A look at the cyber aspects of Russia’s war, on the first anniversary of the invasion of Ukraine. And a few notes from elsewhere in cyberspace.
Dave Bittner: CISA advises increased vigilance on the first anniversary of Russia's war. CERT-UA reports current Russian cyberattacks were prepared in December 2021. How the war has changed the cyber underworld. Air raid alerts sound in nine Russian cities; Russia blames hacking. Our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic and International Studies about a new security agreement between Japan and the U.S. Kathleen Smith of ClearedJobs.Net clears misperceptions about cleared jobs. And Dole continues recovery from ransomware.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 24, 2023.
CISA advises increased vigilance on the first anniversary of Russia's war.
Dave Bittner: The news at the end of this week has been dominated by the first anniversary of Russia's invasion of Ukraine. The U.S. Cybersecurity and Infrastructure Security Agency advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war against Ukraine enters its second year. The agency said, CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat. CISA draws particular attention to its DDoS Attack Guidance for Organizations and Federal Agencies and its Shields Up webpage.
CERT-UA reports current Russian cyberattacks were prepared in December 2021.
Dave Bittner: According to BleepingComputer, CERT-UA has detected cyberattacks this week against Ukrainian government networks that used a web shell installed in December 2021. A Russian threat actor tracked as Ember Bear - also known as UAC-0056, or Lorec53 - used it to install three backdoors, CredPump, HoaxPen and HoaxApe in February 2022, as the invasion was imminent. They've maintained a presence through this week. The State Service of Special Communications and Information Protection of Ukraine described the incident as a failed attempt by Russia to stay visible in cyberspace. Ember Bear is generally believed responsible for the Whispergate wiper attacks conducted against Ukrainian targets at the outset of the war. The use of such wipers has been a defining feature of Russian intelligence services' cyber campaigns against Ukraine. Ars Technica summarizes recent research and concludes that, nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year.
How the war has changed the cyber underworld.
Dave Bittner: TRM, in a study of the "illicit blockchain ecosystem" as it's evolved under wartime circumstances, finds that the venerable Conti ransomware gang, dispersed in May of 2022, has resurfaced in the form of several splinter groups. The principal successor to Conti, TRM believes, is Karakurt. CoinBase reports that Karakurt, like its predecessor, has targeted health care organizations. It's significant that Conti declared its adherence to the cause of Russia in the immediate wake of the invasion and that shortly after that declaration, a cybercriminal with allegiances that ran toward Ukraine doxed Conti. That doxing, along with hostile attention from law enforcement, is held to have precipitated Conti's fading from view. This seems, The Register writes, to have been part of a more general disruption of the Russophone criminal underworld. That underworld isn't confined within the borders of Russia but has extended to Russia, Ukraine, Belarus, the Baltics and the nations in the South Caucasus and Central Asia, all formerly parts of the Soviet Union. They had, by general agreement, tended to refrain from hitting targets in the former Soviet Union. That shaky unanimity has been shivered to pieces under the stress of war.
Dave Bittner: A study by Recorded Future concludes that Russia's invasion of Ukraine appears to have fractured gangland along national and political lines. Recorded Future writes, the so-called brotherhood of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and groups splintering due to declarations of nation-state allegiance both in support of and opposed to Russia's war against Ukraine. Recorded Future adds that there have also been perturbations in the criminal labor market, stating, Russia is experiencing a wave of IT brain drain that will likely decentralize the organized cybercriminal threat landscape. In addition to brain drain, waves of military mobilization of Russia's citizens are resulting in decreased activity on Russian-language dark web and special access forums.
Dave Bittner: There are also some other effects the war is having on the underworld. The larger economic dislocations seen in Russia especially, but elsewhere as well, are changing the cyber gangs' cost-benefit calculus. Recorded Future's Insikt Group writes, the economic consequences of the war in Ukraine are likely creating conditions conducive to an increase in the value of payment card fraud on the dark web, despite an overall slump in carding volume in 2022. Regardless of fraud's reputation as an unsophisticated form of cybercrime, it is likely becoming less a crime of opportunity than of survival. International arrests, seizures and disruptive actions have destabilized the business model associated with commodified cybercrime, leading to wide-ranging and rippling effects on the malware and ransomware-as-a-service threat landscapes. These disruptions have also spread to the dark web shop and marketplace ecosystem, leading to price fluctuations and newfound competition among market administrators. Cybercrime, both based in the CIS and globally, is entering into a new era of volatility as a result of Russia's war against Ukraine. Those effects remain to play out, but the criminal marketplace seems to be undergoing some significant shifts.
Air raid alerts sound in nine Russian cities; Russia blames hacking.
Dave Bittner: Meduza reports that missile alerts sounded in nine Russian cities on Wednesday. Russia's Emergency Situations Ministry confirmed, in its Telegram channel, that the false alarms were broadcast over radio stations whose networks had been hacked, and should be disregarded. The alerts were also distributed by text messages. The Register reports that regional authorities in some of the affected cities blame collaborators of the Kyiv regime - that is, Ukrainian hacktivists - or, and this is a more interesting possibility, Russian dissidents for the incident.
Dole continues recovery from ransomware.
Dave Bittner: Dole plc says that the ransomware attack it sustained remains under investigation, and that "the impact to Dole operations has been limited." No further details are available, although Computing points out,, without claiming attribution, that in 2021 REvil hit food processing firm JBS with a ransomware attack. In any case, the incident shows again how ransomware can interrupt physical supply chains.
CISA releases three ICS advisories.
Dave Bittner: And finally, CISA yesterday released three industrial control system advisories. As always, apply updates per vendor instructions. And happy trails.
Dave Bittner: Coming up after the break, our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic and International Studies about a new security agreement between Japan and the U.S. Kathleen Smith of ClearedJobs.Net clears misperceptions about the cleared space. Stay with us.
Dave Bittner: Maria Varmazis is our CyberWire space correspondent, and she recently spoke with Zhanna Malekos Smith from the Center for Strategic and International Studies about a new security agreement between Japan and the U.S. Maria files this report.
Zhanna Malekos Smith: My name is Zhanna Malekos Smith. I am a senior associate with the Aerospace Security Project at CSIS, the Center for Strategic and International Studies, where I'm also an adjunct fellow in their Strategic Technologies Program, as well as a cyber law fellow with the Army Cyber Institute.
Maria Varmazis: Thank you so much. And you are absolutely the perfect person to speak to about the news that you sent my way, actually, about a new agreement between the United States and Japan. Could you walk me through what that and what that means?
Zhanna Malekos Smith: The U.S.-Japan space pact agreement, recently signed on January 13, is about promoting civil space cooperation. It reaffirms two significant programs - one, Japan's involvement in the NASA-led Artemis Accords program, which is an international space exploration program. Japan was one of the original seven parties to sign this agreement in 2020. The ambition of the program is to return humans to the moon in 2025 and also support a crewed mission to Mars towards the end of 2030. Apart from affirming the vitality of the Artemis Accords program, the U.S.-Japan bilateral space pact agreement, signed this month, also supports the Lunar Gateway Project, which is to develop a orbiting lunar research station around the moon.
Maria Varmazis: OK. So that's awesome. And there's been these - there are these two phrases that have been coming up a lot in the context of this agreement about the open Space treaty and the phrase peaceful purposes. Can you walk us through why those are important and why they're coming up in this agreement specifically?
Zhanna Malekos Smith: In the very title of the most recently signed space framework agreement between Japan and the United States, you'll notice that in the title it says the use of space for peaceful purposes. And in my research, I argue that that is significant in a forthcoming piece with CSIS because it affirms the landmark Outer Space Treaty of 1967 and specifically echoes language in the preamble of the treaty about the preservation of space and the exploration and use of it for peaceful purposes. Here's where it gets interesting because the term peaceful purposes is not expressly defined in the treaty. And prior to the treaty even being signed in 1967, there was significant discussion about, what does peaceful purposes mean? - and a divergence of views. The majority view, one held by the United States, is that peaceful purposes, as enshrined in this treaty, refers to nonaggressive activities like scientific research and intelligence surveillance and reconnaissance activities.
Zhanna Malekos Smith: Contrast that with the minority view held by several states, such as Japan, India and Iran, arguing that the term should be more narrowly interpreted, focusing on the demilitarization of space and that it exclusively be used for peaceful purposes. Now, you can go back and read on the United Nations website the history of this this longstanding discussion about, what does peaceful purposes mean? And one of the ambassadors representing the Iranian delegation stated that the draft treaty should stipulate - and this was a recommendation he offered - that the treaty should stipulate that exploration use should only serve peaceful purposes.
Maria Varmazis: By their definition of peaceful purposes. Right. Nonmilitary.
Zhanna Malekos Smith: And that opens up a whole other issue of how peaceful purposes is interpreted across different languages and cultures. What activities should be nestled underneath that? Yes, that's a good point, Maria.
Maria Varmazis: Yeah. I mean, I can't help but wonder - and I am not a person who's very comfortable with law or treaties or anything like that. But I - as a person who's a nerd for language, the fact that that phrase was not defined and left open for interpretation makes me wonder, was that on purpose? Or was that sort of a placeholder for, we'll figure this out later. And here we are several decades later, still trying to figure that out.
Zhanna Malekos Smith: That is a good question. And I can see both sides to it, one being strategic ambiguity. At the same time, there's value in signaling to your allies, partners and your pure competitors transparency around the term peaceful purposes to reduce the risk of unintentional conflict escalation here.
Maria Varmazis: Absolutely. So this agreement, going back to the U.S.-Japan - the new agreement.
Zhanna Malekos Smith: Yes.
Maria Varmazis: So does this actually represent a change for Japan's posture on peaceful purposes? Or is it sort of a continuation of what they've been doing? Or is it an escalation? Or how would we characterize this?
Zhanna Malekos Smith: I would describe the framework agreement as an accelerator. If U.S.-Japan space collaboration partnerships prior to this agreement was a computer, you can think of the framework agreement as, like, adding hardware accelerator to enhance the performance of the computing system. So yes, it affirms Japan's commitment towards the NASA Artemis program, the Lunar Gateway project and deepening scientific and research collaboration in this space. The tenor of the agreement and the press statement talking about the agreement focuses on civil space collaboration.
Zhanna Malekos Smith: Interestingly, the actual text of the agreement has not yet been released. So I'm very (inaudible) to present this as a broad-based legal agreement focusing on civil space cooperation. That said, what about deepening defense space cooperation ties between the two countries? It's an open question whether or not this agreement could be used as a vehicle for that. And what we'll have come March is more textual nuance to chew on because the countries have announced a plan to hold a comprehensive dialogue on space, to build on the agreement and strengthen space cooperation. And that is for this specific framework. However, if we look at the January 11 press conference joint statement issued by the Security Consultative Committee, there was a mentioning in that text that Japan and the United States have agreed that attacks to, from or within space could lead to the invocation of Article V of the U.S.-Japan treaty.
Maria Varmazis: And that's - to me, as a person who studied Japan for a while, that's a big deal. Can you - maybe I'm overstating it. But could you, for our listeners, tell them what Article V means in this context?
Zhanna Malekos Smith: Sure. And it is an important legal agreement, certainly. It is the - the full title - it's the Treaty of Mutual Cooperation and Security Between Japan and the United States. And Article V recognizes that each party regards an armed attack, which is a legal term of art, against either party in the territories under the administration of Japan would be dangerous to its own peace and safety and declares that it would act to meet the common danger in accordance with international law. So while more information will be forthcoming on the nature of the Space Framework Agreement, focusing on civil space cooperation, simultaneously, we see this joint statement being put out talking about national security concerns and how to modernize the alliance. So it's a fascinating area, and we'll know more in the coming months.
Maria Varmazis: Yeah, we'll definitely need to check back in with you after the update in March because I'm super curious where this is heading. And I can't help but wonder, with everything that happened especially last year between Russia and Ukraine and the Viasat attack, where cyberattacks might fit in with this. I don't want to speculate 'cause, obviously, it remains to be seen. But I'm very, very curious, and we'll definitely need to follow up with you in March on it. So thank you so much for walking us through this. This is fascinating and important. And I'm really glad you were here to tell us all about it. So thank you.
Zhanna Malekos Smith: Thank you, Maria. It's been a pleasure. And I'd say the concluding takeaway is that peaceful purpose is fundamentally is about being a good steward of space. So thank you.
Maria Varmazis: Thank you so much.
Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And I am pleased to be joined once again by Kathleen Smith. She is the chief outreach officer at ClearedJobs.Net. Kathleen, always great to welcome you back to the show. As someone who has never held a security clearance and, honestly, is perfectly fine with that...
Kathleen Smith: (Laughter).
Dave Bittner: ...I am sure that I have a lot of misperceptions when it comes to what exactly is going on when it comes to hiring in the cleared space. What are some of the things that you run into in terms of misunderstandings, misperceptions from folks who may be new to it?
Kathleen Smith: So many misconceptions all the time. The biggest one on the candidate side, the job seeker side, is that they pay for their security clearance, or they're willing to pay for it to get a security clearance. And we frequently tell them, no, you know, you are not the person that gets the security clearance; your future employer gets that for you, and that - there is a process. The other one that is similar to that is, I will make more money if I have a security clearance. And that is a misconception because all of the government contract positions and government agency positions have certain labor categories, and so it is very codified as far as how much money you're going to be able to make.
Kathleen Smith: What we really find with a lot of employers who are trying to find this talent is they believe if they throw money at it, that they can find the talent. And there will be a staffing agency that will tell you, yeah, just send us - give us a big commission, and we'll find you the bodies. They might not necessarily find you the right people, but they will find you people with security clearances. But, you know, when you're trying to fill a position within the government contracting space, you're first trying to find someone with a specific type of clearance, and then within that, you're trying to find someone who has 10 to 15 years experience in a specific category. You're then also trying to make sure that they definitely have a graduate - excuse me, a college degree certifications.
Kathleen Smith: And then the other problem is they have to meet the culture. And this is something that's similar between the corporate world and the government contracting world, is that when you're looking at people supporting the mission, people who are doing difficult work, there's a lot of stress, and when you build a team, you need to make sure that everybody sort of meshes with that culture. Culture is so important. When you go and you talk to people who are in a SCIF or someone who's part of a large government contractor or a small government contractor, you really have to look at what that culture is. Is it many hands do light work and we're willing to - everyone do everything? Or are we a group of people who are very specialized?
Kathleen Smith: And I think that this is one thing that's interesting that we see a lot with doing our in-person events is that people come to them, recruiters specifically come to the in-person events to hire people because they get to answer that question right up front. Will this person meet the culture? Because you can go through the overall hiring process. Yes, they have the clearance. Yes, they have the experience. Yes, they have the certification. But the final step in that hiring process is that person meeting the customer, and the customer will frequently say, no, they don't fit, and it's the culture fit. So if you can do that culture fit question upfront, you save yourself a lot of time with, you know, the overall hiring process. I think another misconception is it's only tech talent that people are looking for. And we talked to a lot of people, and they say, well, you know, security clearances - you only need them if you're tech talent. And that's not true because we need machinists. We need truck drivers. You know, we need truck drivers with the highest-level clearance. We need, you know, gardeners to work at the White House. There are - it's like...
Dave Bittner: Right.
Kathleen Smith: ...A little city. And I'm frequently amazed that people think, oh, I need to go get this specific tech talent or tech degree or something to be able to support the mission where - you know, you and I were talking earlier. You have someone who wants to do this work, may not have tech talent but may have some other kind of applicable skills.
Kathleen Smith: And I think it's the biggest question that a candidate, a job seeker really needs to ask themselves. Is this the kind of life that I want to have? Do I want the work I do to support an overall mission? And when I talk to people who are in this space, they're like, it's about the mission for me. It's always been about the mission. When I did a panel for the mid-Atlantic chapter of Women in Cybersecurity, it was really about explaining, you make a decision to put up with the security clearance questions. And you make a decision to do this kind of work because this is where you see your career going and this is where you want your life to make a difference. And some people have that question, and they answer yes. And others feel like, that's not what drives me. And so that's what I think people have the biggest misconception about - is this is a real personal mission. It is not something driven by money or position or location. It is really something that is driven by a personal mission.
Dave Bittner: Well, and I was going to ask about that because it seems to me like the flipside issue, which you mention, is that your life is going to be under a certain amount of scrutiny. And that's not for everybody, either.
Kathleen Smith: Right. It's not. And when I speak at colleges and they say, you know, that they want to do this, it's like, do you want to do this for the next 30 years? And they're like, well, no. I don't know what I want to do for the next 30 years. And I said, well, this is not something you can flip on and flip off. You do have to say - you know, you can't say, I'm going to go be an intel analyst, and then, you know, three years from now, I'm going to be a barista. And then maybe five years after that, I want to go back to being an intel analyst. This is a definite career path. And in my 20 years, I think I've met more than - no more than five to eight people who have said, I'm done. I'm out of this space. Pretty much everyone else said, I made this commitment. I'm going to stick with it.
Dave Bittner: All right, well, interesting insights, as always. Kathleen Smith, thanks so much for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Andy Patel from WithSecure Labs. We're discussing their research that demonstrates how GPT-3 can be misused for malicious and creative prompt engineering. That's "Research Saturday." Check it out. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.