The CyberWire Daily Podcast 3.28.23
Ep 1789 | 3.28.23

Twitter looks for a leaker. Insider risks. The state of resilience. Russian auxiliaries briefly disrupt a French National Assembly website. Cyber trends in the hybrid war. DPRK hacking, as it is.


Dave Bittner: Twitter gets a subpoena for a source code leaker's information. The insider risk to data. Russian hacktivist auxiliaries target the French National Assembly. Recent trends in cyberattacks sustained by Ukraine. Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person, John Pescatore, ponders the permanence of ransomware. And cyber-espionage and cybercrime in the interest of Pyongyang's weapons programs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 28, 2023. 

Twitter investigates source-code leak.

Dave Bittner: Internal Twitter source code was leaked on GitHub by an unknown actor months ago, according to The New York Times. GitHub took down the repository on Friday following a DMCA infringement notice from Twitter. Twitter has also issued a subpoena requesting information on the user who posted the data, as well as any information on users who have downloaded or shared the source code. The company is asking GitHub for all identifying information associated with a GitHub username FreeSpeechEnthusiast. Bleeping Computer thinks the alleged leaker's GitHub handle, FreeSpeechEnthusiast, appears to be a reference to Elon Musk and suggests the individual is or was a disgruntled Twitter employee - maybe one of those insider threats we hear about. 

The insider risk to data.

Dave Bittner: Speaking of those zany insiders, Code42 this morning released its 2023 Annual Data Exposure Report discussing the complex nature of addressing insider risk, or the threat of someone within an organization using their access to do harm to the company, either maliciously or otherwise. Most CISOs who responded see the insider risk as a problem in their organization. It's also difficult to detect data loss to insiders. Despite the use of multiple tools to protect against insider threats, 75% of CISOs note that detection of data loss from within their company is difficult, with 27% saying that it is in fact the most difficult threat, above cloud data exposure and malware, including ransomware. 

Survey on the state of resilience.

Dave Bittner: Immersive Labs this morning released a study titled, "Cyber Leaders Need A More Effective Approach to Building and Proving Resilience." The study surveyed decision-makers in cybersecurity about the state of their organization's cyber resilience. The responses indicated that 82% of respondents believe they could have mitigated some or all of the damage of the most significant cyber incidents they sustained if they'd been better prepared. Senior leadership is also putting pressure on cyber teams, as 84% of respondents feel increasing pressure to be prepared for impending cyberattacks. Seventy-two percent of those surveyed say that they agree that the threat landscape has become more challenging. Only 32% of respondents believe that there actually is an implementable strategy for cyber resilience within their organization. 

Russian hacktivist auxiliaries target the French National Assembly.

Dave Bittner: NoName057(16), a Russian hacktivist auxiliary, claims to have conducted a distributed denial-of-service attack against a website belonging to France's National Assembly. Privacy Affairs reports that the site went down early yesterday morning and remained unavailable into the afternoon. The site is now back online. Radware, in the course of an overview of hacktivism in Russia's war, offered this assessment of the group that's claimed responsibility, stating - NoName057(16) is a pro-Russian threat group known for launching defacement and DDoS attacks against Ukraine and those that directly or indirectly support Ukraine. The hacktivist group formed in March of 2022 on Telegram and became a notable threat group. While less media-savvy than Killnet, it is considered one of the most active groups and the most prominent threat to Western organizations. 

SSSCIP on recent trends in cyberattacks sustained by Ukraine.

Dave Bittner: The State Service of Special Communications and Information Protection of Ukraine yesterday tweeted an appreciation of how Russian cyberattacks have progressed during Russia's war. Local government has eclipsed the defense industry as the second-most targeted sector. The report states - while central government remains a major target for Russian hackers, we also record a significant number of attacks on local-level authorities. The security and defense sector used to be ranked second a year ago. CERT-UA is recording a certain drop in the number of cyberattacks on the security and defense sector and a growing amount of incidents in the public sector, as well as attacks on software developers, internet service providers and commercial companies. 

Dave Bittner: There has also been a shift toward espionage as opposed to disruption. The report says, this year, we record an increased number of attacks aimed at espionage, with a focus on maintaining continued access to target organizations. Applications for data collection and remote access to user devices prevail among the malware spread by Russian hackers. We see this as a clear sign that Russia is gearing up for a long war. Through their hackers, they try to get any information that might be useful for conventional warfare against our country, from military draft data to weapon logistics secrets. With that said, infrastructure remains a favored target set. This is consistent with both espionage and battlespace preparation. Civil infrastructure remains a major target for Russian hackers. 

Cyberespionage and cybercrime in the interest of Pyongyang’s weapons programs.

Dave Bittner: This morning, Mandiant released a study describing the recent activities of APT43, a familiar North Korean threat actor that conducts cybercrime to fund its cyber-espionage efforts. APT43 is also tracked as Kimsuky or Thallium. Mandiant says the threat actor uses aggressive social engineering tactics combined with moderately sophisticated technical capabilities to target South Korean and U.S.-based government organizations, academics and think tanks focused on Korean Peninsula geopolitical issues. While the group targets a wide range of organizations and industries, Mandiant believes APT43's primary goal is to advance North Korea's weapons program, stating, the group is primarily interested in information developed and stored within the U.S. military and government, defense industrial base and research and security policies developed by U.S.-based academia and think tanks focused on nuclear security policy and nonproliferation. 

Dave Bittner: APT43 also conducts cryptocurrency theft to fund its own operations. In one instance, the threat actor used a phony Android app to target Chinese users seeking cryptocurrency loans. The group uses hash rental and cloud mining services to launder the stolen funds. So not a true APT side hustle, as one sometimes sees, because it's all done in the interest of the respected general secretary his own self - the symbol of strength of the state and the banner of all victory and glory - or, more specifically, to his nuclear weapons program. It's a state revenue initiative. If it were a real APT side hustle, the exfiltrated alt-moolah would be going into the cold wallets of some guys and gals out Sinanju way. 

Dave Bittner: Coming up after the break, Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person, John Pescatore, ponders the permanence of ransomware. Stick around. 

Computer-generated Voice #1: Mr. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

Computer-generated Voice #1: Mr. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode... 

John Pescatore: (Reading) I saw a few news items quoting reports that said ransomware payments in 2022 went down 40%. Assuming those reports are accurate, does that mean the world has gotten better at avoiding ransomware or just gotten better at recovering from ransomware and not needing to pay the ransom - or something else? 

John Pescatore: Let's take your question piece by piece. First, just as I'm pretty sure there is no global deer committee that decides each season which type of landscaping of mine the deer will eat this year, there is no global cyber bad-guy steering committee that says, breaches against health care are so last year. Let's do ransomware against energy companies this year. Most of the damaging attacks that get press coverage are launched by criminals who will take advantage of whatever vulnerabilities they find. It is like car theft. Year to year, the most stolen model may be different, but the most common enablement of theft each year is unlocked cars with the keys inside. As far as how much victims paid their attackers to get their data back, even the research reports note how shaky their estimates are. Even if those numbers could be made reasonably accurate - and they can't - would that information really change your defense strategy? We'll come back to that. 

John Pescatore: Let me give you my guess at why ransom payment volume might be down. The biggest is the collapse of the virtual, quote-unquote, "currency ecosystem" from two perspectives. The first is rapid deflation in value of those coins. And two, the ease of law enforcement in monitoring the exchanges, which have to be used to get real currency, since virtual currency is pretty useless to the bad guys. The attack may still succeed, but making money got harder. 

John Pescatore: Now, we did see many enterprises use successful ransomware incidents to finally upgrade their backup and recovery processes, but the criminals quickly switched to, fine, you won't pay us to give you a decryption key, so we will just release the data. If you're storing gym bags full of cash in your car and leaving the keys in the ignition, oh, you'll get your car back, no problem. To continue this somewhat tortured analogy, ransomware was kind of like your check engine light coming on. And when you check the codes, there were two warnings - (imitating computer-generated voice) code 3324 - make sure critical data is backed up - but also - (imitating computer-generated voice) code 0001 - pull over immediately and stop using reusable passwords - which is like the example of the bad instructions for defusing a bomb - cut the red wire after cutting the blue wire. Reusable passwords are the keys left in the ignition. 

John Pescatore: The bad news about reports saying ransomware payments are going down is that it may cause publicity that leads to a reduction in the push toward multifactor authentication. So on that point, take a look at the Identity Theft Resource Center 2022 identity theft report. The number of breaches was essentially the same in 2022 as in 2021, which was a record year. Use that data to keep the pressure on for making the transition away from reusable passwords. 

John Pescatore: One factor cited in a report by Chainalysis was cyber insurance companies raising the bar and driving enterprises to higher levels of security operations against ransomware to renew cyber insurance policies. This is another area where there is zero data. But, anecdotally, it is hard to find success stories around cyber insurance. Premiums have definitely gone up, but they've gone up for everyone, not on some kind of hands-on program of security assessments by the insurance industry. Plus, quite often, the funds spent on cyber insurance could have been used to reduce the likelihood of an attack causing meaningful damage. Cyber insurance may have played some role in raising the bar, but don't forget about the opportunity costs of paying for coverage. The short answer is that, if the movement towards strong authentication continues, the keys are being taken out of the ignition. If essential security hygiene is being achieved, the doors are being locked. Those defensive actions are being done proactively by some, after their peers are hit by many and only after direct damage to their own company by too many. Don't wait to be in that latter group. 

Computer-generated Voice #1: Mr. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Computer-generated Voice #1: Mr. 

Computer-generated Voice #2: Security. 

Computer-generated Voice #3: Answer. 

Computer-generated Voice #4: Person. 

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: So we got an executive order from the Biden administration recently that is cybersecurity-related here. Can you unpack what's going on for us? 

Ben Yelin: Sure. So this week, the president signed a new executive order, restricting our government and its agencies from using commercial spyware. As we know, commercial spyware gives governments the power to hack the mobile phones of private citizens to extract data and track movements. So there are legitimate law enforcement purposes for using commercial spyware, which is the reason why many of our federal agencies have deployed it. It is a valuable counterintelligence tool. It's valuable for criminal investigations. One thing that's discussed in this article that we're working off of here - a New York Times article - is that the DEA uses commercial spyware in some of its narcotics investigations, and it's very valuable in following leads, catching criminals, etc. But commercial spyware has been used in countries all over the world for less beneficial purposes, to put it mildly, including spying on dissidents, spying on journalists. And this doesn't just happen in the Third World. It's happened in a variety of EU countries. It's happened in Mexico. So it's a pretty widespread problem. 

Ben Yelin: The main commercial spyware company is the NSO group, which developed Pegasus. 

Dave Bittner: Yeah. 

Ben Yelin: And Pegasus has been used not only in foreign countries, but in foreign countries against our own government officials. An administration estimate is that at least 50 government personnel in at least 10 countries have been hacked with this spyware, which is a larger number than I think we had previously known. So this executive order would prevent any governmental department or agency from using this - any type of commercial spyware that would be abused by foreign governments that could target an American overseas or could expose security risks if it were deployed on U.S. government networks. The order only covers spyware developed by commercial entities. We can expect - even though we don't have 100% proof - that our government has built its own spyware tools. And even with that executive order, it is free to build those tools and to deploy them, but this is about avoiding the use of these commercially available spyware technologies. 

Dave Bittner: So what's the motivation here for the Biden administration? Why this executive order, and why now? 

Ben Yelin: So that's a great question. There's the obvious benefit of protecting American personnel from having this type of technology used against us, and those are certainly valid cybersecurity concerns. But there's also an international relations element to this. The Biden administration, this week, is going to be hosting a Summit for Democracy at the White House. And one of the messages that they're going to try and emphasize - and they're doing that in the news release on this executive order - is that our leadership in the United States has a commitment to advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology. So I think it's not a coincidence that this executive order was released while the Biden administration is hosting this Summit for Democracy. It's to set an example, particularly for other Western democracies, that, even though this technology can be useful and beneficial, an important democratic value and an important facet of international leadership is fighting this type of misuse of commercial spyware. 

Dave Bittner: They were planting an American flag in the ground. 

Ben Yelin: Exactly. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: Exactly. So I do think there is an international relations element to this story. 

Dave Bittner: Is there any pushback here? Do we expect that Congress will be on board? 

Ben Yelin: So far, this doesn't seem to be an issue that has polarized Congress. I don't think there's a big constituency out there defending Pegasus or the NSO group, so I don't anticipate there being major pushback from Congress on this, necessarily. There might be internal pushback from individual agencies if they have been using Pegasus for some type of successful operation, and now that has to be discontinued. I could imagine some frustration at having this wrench thrown into an investigation, but... 

Dave Bittner: Right. Right. You're tying our hands. 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: But from a broader policy level, I don't think that this is something that's going to raise the ire of members of Congress, although I should not be in the political predictions game. You never know what's going to raise the ire of members of Congress. 

Dave Bittner: Right. Absolutely. All right. Well, Ben Yelin, thank you for bringing us up to date. 

Ben Yelin: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.