The CyberWire Daily Podcast 2.3.23
Ep 1753 | 2.3.23

Cyberespionage, and ransomware as misdirection. A new Python-based supply chain attack. Traffic on the Static Expressway. KillNet continues to plague hospitals. And Telegram may be compromised.


Dave Bittner: CISA has released six ICS advisories. A look at a North Korean cyber-espionage campaign. ChatGPT and its attack potential. A new Python-based supply chain attack. There's traffic on the Static Expressway. ClickFunnels are seen and used for redirection. KillNet continues its campaign against hospitals. Ransomware as misdirection for cyber-espionage. Part two of my conversation with Kathleen Smith from discussing trends in the cleared space. Our guest is Eric Bassier of Quantum talking about the multilayered approach to ransomware protection. And Russian surveillance extends to Telegram chats.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 3, 2023. 

CISA has released six ICS Advisories.

Dave Bittner: We start today with a quick look at some patches that came out yesterday. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, released six industrial control system advisories on Thursday. They cover equipment primarily from Delta and Mitsubishi. It's the old familiar drill. Operators should review their systems and apply the patches in accordance with the vendor's instructions.

North Korean cyberespionage campaign.

Dave Bittner: Researchers at WithSecure are tracking a campaign by North Korea's Lazarus Group that's targeting health care research, a manufacturer of technology used in energy research, defense and health care verticals, as well as the chemical engineering department of a leading research university. One of the targeted health care research organizations was based in India. The attackers compromised their targets using known vulnerabilities in unpatched Zimbra platforms. The researchers believe the threat actors' motive is cyber-espionage. It's safe to assume, given the targeting and the Lazarus Group's involvement, that the kind of espionage in question is industrial. 

ChatGPT and its attack potential.

Dave Bittner: A survey by BlackBerry has found that 71% of IT professionals believe that nation-state actors are already using ChatGPT to assist in launching cyberattacks. BlackBerry says ChatGPT's ability to help hackers craft more believable and legitimate-sounding phishing emails is the top global concern at 53%, along with enabling less experienced hackers to improve their technical knowledge and develop more specialized skills and its use for spreading misinformation. The majority of respondents believe that ChatGPT still has more potential for good than for evil, although 95% of them think governments will need to regulate these types of advanced AI tools. 

New Python-based supply chain attack.

Dave Bittner: Researchers at Fortinet have discovered a malicious PyPI package called web3-essential that will download a malicious executable. The malware appears to be designed to steal login credentials and payment card information from browsers, including Google Chrome, Microsoft Edge and Firefox. The researchers note that the package was published on the same day that its author joined the repository and that, given the frequency of this pattern of simultaneously joining and publishing, it may be a wise idea to take precautions when downloading packages published by newly joined authors. 

Traffic on the Static Expressway: ClickFunnels seen in use for redirection.

Dave Bittner: Avanan has released a report detailing a campaign leveraging ClickFunnels to bypass security measures. ClickFunnels is described as an online service that helps entrepreneurs and small businesses generate leads, build marketing engines and grow their businesses. Ill-meaning actors are taking advantage of the service's capability to create webpages and are creating malicious pages with redirects to malicious links. Targets receive an email requesting the review of a file, providing a document review link. The email link opens a falsified OneDrive page with a get-document button that redirects to a credential harvesting page. This incident is a textbook example of the static expressway - hackers leveraging the legitimacy of sites for hidden, malicious purposes. 

KillNet continues its campaign against hospitals.

Dave Bittner: Becker's Hospital Review reports that Killnet has continued its attacks against hospitals in countries deemed hostile to Russia. The attacks - distributed denial-of-service attacks, for the most part - have afflicted medical organizations in the U.K., the Netherlands, the U.S., Germany, Poland and the Scandinavian countries. Why hospitals, one might ask. Probably because they're wreckable - that is, because they have large, difficult-to-defend attack surfaces. And then there's the possibility of terrorism they present. Interfere with them, and you'll frighten people. Killnet isn't discriminating, and it isn't sophisticated, but it's communicating. Be afraid is the message, and it's precisely the message Killnet's masters in the Russian intelligence service are interested in communicating. 

Ransomware as misdirection for cyberespionage.

Dave Bittner: Other cases that touch Russia's hybrid war are more complicated. The Russian-speaking ransomware gang LockBit continues its financially motivated campaigns, most recently against financial tech firm ION, where, Computing reports, the gang has demanded that it be paid by tomorrow. Canada's Communications Security Establishment warned that LockBit will almost certainly remain an enduring threat to both Canadian and international organizations into 2023. LockBit has taken care to position itself as a simple, apolitical criminal organization and not a cyber auxiliary working under Russian state supervision. But it certainly operates with the permission of and at the sufferance of the Russian government. And the relationship with that government is complex and imperfectly understood. Le Monde Informatique, for one, argues that not only Russian, but North Korean and Chinese services as well, are using ransomware as a cover for cyber-espionage. 

Russian surveillance extends to Telegram chats.

Dave Bittner: And finally, it may be that some platforms aren't as private as their users might hope. Telegram, a platform that's enjoyed a reputation for anonymity, seems to have been penetrated by Russian security services. WIRED reports that dissidents have been receiving police attention that seems to be accounted for only by Telegram's cooperation with the authorities. Chat with due caution, Telegram users. Some of the folks you've been chatting with have had their doors kicked in. And that probably is, as Pravda used to say, no accident. 

Dave Bittner: Coming up after the break - part two of my conversation with Kathleen Smith of, discussing trends in the cleared space. Our guest is Eric Bassier of Quantum, talking about the multilayered approach to ransomware protection. Stay with us. 

Dave Bittner: Digital backups have been around as long as we've had computers. I can remember making multiple copies of programs I'd written using cassette tapes back in the day and, later, floppies and external hard drives. And of course, today, there's a focus on the cloud. There is that old saying that history may not repeat itself, but it sure does rhyme. Eric Bassier is senior director of products at backup storage vendor Quantum, and I spoke with him about the renewed interest in tape backup systems. 

Eric Bassier: One of the longtime best practices in data protection was called a 3-2-1 data protection approach. And, I mean, this goes back, you know, 15 years or 20 years or more. And the 3-2-1 data protection approach calls for having three copies of your data. So you would want one primary copy of that data and then two backup copies, effectively. And you would want to have those three copies on two different types of media, and you would want to have at least one of those copies be off-site, OK? And that was for disaster recovery purposes. And so the 3-2-1 rule has been a longtime kind of best-practice rule - so three copies of your data, two different types of storage and then make sure at least one of those copies is off-site. 

Eric Bassier: Well, recently, both Quantum and other, you know, data protection vendors in the industry are kind of talking about a 3-2-1-1 multilayer data protection strategy, where it's three copies of data, you know, on two different types of storage, and we'll talk a little bit more about that. One of those copies should be off-site, but one should be offline, you know? One - and that's that last one that gets added. So the multilayered approach now is talking about - make sure you've got a copy of your data off-site. You know, in the event that there's a localized disaster and you need to recover, make sure you have one copy that's offline so that, if you do get hit with a ransomware attack or some different types of, you know, malware or cyber threats, you can recover a pristine copy of that data and, you know, get back to business quickly. 

Dave Bittner: And what are some of the available strategies there for storing data offline these days? 

Eric Bassier: Kind of interesting things we've seen in our own business and that we're seeing from our customers is a lot of large enterprises and even large cloud providers are turning to kind of a retro technology, which is digital tape - LTO tape. Tape is unique in that, you know, unlike disk-based storage systems or flash-based storage systems, tape storage systems, by their nature, are physically air-gapped. The data itself is stored on a magnetic tape, and it is physically separated from the device that's connected to the network, which in this case is a tape drive. 

Eric Bassier: And so we've had a lot of our customers - even those that have totally gotten rid of tape in their environment - looked at it now and with the - you know, again, strengthening cybersecurity being a top priority, they're starting to add tape into their environment and make a copy of data on tape. And that really serves as that copy that is - it's truly offline. So it's interesting that we've seen a bit of a reversal in the perception of it, where I think, for many years, tape was perceived as maybe not as relevant - you know, maybe a tertiary copy or something. But I think now it's being seen as increasingly relevant as a way to combat kind of this threat of - the cyber threats that are out there. 

Dave Bittner: You know, I'm an old video guy. I - admittedly, it's been probably at least a decade or so since I was in that world. But I remember there being, you know, tape robotic systems, where the tape - the swapping of the tapes was pretty much an automated sort of thing. Is that still in play? 

Eric Bassier: You know, like all other enterprise data storage technologies, the technology for that has evolved quite a bit. So I talk to a lot of customers and maybe old tape, you know - or people that use tape many years ago. And in their minds, they picture this huge, you know - I don't know - refrigerator-sized thing. 

Dave Bittner: Right. 

Eric Bassier: Right now, you know, we can - you know, small rack-mounted device, tape robotic system - three rack units can hold, you know, 50 tapes. So with current tape capacities, you're talking about, you know, well over a petabyte of data, you know? So even for smaller businesses, you know, it's a pretty small investment, pretty small footprint, and you can get that offline protection. 

Dave Bittner: And where do we stand in terms of speed? You know, obviously, tape is linear in its very nature. But, you know, if I want to restore my systems, I want to do it as quickly as possible. What's the state of the art there? 

Eric Bassier: Yeah. The tape drives - which are the device that can really read and write the data on the tape - the currently shipping generation is LTO-9, so that's the ninth generation of tape drives. And with each generation, the streaming performance of the tape drives has more or less doubled, you know? So like hard drives, like flash drives, we continue to improve the performance of the tape drives as well as the capacity of the tapes themselves. 

Eric Bassier: When I think about restoring from tape, I would generally say it will take, I would say, minutes to recover data from a tape robotic system. And, you know, obviously, it depends a lot on how much data you're recovering, how big is the data set, but it generally takes one to two minutes to load the tape, to rewind the tape and kind of get to that first bit of data. Once that happens, the tape drives can actually stream a huge amount of data very quickly. So, you know, that is - it's a consideration with tape. It does - it will take, you know, minutes to recover a small amount of data from tape. And, you know, if you have a huge amount of data to recover, it may take some time. But, yeah, that gives kind of a general sense of what to expect, anyway. 

Dave Bittner: Right. No, it's a mindset shift. I mean, and I'm - sort of experienced it in real time - that you're still not putting all your eggs in one basket but you're - it's a different way of distributing the risk than I think a lot of us have grown accustomed to. 

Eric Bassier: Yeah. And it's - you know, we started kind of talking about a multilayered data protection approach. I mean, I think that that's what we advocate. I think that's what is a best practice in the market. I think tape should be part of those multilayered data protection infrastructures. And, you know, I've had a lot of these sorts of conversations in the last two or three years, including - Quantum has done some webinars with an ethical hacker. You know, he now recommends this to all of his clients because he - you know, he was trying to figure out how to hack into a system like this. And he's - you know, he's stumped. He can't figure it out. So I do think it's - you know, what is kind of retro has become really relevant just because of some of its properties. And I don't want to gloss over - I think Quantum has really led the way here in terms of innovation in some tape software features that allow us to create that. In a sense, it's - kind of an immutable data vault, you know, is really what we've created with our systems. 

Dave Bittner: That's Eric Bassier from Quantum. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects," where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Kathleen Smith. She is the chief outreach officer at Kathleen, it's always great to welcome you back to the show. You know, in our previous segment, we were talking about some of the things that you've been tracking in the cleared community and helping folks find jobs - all that sort of thing. There were a couple of items that we didn't have time to get to, so why don't we just pick up there? What are some of the other things that you're looking at here? 

Kathleen Smith: One thing that I'm really noticing is a lot of people are looking at their overall career progression within the security cleared community. And I'm noticing that a lot more people are wanting to go into government work to be - work - excuse me, work specifically for government agencies to improve business processes and to also expand their overall career experience. I know several people, predominantly women, who are going from corporate world within the government contracting space into working for government agencies to build their experience, build their relationships and really bringing corporate experience to solve some of these difficult problems. 

Kathleen Smith: There was a very heated discussion today on LinkedIn about how, shall we say, backwards recruiting is within the government space - maybe specifically a jobs platform within the government agency space that is just not up to standards that we see in the corporate world. And I've seen a lot of people who are - who have been human resource professionals and government contract recruiters say it's time to take the leap, go into government agencies and really try to understand what the problems are and turn them around and see if we can speed up that process. As we know, that might take a little bit longer than just a year or two. 

Dave Bittner: When we say backwards, though, what exactly are people getting at here? 

Kathleen Smith: The application process to go in for a government agency is extensive. It's more extensive than you would find it for any company within the government contract space. And it is its own identity, as far as the kind of questions they ask. And it really doesn't go toward the skills that people need to do the work. It's more to fill out the bureaucratic dots and cross the t's and stuff like that. I'm sorry. I'm fumbling that one a little bit, but... 

Dave Bittner: You're being diplomatic (laughter), which I appreciate. 

Kathleen Smith: I'm trying to. I'm trying to - not trying to get myself out... 

Dave Bittner: No, I appreciate that (laughter). 

Kathleen Smith: I think it's also that, when I've talked to people, they've really said that it's not about recruiting talent. It's more about managing the bureaucratic process. And I think, when we're talking about making sure we have the best talent working for the government to support the mission, we need to make sure that we're doing a recruiting process, which is a conversation and an engagement, rather than making sure people are going through the specific paces to fill a job. 

Dave Bittner: Right. 

Kathleen Smith: The other thing that I'm seeing, which, you know, is something I enjoy seeing but I wish would speed up a little bit more is that there is a definite relationship between recruiting and business development within government contracting. And we frequently hear of government contractors not winning their recompetes or not winning proposals because they don't have a very competitive contract or a very competitive proposal they put through. And our recommendation is always make sure that you're talking to your recruiting department when you're going through your contract proposal process because, one, the recruiters will give you what the labor market categories are, and can you really find this talent? You know, I love salespeople. I love my salespeople, but, you know, they tell someone you can - we can get all of this. And then, when they go back to their recruiter... 

Dave Bittner: Right (laughter). 

Kathleen Smith: ...And the recruiter says, there's absolutely no way I can get a Java programmer with the full scope poly for $35 an hour. So... 

Dave Bittner: Right, right. 

Kathleen Smith: ...You know... 

Dave Bittner: We lose money on every employee, but we make up for it with volume (laughter). 

Kathleen Smith: Yes, yes. So I think the theme is I'm enjoying the fact that we're cross-pollinating between the corporate and government contracting space, and we're cross-pollinating between recruiting and business development. You know, when you're in an industry for over 20 years, you sort of wish some things would happen, and you sometimes have to stick around long enough to see them happen. But it's really great to see it. 

Dave Bittner: Yeah. It's interesting, you know, to your first point about the processing - the hiring process itself. I mean, it strikes me that there are already a lot of challenges of getting people into government space when it is so competitive in the private market. And we hear, you know, so many people leaving the government because of the opportunities in the private market. So any barriers you could remove there is going to be helpful, right? 

Kathleen Smith: It would be really great if we could remove some of these barriers. And it's a mentality that is there within the government agencies, not just the processes. And I think it's going to take more than just someone flipping the switch and making the government job board a little bit more effective. It's going to be taking the entire process and changing it. Now, I have seen some highlights or some areas where people have really changed this. Department of Homeland Security sort of started its own internship process and started its own hiring program. Several of the other agencies have said, you know, it's - the system is not moving fast enough. We need to do something on our own. And they do get approval to do it on their own. The challenge is that not everybody knows this. But the other challenge is that they still have to submit through the government job board, which I think is the biggest problem. And that's just a personal opinion. 

Dave Bittner: Yeah, yeah. All right. Well, Kathleen Smith, thank you for sharing your insights, as always. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at Be sure to check out this weekend's "Research Saturday" and my conversation with Tom Bonner and Eoin Wickens from HiddenLayer's SAI team. We're discussing their research on weaponizing machine learning models with ransomware. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.