The CyberWire Daily Podcast 12.15.22
Ep 1724 | 12.15.22

Updates on the cyber phases of a hybrid war. Alleged booters busted. Progress report from the US anti-ransomware task force. Suspicion in AIIMS hack turns toward China.


Dave Bittner: Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared and their sites disabled. A progress report on U.S. anti-ransomware efforts. Suspicion and a cyberattack against India turns toward China. Bryan Vorndran from the FBI's cyber division talks about deepfakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on their launch of the Historically Black Colleges and Universities Career Program. And the hybrid war and fissures in the underworld.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 15, 2022. 

A new cyberespionage campaign hits Ukraine.

Dave Bittner: Mandiant this morning issued a report on activity it was observing in Russia's hybrid war against Ukraine. It's a supply chain attack in which Trojanized Windows 10 installers are being distributed to Ukrainian targets. The researchers track the activity as UNC4166. And while they're commendably cautious in attribution, they do note that, significantly, there seems to be an overlap between this round of attacks and the target list of Ukrainian organizations against which the GRU deployed wipers early in the war. 

Dave Bittner: Mandiant says, while our analysts do not have enough info to attribute this operation to a previously tracked group, it has been active at organizations that were previously targeted by GRU-related clusters with wipers at the outset of the war. Of note, UNC4166 has actively targeted organizations that were historically victims of disruptive wiper attacks that Mandiant associates with APT28. APT28, of course, is our old, familiar friend Fancy Bear. As Mandiant observes, that's a GRU crew. This current round looks like cyberespionage as the activity observed appears to involve information theft. But, of course, information can be stolen for other purposes as well - sabotage, battlespace preparation and so forth. 

Dave Bittner: John Hultquist, head of intelligence analysis at Mandiant, emphasizes that this is a supply chain attack and, in that respect, at least reminiscent of the SolarWinds operation. He said in emailed comments, though it's hardly as technically sophisticated as SolarWinds, this operation is similar in that it appears to be designed to compromise a large set of potential targets, who can then be winnowed down for targets of interest. In this case, those targets are the Ukrainian government. We can't afford to ignore the supply chain. It can be used like a sledgehammer, or it can be used like a scalpel. 

Alleged booters collared, their sites disabled.

Dave Bittner: U.S. federal prosecutors in California and Alaska have charged six people with crimes involving booter services - that is, offers of DDoS attacks for hire. The charges allege violations, or aiding and abetting such violations, of the Computer Fraud and Abuse Act and conspiracy to operate a booter service. In addition to the indictments, the FBI also seized 48 domains allegedly used in the crimes charged. The takedown was an international operation. Europol announced that the action was part of Operation Power Off, a cooperative effort by U.S., British, Dutch, Polish and German law enforcement agencies against this particular segment of the C2C market. Europol also reports that a seventh arrest in the case has been made in the U.K. 

Dave Bittner: The U.S. Justice Department notes that there is a public outreach component to the operation. Justice says, in conjunction with the website seizures, the FBI, the United Kingdom's National Crime Agency and the Netherlands police have launched an advertising campaign using targeted placement ads in search engines, which are triggered by keywords associated with DDoS activities. The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe as well as to educate the public on the illegality of DDoS activities. 

Progress report on US anti-ransomware efforts.

Dave Bittner: CISA yesterday published a read-out of the second meeting of the Joint Ransomware Task Force. Six working groups have taken up various aspects of the ransomware challenge, and they're worth quoting as they offer some insight into how the task force sees its mission. 

Dave Bittner: First, victim support - that's standardizing and synchronizing federal engagement with ransomware victims to offer services and assess any gaps to ensure that victims of ransomware incidents receive the necessary support to restore services and minimize damage. 

Dave Bittner: Second, measurement - that's collecting data and metrics that will improve the cybersecurity community's collective understanding of ransomware affecting U.S. organizations and trends associated with actors, victims and impacts, which will in turn inform U.S. government action to counter the threat, provide more actionable guidance and evaluate progress. 

Dave Bittner: Third, partner engagement - that's expanding operational collaboration and multidirectional intelligence sharing between JRTF members and nongovernmental partners, including the private sector and the international community, to more effectively prevent, detect and respond to evolving ransomware campaigns. 

Dave Bittner: Fourth, continuous improvement - examining and compiling lessons learned from recent ransomware incidents in key sectors to address gaps in coordination, increase effectiveness of information-sharing and improve the federal government's response and preparedness posture. 

Dave Bittner: Fifth, intelligence integration - leveraging the intelligence collection capabilities of all partners, process intelligence community analysis and manage intelligence engagement with international partners to drive the planning and execution of synchronized JRTF operations. 

Dave Bittner: And finally, campaign coordination - organizing existing interagency campaigns to disrupt ransomware actors and strengthen national cyberdefense against ransomware operations, while also collaborating with relevant partners on new campaign efforts. 

Dave Bittner: The Record cites comments by various officials to the effect that the task force is becoming the center of gravity of U.S. anti-ransomware efforts. Redacted's director of threat intelligence, Adam Flatley, gave the task force good reviews in emailed comments. He said, it's good to see that the JRTF continues to solidify its mission and build processes to support the mission. Both CISA and the FBI are well positioned to do great things in the cyberdefense space and important parts of the ransomware actor disruption space. Of course, a lot of gangland isn't easily within reach. Flatley observes, what remains to be seen is whether or not the JRTF will be properly empowered to truly leverage the whole of the U.S. government intelligence community to counter ransomware actors who operate from sanctuary in countries like Russia, where many ransomware gangs reside. 

Suspicion in AIIMS cyberattack turns toward China.

Dave Bittner: The Times of India reports that official opinion is turning toward Chinese operators as the leading suspects in the cyberattack recently sustained by the All India Institute of Medical Sciences. A source told the press, as of now, the server attack is suspected to have originated from a location in China and a location in Hong Kong. Theft of personal information has been the principal concern since the attacks began on November 23, NDTV writes. 

Hybrid war and fissures in the underworld.

Dave Bittner: Finally, it's well known that there had at one time been close relations among Russian and Ukrainian cyber criminals, geographically close and linguistically related as they are. Al Jazeera, however, describes the ways in which the war has broken many of those connections. Russia's war has moved its security and intelligence services to push for closer cooperation from the cyber gangs the Russian state had long tolerated. This has gone beyond privateering and advice on permissible targets. Many of the criminal organizations have been diverted from what had formerly been their moneymaking rackets and into making themselves a nuisance for Ukraine and its supporters. This trend has been clearest in the rise of distributed denial-of-service attacks. It's not entirely patriotic side-taking, however, although that certainly plays a part. There's also a sense in Russian criminal circles that they can now expect Kyiv's law enforcement and intelligence organizations to give them more hostile scrutiny than they receive from Moscow. Whatever they're up to, we say shields up, everyone. 

Dave Bittner: Coming up after the break, Bryan Vorndran from the FBI's cyber division talks about deepfakes. Our guest, Lisa Plaggemier from the National Cybersecurity Alliance, on the launch of their Historically Black Colleges and Universities Career Program. Stay with us. 

Dave Bittner: The National Cybersecurity Alliance is a nonprofit organization that promotes cybersecurity education and awareness. They recently launched the Historically Black Colleges and Universities Career Program, which aims to equip students with the necessary skills to navigate the search process for positions in security, privacy and risk, helping to build a pipeline of Black professionals to fill the cyber workforce gap. Lisa Plaggemier is executive director at the National Cybersecurity Alliance. 

Lisa Plaggemier: What we kept hearing over and over and over again, the constant theme - it wasn't like, oh, I really struggled with the academics or things like that. It was - you know, somebody said, my dad couldn't tell me not to wear an orange blazer to an interview. I didn't know what to expect in the interview process. I'd never written a resume before. I had imposter syndrome walking in the door of a career fair at my school. I didn't understand time zones, so when I got an invite for an interview in another time - from another time zone, I hadn't really kept a digital calendar before. I missed the interview. It was life skills things. It was things that - it was confidence. It was networking and having somebody to talk to. 

Lisa Plaggemier: You know, a lot of us who were blessed with parents that went to college - it's kind of dinner table conversation, how you might conduct yourself in an interview, how you write a resume, how you write a LinkedIn profile, like, what kind of questions you might get asked and what your answers might be to those questions in an interview. And so if you think about people who grew up without that, then there's a void there. And that's not necessarily a problem that you solve in some - you know, it's hard to wave a magic wand and, in some scalable way, fix that overnight. Those are one-on-one relationships. So that's what led us to the mentorship program, to offering the mentorship program. And then just as far as the workforce problem, attracting more kids to the - and I'll say kids because I've got kids college age. 

Dave Bittner: (Laughter). 

Lisa Plaggemier: There just isn't enough visibility of these careers. What they know is what they see on TV and the movies when it comes to cybersecurity. So how do we make it more real? How do we show them that there are people just like them, who look like them, working in these jobs and that there's a lot of job satisfaction working in cybersecurity? I know we all focus on, like, the burnout and everything, but at the end of the day, we're helping people. We're protecting assets and people. So a lot of that can be, you know, really rewarding for folks. So we have sort of mini career fairs, cybersecurity career fairs that we hold on campus. And those are the two main tactics on the program right now - are those in-person on-campus events where we have a series of speakers that are people of color who work in security and privacy, talking about their jobs, talking about what recruiters are looking for, what kind of skills they're looking for. You know, how are they hiring? And then the other tactic is that mentorship program that anybody can sign up to be a part of. 

Dave Bittner: What has been the response so far from those historically Black colleges and universities that you've reached out to? 

Lisa Plaggemier: Well, to be really honest, in some cases it can be really challenging to work with them because they are so under-resourced and understaffed. Just having an on-campus event, you know, when you have a commercial placement or career services office that only has one or two people in it - staff members, then I'm glad that we have the staff available to do, you know, more of the heavy lifting there because it's - you know, you're holding an event. So there's work to get done there. Generally, they've all been really, really positive. But when it comes to the logistics, like, we're there to help because a lot of them aren't super well-staffed. That's part of the problem, you know - is a lot of these schools don't get the resources that other schools get. 

Lisa Plaggemier: So hopefully, by driving this kind of engagement - you know, we've had employers take tours of some of the schools. We've had a few schools that have opened new cyber labs, and they're excited to show those off to the sponsors. And so hopefully we're doing more good beyond just the immediate interaction with the students. So far, we've been to Prairie View A&M, Saint Philip's College and Texas Southern, all in Texas, and then Southern University A&M in Louisiana. And next semester, we'll be going to North and South Carolina. We'll be going to NC Central, South Carolina State, Winston-Salem State, Fayetteville State and Claflin. That's about - I think it'll be the end of February or early March when we do our North and South Carolina road trip. 

Dave Bittner: For our own listeners, you know, folks who are out there and are inspired by what you're up to here, are there opportunities for people to contribute? 

Lisa Plaggemier: Yeah, absolutely. If you have an hour a week or an hour a month for a student, you can be a mentor. We've got a software program that runs the whole mentorship program - not completely hands-off, but it's pretty helpful. So we've got - if you go to and click on events and programs and scroll down, you'll see the HBCU program. And all of it is explained there including - there's a box for mentors. If you fill out that form on our website, that will get you in our communication flow, and we'll send you information on how to register in the mentorship platform itself. And then once you're in there, there's training on being a mentor. There's 12 different agendas that we've sketched out to guide your meetings with your mentee, just to act as a guideline. But you can really do whatever you want with your time if your mentee has specific requests. 

Lisa Plaggemier: And so we've got over 100 people in there now that are actively having regular meetings. And some of the testimonial statements we've gotten from both mentors and mentees have been super-encouraging. So hopefully those students are, you know, getting the confidence they need to at least attend job fairs and put themselves out there. For a lot of them, just getting themselves into the room is a little bit of a challenge. It's just about confidence and their comfort level. 

Lisa Plaggemier: And so having a mentor to help you through all that - and we're allowing the students to stay in there through their first year of their job if they want to have a mentor because who amongst us did not have a whole bunch of questions that first year in our new job? So, yeah, we would love to see people sign up to be mentors. As we - the more schools we go to, the more kids are going to sign up. And it's great to have people who are there waiting to be matched with a student. You fill out a profile, and then an algorithm matches you. Or if you have a specific request, we could do that manually as well. Like, you want somebody in a particular stage or somebody that has a certain major or something like that. We can help with that. 

Dave Bittner: That's Lisa Plaggemier from the National Cybersecurity Alliance. 

Dave Bittner: And it's my pleasure to welcome back to the show FBI Cyber Assistant Director Bryan Vorndran. Director Vorndran, welcome back. I want to touch base today on deepfakes - certainly been getting a lot of attention in the news lately - and your take on this from your position there at the FBI. 

Bryan Vorndran: Hey, Dave. It's good to be with you today. You know, deepfakes are part of our normal dialogue here. And we actually refer to them as synthetic content. But at the end of the day, what they are are artificial intelligence, machine learning-enabled synthetic content that realistically depicts something that did not happen. You know, the advances in AI and machine learning techniques will improve the speed, the believability, the scale, the ease of use and the automation in the creation of that synthetic content or these deepfakes. And it's really replicated in high-quality videos, certainly pictures, audio and text of events, right? And it's becoming more and more of a prevalent conversation. And when we look at it from a traditional rule of law perspective, if we think about how we authenticate voices, obviously a deepfake voice and the need to authenticate that in real life for evidentiary purposes and the rule of law, it's becoming more and more of a prevalent conversation. 

Bryan Vorndran: I think most concerning to us is that the barriers to entry are decreasing rapidly for the creation of synthetic content and deepfakes. And so certainly your average person could use it for nefarious purposes, but also nation-state actors could use it to conduct malign foreign influence campaigns, or a cybercriminal could use it to carry out a social engineering campaign. As these barriers do decrease - right? - we will likely see or hear much more realistic audio and video that will truly be indiscernible to you or me. So, Dave, I'm also prepared if you want to talk about kind of what is the FBI doing about it, what can the FBI do about it and what should the public look out for but certainly can go back to you for any questions you have. 

Dave Bittner: No, I think that's a great place to go here. I mean, what are some of the practical ramifications and your guidance? 

Bryan Vorndran: So from an FBI perspective, the First Amendment gives all of us as Americans broad protections in terms of speech, right? So while creating a deepfake video is not in itself illegal, the creation of those videos or voices by a foreign power to influence American people is something we would definitely investigate. But again, because of the First Amendment, we are limited in what I would refer to as, quote-unquote, "stopping it." But we do partner up with other government organizations, researchers and technology companies to develop ways to detect the deepfake content. And that's really an area we're collectively focused on. 

Bryan Vorndran: You know, in terms of guidance for your listeners and what the public should look out for, you know, when you look at deepfake videos - and there are some on the internet - there will be visual anomalies. There will be discrepancies. There will be desyncing during the video. There will be tearaways between the audio and video where there is not syncing. There's also the ability to look at metadata, to find out how the files were created and where they were created. But the concern with metadata is it also can be manipulated, so it's not a reliable indicator. 

Bryan Vorndran: So, you know, just one quick example that we could give you - and it's an anonymized example - is, for example, a bank manager would receive a call from a director of a company that is a regular client and whose voice the bank manager recognizes quite well. So the director would explain to the bank manager that his company was about to make a large acquisition and that he needed the bank to authorize the large transfer. The bank manager would believe that the voice was authentic and speaking to the director of the company and subsequently authorized the transfer. So this is just one example of how these deepfakes and this synthetic content can play out and pose a number of threats to whether it's private business or whether it's the democracy of America. So certainly happy to take additional questions, Dave. 

Dave Bittner: So is this the matter that, you know, this new technology, this rapidly evolving technology, demands a higher level of scrutiny? You know, in other words, you know, that bank manager that you're talking about might not be able to rely on knowing the familiar voice of a colleague or a client or something like that. They have to respectfully ask for additional verification. 

Bryan Vorndran: Correct. And there will undoubtedly need to be evolutions in the due diligence processes for authentication, whether it's photographs, whether it's audio, whether it's video inclusive of audio across the business sectors, but also across the national security and traditional rule of law spectrum, to your point, because we'll need additional due diligence variables to make sure that what we think we're seeing or hearing is actually what we're seeing or hearing. 

Dave Bittner: At what level do you all at the FBI want to be informed about this sort of thing? If I - again, I'm that bank manager and I get a call. And I think it may be a deepfake. Should I make a call to my local FBI field office? 

Bryan Vorndran: Yeah, we would encourage you to do so. These threats are going to continue to grow. We're not saying that they're going to grow at the same exponential curve that the cyber threats have certainly targeted the United States and its equities, but they are going to continue to grow over time as the barriers to entry decrease and as the speed of the technology improves in terms of creation to deployment of the deepfake. And so we would encourage engagement with the FBI because we never know who the point of - who is behind the point of creation. And that could lead us to a nation-state actor that is conducting other more - far malign influence campaigns. And that's something very important to us. 

Dave Bittner: All right. Well, FBI Cyber Assistant Director Bryan Vorndran, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.