The CyberWire Daily Podcast 3.6.23
Ep 1773 | 3.6.23

That crane might know what you’re shipping. Addressing the cybersecurity of water systems. Oakland’s ransomware incident is now a breach. Hybrid war. Investment scams.


Unidentified Person: You're listening to the CyberWire network, powered by N2K.

Tre Hester: Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in Russian underworld. Sandworm's record in Russia's war. Rick Howard sits down with Andy Greenberg from WIRED to discuss how Ukraine suffered more data-wiping malware last year than anywhere ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them and yourself up for success. And AI's latest misuse - bogus investment schemes. 

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner with your CyberWire summary for Monday, March 6, 2023. 

Cranes as a security threat.

Tre Hester: The U.S. government is concerned that Chinese-made ship-to-shore cranes could pose a national security threat, The Wall Street Journal reports. The cranes in question are manufactured by the Chinese company ZPMC, which a U.S. official said makes around 80% of ship-to-shore cranes used at U.S. ports. The Journal explains that these cranes contain sophisticated sensors that can register and track the provenance and destination of containers, prompting concerns that China could capture information about material being shipped in and out of the country. The government doesn't point to any instances of cranes actually being used for these purposes, but the defense policy bill passed by the U.S. Congress at the end of last year requires the Transportation Department's maritime administrator to conduct a study to determine whether these cranes could pose cybersecurity threats. Note that the immediate risk being reported is the threat of information security, not necessarily the operation of the cranes themselves. 

EPA memo requires water systems to include cybersecurity in their safety audits.

Tre Hester: The U.S. Environmental Protection Agency on Friday issued a memorandum stressing the need for states to assess cybersecurity risk at drinking water systems to protect our public drinking water. The memorandum requires that states include cybersecurity when they conduct audits of water systems. The agency said in a statement, quote, "While some public water systems have taken important steps to improve their cybersecurity, a recent survey and reports of cyberattacks show that many have not adopted basic cybersecurity best practices and are at risk of cyberattacks, whether from an individual, criminal collective or a sophisticated state or state-sponsored actor," end quote. This memorandum requires states to survey cybersecurity best practices at public water systems. 

Ransomware attack becomes a data leak.

Tre Hester: A ransomware attack last month on the city of Oakland, Calif., may have resulted in a data leak of stolen information. The Play ransomware group, who have staked their claim to the attack, shared Thursday on their leak site plans to release the stolen data on Saturday, The Record reports. The group now seems to have made good on its threat. Bleeping Computer wrote Saturday that Play was releasing stolen data, and this morning's San Francisco Chronicle says that the gang has, in fact, dumped some of the data online. Following the initial ransomware attack, Oakland decided to declare a state of emergency, Infosecurity Magazine wrote this morning. The February attack was said to impact payment of fees and taxes online within the city, as well as phone connections with city agencies, The San Francisco Standard reported Friday. Infosecurity Magazine aptly observes that the city's disruptions from the attack, as well as its engagement in workstation restoration efforts, indicate that the gang probably hasn't received any ransomware payments. 

Privateering or criminal economic rationality: carding is rising in Russia.

Tre Hester: A free leak of some 2 million pay card numbers on the Russophone dark web criminal souk cheekily named BidenCash seems to be a loss leader intended to draw attention to its wares. Many of the cards are nearing their expiration date, but there's still time for the criminals to use them. The Record notes that stolen cards are often used to buy goods for subsequent resale, an activity that has grown increasingly attractive as the Russian economy has labored under the twin burdens of war and international sanctions. 

A look at a year of the GRU's Sandworm.

Tre Hester: The Record reviews a year's worth of action by Sandworm, the familiar GRU-run threat actor. Sandworm's most prominent contribution to the cyber phases of Russia's war against Ukraine has been deployment of wiper malware, which has challenged Ukraine's defenses but fallen short of expectations. Sandworm has not carried out attacks against infrastructure, particularly Ukraine's power grid. That had been widely expected. The group has used ransomware against targets of interest to Russia, notably in reprisal against organizations that have rendered material assistance to Ukraine. 

ChatGPT as phishbait.

Tre Hester: And finally, much of the security concern about ChatGPT and other advanced natural language artificial intelligence has concerned itself with the possibility of malign influence, as in chat becoming a deepfake able to impersonate convincingly at scale. There are some signs of this happening as the familiar grandchild scam - someone calls a grandparent pretending to be a grandchild in trouble and needing cash, for example - may be getting an AI upgrade. The Washington Post wrote yesterday that some scammers are using voice impersonation to make their imposters more convincing. That kind of impersonation was foreseeable, of course, and it appears to have arrived. What's also foreseeable is that opportunities to invest in the brave new world of AI chat bots would be offered by investment scammers. 

Tre Hester: Bitdefender this morning released a study of a recent scam in which the possibilities of passive income offered by an investment in a chatbot app were dangled in front of someone who's presumably a weary working stiff. The email subject lines are ones that you would expect - ChatGPT, new AI bot that has everybody going crazy about it - or a little less idiomatically - ChatGPT, new AI bot that has everyone in shock from it - or a bit more reflectively - new ChatGPT chatbot is making everyone crazy now, but it'll very soon be as mundane a tool as Google. None of this, of course, is connected with the actual ChatGPT, but the come-ons offer all kinds of investment advice. Bitdefender explains what's going on. Quote, "The phony platform's chatbot begins with a short intro to its role in analyzing financial markets that can allow anyone to become a successful investor in global stocks. We agreed to play along and allow the automatic robot created by Elon Musk to help us get rich. Before we begin any investment journey, the chat needs to calculate our daily income," end quote. 

Tre Hester: And from there, of course, there's the usual attempt to set the hook and reel in the fish. That fish would be regular Janes and Joes like you and me, friend. Take Bitdefender's advice on this one and spit the hook. 

Tre Hester: Coming up after the break, Rick Howard sits down with Andy Greenberg from WIRED to discuss how Ukraine suffered more data-wiping malware last year than anywhere. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them and yourself up for success. Stick around. 

Rick Howard: I'm joined by Andy Greenberg. He's the senior writer at WIRED and a Cybersecurity Canon Hall Of Fame book author for "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," and his most recent book, "Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency," is a Canon Hall Of Fame candidate, which I highly recommend, by the way. It's the best cybercrime book of the last decade, in my opinion. Andy, welcome back to the CyberWire. 

Andy Greenberg: Thank you, Rick. Glad to be here again. And thank you for those kind - very kind plugs. 

Rick Howard: You're quite welcome. So it's been a year since Russian leadership decided to invade Ukraine. And based on previous success stories that you documented so well in your book "Sandworm," most of us thought that with this invasion, we were going to see the state-of-the-art Russian offensive cyber operations. But that's not really what we've been seeing over the last year. And you wrote this fantastic WIRED article called "Ukraine Suffered More Wiper Malware in 2022 Than Anywhere." So what's going on over there? 

Andy Greenberg: Well, you know, I think you're right. We did expect - I mean, many of us expected anyway a kind of NotPetya 2 or, like, a Bad Rabbit or Olympic Destroyer, these GRU, self-replicating forms of malware that have caused just true digital devastation in the past. I mean, NotPetya is the worst cyberattack in history, cost $10 billion worldwide and before spreading beyond Ukraine's borders, you know, truly carpet-bombed the entire Ukrainian internet. But instead, I feel like what we're seeing is the Russian military's hackers just trying to keep up with the pace of a new kind of cyber war, one that is really, like, a true tandem, cyber and physical war. I mean, I think that, you know, there has, in fact, been a real cyber war unfolding in Ukraine, by some measures, you know, the most active in history in terms of, like, the sheer number of data-destroying malware samples. But they've been, like, really simple, repetitive, kind of relentless short-term attacks rather than these kind of masterpieces of code that we saw from hacker groups like Sandworm targeting Ukraine in the past. 

Rick Howard: You mentioned in the article that it felt like they were prepared for, you know, the line of departure. They went after the satellite coms. And that looked, you know, mature and well-thought-out. But it felt like they weren't ready for - they thought it was going to be over after that. And now they're just kind of making stuff up as they go. Is that a fair assessment of what they've been doing? 

Andy Greenberg: (Laughter) That's a particularly, like, fair and ungenerous way to put it, I think, which is, you know... 

Rick Howard: (Laughter). 

Andy Greenberg: ...But true. I mean, yes, in the first weeks of the war, they did, like, carry out this attack on satellite modems, ViaSat modems, that required some knowledge, some specific knowledge of the embedded, you know, form of Linux that these modems use that seems to have been prepared well in advance. They also used, like, a wiper tool, HermeticWiper, that had a stolen certificate to make it, you know, harder to detect and defend against. But even then, like, with some of the wiper - sorry, the, like, Hermetic family of wipers, we saw some really serious problems in their code. I mean, ESET told me that HermeticRansom, which was, like, a kind of similar tool designed to look like ransomware, was really sloppily coded. And HermeticWizard, this spreading tool that was designed to kind of, like, automatically spread HermeticWiper, was just, like, really shoddily written, in a way that even I can detect. I mean, it only tried three different super simple, hard-coded passwords in its attempts to spread from one machine to the next. I mean, that's just not the same level of care that we saw with these previous GRU Russian hacker worms. 

Rick Howard: I know. And the way you described it, I loved it. Like, we've seen so many versions of - I mean, there's a volume of wiper attacks. And I love the phrase you used in the article, the Cambrian explosion of wipers. What does that mean? I love that line (laughter). 

Andy Greenberg: Yeah. Well, it's like, you know, these Russian hackers have been slowly evolving their tools. And then, you know, in the sort of evolution - I'm not, like, great at this biology stuff. But there was the Cambrian explosion, where suddenly there were, like - you know, instead of just this slow evolution, there was this, like, explosion of thousands and thousands of new species. And we're seeing, in fact, dozens of new species of destructive malware hit Ukraine. But, you know, they are not - I was just describing the kind of, somewhat sophisticated attacks that they launched in the first weeks of the war. But very quickly, they kind of evolved into these just - you know, a plethora of super simple wipers, kind of more simple over time even. And at times, they've just kind of used just tweaks to one of the simplest wipers, called CaddyWiper, and just used it repeatedly, but in this kind of relentless fashion. I mean, Mandiant described to me how they are sometimes hitting the same organization more than once or, like, doing - you know, kind of doing espionage on one network and then coming back and wiping it or wiping it once, sitting on the edge of the network - like a firewall or a router or something - and then hitting it again with another wiper later. I mean, so these are still, like, impactful attacks. But they're just kind of, like, brutal, relentless, repetitive, simple attacks rather than, you know, these years-long plans, pieces of... 

Rick Howard: Yeah, take down the entire infrastructure attacks. That's not what those are. 

Andy Greenberg: Exactly. 

Rick Howard: They're nuisance attacks. They're annoyance attacks, right? 

Andy Greenberg: I think that they're more than nuisances. I mean, they're true disruption. But they're just, like, a different pace. And it does seem like Russian hackers are kind of just struggling, in a way, to write malware fast enough to keep up with the pace of a physical war, which is very different from the Russian-Ukrainian cyber war that, you know, lasted from 2014 to 2022. 

Rick Howard: So let's - so the big question in my mind then - the Russians aren't having a lot of success in the cyber land in this war. They've had a little bit of success at the beginning, but not that much. So the question on my mind is, is that because the Russians suddenly became incompetent, or the Ukrainians are so good at this that they're stopping everything or somewhere in the middle? What do you think, Andy? 

Andy Greenberg: I think, you know, it's not even the middle, it's just both. I mean, it's - and it's not exactly that, like, Russia's cyberattacks are failing, they're just simple and a little less interesting than they used to be - from the journalistic perspective, at least. They're just these kind of blunt force objects designed to destroy, you know, computers in one target network, and sometimes not even that many computers but just as many as they can in the short time frame that they're given as the war evolves and as their targeting kind of constantly changes. So - but yes, I think you also have to give credit to the Ukrainian defenders, who have really - you know, they seem to have risen to the occasion and evolved themselves, maybe learned from being Russia's petri dish for cyberattacks for eight, nine years now. And also, I think they've gotten serious help from the West. I mean, we know that, you know, U.S. intelligence agencies have kind of parachuted in, in some cases, not necessarily to Ukraine but into Europe to train Ukrainian defenders. I mean, Nakasone at NSA and Cyber Command has said that. 

Rick Howard: Well, I hate to say it this way, and this horrible war with all the people dying on both sides, here's a ray of sunshine, is that it looks like it's possible to defeat the Russians in cyberspace. That's what it looks like to me. So am I wrong about that? 

Andy Greenberg: I'm not sure that they're being defeated. I mean, I think that they are being countered and, you know, the extent of their damage is being limited, but it's a kind of grinding war of attrition. And to be clear, it's, like, in the midst of a much worse, larger scale, physical, grinding war of attrition that is truly tragic. So I think in its kind of physical and human toll, I mean, I think that that has caused people to treat this cyber war as a kind of sideshow, rightfully, I think. But it doesn't mean that if it were taking place somewhere else - I mean, if a different country was launching this volume of destructive malware against another country, it would still be perhaps, like, an unprecedented event in the history of cybersecurity. It's just kind of getting lost in, rightfully so, I think, in the context of this hugely catastrophic and tragic physical war that's happening in Ukraine. 

Rick Howard: Well, it's good stuff, Andy. And your article is entitled "Ukraine Suffered More Wiper Malware In 2022 Than Anywhere." Thanks for doing it, and I recommend everybody to go read it over on the WIRED website. It's fantastic. Andy, thanks for coming on the show. 

Andy Greenberg: Thank you, Rick. Glad to talk. 

Dave Bittner: And joining me once again is Kathleen Smith. She's the chief outreach officer at ClearedJobs.Net. Kathleen, it's always great to welcome you back to the show. I want to touch today on the idea of hiring veterans. I know this is something that is near and dear to your heart and that you take very seriously. Where do we stand today when it comes to opportunities for veterans? 

Kathleen Smith: We have lots of opportunities. We have lots of programs that support veterans finding corporate opportunities, either in the commercial space or in the government contracting space. I think we still have a lot farther to go in making sure that the transition from working in the military to working in the corporate world is a lot smoother. There's always been this statistic from the Department of Labor, which does not change and has not changed in 20 years, which is that 80% of veterans, when they transitioned, changed jobs within the first year, meaning that they found a job immediately after they were on terminal leave from the military. And then it just wasn't a right fit. And it was either not a right fit because the questions were not asked by the veteran or, more importantly, that the employer did not take the time to make sure that the veteran had all of the things they needed to integrate into the corporate world, that there were not all of the questions asked or answered during the recruiting process to make sure that both parties, the veteran and the company, knew exactly what they were getting in for. And it's also just understanding the mindset of a veteran. You know, they - we talk about frequently the skill sets, the training, the certification, the leadership, the fact that they'll get the job done, that they'll show up. 

Dave Bittner: Right. So many good things, so many good attributes that come out of that experience that these folks can lead with coming into an opportunity, right? 

Kathleen Smith: Right. But at the same time, they're used to having some - they're used to having a sense of community, a sense of serving the mission and always having somebody watch their back. And they know where they fit within the organization. And those are four key things that I don't see happen for many of the veterans I see transition into a new company. There are several programs out there that sort of help a veteran fit in. But these are the requirements, I believe, that an employer really needs to look at. And they're not things that require a lot of investment of resources. It's, you know, interviewing and finding out how many veterans you already have in your employ and finding out how they can support your veterans coming in. It's also finding out from them how the work that you're doing, how does that translate into the MOS, the, you know, way that the military categorizes specific kind of work? 

Kathleen Smith: So there's a lot of work that I find that companies can do that's very easy to do, and they don't do it. And that's my biggest frustration, is that, you know, there are so many easy things that a company can do to make sure that they're hiring this talent, that they're retaining this talent and they're not doing. And I'm not trying to beat employers up, but I'm trying to say you have an access to phenomenal talent that can do an amazing amount of work for you, either if you're in the government space, if you're in the commercial space, especially in the cybersecurity space. You can definitely have somebody who is used to working on the front lines, who actually knows how to protect assets, knows how to pull together a team, knows how to assess and take responsibility and lead the team. You know, one of my dear friends, Matt DeVoe, you know, he and I talked two years ago about if you took somebody who was a veteran and didn't know cybersecurity but knew a variety of other things and put them in the front lines of cybersecurity, would they work well? And hands down, they would. Because they know how to do incident response. They know how to react. They know how to develop an action plan once they see an incident happening. I'm constantly frustrated when I hear of a veteran who's trying to find a job, has all these skill sets, has all of the certifications, but just can't get a company to talk to him or her. 

Dave Bittner: Are there resources that you can recommend for companies who want to get this right? Are there - you know, are there sources for - to help walk them through, that make sure that they have the things they need to not drop the ball here? 

Kathleen Smith: I think, as I said earlier, the biggest resource that they would have is look internally and ask the question, how many of you that work here are veterans, and what are we doing right and what are we doing wrong? Because I can point you to a variety of programs hiring our heroes and corporate partners and a variety of others. But that's not going to be specific to each company. And you have the resource within you, within your company to be able to say, do we have 10 people from the Navy? Do we have eight people from the Army? You know, why did 10 people from the Navy - who retired from the Navy come to work for us? OK, obviously, we have an affinity to these specific people. We have an affinity to their specific kind of work skills. And then have them reach out through their networks - like, I really like working here, and this is what they've done. And being able to ask the veterans, what could we do better? You know, what are we doing wrong? Because you can go and buy a training program and - or you can hire a consultant, but you'd still have to customize it to, you know, your particular company. 

Kathleen Smith: So I'm always amazed when someone says, gosh, I don't even know how many veterans work for us. And then they turn around and they find out that, you know, 40% of their workforce is military and most of them are from the Marine Corps. And all of a sudden, you know, OK, we have a solution here. All we have to do is have a conversation. 

Dave Bittner: Yeah. Yeah. All right. Well, interesting insights, as always. Kathleen Smith, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Tre Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.