The CyberWire Daily Podcast 2.14.23
Ep 1760 | 2.14.23

Blender is back, but now DBA Sinbad (still working for the Lazarus Group). Cyberespionage notes. Hacktivism. ICS threats. Valentine’s Day scams.


Dave Bittner: Blender reappears as Sinbad. A Tonto Team cyberespionage attempt against Group-IB is thwarted. DarkBit claims responsibility for a ransomware attack on Technion University. An overview of ICS and OT security. Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from "Afternoon Cyber Tea" speaks with Marene Allison about the CISO transformation. And it’s Valentine's Day - that annual holiday of love, chocolate, flowers and online scams.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 14, 2023. 

Sanctioned "Blender" reappears as "Sinbad."

Dave Bittner: You may remember Blender, a cryptocurrency mixer used by North Korea's Lazarus Group as a money laundering tool. It was effectively driven out of business in May of last year by U.S. Treasury Department sanctions. It has now, however, apparently been reconstituted, researchers at Elliptic report, under the name Sinbad, and it's once again at work for the Lazarus Group. Elliptic says Sinbad was launched in early October 2022 and, despite its relatively small size, it soon began to be used to launder the proceeds of Lazarus hacks. Tens of millions of dollars from Horizon and other North Korea-linked hacks have been passed through Sinbad to date and continue to do so, demonstrating confidence and trust in the new mixer. Like Blender, Sinbad is a custodial mixer, meaning that its operator has full control over the cryptoassets deposited within it. 

Tonto Team cyberespionage attempt against Group-IB thwarted.

Dave Bittner: Group-IB says its employees were targeted by a phishing campaign launched by the suspected Chinese threat actor Tonto Team. During the summer of 2022, Group-IB employees received phishing emails with malicious Office documents crafted with the Royal Road weaponizer, which is often used by Chinese state-sponsored actors. The emails were meant to deliver Bisonal.DoubleT, a strain of malware exclusively used by the Tonto Team. Group-IB's security solution flagged the emails as malicious. During their investigation, the security firm found that it had been targeted by the Tonto Team in 2021 as well. These attacks were also unsuccessful. The researchers note that most Chinese state-sponsored threat actors are focused on conducting espionage or surveillance. 

DarkBit claims responsibility for ransomware attack on Technion University.

Dave Bittner: Technion University in Haifa, Israel, fell victim to a ransomware attack that forced the shutdown of all of the school's communication networks on Sunday, The Jerusalem Post wrote. A new ransomware group, “DarkBit,” has claimed responsibility for the cyberattack, ARN reported today. The university tweeted Sunday, the Technion is under cyberattack. The scope and nature of the attack are under investigation. The group behind the attack, DarkBit, is asking for 80 Bitcoin - or approximately $1.7 million - from the university, with a threatened 30% increase in the demand if the ransom is left unpaid for 48 hours. DarkBit appears to be motivated by anti-Israeli or pro-Palestinian sentiment. The Israeli National Cyber Directorate confirmed that they were connecting with Technion University administrators to get a full picture of the situation, to assist with the incident and to study its consequences, The Jerusalem Post reported Sunday. 

Cyber phases of Russia's hybrid war.

Dave Bittner: KillNet, the prominent hacktivist group serving as an auxiliary of Russian intelligence and security forces, continues to attempt distributed denial-of-service attacks against NATO sites. Most of these have been of short duration and little effect, but there was some inconvenience caused to the Atlantic Alliance's earthquake relief efforts. The hacktivism has been far from one-sided. Dark Reading reviews the history of hacktivist actions rallied loosely around the hashtag #OpRussia. They've consisted largely of distributed denial-of-service attacks, defacements, media hijacking and data breaches. 

Dave Bittner: Ukrainian news reports that the U.S. Agency for International Development, USAID, will allocate $60 million to Ukraine in support of efforts to protect the country's infrastructure from cyberattacks. Attempted Russian cyberattacks against infrastructure have not been confined to Ukraine. Politico cites Dragos CEO Robert M. Lee to the effect that the Russian Chernovite threat group undertook preparations against roughly a dozen U.S. electrical and natural gas facilities early in Russia's war against Ukraine. Lee said, this is the closest we've ever been to having U.S. or European infrastructure - I'd say U.S. infrastructure - go offline. It wasn't employed on one of its targets. They weren't ready to pull the trigger. They were getting very close. He suggested that successful public-private cooperation played a role in protecting U.S. infrastructure. 

Dragos releases its ICS/OT Cybersecurity Year in Review for 2022.

Dave Bittner: Dragos has published its ICS/OT Cybersecurity Year in Review for 2022. The report found that ransomware attacks against industrial organizations nearly doubled last year, with 70% of these attacks targeting the manufacturing industry. The report states there were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of LockBit Builder and the continued growth of ransomware as a service. Dragos observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. 

Dave Bittner: The security firm also discovered two new threat actors in 2022 - Chernovite and Bentonite. Chernovite is the developer of Pipedream, an ICS attack framework that Dragos says represents a substantial escalation in adversarial capabilities. The framework was likely developed by a state-sponsored actor, but Dragos says it doesn't appear to have been deployed in the wild yet. Chernovite and its Pipedream tool are the ones seen in preparations for actions against U.S. infrastructure during Russia's war against Ukraine. Bentonite is a threat actor that's been opportunistically targeting maritime oil and gas, governments and the manufacturing sectors since 2021. Dragos says Bentonite conducts offensive operations for both espionage and disruptive purposes. Dragos, as a policy, doesn't attribute activity to particular nation-states, but the researchers note that Bentonite has overlaps with the threat actor tracked by Microsoft as Phosphorus, which Microsoft has tied to the Iranian government. 

Valentine's Day and romance scams.

Dave Bittner: And finally, it's Valentine's Day. Did you remember? If not, hit those e-commerce sites that offer immediate delivery of candy, flowers, articles of apparel and the like. And, hey, we reminded you. You're welcome. 

Dave Bittner: So again, today is the annual holiday of love, and the scammers are using that to their advantage. Bitdefender shared yesterday that just approximately 83% - or just over 4 out of 5 - Valentine's Day spam emails, on average, are scams. This statistic is pulled from Valentine's Day-themed spam emails analyzed by Bitdefender from January 22 through the 8 of February this year, with a considerable spike observed between the 6 and 8 of this month. English-speaking countries are by far the primary target of these attacks, with 45% targeting U.S. inboxes. Gifts and adornments for your loved one are a major subject of these emails, though people looking for love appear to be favorable targets as well. So love by all means, love, but with the mind as well as the heart. Sure, they may say that love may be blind, but we think maybe it's just squinting. 

Dave Bittner: Coming up after the break, Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from "Afternoon Cyber Tea" speaks with Marene Allison about the CISO transformation. Stay with us. 

Dave Bittner: Microsoft's Ann Johnson is the host of the "Afternoon Cyber Tea" podcast. And in a recent episode, she spoke with Marene Allison about the CISO transformation. Here's part of that conversation. 


Ann Johnson: I'm Ann Johnson. And on today's episode of "Afternoon Cyber Tea," I am joined by Marene Allison. Marene is currently an advisory board member for Covenant Technologies, which is a leading IT and cybersecurity staffing firm, and also advisor at Balbix, a leading cybersecurity posture automation platform. Prior to Marene's current role, she was the vice president and chief information security officer for Johnson & Johnson and has had a magnificent and storied career in the military, in intelligence and technology and in health and life sciences. Welcome to "Afternoon Cyber Tea," Marene. I am absolutely thrilled to have you on. 

Marene Allison: Oh, Ann, it's great to see you. 

Ann Johnson: What excites you about the technology we have today and the promise of the technology today? And on the flip side of that, what do you worry about? What do you think the criminals can do based on the technology we have - we are leveraging today? 

Marene Allison: I have seen technology change all the way from RACF and mainframe computing and no internet to internet, voice over IP. And it would be very easy for us in security to worry about all the gremlins that are going to be there. I think we have to understand how the gremlins might attack the technology. But if we were to do that, we'd still have rotary phones, and we'd have no connected computer devices. And we can't. We have to lean into the future, and especially as data and AI and ML become the way of the universe. 

Marene Allison: But think of what can happen. A doctor can read - I think I saw - 80,000 articles in their entire life. But can you imagine what a computer can read and all the data it can pull forward? So when - as we're trying to solve disease states, you're going to have to have this huge computing power that's going to be able to look at all this data and look at correlations like humans can never look at correlations. Yes, maybe with 5G or quantum computing, it's oh, somebody's going to crack encryption codes. Yeah, they will. It just is going to happen. Let's plan for it. And let's move to the future, where we can overcome that because, when you can use quantum for bad, you will also use it for good. In security and in health care and banking - all the different areas - it's going to help us as well as create a potential risk. But we've lived our entire lives. And for centuries, that's how people have lived. You see the new risk, and you move through it to protect. And that's what we do as cyber professionals. We get to come up with all those solutions now. 

Ann Johnson: What does it take to be a CISO today? There are some folks that feel like, being a CISO, you need to be deeply technical. There's other folks that believe you need to be a really great business person. But what are the requirements? What does it take today to be a CISO - to talk to the board, to talk to regulators, to even be external and talk to customers and partners? 

Marene Allison: Yeah, you know, we grew out of being security engineers. And so a lot of us that are at the senior levels of the CISO ranks - we started out as security engineers. But the ones that have risen into the large company CISOs, it's because they understand the business they're in. And, you know, for a while there, CISOs were - 18 months was as long in the CISO suite. All of my engagements have been - I had one for three years, but, for the most part, 10-year engagements. And the reason is is understanding the business and what it's doing and why it's doing it. And it's also understanding regulatory. You have to be a Jill of all trades. It can't be one thing. And the folks that are very IT security engineer-focused also have to understand that we're the department of yes and here's how, not the department of no. And that's where the CISOs become enablers of their business so that they can lean in. 

Ann Johnson: Why are you optimistic about the future of cyber? What would you send off our audience with? 

Marene Allison: You know, I'm so optimistic - is because of the youth - the people coming up in the industry. I came in with an electrical engineering degree. There was no cyber. And if I can do it, then what can you imagine that the individuals that are in college today or technical school today or military are going to bring to the table in 20 years? And so I love the talent that's out there and growing this talent and seeing where they're going to go. And I truly believe in it. And, you know, as a gray-haired, you know, moves on to an advisory role, I'm just excited about this exuberance and intellectual capacity of the next generations coming after us. 

Dave Bittner: You can hear the rest of this conversation as part of the "Afternoon Cyber Tea" podcast. You can find that on our website,, or wherever you find your podcasts. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting bit of business that came to my attention from a friend of the show, Cyrus Farivar, a journalist - and he wrote - I actually found this over on Mastodon. Hey, this might be our first Mastodon link, Ben. Says... 

Ben Yelin: Ah. All right. It's a new day. 

Dave Bittner: That's right. He says, Maryland has proposed a state-level privacy technology board, which would act as a watchdog similar to Oakland's Privacy Advisory Commission. He says, I think, if enacted, it would be the first state-level board of its kind. So you and I are here in Maryland, so yea us (laughter), but... 

Ben Yelin: Always good to see our great state taking the lead on something like this, yeah. 

Dave Bittner: That's right. So can you unpack what is going on here, Ben? 

Ben Yelin: Sure. So this is a proposed piece of legislation currently in front of the Maryland State Senate. The sponsor is a guy named Charles Sydnor, who's really been a leader on these issues. He was previously a member of the House of Delegates. So this bill would create what they call a privacy technology board. It would be a multi-stakeholder board within the State Department of Public Safety and Correctional Services. So you'd have representatives from the Police Association, Sheriffs' Association, Department of Corrections, from privacy and civil liberties groups - really running the gamut in terms of representation. And the board, once it's convened and adopts rules for conducting its business, would evaluate and would have authority to approve or disapprove the purchase, use or continued use of surveillance technology by law enforcement agencies. So that would really give this new governing board a little bit of teeth. So a law enforcement agency would have to obtain authorization from the board before they accept any state funds, federal funds or any other private donations for acquiring new surveillance technology or using that technology or using existing surveillance technology or the information from that surveillance for a purpose not previously authorized by the board. 

Ben Yelin: There are a couple of exceptions here. One of them, I think, is a commonsense exception for exigent circumstances. There's some type of ongoing investigation, terrorist attack - people's lives are at stake, and there's some type of technology out there that would allow law enforcement to do its job, then an exception could be made, and there would be post hoc approval on the part of this privacy board. Then the other is for large-scale events, of which there are certainly many in the state of Maryland, and it makes sense why you might want to deploy novel surveillance methods for that. But you would only be able to use that surveillance technology to respond to that exigent circumstances or that large event. Then, it would have to go through the normal authorization process. I don't like to handicap legislation, but I happen to know a good deal about how the Maryland General Assembly works. 

Dave Bittner: Yeah. 

Ben Yelin: And sometimes it takes like two or three years to get your good idea across the finish line. They meet in three-month sessions, and you kind of take trial runs with various bills. And I think that's kind of what's happening here. You introduce it. You get it in front of a committee. This is going to be - there's going to be a committee hearing on this bill. You kind of take the temperature of how various stakeholders would feel about this. I think we'll learn from this committee, hearing how local law enforcement agencies would react to something like this. I'm going to go ahead and guess negatively. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: And you kind of take a measure of whether this would be a feasible policy idea in the long run. So whether or not it passes this year, I think this certainly raises the prospect that we could see something like this get enacted in Maryland in the near future, and it could be a model for other states. This - what are we calling it? - a Mastodon? A... 

Dave Bittner: Yes. It's a toot. 

Ben Yelin: ...Toot. 

Dave Bittner: Yes. It's a toot. Yes (laughter). 

Ben Yelin: Yeah, they really picked the worst name for that. But this toot notes that the city of Oakland has a similar privacy advisory commission, but we have not seen it at the state level. Yeah, I mean, this is going to be - there are going to be entities who fight this tooth and nail... 

Dave Bittner: Yeah. 

Ben Yelin: ...Largely with the context that there is a major violent crime problem in the state of Maryland at present. And, you know, this would make life marginally more difficult for law enforcement. But I certainly think it's a very promising idea. 

Dave Bittner: So this would aim to come at sort of day-to-day surveillance - your - you know, using facial recognition on your pole cameras that you have out on the street - that sort of thing. 

Ben Yelin: Exactly. Or, you know, if there's, like, a new type of infrared technology or a new, novel license plate reader. I mean, any novel surveillance method - a stingray device - that hasn't previously been used and adopted by law enforcement would have to go in front of this multi-stakeholder review board. 

Dave Bittner: Would this have any effect on federal agencies operating within the state of Maryland? 

Ben Yelin: I don't think it does because this applies to state and local law enforcement agencies. 

Dave Bittner: I see. 

Ben Yelin: The Maryland state government does not have jurisdiction over federal law enforcement agencies that happen to be operating in Maryland. 

Dave Bittner: OK. 

Ben Yelin: So the FBI can do whatever it wants, subject to federal law. 

Dave Bittner: Right. 

Ben Yelin: The Maryland General Assembly is not going to be able to constrain that. 

Dave Bittner: I see. All right. Well, again, interesting development, here. Maybe this is the shape of things to come. 

Ben Yelin: Absolutely. There's also a provision here, before we finish, that would allow a person who has been subjected to a surveillance technology, or who has had personal information obtained, retained access, shared in violation of this statute, could actually sue the law enforcement agency and be entitled to recover actual damages of $100 per day. Again, that's not going to be - you know, that's not going to make anybody rich, but it might be an extra disincentive for these law enforcement agencies and might be a reason why they would comply with the provisions of the statute. 

Dave Bittner: Yeah. Interesting. All right. Well, again, a tip of the hat to Cyrus Farivar for bringing our attention to this. Ben Yelin, thanks so much for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.