The CyberWire Daily Podcast 2.9.23
Ep 1757 | 2.9.23

Cyberespionage, from war floating to phishing. An update on ESXiArgs. Fresh sanctions against ransomware operators, and more takedowns may be in the offing.


Dave Bittner: War-floating; a phishing campaign pursues Ukrainian and Polish targets. Pakistan's navy is under cyberattack. A new criminal threat actor uses screenshots for recon. ESXiArgs is widespread, but its effects are still being assessed. The U.K. and U.S. issue joint sanctions against Russian ransomware operators. Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox discussing IoT security segmentation strategies. And is LockBit next on law enforcement's wanted list?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 9, 2023.


Dave Bittner: Examination of debris from the Chinese balloon the U.S. Air Force shot down off Myrtle Beach earlier this week continues. But the U.S. State Department has announced that the balloon was a surveillance system. The New York Times reports that it was a floating collection platform. Specifically, it was engaged in collection of signals intelligence, a capability that became known to the U.S. before the balloon was shot down and its wreckage recovered. Close flyby inspections by U-2 aircraft were able to determine that the Chinese system was set up for SIGINT as the balloon made its leisurely way from Montana to South Carolina. The U.S. statement said the balloon's payload included antenna arrays likely capable of collecting and geolocating communications. And the craft packed enough solar panels to drive a large set of electronic sensors. All of this, the U.S. pedantically explained, was clearly for intelligence surveillance and inconsistent with the equipment on board weather balloons. The State Department, rather legalistically and humorlessly, observed that any company that made and operated the balloon was surely closely connected with the Chinese government. 

Phishing campaign pursues Ukrainian and Polish targets.

Dave Bittner: Ukraine's State Service of Special Communication and Information Protection State Cyber Protection Center - we'll just call them the SSSCIP - reports that a Russian cyber-espionage campaign is phishing for targets in the Ukrainian and Polish governments. The SSSCIP writes, UAC-0114, also known as WinterVivern, is a group of undefined individuals where Russian-speaking members are present, highly likely, whose activity targets the European government entities. Their recent campaign targeted Ukrainian and Polish government organizations, taking advantage of fake webpages impersonating the legitimate web resources of the Ministry of Foreign Affairs of Ukraine and the Central Cybercrime Bureau of Poland. The adversary TTPs are quite common and known for using email subjects related to malware scanning and benefiting from PowerShell scripts execution. 

Pakistan's navy comes under cyberattack.

Dave Bittner: BlackBerry blogged today about a new threat actor they've called NewsPenguin seen targeting Pakistani organizations using the upcoming Pakistani Navy's International Maritime Expo and Conference as a phishing lure. The actor attaches a malicious document utilizing a remote template injection technique and embedded malicious Visual Basic for Applications macro code to deliver the next stage of the attack, which leads to the final payload execution. The eventual payload contains an XOR-encrypted penguin encryption key, as well as the content-disposition response header name parameter set to getlatestnews during the HTTP response, both of which contributed to the name given to the actor by the researchers. BlackBerry says NewsPenguin is a previously unknown threat actor, relying on unseen tooling to target Pakistani users and potential visitors of the Pakistani International Maritime Expo and Conference. There's no attribution so far, but BlackBerry thinks that NewsPenguin's motivation is espionage and not profit. 

New criminal threat-actor uses screenshots for recon.

Dave Bittner: Proofpoint reported yesterday on the activities of a threat actor they're tracking as TA866. They call the activity, first observed in October of last year, Screentime, and Proofpoint says it starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer. Proofpoint designates TA866 as an organized actor able to perform efficient and effective tasks, given the resources at the group's disposal. 

ESXiArgs: widespread, but effects still being assessed.

Dave Bittner: A new version of the ESXiArgs ransomware appears to prevent data recovery via flat files. BleepingComputer reports that a second wave of the ransomware campaign began yesterday and that ESXiArgs developers have updated the malware to encrypt flat files. This means that the data recovery script released by CISA will likely no longer work on servers infected with the updated version of ESXiArgs. BleepingComputer adds that servers infected earlier may still be recoverable by using CISA's tool. CISA yesterday issued a guide for using the script. The Washington Post notes that the ESXiArgs campaign appears to have had a somewhat muted impact compared to earlier widespread ransomware or pseudo-ransomware campaigns such as WannaCry or NotPetya. Italy's National Cybersecurity Agency says, according to Reuters, that it's unclear who's behind the campaign. In particular, there's no obvious involvement of a state actor. 

UK and US issue joint sanctions against Russian ransomware operators.

Dave Bittner: This morning, the U.S. Treasury Department's Office of Foreign Assets Control and the U.K.'s National Crime Agency jointly sanctioned seven members of a gang that's operated the Trickbot malware. The individuals sanctioned are also involved with the Conti and Ryuk ransomware strains. The National Crime Agency says the seven cyber criminals are now subject to travel bans and asset freezes and are severely restricted in their use of the global financial system. The U.S. Treasury Department drew particular attention to the way the Russian government has long provided a safe haven for cybercriminals. The U.S. Treasury Department said, in part, Russia is a haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the U.S., the U.K. and allies and partners. These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K. Last month, Treasury's Financial Crimes Enforcement Network identified a Russia-based virtual currency exchange, Bitzlato Limited, as a primary money laundering concern in connection with Russian illicit finance. 

Is LockBit next on law enforcement’s wanted list?

Dave Bittner: These sanctions represent another action against ransomware, coming as it does on the heels of the international effort to disrupt the operation of Hive. There may be others to follow. CyberScoop reports some informed speculation that LockBit may be the next high-profile target. The Russian gang tooted its apolitical horn early in Russia's war against Ukraine, when many of its criminal colleagues were signing up as cyber auxiliaries for Moscow's organs. Yet it's been functioning effectively as a privateer, objectively at least supporting Russia's war effort. LockBit's been doing some woofing about the Hive takedown. Representative is a tweet shared via VX-Underground in the last week of January, stating, nice news, I love when FBI pwn my competitors - which is one way of looking at it. But LockBit's gotten bigger and more irritating even as it's grown cockier. So good hunting, FBI, Interpol, Europol, NCA, and every police agency in Europe and North America. 

Dave Bittner: After the break, Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox discussing IoT security segmentation strategies. Stick around. 

Dave Bittner: IoT devices giveth, and IoT devices taketh away. They can add functionality and convenience but also expand your organization's attack surface. Denny LeCompte is CEO at security firm Portnox, and I reached out to him for insights on IoT security segmentation strategies. 

Denny LeCompte: A lot of these devices are built to be cheap. They are not built to be secure. They're - you know, there's a, like, a manufacturing run, and they will ship these things, and there's maybe no security at all. It's gotten a little better, but that's from terrible to merely bad. It's not good at all. Right? You've got - you know, devices will be shipped with a blank password, a blank admin password. So if someone were to move into your - somehow get access to your network, they can log onto these things. And some of them are basically Linux computers so that it is possible for somebody to use that as a kind of base camp to then make other lateral moves to get to more interesting things. They don't really want your camera, but your camera is a beachhead into your network, and they can use that. So it is a real security threat and especially just because they are really not built for management the way a laptop or a server or firewall is. Right? So that's the problem for IT pros everywhere. 

Dave Bittner: Well, can you walk us through what the process is like when someone decides they want to do this? What's the best way to go about it? 

Denny LeCompte: Well, one of the first challenges, if you're going to do it, is figuring out what the heck is on your network. That's much more difficult than you would think, mostly because devices don't just sort of raise their hand and say, this is what I am. So typically, you have to do some sort of fingerprinting of the devices. And there's lots of ways to do this. There are some ways that are - can be intrusive where there's lots of scanning to figure it out. We all refer to it as fingerprinting because what you're trying to figure out is, from things about this device, like, what are the unique characteristics that tell me that this is, you know, a Sony Television or Vizio or, you know, that it's this particular model? That's what you want to know - what's on my network? - because if you can't identify, securing becomes very difficult. And how do I segment? How do I put the cameras over here and the, you know, TVs over there if I don't even know which is which because they're just a bunch of dumb IP addresses? 

Denny LeCompte: So you've got some intrusive, sort of aggressive scanning methods. You've also got some more passive scanning methods. You could do things like DHCP gleaning where, it turns out, the way a network device makes a DHCP request is often pretty unique, especially if you combine it with other things like MAC addresses. So there are databases full of MAC addresses. I mean, there are folks who - that's what they've done. They will go. They have, like, a whole run of MAC addresses that are assigned to a model of a particular device and so that you can then take the MAC address and sort of make a guess, and then if you combine it with DHCP information and maybe other information that it's - that as it kind of talks in the network, it reveals what it is. 

Denny LeCompte: So, like, our company has a - you know, is able to get, like, 95% accuracy. Like, other vendors can do this as well trying to figure out what it is. Once you know what it is, then you can set up your network so that you have, again, different - you know, different VLANs, different sections of your network that are very limited. And there is no reason that the - you know, the things that are in the - like, all the hand scanners don't need access to anything else in the network. So you can really constrain what they can do. 

Dave Bittner: How do you make sure that you're not inadvertently introducing any sort of friction for your employees here? 

Denny LeCompte: Well, that's where you need some sort of access control solution because if you make this too manual - right? - there would be an approach where you just manually do this. You're going to introduce a lot of friction because then, you know, that manual process is going to make it very difficult for everybody to log on. So you need some automation here. You need to be able to set up your devices so that all your laptops and users - probably you want to use certificates, digital certificates that sort of, like - that do raise their hand and say, this is what I am. I belong here. And you can compare them to, like, Active Directory or Google Workspace or some sort of other LDAP directory so that all of your users just get on invisibly. And so then it's IT's problem to worry about the devices. 

Denny LeCompte: And ideally what you want is to be able to do that fingerprinting and then have, you know, an access control policy that says, you know, only devices of this make and model are going to be allowed. And then the others won't. But if I can't quite tell what you are, then I'm going to put you in a quarantine VLAN, which is, you know, very restricted. And then you can maybe handle that manually. But you really have to have a lot of automation to make this possible at all. 

Dave Bittner: Are there any common pitfalls that you can help people avoid here, mistakes people make when trying to set something like this up? 

Denny LeCompte: To be honest, the biggest one we see is that people just think it's going to be hard, and then they don't do it. The number of customers we talked to have, you know, very little segmentation at all. The number of things that, you know, have wide access is much too high. So the main thing is you're going to need some sort of software solution. And probably the most common is people get things that are maybe more trouble than they're worth. They can nominally solve the problem, but in practice, it's so much trouble that they - again, they end up simplifying because they can enable simple policies to do what they want. So the thing that we would recommend to folks is to find a solution that has really low overhead, that - once you set it up, everything is just going to sort of happen in the background. And there's not going to be a lot of maintenance on your part. We have found, you know, cloud-based solutions are usually going to be much lower-maintenance in this regard than anything on premises. 

Dave Bittner: That's Denny LeCompte from Portnox. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it is always great to welcome you back to the show. We have seen several stories about folks going after power substations with guns and bullets and things like that. In fact, as you and I are recording this, there were a couple of gentlemen from Tacoma, Wash., who've been charged in an attack on a power substation. The story seems to indicate that they were basically going for a misdirection for another burglary. But people look at this in the news, and they see a pattern, that people are going after these substations in ways they hadn't before. I wanted your insights on this. As somebody in this critical infrastructure world, what's your take on what's going on here and the degree to which we should be concerned? 

Robert M. Lee: Yeah, well, first of all, they're idiots. And second of all... 

Dave Bittner: (Laughter). 

Robert M. Lee: The idea of people shooting at transmission equipment, power lines, etc., is old, right? It's not a new thing. Every utility - most utilities have to deal with that or dealing with people jumping across the fence to kind of steal copper out of substations to go sell for meth or crack or something. Like, it's - honestly, like, I care a lot about the cybersecurity considerations, and those are more impactful. Those are more strategic. But everybody deals with idiots in the utility industry, and it may not seem like a fun topic, but it's a real one. And there's no joke when I say that. It's actually a pretty common issue. 

Robert M. Lee: And, you know, going back to the days of like, even Metcalf, when we had somebody take a .50 cal and try to strategically shoot out substations and transmission equipment, this has been happening for a while. Hell, if you go out in certain parts of the country, you'll find people do target practice against pylons and transmission lines as an example. Like, it's just really stupid stuff, and it causes a lot of money and cost to the utilities, which goes right back to the rate payers. And so it's just a bad thing for everybody. 

Robert M. Lee: Now, the reality is I think some of this - you know, in this case, it may be misdirection. But some of the reportings that we're hearing has a very close tie to what we're seeing in a broader picture of kind of misinformation and amplification and disinformation, of conspiracy theories and so forth. I mean, there was a whole - like, 5G is going to, you know, load vaccines into your body and kill your kids, you know, kind of stuff. And power utilities and power lines are very closely associated. Oh, look at that tower. They're monitoring us. 

Robert M. Lee: I mean, there's been cases - I remember years ago that it was required by regulation to put up cameras to monitor unmonitored substation equipment, right? Just from a safety and environmental perspective, a utility - if it's an unmanned - I shouldn't say unmonitored - unmanned substation like this recent substation, put up a little camera to be able to remotely view it. You know, by regulation, you got to have positive control over it. And I remember folks looking at that, going, that's the NSA, and they're spying on us, and then, like, going out and, like, tearing down the camera system. Like, what are you idiots doing? And so... 

Dave Bittner: Right. 

Robert M. Lee: You know, I don't want to position mental health as anything other than deserving attention. But some of this isn't mental health. Some of this is just instability by people staying on the internet too long and diving into forums and so forth. So anyways, not to go on too much of a rant, but the reality is it costs a lot of money. That cost is borne by all of society. It's not a new issue, but I do think we're entering a new era of it where access to disinformation and misinformation and the amplification of it is going to see utilities get targeted more as people associate big government utilities, 5G, you know, all this stuff together. It's an unfortunate situation. 

Dave Bittner: I was looking at an article from KIRO 7, which is a local affiliate in Tacoma, Wash., and this line caught my eye. They said the damage to the Tacoma power substations alone is estimated to be at least $3 million. Repairing a single damaged transformer could take up to 36 months. Does that track with your understanding? 

Robert M. Lee: Yeah, depending on what was done, the cost could be on the low side. It can very quickly go well above 3 million. But the time does seem to be a little on the high side, but it's possible, given supply chain issues. So normally people talk about replacing key transmission equipment taking six months. That's not entirely true. You know, I think people are a little sheepish to communicate the exact amount of time. But generally speaking, most of the transmission equipment that we rely on is not built in America anymore. And so you're relying on other countries, sometimes competitive countries, to resupply that equipment. And even if they're trying to be helpful, even if they're trying to work with you, that can be a nine-to-12-month process. And then you got to talk about, you know, being able to transport this key transmission equipment, which is usually going to be done by rail. And that takes time. And so, yeah, I think nine to 12 months to replace equipment is reasonable. I would say, again, with the supply chain issues that we're having, I could easily see that reaching into 18 to 24 months. Thirty-six, I'd have to understand more about exactly what equipment was shot up and why they're estimating 36. But again, when you're talking transmission equipment, if you're talking, like, transformers and so forth at that level, that transmission side of the house, that's a very long, very expensive process for sure. 

Dave Bittner: But it doesn't mean that the lights are going to be off for that long. 

Robert M. Lee: Oh, no. No, no, no. So this is - again, something I think a lot of people misunderstand about the electric system is the electric system is an incredibly complex - probably the most complex system humans have ever built. And there's a lot of redundancy built into it. Now, that's hard to believe when we see things like outages in Texas or you hear about the impacts of cyberattacks. It's like, well, how can that be? Well, there are weaknesses in the system, and smart understanding of that system can kind of find those pressure points. Again, one of the concerns about a cyberattack - everyone talks about, like, oh, we deal with hurricanes all the time. Cyber won't be that big of a deal. Yeah, but hurricanes don't choose their targets, and they're not strategic about it, and they don't come back, you know, sort of twice and hit all around the country at the same time. And so cyber as a tool can impact a heck of a lot more than weather and so forth. But weather and squirrels and idiots with rifles are a constant. And so it's a lower-impact, way-higher-frequency reality for these utilities. 

Robert M. Lee: But either way, going back to the discussion, the electric system itself - if you really don't know what you're doing, you would have to be astronomically lucky to be able to take down a decent portion of it, 'cause if a substation, as an example, goes down, we expect that to happen just from random things, if not weather events. So there's alternate routes. It's just like a network from a computer system perspective where there's different routes it can take across the environment. You might have localized outages. You might have a small town that can't get power restored for, you know, a couple of weeks at a maximum. But you're not dealing with months of outages, or you're not dealing with large portions of the electric system going down unless someone is strategic and thoughtful and kind of knows where those pressure points are. 

Dave Bittner: All right, well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.