The CyberWire Daily Podcast 1.27.23
Ep 1748 | 1.27.23

An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilities Catalog.

Transcript

Dave Bittner: An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike's Adam Meyers. If you say you're going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow, talking about nation-state actors in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 27, 2023. 

Hive ransomware gang taken down.

Dave Bittner: We begin, as we said we would yesterday, with the story of the international operation that took down the Hive ransomware gang's infrastructure. The U.S. Department of Justice has announced that a joint U.S. and European operation has taken down the notorious ransomware gang. Thursday morning, Hive's site was replaced with a notice stating, "the Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive ransomware." The European participants were, in addition to Europol, police in the Netherlands and Germany. The action was called "Operation Dawnbreaker." The U.S. Department of Justice characterizes Hive as a ransomware-as-a-service operation that made heavy use of double extortion in its crimes. Hive was also notorious in its target selection, hitting, among other victims, hospitals and schools. Its attacks against hospitals in some cases disrupted delivery of care.

Dave Bittner: The FBI has been quietly at work against the gang since last summer, infiltrating Hive, taking decryption keys and enabling Hive's victims to avoid paying the ransom the gang demanded. FBI Director Christopher Wray said at a press conference yesterday, "last July, FBI Tampa gained clandestine, persistent access to Hive's control panel. Since then, for the past seven months, we've been able to exploit that access to help victims while keeping Hive in the dark, using that access to identify Hive's victims and to offer over 1,300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments, cutting off the gas that was fueling Hive's fire." Reuters quotes Deputy U.S. Attorney General Lisa Monaco as saying, "using lawful means, we hacked the hackers. We turn the tables on Hive."

Dave Bittner: No arrests were announced, The Wall Street Journal notices. Director Wray said at his press conference, however, that Operation Dawnbreaker continues and is moving on to its next phase. Any arrests would presumably come in that subsequent phase, but most, if not all, of the perpetrators are in Russia and so may be effectively out of reach. Tom Kellermann, senior VP of cyber strategy at Contrast Security, yesterday emailed comments on what it would take to bring ransomware under control, stating, "the real challenge lies in the protection racket that exists between cybercrime cartels and the Russian regime, which endows them with untouchable status from Western law enforcement. We must recognize that the majority of the proceeds from ransomware allow for Russia to offset economic sanctions." 

Dave Bittner: We might also mention the gang's usefulness to Moscow as privateers and auxiliaries, so it will probably be difficult to collar the Hive's worker bees unless, of course, they should flee mobilization and land in a place with an effective extradition treaty or, say, choose a foreign vacation spot unwisely. Where's a bad guy to go nowadays? Azerbaijan, perhaps, or Cuba if you can get there. Chad might be a possibility, but like Cuba, it's not really walkable. Later in the show, we'll hear from Adam Meyers from CrowdStrike for his take on the takedown, so be sure to stick around for that.

Killnet continues reprisals against German targets.

Dave Bittner: Turning briefly to the cyber phase of Russia's war against Ukraine, a Russian patriotic and criminal hacktivist group has conducted more DDoS attacks against targets in Germany, SecurityWeek reports. Germany's BSI security organization said the attacks hit, in order of priority, airports, the financial sector and federal and state administrations. The BSI attributed the attacks to Killnet, the hacktivist group that's functioned as an auxiliary to Russian security and intelligence services. The agency found the attribution difficult given Killnet's practice of broadcasting a call to hack that invites like-minded people to join in but concluded that the attacks were indeed the work of Killnet. As has generally been the case with earlier operations by the DDoS specialists, Killnet's attacks were quickly contained, produced minimal disruption and amounted to little more than a nuisance. The cyberattacks appear to have continued Russia's policy of punishing Germany for its decision to deliver Leopard 2 tanks to Ukraine. 

CISA releases eight ICS advisories.

Dave Bittner: We conclude with some advisories from the U.S. Cybersecurity and Infrastructure Security Agency. CISA released eight industrial control system advisories yesterday.

CISA also adds an entry to its Known Exploited Vulnerabilities Catalog.

Dave Bittner: CISA also added CVE-2017-11357 to its Known Exploited Vulnerabilities Catalog. Federal civilian executive branch agencies have until February 16 to check their systems and apply updates per vendor instructions. So feds, get patching.

Data Privacy Day is Sunday.

Dave Bittner: One last note before we go - this has been Data Privacy Week, and it all wraps up with this Sunday as Data Privacy Day. We'll be publishing a full set of advice and reflections from industry experts this afternoon. Keep an eye on thecyberwire.com, and greetings to all of you on the occasion. May what should be private stay private, and be careful out there. 

Dave Bittner: Coming up after the break, CrowdStrike's Adam Meyers has insights on the Hive ransomware gang takedown. Our guest is ExtraHop CISO Jeff Costlow with insights on nation-state attackers in light of the ongoing Russian military operations. Stay with us. 

Dave Bittner: The war that Russia is waging against Ukraine drags on, and that leaves many wondering what the long-term impacts may be for the global cybersecurity landscape. Jeff Costlow is chief information security officer at ExtraHop, and I spoke with him about the outlook for security professionals this year. 

Jeff Costlow: We find ourselves in a shifting political landscape with all these actors. If you're previously aligned with Eastern Bloc countries, however you're working on that, things have changed a little bit. Power dynamics have definitely changed. And you might be - like, just even as a citizen, right? I feel like a lot of the attacks right now are coming from groups, cyber groups who are getting together to do - to, you know, just to try and take over things or cause nuisance to other countries that they're not necessarily aligned with, maybe to curry a little bit of favor. A lot of these groups are out there just conducting cyberattacks, somewhat of a nuisance, and I expect in 2023 that these will ramp up a little bit. If you need to curry favor with a new geopolitical ally out there, well, what can you do? You can, you know, do some - in the old times, they called it privateering, where you would actually go off and you were under the blessings of a state, but not necessarily noticed anywhere. 

Jeff Costlow: And I feel like that's a lot of what's happening right now, is small groups under the auspices - well, we - as long as we do it against other countries, it's going to be OK. We're not going to get prosecuted for it, and we'll see what happens. And I think those actors are getting a lot more sophisticated because they have had the opportunity to have some free rein in some of these countries, and that's where I suspect that some of these attacks will ramp up, and some ransomware groups or groups who are just dedicated to committing nuisances are going to get better and better as their tools evolve. And that's a natural thing, that their tools will evolve and get better. So that's where we find ourselves early this calendar year, I think. 

Dave Bittner: Are there things that you and your colleagues there at ExtraHop are tracking specifically? Are you seeing any shifts with the various data that you all keep tabs on? 

Jeff Costlow: We've noticed a few upticks shortly after the attack, like most other people. Shortly after the physical attacks started, we've noticed a bit of things. But what - essentially what we're seeing is a lot of work towards, again, sort of nuisance attacks and some of these low-level attacks that are constantly there. They're just ramping up a little bit, and they do seem to be coming from different areas. And it's hard to distinguish some of the dedicated attacks and prototype attacks. These groups are getting better at it, trying to figure out what and how they're going to do or how they're going to conduct future attacks, and so you see some of these things, and it's a little hard to detangle what is the beginning of attack and what is a real attack given the resources that some of these groups have. 

Dave Bittner: Are we seeing that any of these groups are distracted by what's going on between Russia and Ukraine? In other words, you know, perhaps they don't have the bandwidth for their criminal activity because they're taking care of things for their homeland. 

Jeff Costlow: I think that's exactly it. I think that, again, to curry some favor or to say that, you know, I want to align with this particular geopolitical ally, and I will - therefore, I will direct my resources towards whoever the enemy du jour is today to curry a little bit of political favor. And I think that those attacks are - or those attacks and campaigns are being waged in different areas. It's a little hard to tell where exactly those are aimed. From moment to moment as the alliances shift and as things kind of settle out, I think we might see more sophisticated actors dedicating their attacks in certain areas. 

Dave Bittner: For folks who have the responsibility of defending their own organizations, do you have any tips or words of wisdom for how they should be, you know, fine-tuning their own defenses given this reality? 

Jeff Costlow: There is a lot of low-hanging fruit out there. I believe that many of these attacks will be coming from dedicated resources. And if you think about, if my job is to be a nuisance or just disruption, not necessarily even to make any money - but if my goal is disruption of the enemies of my new allies, there's a lot of things you can do, and there's a lot of older infrastructure. This is one of the things that we see all the time, is old legacy infrastructure gets attacked. And if it hasn't been patched in a while and it's not up to date, as are many - an example might be, you know, transportation, if you could disrupt the trucking industry in a certain country or the shipping industry or the train or the rails or something like that. And many of those systems run on legacy systems. If you can disrupt that, you can do an awful lot of damage really quickly. And that's the goal of some of these actors. 

Jeff Costlow: And so my advice to any sort of defender is modernize as much as you can, get off some of the old legacy equipment. We've seen an awful lot of legacy protocols out there that should have been discontinued years ago - Telnet or SMBv1 being used across the internet and things like that. These are just too easy to disrupt and attack and take over. And I expect as these groups get better and better, they will be targeting some of these legacy protocols with some attacks that have been known for quite some time. And these could have a large consequence on anybody who hasn't modernized their infrastructure. 

Dave Bittner: That's Jeff Costlow from ExtraHop. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: Continuing our coverage of the FBI's takedown of the Hive ransomware group, earlier today, I spoke with Adam Meyers, head of intelligence at CrowdStrike, for his insights on the operation. 

Adam Meyers: Well, I think ultimately, it's good when we see an adversary get disrupted. But, you know, one of the things that we have to be careful of with this is that while it is a setback, they will still continue to probably operate, right? There were no arrests or anything like that. So they'll probably figure out a way to get back up and running in relatively short order. 

Dave Bittner: Can you give us some of the background here on this particular group, the things that you and your colleagues there at CrowdStrike have been tracking? 

Adam Meyers: Absolutely. So we've been tracking them since mid-2021. And they are known for hosting something that we call a dedicated leak site. And what that means is that they are doing data extortion. And they'll steal sensitive information from a target, and they will threaten to release it if they don't get paid. And when that ultimately happens, that is kind of how they generate their money. But they also are obviously tied to ransomware as well. There's a notorious ransomware known as Hive ransomware, which is used to encrypt files. So it's a kind of combination of both the encryption of the files and then the extortion of the data, the weaponization of the data. 

Dave Bittner: When you look at the information that the FBI, the DOJ, the Secret Service and some partners, friends in Europe have published about this, there are some interesting aspects here that - it seems to me like FBI had access to some behind-the-scenes stuff with Hive for quite some months now. 

Adam Meyers: Yeah, it seems that there were some servers that were being hosted here in the U.S. that the FBI was able to get access to. And in addition to monitoring the threat actor, they were able to even recover some of the cryptographic keys reportedly. 

Dave Bittner: From your perspective, is it surprising that Hive wasn't on to that, that the FBI could have been in there doing their things and, from what we see here, doing so undetected? 

Adam Meyers: Well, I mean, it is a lot of work to maintain the infrastructure and to, you know, have enterprises, have security operations centers. And they have IT security personnel that are just focused on protecting the enterprise. An organization like Hive doesn't necessarily have those resources. They are kind of more operating in offensive mode. So they - it's entirely likely and certainly it is evidenced by what happened yesterday that they weren't paying attention to that. 

Adam Meyers: And one thing to think about with Hive is that this is what we call ransomware as a service. And so they are operating the backend platform, and then they have a number of affiliates that will use that platform to conduct their ransomware activity. By affiliate, I mean somebody that is going to - they decide they want to be engaged in ransomware. So they seek out groups like Hive. They get access to the platform, which gives them the ransomware tool, and in many cases, the data leak site, which is run by Hive. And in some cases also these ransomware-as-a-services also run the negotiation portal for the - negotiating with the victim. And these affiliates, for the privilege to use the platform, they typically pay 15 to 20% on the ransom demands to the Hive group. So they kind of get a piece of each ransom that runs through their platform. And they also have to pay a fee, kind of like a platform fee to even have access to the platform. 

Dave Bittner: How big a player is Hive here when you look at the global ransomware market? Where do they sit? 

Adam Meyers: They - you know, it oscillates. We have quite a bit of coverage in our - one thing that we call the e-crime index. But also there is - through our - we have intelligence reporting that shows kind of the changes week over week for our customers. And so, you know, Hive - and this varies from week to week, obviously. But, you know, I can tell you that, you know, in the most recent week, that Hive didn't really play as big of a role as some of the other ones - LockBit, ALPHV or Alpha, as we call it, also known as BlackCat, and Royal were some of the ones that were way more active in the last week. And this changes week over week. Sometimes these affiliates will move between different platforms, different ransomware-as-a-service platforms. So, you know, it's kind of tracking the platform is part of what we do, but also tracking those affiliates and which platforms they're using is also important. 

Dave Bittner: To what degree do you think that this affects that global ransomware market? I mean, are some of the other ransomware-as-a-service providers looking over their shoulders a little more intently now? 

Adam Meyers: I mean, I imagine that they're probably doing some hard thinking. One, about hosting any infrastructure in the United States, because that clearly probably was a factor here. But also looking at how can they better secure their platforms and their systems. But, you know, I think also they're more focused on generating revenue. Something like this may be a setback, but it's, you know, not necessarily fatal. As I said earlier, if there were no arrests, then, you know, they're still out there, they're still operating, and they'll rebrand and they'll figure out a way to get past this. And, you know, I think a lot of their affiliates, as long as it didn't impact their ability to make money, probably don't care that much. 

Dave Bittner: Adam Meyers is head of intelligence at CrowdStrike. Adam, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Roya Gordan from Nozomi Networks. We're discussing vulnerabilities in BMC firmware that affect IoT and OT device security. That's "Research Saturday." Check it out. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.