The CyberWire Daily Podcast 1.13.23
Ep 1739 | 1.13.23

Updates on the hybrid war, and on the incidents at the Royal Mail, the FAA, and the Guardian. Royal ransomware exploits Citrix vulnerability. CISA’s annual report is out.


Dave Bittner: GitHub disables NoName accounts. Russia dismisses reports of cyberespionage attempts against U.S. National Laboratories. The Royal Mail cyber incident is now identified as ransomware attacks. An update on the NOTAM issue that interfered with civil aviation. A Citrix vulnerability is exploited by a ransomware group. CISA publishes its annual report. Bryan Vorndran of the FBI Cyber Division calibrates our expectations with regards to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. And Positive Hack Days and the growing isolation of Russia's cyber sector.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 13, 2023. 

GitHub disables NoName057(16) accounts.

Dave Bittner: We begin with some updates to stories we've seen break earlier this week. The first two come from the cyber phases of Russia's war against Ukraine. First, GitHub has taken down accounts associated with the Russian hacktivist auxiliary group NoName057(16). Again, we're simply going to refer to them as NoName. CyberScoop quotes a GitHub representative, stating, we disabled the accounts in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful, active attacks or uses GitHub as a means to deliver malicious executables. 

Dave Bittner: Like so many other Russian auxiliaries, NoName has specialized in DDoS attacks, and it's crowed high over them in its Telegram channel. The group's New Year's greetings show some representative crowing, stating, did any of us know at the start of the year that something like this would happen? Did we, ordinary programmers and difficult guys from the darknet, know that we would need to go to the real and digital frontiers? Did anyone know that the issues of protecting the motherland and the reeducation of the civilized world would be carried out by us as well, the NoNames ask rhetorically. No, no. No one knew. But the current situation has divided everything into before and after. We don't know how long the NWO will last, how many spears we'll break and how many bumps we'll hit. One thing we know for sure - we will win. We will definitely win. Even if the whole world is against us, they will lose for one simple reason. The right guys are not with them. And it's total. Holiday greetings. We all have strength and perseverance. There is nowhere to retreat. There will be no other motherland. Well, that's one way of looking at it. 

Russia dismisses reports of cyberespionage attempts against US National Laboratories.

Dave Bittner: And another note from the cyber front - Russia has taken exception to Reuters' report last week that the Cold River group has the Kremlin's fingerprints on it. Cold River, widely believed to operate on behalf of a Russian intelligence and security service, probably the FSB, has attempted to compromise workers at the U.S. Brookhaven, Argonne and Lawrence Livermore National Laboratories. Maria Zakharova, Russia's Foreign Ministry spokeswoman, harrumphed yesterday in a press briefing, the latest pseudo-investigation was unfortunately published by Reuters News Agency. There was no evidence given, no facts, she added, but did not further elaborate. Reuters stands by its story, as indeed Reuters should. 

Royal Mail cyber incident now identified as ransomware attack.

Dave Bittner: Our third update concerns the disruption of Britain's Royal Mail Service. Those disruptions to the U.K.'s Royal Mail service, first reported on Wednesday as a cyber incident, has now been identified as a ransomware attack linked to the Russian-affiliated LockBit gang, Computing reports today. The Telegraph broke the news of the confirmed ransomware attack yesterday with attribution to LockBit or an actor using the gang's encryptor. The attack was behind the encryption of devices used for shipping internationally, and ransom notes were reportedly printed on printers intended for custom dockets. The ransom note claims to be LockBit black ransomware with links to Tor sites used by LockBit operators and a decryption ID said by multiple security researchers to be unusable, Bleeping Computer confirmed yesterday. When Bleeping Computer reached out for comment, LockBit Support claimed that the gang did not attack Royal Mail, and they blamed it on other threat actors using their leaked builder. There is no end in sight to service disruption, stressed a Royal Mail spokesperson, the BBC reported last night. 

Update on the FAA's NOTAM outage: an outdated system and a damaged database file.

Dave Bittner: Computing writes this morning that the FAA continues to attribute Wednesday’s NOTAM outage to a damaged database file. A source speaking to CNN claimed that air traffic controllers recognized the system issue on Tuesday afternoon, intending to reboot the system during less congested hours on Wednesday morning. The reboot took place as planned, though the system still wasn't completely pushing out the pertinent information that's needed for safe flight. And it appeared that it was taking longer to do that, according to CNN's source, which led to the eventual grounding order. A senior government official cited aging infrastructure as a contributing factor, noting that the system is 30 years old and not scheduled to be updated for another six years, according to NBC News. 

The Guardian breach: Attackers access UK employees’ data.

Dave Bittner: In the long-running disruption of the U.K. news service The Guardian, the paper has confirmed that it sustained a ransomware attack last month. The Guardian Media Group's CEO Anna Bateson and The Guardian's editor-in-chief Katharine Viner sent an email to employees on Wednesday stating that the firm had suffered a highly sophisticated cyberattack involving unauthorized third-party access to parts of their network. The attackers were able to access personal data of the company's U.K. employees. Graham Cluley explains that the data included names, addresses, dates of birth, national insurance numbers, bank account details, salary information and identity documents such as passports.

Citrix vulnerability exploited by ransomware group.

Dave Bittner: This morning researchers at security firm At-Bay reported that they have reason to believe a critical Citrix vulnerability is being exploited by the Royal ransomware gang. Citrix disclosed CVE-2022-27510 on November 8, 2022. The vulnerability allows for the potential bypass of authentication measures on two Citrix products - the Application Delivery Controller and Gateway. At-Bay researchers last week observed what appears to be the first known exploitation of the flaw in the wild. The researchers recommend that organizations apply Citrix's patches and mitigations as soon as possible. 

CISA releases its annual report.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency yesterday released 12 industrial control system advisories. The agency also released its 2022 Year in Review. The report is organized into four topical sections - Cyber defenseRisk reduction and resilienceOperational collaboration and Agency unification. On that final point, the report explains, foundational to our success, the agency is unifying as one CISA through integrated functions, capabilities and workforce. The agency is building a culture of excellence based on core values and core principles that prize teamwork and collaboration, innovation and inclusion, ownership and empowerment, transparency and trust. 

Positive Hack Days and the growing isolation of Russia's cyber sector.

Dave Bittner: Brookings offers some reflection on last May's Positive Hack Days, the annual conference organized by the Russian security firm Positive Technologies, a company now under U.S. sanctions for its cooperation with Russian intelligence services. The essay sees an increasingly isolated cyber ecosystem in which the Russian cyber sector has now become a closed system with aspirations to self-sufficiency. The aforementioned Maria Zakharova called it the creation of a multipolar world, which is, as we've said before, one way of looking at it. 

Signing off until Tuesday.

Dave Bittner: Monday is the U.S. holiday that honors Dr. Martin Luther King Jr. And the CyberWire won't be publishing that day. We'll be back as usual on Tuesday. In the meantime, best wishes on the occasion to all who will be observing the holiday with us. 

Dave Bittner: Coming up after the break, Bryan Vorndran from the FBI's cyber division calibrates our expectations with regard to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. Stay with us. 

Dave Bittner: Kayne McGladrey is Field CISO at Hyperproof and is a senior member of the IEEE, the Institute of Electrical and Electronics Engineers. They recently released a global study titled "The Impact of Technology in 2023 and Beyond." I checked in with Kayne McGladrey for the details. 

Kayne McGladrey: Cybersecurity concerns have really increased overall since last year's report. Cloud vulnerability, for example - I think last year only 35% of people thought that cloud vulnerabilities were concerned. This year it's over half. It's 51%. Or mobile hybrid workforces, an enduring concern, actually - it's up to 46%, which was last year 39%. And that's interesting because work from home is not necessarily new. I just think that for budgetary purposes, many companies might have thought, oh, that'll be over soon. And then the final one I found to be particularly interesting is around datacenter vulnerabilities. And if we get really deep into the data underpinning the survey, that seems to be mostly from China, whereas if you think domestically in the United States, the predominant number of companies have moved to the cloud and to a hybrid working model. 

Dave Bittner: Oh, that is interesting that there would be a regional difference there. 

Kayne McGladrey: Yeah, it is. And I think it might speak really to defensibility as well. And if you think about it, when you look at datacenters, they're feeling a little antiquated at the moment given how many companies are moving to the cloud. That's causing a lot of vendors to update their tooling and technology and defensive mechanisms to be predominantly on cloud. And so the concern would be if you are still running on premises hardware and services, at some point, your vendor may no longer support those. And it becomes an incrementally harder situation to actually defend those with any level of adequacy. 

Dave Bittner: Yeah, that's interesting - kind of, you know, get on the bandwagon, or this train is leaving the station, right? You don't want to miss it. 

Kayne McGladrey: Absolutely. And I think that's where a lot of the vendor investment is going. And I think also that's where a lot of the cybersecurity frameworks and associated regulatory controls are moving towards - is the recognition that we used to do things that way. That was neat back in the day, when we used to have big iron on premises and you could stand up Windows servers and not secure them and then have a breach. That wasn't so bad. These days, that's no longer considered to be acceptable by organizations. And your regulatory entity will also beat you about the ears if you have that occur. 

Dave Bittner: Well, in terms of cybersecurity professionals, what are some of the other things that rose to the top here? 

Kayne McGladrey: So cloud vulnerabilities was definitely the No. 1. And I think that's really the narrative on software supply chain that we first saw hit the news in, like, mainstream news when SolarWinds occurred and then Log4j, where a lot of companies are starting to look in their supply chain and say, how much do we actually trust you? And we're seeing a lot of companies request a SOC 2 Type 2 report as proof that, hey, you're doing the cybers OK. But also in a lot of cases, that's pushing SaaS vendors to be pushed towards FedRAMP low-impact SaaS or FedRAMP moderate, not necessarily because they're doing business with the company, but - or with the government, I should say - but rather because, hey, it's hard to go get. And so if you're doing that well, you must be doing cybersecurity fairly well. The other thing that we've seen is that increase in hybrid and mobile workforce and concerns around there. And that comes to companies needing to really invest and continue to invest in adequate controls and measuring the effectiveness of this. And that's not just for cybersecurity controls. If you've got something like - if you look at data loss controls, which are not necessarily considered to be cybersecurity, there have been many studies showing that as employees are working more from their home devices, you can have those information leak on to those personal devices. And if that employee is considering departing, they might take that information with them. And if that's financial information that they could conduct inside trades on or if that's proprietary information that they could sell to a competitor or take to a competitor or even a sales book, really, those all become material concerns that companies have to cover down on, whereas previously, when everyone was inside the magical office and there was the super cool firewall around it, somehow that - we all put our heads in the sand and pretended that that didn't happen. 

Dave Bittner: You mentioned that this is an annual study that you all release. Are there any long-term trends that you're tracking here that you can see to give us some insight on some of the direction we might be headed? 

Kayne McGladrey: I think that if we look at the larger technology stack, I think that's illustrative towards where the world is moving. So in 2022, for example, and prior years, we've seen cloud and wireless technologies be continuing trends that are popular. Of course, initially it was 4G. This year it was 5G. Yes, obviously we've added yet another G to that stack. But also things like the investment in electric vehicles has been increasing as those have become more commercially viable. And, of course, when you think about electrical vehicles and the underpinning infrastructure of those, that becomes now an interesting question of how do you ensure that your users have security and privacy associated with those technologies? 

Kayne McGladrey: I think one that may be a - it shows up and then it goes away and it shows up again, is around augmented reality, virtual reality and the metaverse. I know that when we conducted this study in September of this year, metaverse was predicted to be one of the most important technologies in 2023. I think, since the collapse of FTX and the continued bear market in the crypto markets in general, metaverse, which is almost entirely blockchain-backed, is going to perhaps not be as important as would have been initially predicted when you look at the study. 

Dave Bittner: That's Kayne McGladrey from Hyperproof. The IEEE's report is titled "The Impact of Technology in 2023 and Beyond." You can find a link to that in today's show notes. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for interview selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Bryan Vorndran. He is assistant director of the cyber division at the FBI. Director Vorndran, thank you for joining us here once again. I wanted to touch base with you today on the IC3, which is the FBI's Internet Crime Complaint Center. Kind of set expectations - what exactly is the IC3 best used for, and what can you tell our audience about the best ways to make use of it? 

Bryan Vorndran: Dave, thanks for inviting me back. And it's a really good question, and one that we receive quite routinely. What'd I'd say is this. IC3 was initially implemented about 20 years ago when internet-enabled, computer-enabled fraud became a thing. And so certainly over those two decades, it has continued to grow and serve a meaningful platform, meaningful role in that it is a consolidation point for not only an internet-enabled, computer-enabled fraud, but it has also become a very, very heavily utilized reporting center for traditional cyber intrusions. When we look broadly across the data set, I would say between two-thirds and three-quarters of the data reported to IC3 still is computer and internet-enabled fraud, victimization complaints. And the other balance, 25% to a third, is traditional cyber intrusions. We always have thought that it's important to have one consolidated location for American citizens, whether corporate citizens or individual citizens, to have a place to report these crimes to. But I do think that IC3's role can never replace the role of an actual human contact. 

Bryan Vorndran: And so we do always encourage corporations and organizations to really maintain an ongoing, robust relationship with their actual cyber squad - their cyber investigative squad or the field office of wherever they're based. And that's really important because that cyber squad can become an active point and active center of gravity for any organization to share cyber threat intelligence. But more importantly, it's really important to have that relationship in place if an organization does become a victim. So we do encourage corporations and organizations to report to IC3 because it does serve as that consolidated point of data. But we also think it's actually just as important, if not more important, for organizations and corporations to have an ongoing relationship with their cyber investigative squad in their area that they reside, whether that's a major city or a smaller city. 

Bryan Vorndran: You know, one of the things we say is that every organization should have an active relationship with their FBI field office. They should have that point of contact written into their incident response plan. And they should actually exercise their incident response plan with their FBI POC in the office with them at that time. So hopefully, Dave, that gives you a little bit to think about and your audience a little bit to think about IC3's historic role, their current role, and then how that balances out with actually having a human contact. 

Dave Bittner: Is it fair to say that the IC3 tends to be a little more consumer facing, whereas the direct relationships with the field offices tends to be at more of a professional level? 

Bryan Vorndran: I think that's fair. I would want to give it a little bit more context and say that, you know, we would love - you know, we're a victim-centered organization. That's what we pride ourselves on. It's been the backbone of the organization for more than more than a century. But it's simply impossible for us to scale to every business who has two or three people or an individual household compromise of a computer. We would love to because that's what's in our DNA, but we just don't have the resources to do it. And so IC3 can serve as a very meaningful portal for those type of individuals to report to or those types of small organizations to report to and know that they're doing their part to facilitate an understanding of the larger threat picture. Whereas for corporations or large organizations, the FBI can scale to have personal and professional relationships with them and be actively involved with those organizations prior to an intrusion and during an intrusion. So hopefully that additional context helps round out the understanding. 

Dave Bittner: Yeah, it absolutely does. Bryan Vorndran is assistant director of the FBI's Cyber Division. Thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Mohammad Kazem Hassan Nejad from WithSecure's team. We're discussing their research, "DUCKTAIL Returns: Underneath the Ruffled Feathers." That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.