The CyberWire Daily Podcast 3.23.23
Ep 1786 | 3.23.23

Pyongyang’s intelligence services have been busy in cyberspace. Hacktivists exaggerate the effects of their attacks on OT. Ghostwriter is back. A twice-told tale: ineffective cyberwar campaigns.

Transcript

Dave Bittner: The DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails while ScarCruft prospects Korean organizations. Hacktivists' claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cybercrime by the numbers. And our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia's war. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 23, 2023.

DPRK threat actor Kimsuky uses Chrome extension to exfiltrate emails.

Dave Bittner: Researchers have been flagging a great deal of North Korean cyberespionage at midweek. Here are some of the reports that have been coming out. The German Constitutional Protection Agency and the Republic of Korea's National Intelligence Service have issued a joint advisory describing a spearphishing campaign by North Korea's Kimsuky threat actor, also known as Thallium or Velvet Chollima. The threat actor is targeting experts on the Korean Peninsula and North Korea issues via a malicious Chrome extension and malware-laden Android apps. According to BleepingComputer, the attacks used spearphishing emails to trick the victims into installing the Chrome extension. After it's installed, the extension can exfiltrate emails from the victim's Gmail account. 

Dave Bittner: Kimsuky is also using an Android Trojan called FastViewer, which was first observed in October 2022. BleepingComputer explains, the malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for internal testing only, and the victim's device is supposedly added as a testing target. The advisory adds that since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people. 

DPRK's ScarCruft prospects South Korean organizations.

Dave Bittner: In the second round of reports, researchers focus on North Korea's APT37 threat group. APT37's name is, of course, legion - it's also known as Reaper, ScarCruft and RedEye. Whatever the name it's being tracked under, APT37 has been observed in action against South Korean targets. The AhnLab Security Emergency Response Center analysis team has observed activity from the APT37 threat group, conducting cyberespionage against individuals within South Korean organizations in February and March of this year. Researchers from Sekoia report that the group distributes the Chinotto PowerShell-based backdoor, which gives the actors fully fledged capabilities to control and exfiltrate sensitive information from the victims. 

Hacktivists' claims of attacks on OT networks are overstated.

Dave Bittner: Mandiant researchers have observed a trend in which hacktivist groups are increasingly claiming to have successfully attacked operation technology. That's OT - technology that monitors or controls industrial equipment, processes and events. The trend crosses political commitments and allegiances. But in general, Mandiant finds that the claims of success have been exaggerated, as have claims on the part of hacktivists to disinterested independence of state influence or direction. On the other hand, there do seem to be signs that hacktivist groups are trading information on OT systems and that they've exhibited a growing technical familiarity with such systems' vulnerabilities. 

Dave Bittner: Mandiant writes, hacktivism leverages cyberthreat activity as a means to convey political or social narratives. As such, any attempts to inflict damage on a victim may only be a means to this end or one of multiple objectives. Historical hacktivist activity has largely focused on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial-of-service attacks. And attacks against OT are seen as providing the kind of high-profile, attention-getting effect the hacktivists desire. The report concludes and summarizes, in 2022, Mandiant observed a significant increase in the number of instances where hacktivists claimed to target OT. While we observed activity across different regions, most of these cases were conducted by actors that have mobilized surrounding the Russian invasion of Ukraine. The implication of this is that the increase in hacktivism activity targeting OT may not necessarily become consistent over time. However, it does illustrate that during political, military or social events, OT defenders face a heightened risk. 

Ghostwriter remains active in social engineering attempts to target Ukrainian refugees.

Dave Bittner: The Ghostwriter threat group, which has specialized in influence through impersonation, has resumed a campaign in which bogus emails misrepresenting themselves as originating with the governments of Latvia, Lithuania or Poland are hitting the inboxes of organizations working with and on behalf of Ukrainian refugees. The content of the emails warns that the Ukrainian government is about to undertake mass conscription of military-age men, with the intent of feeding the conscripts into combat against Russia. Bloomberg writes, Ukrainian men of military age, the emails warned, were scheduled to be rounded up and sent home. They would then be forced to fight against Russian troops, according to a supposed agreement between Ukraine and its allies. People who received the emails should immediately provide personal information and any known whereabouts of Ukrainians living nearby, the messages said. The goal is to inspire fear and mistrust. Mandiant attributes Ghostwriter to Belarus, Russia's one reliable ally in its war against Ukraine. 

An overview of the cyber phases of Russia's hybrid war to date.

Dave Bittner: The Atlantic Council convened a group of experts to assess the cyber phases of Russia's war so far and to see what lessons might be drawn. In some respects, the conclusion is the familiar one. Russian performance has fallen far short of pre-war expectations. This is, by now, a more than twice told tale. But it's worth reviewing again if for no other reason than how surprising it's been not only to Russia's victims and adversaries, but to Russia herself. Russian influence operations proved to be unprofessional, sloppy and without much engagement on respective platforms. Ukraine's communications infrastructure proves surprisingly resilient under cyberattack. Internationally, corporations have concluded that doing business in Russia is a bad bet. And that seems to represent a long-term trend. And Western governments should trim their expectations about how devastating offensive cyber campaigns are likely to prove. More on this topic in my conversation with Christian Sorensen from SightGain later in the show. 

Dave Bittner: Coming up after the break, Joe Carrigan has cybercrime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia's war. Stay with us.

Dave Bittner: Christian Sorensen is CEO of cybersecurity firm SightGain and previously served in the U.S. Air Force and with U.S. Cyber Command. I checked in with him for insights on the ongoing conflict in Ukraine and the ongoing perception that when it comes to cyber, Russia continues to underperform. 

Christian Sorensen: Cyber is just one part of that campaign, and often, once you get into a fighting war, it's less applicable. There's just fewer opportunities or harder opportunities to make an impact. 

Dave Bittner: And in terms of expectations, has Russia lived up to their reputation, what we expected them to be capable of? 

Christian Sorensen: I think so far, it's fair to say they have not. But it's also fair to say they probably haven't used all of their different techniques. They've certainly focused their efforts on Ukraine. So the larger partner community, alliance community has not generally been affected. So that's certainly by design. But also, there may be efforts that are laying in wait. I'm reminded of U.K.'s warning recently or over the last six months of pre-positioning for denial-of-service attacks. So they saw an uptick in preparations and ability to execute those denial-of-service attacks. But there was not any that were actually conducted, as of yet, in the U.K. by Russia. 

Dave Bittner: Yeah. It seems as though when it comes to the allies and folks who are supporting Ukraine, that what they've experienced hasn't really risen much beyond the nuisance level. 

Christian Sorensen: Yeah. That's correct. And you're seeing kind of hacktivists and traditional or normal criminal activity. And that's probably one of the lessons that we've seen is it's pretty hard to make tactical impacts in a fighting war or a kinetic war via cyber means - much more useful for espionage or strategic efforts and traditional criminal efforts as opposed to, really, direct battlefield contributions. 

Dave Bittner: Is there anything that is surprising that we've learned from this war when it comes to cyber? 

Christian Sorensen: I think the fact - going back to your first question, there hasn't been as big of an impact has been surprising. The fact that there's deployed defenders and a lot of partnership with Ukraine to prepare - right? - to prepare for known techniques and then when something new or novel does come up, it's localized, right? It's effective in one place or a few places. But then that intelligence of, here's what happens, here's how to defend against it, is shared quickly and then other areas are then ready for it and prepared for it, so it doesn't spread. And that's been surprising, too. Oftentimes, the defenders are not as responsive or ready for those attacks. So those preparation activities have seemed to have paid off. 

Dave Bittner: And what are the lessons that nations can take from this in terms of preparing their own defenses or even their offensive capabilities? 

Christian Sorensen: Yeah. Let me handle that in two different answers. So on the defensive side, it really comes down to preparation. We know the techniques that are being used not only in this war but often. And it's incumbent upon defenders to practice against those, to be ready to defend against those and not just patch but know that you're ready to defend against the techniques that are coming your way. And then share intelligence if something new happens, right? You're going to make corrections, but other people should benefit from that insight. And then on the offensive side, it really comes down to taking stock of what you really have in terms of capabilities and where those capabilities could make the most impact and knowing what that is. You don't have to know - or you don't have to let the potential adversaries know what that is. But cyber seems to be a long game - right? - where espionage really matters. The U.S. had great insights into what Russia was planning. Where those insights came from, cyber probably contributed to that, but where it can make the most impact has to be weighed carefully and then used wisely. 

Dave Bittner: Based on what we've seen over the past year or so, how do you think that informs what we might be in for in the immediate future as you look toward the horizon? 

Christian Sorensen: So I think it's important to recognize we don't know everything yet, as far as the techniques that could be used, the pre-positioning that has already been accomplished. So we don't know all of the tools that would be used, just like Russia hasn't deployed all of their weapons or used all of their weapons. It's been pretty contained to the Ukraine battlefield, but that doesn't have to be the case, right? So we should continue to pay attention to not escalating on the policy side and abide by what we're learning, are the red lines. Abide by really what would escalate things and making sure we're being very careful with what we do, as well as the other side, Russia, to be careful about what they do vis a vis the rest of the world, right? So that part is really important. And then continued vigilance - right? - we have to continue to learn what's being used and respond to that, especially on the protection of data and criminal side, to protect operations from being shut down. 

Dave Bittner: That's Christian Sorensen from SightGain. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: This article caught my eye, written by our buddy across the pond, Graham Cluley. 

Joe Carrigan: Yes. 

Dave Bittner: He wrote this for the Bitdefender blog, and it's titled "FBI reveals that more money is lost to investment fraud than ransomware and business email compromise combined." Let's dig in here. What - unpack what Graham is laying out here for us. 

Joe Carrigan: So what Graham is talking about is the - this is a report from the Internet Crime Complaint Center, the IC3... 

Dave Bittner: Yep. 

Joe Carrigan: ...Which is, I think, run by the FBI here... 

Dave Bittner: Yep. 

Joe Carrigan: ...In the United States. 

Dave Bittner: Yep. 

Joe Carrigan: And they have a chart of investment losses reported to the IC3. Now, mind you, these are losses reported to the IC3. These are not losses as a total. 

Dave Bittner: Right. 

Joe Carrigan: But in 2021, losses were just under $1.5 million. That's in total investment fraud, and that includes... 

Dave Bittner: One point five billion dollars. 

Joe Carrigan: Sorry, 1.5 billion with a B. 

Dave Bittner: Right. 

Joe Carrigan: My apologies. And that includes almost a billion, with another B, in crypto investment fraud. 

Dave Bittner: OK. 

Joe Carrigan: Now that fraud in 2022 jumps to a total of almost $3.5 billion... 

Dave Bittner: Wow. 

Joe Carrigan: ...With crypto topping more than $2.5 billion fraud. 

Dave Bittner: Wow. 

Joe Carrigan: So it's obvious that crypto fraud is - cryptocurrency fraud is the lion's share of this. Other portions are actually real money fraud where they're taking fiat currency that is actually - you don't need - all you need to do is launder it. 

Dave Bittner: Yeah. 

Joe Carrigan: And I'll bet at some point in time that involves buying cryptocurrency. But really, what's - there's another table in here that's really interesting about the losses - victim losses by crime type. And it has investment fraud at 3.3 billion. Directly below that is the old king of the hill, business email compromise, at 2.7 billion, so still very profitable. 

Dave Bittner: Wow. 

Joe Carrigan: And then all the way down the list, almost to the end of the list, is ransomware at $34 million. A very small amount in ransomware is being reported to the - ransomware losses being reported to the IC3. 

Dave Bittner: Yeah. 

Joe Carrigan: So even if that number is off by a factor of 10, investment scams are still 10 times higher than that. 

Dave Bittner: Right. 

Joe Carrigan: So... 

Dave Bittner: Right. 

Joe Carrigan: ...The investment scam losses are 100 times bigger than the ransomware reported losses. 

Dave Bittner: Wow. That's interesting. That surprises me. 

Joe Carrigan: It surprises me too. This is shocking. I don't know what's going on here. I guess, you know, we've been talking on "Hacking Humans" about the pig butchering scams... 

Dave Bittner: Right. 

Joe Carrigan: ...That have been happening. These are a combination of romance scam and crypto scam. So you start with a relationship that you build up with somebody romantically, and then you - at some point in time, you introduce the idea that you're a crypto investor and, hey, I can help make you money. 

Dave Bittner: Yeah. 

Joe Carrigan: And even - at some point in time, these guys wind up giving money back to the people they're trying to scam. And it might not be an insignificant amount of money. Like, hey, I put $1,000 in. Hey, look at that. Your money doubled. Yeah, let me try to withdraw that money. There you go. And they get their $2,000 back. And that costs the scammers a lot of money. But what almost invariably happens is people start putting more money back into this thing. 

Dave Bittner: Right. 

Joe Carrigan: And then eventually, they've put in a substantial chunk of their life savings, either all of it or as much as they're willing to risk on cryptocurrency. And these guys exit the scam. Once they think they've got all the money, they just take the money and run. Or once you start asking back for your money back when it's more than they're willing to give you, that's when they take the money and run. 

Dave Bittner: Yeah. It really seems as though this stuff continues to trend in the wrong direction also. 

Joe Carrigan: Yeah. 

Dave Bittner: I mean, Graham points that out. 

Joe Carrigan: And this chart that tracks these losses over time is like a hockey stick chart. It's scary. And in two years, this has grown 10 times bigger than it was two years ago. Yeah, there's, like, $10 billion lost to different cybercrimes every year. That is according to the IC3. So this is distinctly American losses, right? Because somebody in England is not going to report losses to the FBI. They're going to call Scotland Yard or somebody else. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right. And these are the reported losses. So this is just a small fraction of the cybercrime economy. It's the reported American crime, and it's around $10 billion. 

Dave Bittner: To me, I think it strikes me as being useful for a relative comparison. 

Joe Carrigan: Correct. 

Dave Bittner: Right. 

Joe Carrigan: To see what the biggest threats are right now. 

Dave Bittner: Yeah. And how much bigger they are than others. 

Joe Carrigan: Yeah. 

Dave Bittner: But I - once again, I'll say relative to the amount of attention it gets, certainly in cybersecurity circles, I'm surprised to see ransomware as far down on the list as it is. Perhaps it's that ransomware is underreported. 

Joe Carrigan: It could be that ransomware is underreported. It could be that ransomware is getting less effective... 

Dave Bittner: Yeah, that's true. 

Joe Carrigan: ...As our defenses get up because this used to be a much larger problem. 

Dave Bittner: Right. 

Joe Carrigan: We've had people over on "Hacking Humans" who said that over the past couple of years, ransomware gangs have been broken up, the takes have been going down. You know, people are less willing to pay for ransom when they have backups and they know that you're going to sell the data anyway. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it's a change in the market. And it could also be that these are the same people, the same kinds of people, the same group of people that are out there. They're changing their business models. They're moving away from ransomware to something that lets them do crypto scamming because that's - you know, as many tools as we have out there for blockchain tracing, I still think that moving money around cryptocurrency blockchains and putting them into anonymizing blockchains like Monero or Zcash or BitcoinZ, those all have the capability of anonymizing the transactions, with varying degrees of security. 

Dave Bittner: Yeah. 

Joe Carrigan: But I think it's - I think that's still a great way to launder money, from the criminal perspective, is just jumping them around. 

Dave Bittner: Yeah. All right. Well, again, this is over on the Bitdefender blog. Graham Cluley wrote it, and it's titled "FBI Reveals that More Money is Lost to Investment Fraud than Ransomware and Business Email Compromise Combined." Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.