The CyberWire Daily Podcast 12.2.22
Ep 1715 | 12.2.22

Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. Google announces new support for Ukraine. DDoSing the Vatican. Google supports Ukrainian startups in wartime.


Dave Bittner: Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. DDoSing the Vatican. Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran. Our space correspondent Maria Varmazis speaks with Brandon Bailey about Space Attack Research and Tactic Analysis matrix. And how Google supports Ukrainian startups in wartime. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 2, 2022. 

Cuba ransomware pulls in $60 million.

Dave Bittner: The FBI and CISA warned yesterday that the Cuba ransomware operations have taken, in aggregate, some $60 million from more than a hundred victims. The gang, it's worth noting, has no connection with the country, government or island of Cuba. Anyway, the Cuba gang has recently been deploying the RomCom malware. This is a custom remote access Trojan used for command and control. The gang also seems to be leveraging, as CISA and the FBI put it, industrial spy ransomware against its victims. An account of indicators of compromise and appropriate defensive measures organizations and individuals might take appear in the alert. Much of the intelligence on which the joint agency advisory is based derives from research by Palo Alto Networks, and CISA and the bureau cite earlier research by the company's Unit 42, which tracks Cuba's operators as the threat group Tropical Scorpio. 

Dave Bittner: Unit 42 wrote back in August, the Cuba Ransomware family first surfaced in December 2019. The threat actors behind this ransomware family have since changed their tactics and tooling to become a more prevalent threat actor in 2022. This ransomware has historically been distributed through Hancitor, which is usually delivered through malicious attachments. Tropical Scorpio has also been observed exploiting vulnerabilities in Microsoft Exchange Server, including ProxyShell and ProxyLogon. As is so often the case, the underworld is willing to learn from the best, which in a moral sense usually means learning from the worst. Unit 42 goes on to say, the ransomware group uses double extortion alongside a leak site that exposes organizations that have allegedly been compromised. That said, this group didn't have a leak site when first observed in 2019. We suspect the inspiration for adding one came from other ransomware groups, such as Maze and REvil. The Cuba ransomware leak site also includes a paid section where the threat actors share leaks that were sold to an interested party. Tropical Scorpio and its Cuba ransomware remain an active and ongoing threat. Check out the joint advisory on CISA's website and read and heed the whole thing. 

CISA releases three ICS advisories.

Dave Bittner: And while you're checking out CISA's website, do note that they have released three ICS advisories covering BD BodyGuard Pumps, MELSEC iQ-R Series, and Horner Automation Remote Compact Controller. If you use those, take the steps that are required to remediate the vulnerabilities that CISA has flagged. 

Google announces new support for Ukraine. 

Dave Bittner: There's been much discussion of assistance Western governments have rendered in Ukraine in cyberspace, including hunt-forward operations by U.S. Cyber Command. Kyiv also continues to receive support from the private sector. Google yesterday announced further measures it was taking to support Ukraine during the Russian invasion. Google and its employees are providing some direct financial support, some $45 million, as well as contributions of services in kind. Google's statement said, We're continuing to provide critical cybersecurity and technical infrastructure support by making a new donation of 50,000 Google Workspace licenses for the Ukrainian government. By providing these licenses and giving a year of free access to our Workspace solutions, including our cloud-first, zero-trust security model, we can help ensure Ukrainian public institutions have the security and protection they need to deal with constant threats to their digital systems. Other assistance includes a range of cooperative cybersecurity services and help combatting disinformation. The aid being rendered in information operations includes both action against Russian disinformation and measures taken to surface accurate information about the war. 

DDoSing the Vatican.

Dave Bittner: Euronews reports that the Vatican sustained a DDoS attack against its sites shortly after Pope Francis made public remarks interpreted as critical of Russia's war. The pope has singled out some Russian conscript formations as exhibiting significant cruelty in their operations. The DDoS attacks began Wednesday evening and were described as abnormal access attempts. The Vatican offered no attribution, but Ukraine's ambassador wasn't shy about fingering Moscow's operators, saying that the incident was a Russian cyberattack and entirely of a piece with other Russian actions during the war. The ambassador described the DDoS as the work of terrorists, which for a DDoS seems a bit overheated. 

Google supports Ukrainian startups in wartime.


Dave Bittner: Finally, to return to Google and its support for Ukraine, an unusual aspect of that support has been direct investment in Ukrainian startups. As Mountain View wrote, We also remain committed to supporting the Ukrainian startup ecosystem and its vibrant IT and software sector. Today we have announced the last batch of recipients of the $5 Million Google for Startups Ukraine Support Fund. Through this fund, we're allocating equity-free cash awards to support a total of 58 Ukrainian-founded tech companies. And we've been proud to lend our support to economic investment campaigns like Advantage Ukraine. The most recent round of awards announced yesterday went to a wide range of businesses, some providing educational services, others software, still others e-commerce and related solutions. The goal would appear to be long-term economic development, not short-term capacity building. Indeed, none of the recent 25 looks like a cybersecurity company. The funding, Google stresses, is nondilutive and so would leave the businesses under the control of their founders or other investors. Heartfelt good luck to them. 

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran. Our space correspondent Maria Varmazis speaks with Brandon Bailey about the Space Attack Research and Tactic Analysis matrix. Stick around. 

Dave Bittner: Our CyberWire space correspondent Maria Varmazis recently spoke with Brandon Bailey about the Space Attack Research and Tactic Analysis matrix, or SPARTA. Maria files this report. 

Maria Varmazis: In cybersecurity, we're no strangers to frameworks, matrices and guidelines to help organizations better identify threats, share information and harden defenses. And for the booming space industry, there's now a new cybersecurity matrix specifically for them called SPARTA, which stands for Space Attack Research and Tactic Analysis. To learn more about SPARTA, I spoke with Brandon Bailey, cybersecurity expert with the Aerospace Corporation. Brandon led in the creation of the SPARTA matrix and modeled it after MITRE ATT&CK. He mapped out and categorized the tactics, techniques and procedures that could potentially be used by threat actors to target spacecraft and space systems. 

Brandon Bailey: We felt like there's been a gap in the way people understand the way threat actors could potentially attack a spacecraft. So in my works over the past eight years or more, talking to your various entities about the way threat actors could essentially attack a spacecraft, no one really knows how. Like, how would they do it? Some people don't believe that it's possible. And so we figured out, OK, there's an inherent communication gap here where people aren't understanding how tactics, techniques and procedures could be implemented for a space system from a cyber perspective. So we looked at kind of what industry standard has been as it relates to communicating tactics, techniques and procedures. So MITRE put out a great framework, the MITRE ATT&CK framework in 2013, and it's been improved vastly over this nine-year span. If you go back and look at what was first published in 2013 to today, it's quite different. So our subdivision, the Cybersecurity Advanced Platform subdivision within Aerospace, we've been publishing data basically since 2019 in the open side - in the unclassified internet around cybersecurity space systems. 

Brandon Bailey: So typically what we see is there's been a lot of information about cybersecurity behind kind of closed doors and not really talked about for space 'cause, typically, what we've done is publish PDF documents that, you know, can't get updated regularly, can't be responsive to new threats and new TTPs and that type of thing. So we wanted to make something that kind of could live, be a living and breathing capability that we can update over time. And that's basically the - how we got to where we are, was years of research, again, to just space and cyber and defensive mechanisms and getting it into a digestible format, which we leveraged what we consider the industry best standard with what was set forth by the attack framework back in 2013. 

Maria Varmazis: Yeah. Excellent, yeah. And you mentioned years of work. And in that time, the landscape seems to have changed, or at least awareness seems to have changed, when things were sort of more theoretical, maybe when you began this project, and now they've become a lot more real. Is that sort of aligning with what you've seen, or do you feel like this is just sort of catching up to where things have always been? 

Brandon Bailey: So we don't have this in the IT - traditional IT, where we definitely have this large database of just past intrusions and past cyber events, right? We have just this huge database. And the attack framework actually documents a lot of that stuff in references since we have just tons of data. We don't have a huge database of those things on the space side. So we're kind of in this middle ground area where some things are theoretical - what's the art of the possible? - and then some things are, hey, this has been proven by threat actors, or now - or this has been proven in a lab environment in, like, the hack a site (ph) event at DEF CON, or this has been proven through some sort of cyber experimentation that we're aware of in our circles. So it's kind of a mix of, you know, we've got evidence of these things happening in the wild or we've proven it in a lab environment. And then there's a little bit of, like, well, we feel like this is possible based on our research. It just hasn't been proven necessarily yet. 

Brandon Bailey: But it's - a large percentage of what's in SPARTA has been proven in labs or in experiments, but not necessarily in the wild by threat actors yet. And that's kind of where - and so what we're trying to really get ahead of is getting that information out there, things that we think are possible or know are possible and what are the defenses? So that's the big, I think, benefit of the SPARTA stuff is more in the countermeasures and defenses that we've placed in there. It's not, hey, here's a problem. This is how someone could potentially attack you. It's here - yes, that's true, but here are the ways to defend against it. And that's what we put a lot of the research and work into the defensive side. 

Maria Varmazis: That makes sense to be proactive on that case. I mean, certainly there's been a lot more attention paid to this - to different threat actors and escalating threats. So it's good to get ahead of that. Could you talk a little bit about how it has been received in the time that you've been developing it and now that it's come out to the world? 

Brandon Bailey: So it's just been overwhelming success from a feedback perspective because, you know, it's - just hasn't been brought together like that. And what I say in a lot of the briefings and presentations that I talk about is cyber and space systems traditionally is really being considered as black box. It's the boogeyman that can get you as it relates to affecting your mission in a space context. And it's not really decomposed into the nuts and bolts, like we typically manage cyber for IT systems. So this just - it really helps with that. Decompose that problem into something tangible, it helps people understand in kind of layman's terms, as much as possible, how these can affect you and (inaudible). It's all about making something available and usable for the space cyber community, because I think it's a gap that needed filled, and we're going to continue to fill it, so... 

Maria Varmazis: That's excellent. And, Brandon, thank you so much for sharing about this. And I look forward to speaking with you in the future about how SPARTA continues to develop and be used in the industry. 

Brandon Bailey: Yeah, thank you for your time. Looking forward to continued collaboration. 

Maria Varmazis: If you'd like to take a look at the new SPARTA Matrix or contribute or provide feedback, you can go to For the CyberWire, I'm Maria Varmazis. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is senior vice president for research and analysis at Interos. Andrea, it is always great to welcome you back. We are seeing some interesting movements around the world when it comes to, I don't know, the trickling down of cyber effects. I'm thinking specifically, we see Albania cutting off their diplomatic ties with Iran. What are you making of this? 

Andrea Little Limbago: Yeah. So, one, I think it's a very important area to keep an eye on as far as whether other countries start following suit. And I'll give you further context. Albania has declared that Iranian-linked groups, you know, attacked Albania. And in response, they cut off diplomatic ties. And then in response to that, more recently, the same group allegedly also attacked their national police - the Albanian national police system. And so... 

Dave Bittner: We're talking cyberattacks here. 

Andrea Little Limbago: ...Cyberattacks, yep. 

Dave Bittner: Yeah. 

Andrea Little Limbago: So we're seeing a, you know, range of tit for tat. But one - this is one of the first times where we've seen a government cut off diplomatic ties to another government for various kinds of, like, adverse cyber behavior. And as we've seen - I mean, we've seen - so many different times, we've seen, you know, the U.S. government say Russia, Iran or North Korea or whomever is responsible - and given that point - if you remember, a long time ago, like, five years ago, there was a - you know, for quite some time, governments didn't want to actually formally declare that another country was behind a cyberattack. It was something that just wasn't talked about openly. And really, over the last decade, we have done a now enormous 180 where several years, the attribution was never done. It's a slow trickle of attribution but still kind of keeping it somewhat vague so there wouldn't have to be any kind of diplomatic response. 

Andrea Little Limbago: Albania is one of the first, at least that I'm aware of, that has very bluntly declared attribution and had a consequence of that being a diplomatic action. And that's - you know, I think that's a pretty big deal. It'll be interesting to see how that then - you know, whether that escalates or - and we're still seeing it - you know, it hasn't, for sure, lessened the adverse cyber behavior going on. But we have not yet seen it extend beyond the cyber domain. And I think... 

Dave Bittner: Yeah. 

Andrea Little Limbago: ...That's the area to look at because it is very often - what's going on in cyberspace really is a reflection of broader - you know, of the physical world. And so we'll have to see if it does then translate it over and - I mean, it has diplomatic effects, but will there be even more in that regard? 

Dave Bittner: It's interesting that, you know, nations now have this new lever that they can pull in addition to, you know, economic or even military. I mean, does it provide them one more level of influence, you know, before you have to start, you know, slinging missiles over the border or sending troops or, you know, cutting off supplies, those sorts of things? 

Andrea Little Limbago: I think it could, and I think it will be interesting because we're also in an era where trade barriers and sanctions are also increasingly a lever, you know, as leading up into, you know - or hopefully, ideally, you know, offsetting any kind of military behavior. And so it could very well be that we see cyberattacks - response as diplomatic. If they're to continue, I would imagine one of the next components could be, you know, other kinds of sanctions and trade barriers as well, especially on the technologies, as a future - or as a further escalation of that. And that's - what's really interesting, and that's what we've seen - for military conflict and heightening of tensions, very often we see the - you know, starting more in a diplomatic area, see some have an economic impact and then to military. And ideally, those ones before are to prevent the military. And this could just be now part of the normal progression of severing of ties, where before it really wasn't. Before, there really weren't major diplomatic repercussions for groups linked to one government attacking another government. And I think other governments are paying attention to see what happens with this, to see whether it's something they want to do as well. 

Dave Bittner: Right. Well, and how interesting, because I suppose - I mean, is it fair to say that we're still in the mode where we're trying to establish what the norms might be? 

Andrea Little Limbago: Oh, we absolutely are. I mean, there was some progress on that leading up to about, you know, maybe around 2016, and then it really has almost flatlined since then as far as seeing progress on that. And we're seeing very different norms emerge, and that's something you and I have discussed in the past - but really are seeing the bifurcation of the norms amongst those that really want to put some low-hanging fruit for what cyber - for agreed-upon norms for cyber behavior, such as, you know, not attacking critical infrastructure, not having various kinds of civilian infrastructure attacked during wartime, like, those kind of things that generally have a good analogy to the physical world. And then there are others that really want to focus more so on norms as far as everything that goes on within their own country, that's within their own control, and then that actually tends to expand to other interests. And so there is definitely not agreed-upon norms and behavior at the global level. 

Andrea Little Limbago: I will say we just had a, you know, U.S. ambassador to cyber went through nomination, and so we now have - officially have that for the first time. 

Dave Bittner: Right. 

Andrea Little Limbago: And so that's Nate Fick, who is former Endgame CEO. And so we'll see. He's got a tough job for him in this - especially in this area of norms, to really help almost, you know, corral those like-minded countries towards area of, you know, solid cyber norms. And I understand that that may exclude some parts of the world that don't want to agree with - you know, don't want to adhere to some of those low-hanging fruit that many like-minded countries agree upon. So it'll be interesting to see what happens with that new rule. 

Dave Bittner: Yeah. All right. Well, Andrea Little Limbago, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Jeremy Kennelly and Sulian Lebegue from Mandiant. We're discussing their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind." That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.