people to take advantage of it for better defense that they can take to their enterprises. That is a type of model and a type of mission that, it really requires everybody to look at it and buy-in. And whether or not you're somebody that's an enterprise CSO looking at securing their internal organization better than it is today, or you're a service provider looking to build more intimate relationships with your clients to help them solve problems more rapidly, or you're an analyst group that is putting out thought leadership around new frameworks like Zero Trust that want to see the adoption level and help clients understand how to adopt it, higher education, the list goes on, really giving them a place to come in and build this community is key. So for us, as much as, you know, investment is fuel to help product develop faster and help strengthen that capability and add to that, it's really about spreading awareness and really getting additional eyes on the mission and getting additional eyes on the approach to really help build and formulate this thing that's not just for us as a product company or builder but really for the community at large. And we value everybody's opinion. We want the outcome of what we're working on to be something that really drives lasting generational change for those that are really - had made the opportunity to make cybersecurity their career and their self-mission and give them a home that allows them to learn, to share their insights, to share their knowledge and collaborate at scale and take that institutional knowledge with them throughout their life, throughout their career and throughout their journey. 

Dave Bittner: Our thanks to Vinu Thomas from Web3fied, Alex Moss from NorthStar.IO and Greg Baker from BalanceTheory for joining us. The DataTribe Challenge is coming up November 3. 

Dave Bittner: And it is always my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So it is Halloween as we air this. 

Rick Howard: Yes, it is. 

Dave Bittner: Which means a couple of things. First of all, you've crawled out of your crypt. You've crept out of your cave to join me today on I know what is one of your favorite holidays. 

Rick Howard: It absolutely is. It totally is. It is the Howard event of the year, absolutely. 

Dave Bittner: Right. Right. You're that guy in your neighborhood who goes all out, right? 

Rick Howard: Yes, I am. Yeah. 

Dave Bittner: You have your 12-foot-tall skeleton from Home Depot? 

Rick Howard: My wife forbade me from going near that aisle, all right? So I do not have that one yet. 

Dave Bittner: OK. I see. You're already - you're fully subscribed. All right. Well, fair enough. Well, but welcoming you back also means that it must be time for another season of "CSO Perspectives," which, of course, is over on the Pro side of the CyberWire. What do you have in store for us this season, Rick? 

Rick Howard: Yeah, we are back. "CSO Perspectives" is starting its 11th season, if you can believe that. And the interns in the bowels of the CyberWire sanctum sanctorum, you know, they've been working on some fantastic stories. One is the current state of identity. I have an interview with the CEO of Ping, Andre Durand. And I don't know if you know this, Dave, but he's been in the industry since the early 2000s. So he's seen a thing or two. And his vision of where identity is going is fascinating. 

Dave Bittner: Is there anything in particular that you're hoping to glean from that interview? 

Rick Howard: It's just that I wasn't paying attention to it, and where he thinks it's going to go, it's going to be much more personalized where he would like it to go, where we all own our own identity and we don't have to be captured by the big Silicon Valley giants. So it's - I hope his vision comes to fruition. We'll see. 

Dave Bittner: Yeah. What else are you working on? 

Rick Howard: So the interns are also working on a Rick the Toolman episode about how to apply MITRE ATT&CK in cloud environments. And this is one of my pet peeves because as an industry, we just aren't very good at it, and we should be. You know, if the bad guys are going to attack us using the MITRE ATT&CK sequences, why aren't they doing it in the cloud? We just don't see that much evidence of it. So we're going to talk about how we can get better at that. 

Dave Bittner: Is it cloud specifically, or is it coming up short with the MITRE ATT&CK sequence in general? 

Rick Howard: We just haven't seen a lot of reporting of, you know, known adversary groups, like the - you know, like the Bears, you know, going after the cloud environments. Now, they'd have to use different techniques, clearly - right? - because it's a cloud environment and not your data center. But there hasn't been a lot of reporting on that. And - but I think that's starting to change. And that's good news. 

Dave Bittner: Yeah, interesting. What else? 

Rick Howard: So we also did an all-hands call to our subject matter experts that regularly come to the CyberWire's Hash Table. We wanted them to discuss strategies for how security newbies could become CISOs sometime in their careers. And this was actually a topic suggested by one of our listeners. And we were only too happy to oblige this guy. 

Dave Bittner: Yeah, that's fascinating to me. I mean, how many people when they're starting out, do you think, have that CISO position - how many people you think set their sights on that? Is - do you think it's common? 

Rick Howard: I don't know. You know, when I was starting - and I always thought that that's the pinnacle. You know, if you get to be a CISO somewhere, that's probably the highest you're going to go unless you change careers. I'm not so sure that's the case anymore. But - and it's a really hard job, so it's not for everybody. So in that episode, we'll try to figure out - we'll try to lay out what's good and what's bad about it. And you can decide for yourself if that's what you want to be. 

Dave Bittner: It strikes me that with the short tenure we see from CISOs these days and the high turnover, be careful what you ask for, right? 

Rick Howard: Yeah, no kidding. Yeah, no kidding. 

Dave Bittner: Yeah, yeah. 

Rick Howard: Absolutely true. 

Dave Bittner: Speaking of CISOs, something that you and I talked about back at RSA were virtual CISOs. And I know you're going to talk about that, as well. 

Rick Howard: Yeah, we both noticed this kind of thing gaining ground at the RSA Conference. And so we're going to talk a little bit about it. And I think it signifies a major shift in what CISOs - in what the CISO's job is, right? It's not there yet. You know, there's still typical CISOs that we've seen before. But this virtual CISO job - you know, basically, a contractor comes in and fixes some things and then heads out the door. That's a different role. And we're going to talk about that. 

Dave Bittner: Yeah, interesting. You've got some good interviews coming up, as well. I know books are one of your favorite things in the world. And you've got a good author you're going to talk to. 

Rick Howard: Yeah. We've got an interview with Andy Greenberg about his new book, called "Tracers in the Dark." And I just finished reading this thing. It is the best cybercrime book I've read in the past 10 years. And it's about how law enforcement has cracked the blockchain in general and Bitcoin specifically with something called chain analysis. And if you thought you were anonymous using those tools, well, guess what, Dave? You're not, OK? 

Dave Bittner: (Laughter). 

Rick Howard: They figured out how to do all that. 

Dave Bittner: OK. 

Rick Howard: And so Andy covers many of the big cases that law enforcement have solved in the last five years or so. So it's just fascinating. 

Dave Bittner: Yeah. Andy is always a good interview and, of course, needless to say, a great author. Look forward to hearing that one. 

Rick Howard: Yeah. And so finally, for this week's show - we finally got to this week's agenda. We're doing a special for Veterans Day. That's veterans, not Veterans' Day, no apostrophe because according to the Department of Defense, this annual holiday is not owned by the nation's veterans. Everybody owns it. It's a day for honoring all veterans and the family and friends that support them. And our friend, Dave, Elliott Peltzman - he's our senior sound engineer here at the CyberWire. He really made this one special. We're both very proud of it. And I hope everybody will give it a listen. 

Dave Bittner: Yeah, well, definitely have to check that out. It is "CSO Perspectives." It is part of CyberWire Pro, which you can learn all about on our website. Rick Howard, always a pleasure. Thanks for joining us, my friend. 

Rick Howard: Thank you, sir. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachael Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.