CISA releases three ICS Advisories. Squealing cars. Rotate your secrets. Russian cyberespionage updates.
Dave Bittner: Security vulnerabilities in automobiles. CircleCI Customers should rotate their secrets. CISA a Director Easterly notes Russian failures but warns that shields should stay up. Attempted cyberespionage against U.S. National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space cyber. And The Guardian continues to recover from last month's ransomware attack.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 6, 2023. Happy Friday, everyone. Good to have you along with us here.
CISA releases three ICS advisories.
Dave Bittner: Let's open with a quick and easy one, courtesy of the good folks over at the U.S. Cybersecurity and Infrastructure Security Agency. That's CISA. The agency yesterday released three industrial control system advisories. They affect Hitachi systems. Visit cisa.gov for the details.
Security vulnerabilities found in automobiles.
Dave Bittner: Over the course of 2022, a security research team led by Sam Curry found vulnerabilities affecting vehicles from 16 leading car manufacturers. The manufacturers have since released patches for the flaws, and Curry's team earlier this week published an extensive writeup on the vulnerabilities. The type and severity of the vulnerabilities varied by model. In some cases, an attacker could unlock the car, start the engine, report the vehicle as stolen or track the car's location. In addition to vulnerabilities affecting individual cars, the researchers discovered API vulnerabilities that could grant an attacker access to sensitive company accounts. BleepingComputer notes that BMW and Mercedes-Benz could have been affected by company-wide single-sign-on vulnerabilities that might have enabled attackers to access internal systems.
Dave Bittner: So, of course, your tires squeal when you're peeling out, but your car might be squealing on you even if you drive like the little old lady from Pasadena. Scratch that. We just remembered that the little old lady from Pasadena was the terror of Colorado Boulevard. But anyway, squeal. Get it? Like the noise, and then squeal like snitching. Yeah. Get it? OK. I know that's unnecessary, but our Auto Parts Desk over on the editorial side loves the obvious explanation because they think everyone else is as slow on the uptake as they are. You've got no idea what we deal with around here sometimes.
CircleCI customers should "rotate their secrets."
Dave Bittner: Continuous integration and continuous delivery platform CircleCI has disclosed a security incident that began on December 21, BleepingComputer reports. The company hasn't released many details about the incident, but customers are asked to rotate any and all secrets stored in CircleCI as soon as possible. CircleCI also says that it's confident that the risk has been eliminated, and the company is working with third-party investigators to validate the steps and actions of their investigation. CircleCI concluded, while we are actively investigating the incident, we are committed to sharing more details with customers in the coming days.
CISA Director notes Russian failures, but warns that shields should stay up.
Dave Bittner: The Hill reports that U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly yesterday warned that, while Russia clearly miscalculated its decision to go to war in Ukraine, and that its cyber operations have fallen short of expectations, these shouldn't be grounds for complacency. She said, during a panel discussion at the Consumer Electronics Show in Las Vegas, it looks like it's not going to end any time soon. We need to continue to be vigilant, keep our shields up and ensure that we are putting all those controls in place.
Attempted cyberespionage against US National Laboratories.
Dave Bittner: And, as if on cue, there are fresh reports of Russian cyberespionage. First, Reuters describes a cyberespionage campaign carried out by the hitherto little-known threat group researchers track as Cold River. The group is circumstantially but convincingly linked to Russian intelligence services - possibly the FSB, although that's unclear, through its Russophone operations and location. The effort involved attempted social engineering of U.S. nuclear researchers at the Department of Energy's Brookhaven, Argonne and Lawrence Livermore National Laboratories. The campaign peaked in August and September as Russian President Putin's nuclear threats reached their peak. It's unknown whether the campaign enjoyed any success. Reuters says that both the Department of Energy and the FSB declined to comment.
Turla effectively recycles some commodity malware infrastructure.
Dave Bittner: Mandiant has found that Turla, a familiar threat actor associated with Russia's FSB, is piggybacking offensive cyber operations on some old commodity malware. Turla is using Andromeda malware distributed through infected USB drives to selectively install the Kopiluwak reconnaissance utility and the QuietCanary backdoor in Ukrainian targets. Re-registration of old, expired Andromeda domains has proven particularly useful. As Wired points out, Andromeda is a commonplace banking Trojan criminals used for credential theft. The researchers conclude, as older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts. The campaign represents the first time Mandiant has seen Turla in operation against Ukrainian targets during the present war. The group seems to be using earlier battlespace preparation to pick targets of strategic interest to Russia. But Turla also seems to be acting in haste and with the necessary disregard for operations security haste normally exacts in trade for quick results.
The Guardian continues to recover from last month's ransomware attack.
Dave Bittner: And finally, The Guardian continues to recover from the ransomware attack it disclosed on December 21, and the news outlet expects recovery to take at least a month. ComputerWeekly shares widespread speculation that The Guardian's coverage of Russia's war in Ukraine prompted the attack, stating, it can also be fairly said that reporting on major international incidents, such as Russia's war on Ukraine, may leave a title exposed to malicious actions by Russia-backed or aligned groups. We wish the Guardian a speedy recovery. Coming up after the break, Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space cyber. Stay with us.
Dave Bittner: According to the United Nations' Office for Outer Space Affairs, there are over 8,000 satellites orbiting the earth, about half of them active depending on their age, there is a whole spectrum of sophistication and security, or lack thereof, built into these devices. Our space correspondent Maria Varmazis spoke with the NSA's Diane Janosek about her research on the security of the objects in space.
Diane Janosek: My name is Dr. Diane Janosek. I currently work for the National Security Agency for the Department of Defense as a senior executive. But I'm talking here in my personal capacity on my research that I did for my Ph.D. in cybersecurity - was space security. And I just love this space, literally. So I'm so excited that you asked me to come talk to you today, Maria.
Maria Varmazis: I'm really thrilled to be speaking with you because this is such an exciting area. And that you have expertise in this is just fantastic. So one of the many papers that you published, one of the ones I wanted to talk to you about today, was about nanosatellites and your paper, "Nanosatellite Constellations Will Revolutionize IoT." And I'm sure our CyberWire listeners are familiar with IoT but probably a lot less nanosatellites. So can we start there? Just real basic, what do we mean when we talk about nanosatellites, and how are they being used?
Diane Janosek: So a nanosatellite is what you would think in terms of nanotechnology. They're small satellites. Usually, you think of big, huge satellites, you know, that could take up a whole room or the size of a house almost in terms of when it's being launched. A nanosatellite could be the size of a shoebox or they even say sometimes as small as pizza box. Nanosatellites - or CubeSats because sometimes they're in the form of a cube - they're ruggedized in order to be postured for the dense heat and the dense cold that you have in outer space. They're ruggedized enough to be placed into orbit for two to five years.
Maria Varmazis: In the context of IoT, how are they being used right now?
Diane Janosek: So this Internet of Things is now using the celestial-based nanosatellites constellation for access for the data transmission. If you think about it, you know, IoT devices are small things, right? They're security cameras, printers, conference room tablets, remote property sensors, coffee makers, doorbells, door openers. They have low bandwidth requirements, right? So you don't need huge systems to transmit that information. So there's - as long as you have the ability to transmit low density, a type of transmission of data, that's when you would look to nanosatellites.
Maria Varmazis: So as we scale up IoT connections, connectivity with all these nanosatellites in orbit, are we sort of scaling up also the threats that these IoT devices face? Like, are we ready to take all these on? How are we doing with that?
Diane Janosek: So people were not thinking before that a coffee maker could have the ability for someone to access your home network. But when it came to a coffee maker, the original ones had IoT capacity. They realized they could actually - someone from the outside could - physically outside your house could get access to what's going on inside your house on your home network. So IoT devices themselves - because it's usually, you know, not a lot of data, not a lot of sensitive data. You certainly wouldn't put your crown jewels on there. It should be OK. You don't need much security, right? The data is not worth that much money. Well, what happened was people realized, well, that can be true, but it also cannot be true. There was an incident with the casinos out in Las Vegas, and one of the casinos had a beautiful fish tank.
Maria Varmazis: Yes.
Diane Janosek: And that fish tank had an IoT thermometer. So it keeps - so the fish stay alive. Well, through, you know, fancy foot working and, you know, long lead time, the hackers were able to get through the thermometer of the IoT device on that casino. They went through about a couple of different systems to get to the financial side and their money systems and were able to hack it. That opened up a new paradigm because it realized it just opened up the aperture in terms of the landscape for vulnerability. And so they're not - people were not really thinking about that before. So that's where people started to think, oh my gosh, we better start thinking about cybersecurity and IoT devices because they're going to be connecting to something else that connects to something else. And then what it connects to may be worth a lot of money. You could have a lot of privacy data, could have a lot of sensitive information, trade secret information. So they realized, OK, they have to start thinking about embedding more security into IoT devices. So now companies are thinking that way. So cybersecurity on IoT devices is necessary. And it's necessary whether it's terrestrial-based internet or, you know, the satellite internet.
Maria Varmazis: Absolutely. And it's a great segue to a question I had. At the end of your paper, you wrote that you urge countries, especially the United States, to prepare in securing digital communications with nanosatellites and perhaps try to adopt something like a satellite IoT legislation, which would be maybe akin to the IoT Cybersecurity Improvement Act of 2020, which was aimed at improving baseline IoT security. What would you like to see in legislation like that or a satellite IoT legislation?
Diane Janosek: So nanosatellites have to be launched. If we make the launch process and the reentry process so difficult and so expensive, companies are not going to choose to work with the United States. So the way that it works now is wherever you are launched from, you're under the jurisdiction of that country. So what's ever launched on U.S. soil is considered to be under the jurisdiction of the United States. So if we make our control and regulation so much harder, we will not have that innovation in the United States. You might have the design in the United States, but then they take it somewhere else to launch it and to monitor it and to maintain it. And so you really do want to meet that sweet spot, right?
Diane Janosek: So at some point, there has to be a risk calculus for these launching of the nanosatellites where the regulation is not as high so that companies continue to do business in the United States and that the power of our innovation and our technical spirit and our tech savvy and our network security savviness and software security and cybersecurity - those companies can do that in the United States and launch and maintain it all the way through, you know, the lifecycle of that particular nanosatellite system. So that's what I would encourage. I would encourage less regulation on some of the smaller things so that we stay ahead of this game and that the United States stays postured for success.
Diane Janosek: If you're looking at a $4 trillion industry by the year of 2040, if they all pick up and they go somewhere else, it's not going to be very good for Americans, right? We want to keep that type of innovation occurring right here in our backyard and manage it. And, you know, we could impose some type of cybersecurity regulation in terms of the transmission of the data. But if they're somewhere else, U.S. regulation won't help anybody, right? You can't regulate a foreign country in terms of how they transmit and secure their information. So we want to keep them in the United States, encourage them to innovate here, encourage them to produce here, to launch from here, to transmit to and from here. And then, you know, keep that income and capitalism alive and just, you know, the innovative spirit and entrepreneurial spirit that we have in the United States alive.
Maria Varmazis: I really appreciate your perspective on this. And it's a fascinating field where, as you've noted, we're going to see a lot more - so much more growth and a lot more innovation. So watch the space space (laughter).
Diane Janosek: Watch this space of outer space.
Maria Varmazis: Exactly. Diane, thank you so much. I really appreciate you taking the time to speak with me today.
Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, welcome back. Always a pleasure to have you here. I want to check in with you on your outlook for 2023. As you and I record this, it is the beginning of the new year. What are you hoping to see happen this year?
Robert M. Lee: Yeah. In general, I hope to travel less and see my kid more. But in terms of...
Dave Bittner: (Laughter) Fair enough.
Robert M. Lee: Yeah, yeah. Maybe in terms of the security industry, I think that the macroeconomic condition and what that means for financing and venture capital and late-stage capital and similar - it's going to have a pretty big effect on companies. Kind of the last couple of years when interest rates were, you know, basically 0%, it essentially made for free money in terms of investment. And there was a mentality across a lot of tech companies, including cybersecurity companies, that you should do growth at all costs. And they were encouraged to do that. How fast can you burn through the money? How fast can you add growth? Because money is unlimited. We'll fund you. When the sort of economy and the financial markets then crashed, was sort of corrected, then you started seeing valuations adjust. And you started seeing a focus on efficiency. And you started seeing a focus of these companies of trying to rightsize their businesses for the new economic conditions.
Robert M. Lee: So when people look at that, I hear from, you know, young startup CEOs and others about, oh, yeah, this is a temporary blip, and then we're back to normal. I'm like, no, no, no, this is normal. Like, this is the normal period. The 0% interest rate, money is free was the abnormal period. You do have to have fundamentals and unit economics and an understanding of your business to be able to operate it. So what does that mean for the larger public? Well, it means that sort of the downside is you won't necessarily have as much innovation if there's not as many companies getting funded. There's going to be a same percentage maybe of innovative tech and companies but a lower number of those - right? - less funded companies, less new ideas. However, I think you will see companies also move to the side. There's a lot of companies that shouldn't have been funded that were the fifth, sixth, seventh iteration of the same idea in a crowded market or just a really niche thing that never had a market in the first place but was an interesting idea. And they were taking money from folks. They were hiring people and sort of taking oxygen out of the room, if you will, from those companies that were already doing well and should have been moving forward.
Robert M. Lee: And so I think you will see both pros and cons in that, I think the pro being the good companies will probably get stronger in this period and be able to attract the talent they needed and so forth. I also think some level of market correction is appropriate with salaries and so forth. That's not always an easy topic. Some people definitely are underpaid, but there are some tech companies that were way overpaying and inflating the rates where even local banks and utilities and others just couldn't afford cybersecurity talent because of the wage inflation. So I think we'll see corrections across the board.
Robert M. Lee: Again, what that means to everybody else is I also think that we will start to see opportunities open up that are more appropriate for people across the cybersecurity communities. We'll find people that unfortunately have a hard time - right? - and got laid off or similar, but I think they'll be able to bounce back quickly in this market and find more stable companies, better careers, better paths and be able to do some new and cool things. I also would argue that we should probably see a reduction in some of the silly stuff where, like, everybody has their own conference, everyone has their own podcast, everyone has their own swag store, everyone has their - like, it almost became all of the things around cybersecurity versus cybersecurity with some of these companies. And some of that can be fun to have around, and some of it can just be way over the top. And I think we may return to a bit of more normalcy, which especially for those that kind of do the conference circuit - I think that would be welcome for everybody. So anyways, I know that's not, like, cybersecurity. Like, well, what's the latest attacks? That's why I - you know, that's kind of all the normal stuff. I think what we're experiencing right now, though, is far more strategic for what the industry and community will experience this next year.
Dave Bittner: What about in your specific neck of the woods in terms of industrial security? How do you think things are going to shake out there?
Robert M. Lee: Oh, they're great. And so I really feel empathetic for folks in various industries and what they're going through. And so I don't want to be, like, popping bottles of champagne when other people are experiencing hardship. But from our standpoint, everything has been super good. First of all, industrial companies are weathering the storm and the economic conditions pretty well. You think about electric utilities, pharmaceutical companies, oil and gas companies, etc. are having - are needed by society, and so they're having good years. And so they have the resources to spend or most of them have the resources to spend on security.
Robert M. Lee: And then the other reality is most CEOs, board of directors and governments are realizing that most of the cybersecurity money has gone to the noncritical part of critical infrastructure, kind of the IT networks. They're very, very important, but not as important, not more important than the actual operations networks. And so that, you know, from the pandemic and remote working to digital transformation to ransomware, to name your flavor, there's a bunch of things and compelling events that highlighted to the executive staffs and government staffs around the world that OT wasn't getting the attention it needed. So we're seeing a boon, if you will, of investment into OT security, even as these conditions exist.
Robert M. Lee: So I think these companies will be very thoughtful about it. Like, don't expect the, here's my blockchain AI app. Like, ugh, get out. You know, they don't - they're not going to invest in stupid stuff. But they're - you know, I also - I have to apologize, too. I'll do a quick tangent. I know that there are certain things I'm not supposed to say on the podcast, like EMP, you know, EMP, blockchain, AI - you and I start getting angry emails every time listeners hear the letters.
Dave Bittner: The letters, Rob, the letters (laughter).
Robert M. Lee: (Impersonating Southern accent) Well, what are we doing about the EMP? And, like - all right, so - and everyone's like, why are you doing a Southern accent? It's because I'm from Alabama. Like, get over it. Anyway, so, the reality of the situation, though, is, yeah, there's a lot of investment going on in the industrial infrastructure as we would expect. But I do think that companies will be more thoughtful and precise about their other infrastructure stacks. As an example, if you already have 15 products deployed across your IT network, is that 16th really going to do a net risk reduction to justify the budget right now in these economic conditions? That's going to be hard to justify. But you only have a firewall for your OT network, it's probably pretty easy to justify the next two or three items in that spend.
Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. Find out more about sponsoring our programs at thecyberwire.com/sponsor.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday," and my conversation with Marisa Atkinson from Flashpoint. We're discussing RisePro Stealer and pay-per-install malware PrivateLoader. That's "Research Saturday." Check it out.
Dave Bittner: This CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.