The CyberWire Daily Podcast 4.13.23
Ep 1801 | 4.13.23

Transparent Tribe seems to want people’s lab notes, and other stories of cyberespionage. The FBI warns of juicejacking. And the Discord leaker seems to have been a 20-something influencer.

Transcript

Dave Bittner: Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion is a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from the SANS Technology Institute explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia's war on Ukraine. And Canada responds to claims of Russian cyberattacks.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 13th, 2023.

Transparent Tribe expands its activity against India's education sector.

Dave Bittner: This morning, Sentinel Labs described recent activity by Transparent Tribe (APT36) that shows a close interest in India's education sector. The threat group, active since at least 2013, is believed to be based in Pakistan. Described as "not very sophisticated" but "highly persistent," Transparent Tribe has been running phishing campaigns baited with education-themed topics. The typical payload the attacks deploy is the Crimson RAT. Relatively unsophisticated as it may be, Transparent Tribe has updated and adapted its tactics, techniques, and procedures to include, according to Sentinel Labs, "adoption of OLE embedding as a technique for staging malware from lure documents and the Eazfuscator obfuscator to protect Crimson RAT implementations." The campaign suggests that the threat actor's interest in the education sector is intended for espionage: the operators are interested in research being carried out in Indian universities.

A Lazarus sub-group is after defense sector targets.

Dave Bittner: An ongoing remote access Trojan campaign is being conducted by "DeathNote," a sub-unit of North Korea's Lazarus Group. The campaign seems to be focused on defense sector targets, specifically in the African defense industry, since 2022. DarkReading reports that “DeathNote's campaigns targeting the defense sector have not affected US organizations.” Kaspersky detailed the organization's infiltration methods, explaining "DeathNote initially breached the company via a Trojanized, open-source PDF reader sent via Skype messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine." DarkReading explained, "it then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access Trojan called Copperhedge from an attacker-controlled command-and-control server."

Dave Bittner: A June 2022 report by ESET noted early signs of the shift, stating, "As early as 2020, ESET researchers had already documented a campaign pursued by a sub-group of Lazarus against European aerospace and defense contractors ESET called operation In(ter)ception. This campaign was noteworthy as it used social media, especially LinkedIn, to build trust between the attacker and an unsuspecting employee before sending them malicious components masquerading as job descriptions or applications."

FBI's Denver office warns of the juicejacking threat.


Dave Bittner: The FBI Denver office is warning against "juicejacking," or the criminal use of public charging stations to introduce malware onto a device. CBS News reports that the FBI has advised against the use of public charging stations. No incident in particular triggered the service announcement. Rather, it was intended as a field office warning. Officials at the FCC warn that malware can be distributed through corrupted ports, such as those at malls and airports, and that such malware has the potential to, for example, lock a device, or exfiltrate "personal data, and passwords directly to a criminal." The data lifted can be used for online accounts or sold in criminal marketplaces. But many experts also caution about exaggerating the risk of juicejacking, which, while a real possibility, also doesn't seem to be a widespread one.

Legion: a Python-based credential harvester.

Dave Bittner: Cado Security described this morning how the Legion AWS credential harvester, malware intended to target and abuse emails, is working in the wild. The Legion tool is sold via Telegram, an increasingly important C2C channel. It includes modules dedicated to "enumerating vulnerable SMTP servers, conducting remote code execution, exploiting vulnerable versions of Apache, brute-forcing cPanel and WebHost Manager accounts, interacting with Shodan's API to retrieve a target list, and additional utilities," such as abuse of AWS services. This threat actor was potentially tracked by Lacework as "AndroxGh0st" in December of last year. Linguistic signs indicate that the threat may be based in Indonesia.

Source of leaked US intelligence may be closer to identification.

Dave Bittner: The Washington Post has investigated the Discord Papers, as they're now being called, by going to the obvious place: the Discord group where the intelligence documents were first posted. The leaks came through a small, invitation-only clubhouse named "Thug Shaker Central," established on Discord in 2020. Its members were apparently looking for fellowship and diversion during the pandemic, and found it among a collection of military wannabes who shared a willingness to engage in casual, low-grade racist humor and fantasies about conspiracies.

Dave Bittner: The leader of the clubhouse, a young man with the derivative handle "OG," is described as a "young, charismatic gun enthusiast who shared highly classified documents with a group of far-flung acquaintances searching for companionship amid the isolation of the pandemic." OG told his followers, who seem to have been disproportionately teenage boys, that he worked on a "military base" (which he declined to identify), and that he spent his days working with classified material in a secure facility. The two youths with whom the Post spoke (one of whom they interviewed with the permission of his mother, which indicates how young the members of the group are) say they know OG's real name, the state in which he works, and that he's in his early-to-mid twenties.

Dave Bittner: Counterintelligence officers traditionally use the acronym "MICE," for money, ideology, compromise, and ego, to summarize the motivations of people who commit espionage. OG seems to have been motivated strongly, apparently exclusively, by ego. One of OG's besotted followers told the Post, "If you had classified documents, you'd want to flex at least a little bit, like, hey, I'm the big guy."

Dave Bittner: The material began to leak from its initial Discord channel on February 28th, when one teen member of Thug Shaker Central posted some of its photos to a different Discord channel. Other files subsequently spread to a Discord server devoted to the game Minecraft. OG stopped sharing classified information in mid-March, but on April 5th some of the material already posted appeared in 4chan and Russian Telegram channels. At that point the leak finally came to the attention of the US Government. When OG became aware that his leaked files had leaked beyond his online family, he was, the follower told the Post, distraught. The Post quotes the follower as saying, "He said something had happened, and he prayed to God that this event would not happen, but now it's in God's hands."

Dave Bittner: NBC News reports that the incident has prompted the US Government to review the way it monitors social media for security threats. "The intelligence community is now grappling with how it can scrub platforms like Discord in search of relevant material to avoid a similar leak in the future," said a congressional official. How that might be accomplished is under study; and the solution isn't obvious.

Canada says its natural gas infrastructure sustained no physical damage from Russian cyberattacks.

Dave Bittner: One of the leaks in the Discord Papers outlined attempted Russian cyberattacks against Canada's natural gas infrastructure. Prime Minister Trudeau said yesterday that the country's infrastructure sustained no "physical damage" from such attacks.

Russian cyberattacks are expected to increase as the invasion of Ukraine stalls.

Dave Bittner: And, finally, while cyberattacks in the hybrid war continue to fall far short of prewar fears and expectations, officials caution against anyone letting their guard down.

Dave Bittner: The Voice of America quotes NSA cybersecurity director Rob Joyce's warning not to dismiss Russian offensive cyber capabilities. Joyce said this week, "In cyber, I think people have underestimated really how much game they (Russia) brought, whether it be the Viasat hack to nine or 10 different families of brand-new, unique wiper viruses that have been thrown in that ecosystem. There's continued attacks on Ukrainian interests, whether it's financial, government, personal, individual, business, just trying to be disruptive."


Dave Bittner: One of the threat actors that will bear watching is Winter Vivern. Avertium has published a summary of Russia's Winter Vivern and its recent activities; the researchers urge continued vigilance against what they describe as a "scrappy" and often overlooked group.

Dave Bittner: Coming up after the break, Johannes Ullrich from the SANS Technology Institute explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia's war on Ukraine. Stay with us.

Dave Bittner: It is my pleasure to welcome back to the show Charlie Moore. He goes by "Tuna" to his friends. He is a distinguished visiting professor at Vanderbilt University and former deputy commander at US Cyber Command. Charlie, welcome back.

Charlie Moore: Hey, Dave, great to be back with you. Thank you so much.

Dave Bittner: I want to touch today on where we stand when it comes to the conflict in Ukraine, Russia's war there, and some of the lessons that we're learning when it comes to the cyber elements of that. What are your insights here?

Charlie Moore: Yeah, it's a fascinating subject to take a look at. And I think one of the things you have to begin with here is this really is the first nation-state war, one involving a nuclear capable power, where we are seeing full-spectrum cyberspace operations taking place. And so there's a lot to look at here and lessons learned to be garnered.

Charlie Moore: When I first look at this, I'm immediately reminded of a quote that I was forced to memorize when I was a first year cadet in the United States Air Force Academy. And Dave, the quote is, "victory smiles upon those who anticipate the changes in the character of war, not upon those who wait to adapt themselves after the changes have already occurred." Now, that quote comes from Air Marshal, Italian Air Marshal, Giulio Douhet, during the period between the great wars of the 20th century. And specifically, what he was talking about was what he saw as the dominance of this new third domain of warfare called the air. But I think that quote and his insights there are just as relevant today when we think about what's going on in the cyber/the digital domain. Because of the technological advances in computing, networking, big data analytics, AI, and other tools, the ability to achieve persistent information dominance over one's enemy has changed the character of war in my opinion.

Dave Bittner: And how has that specifically played out in this situation?

Charlie Moore: I think, first, I've got to give a little bit more background to answer that question. So because of what I refer to as "digital convergence" -- now, what do I mean by "digital convergence"? I mean that virtually everything we use to sense or see what is occurring in the battle space, to gather that data, to transfer that data, to store that data, to analyze that data, and turn it into information that decision-makers can then use to direct operations, occurs within the cyber or digital domain.

Charlie Moore: So it's because of this digital convergence and by achieving cyber digital superiority over our adversaries, that's what we really mean when we talk about trying to achieve or the ability to achieve information security or dominance. And obviously throughout military history, knowing more about the battle space than your adversaries resulted in significant advantages. And it's often been a huge determining factor. But today's technological advancements provide us the opportunity to effectively achieve persistent information advantage over our adversaries. And thus allowing not only success in individual battles but strategic levels of dominance military leaders throughout history could only dream about.

Charlie Moore: Now, with that as a background, what I'm referring to -- and we look at current events and what's going on in Ukraine -- is it's giving us a little glimpse of one aspect of what digital convergence means to war fighting.

Charlie Moore: So if we remember back in February, February 24th, when this invasion first began, the vast majority of experts, including our own military experts, were saying they believed, you know, the Ukrainian capital Kyiv would fall in as little as 72 hours. And since then, we've had a lot of analysis and a lot of things have been written and discussed about the many failures of the Russian military. And undeniably, there's many components to this. But we've also spent a lot of time focused on the advanced weaponry that we've been giving to Ukraine and how that's helped turn the tide of the battle. And no doubt, we've given tens of billions of dollars. I think total aid now, we're approaching $200 billion of advanced weaponry and other type of assistance that's been given to Ukraine.

Charlie Moore: But what's really important to remember is that some of these very effective and lethal weapon systems are really game changing because of the real-time information being provided to the Ukrainians, primarily utilizing the cyber digital environment, that allows them to be employed with speed and precision against prioritized enemy targets, in support of an overarching military strategy. That is extremely, extremely important, and I think has really given them an asymmetric advantage over the Russians.

Dave Bittner: In your estimation, how much are the Russians actually underperforming versus what we thought their capabilities were versus that the Ukrainians are taking advantage of the capabilities of their allies to help defend them? Or how much is it a combination of those things?

Charlie Moore: It's absolutely a combination of those things. I mean, there's just some fundamental problems that we've seen with the Russian military. You know, their ability to perform logistics support, just baseline logistics support, is just absolutely atrocious. The day-to-day care and support of their equipment that they brought into the battle space and while it's in the battle space is not up to, you know, our standards by any means. Their inability to really perform joint combined operations, primarily we're talking about in the air, land, cyberspace, and space, really doesn't exist anywhere to the level that obviously the United States and our NATO friends and allies train to. But I think underlying all of those problems really gets back to a lot of the assistance that they are getting from Western nations. And this isn't to, by any means, belittle the incredible effort by the Ukrainians and their willingness to fight and defend their homeland and all the sacrifices they are making. But I do believe that underlying much of their support is this information advantage that we've essentially been able to gift to the Ukrainians. And a lot of that capability was developed during the counterterrorism fight over the last 20 years, where the United States really refined its ability to find, fix, track, target, and what we would call "finish" enemy targets, at a speed and with a level of precision that even our near peer adversaries like Russia and China simply cannot match.

Charlie Moore: And so being able to gift that type of data to the Ukrainians and empower them to understand what the Russians are up to, what their plans are, where their forces are located, what we think their schema might be, where certain types of targets are present themselves, that's been an asymmetric advantage that we've been able to provide them.

Dave Bittner: As both our allies and our adversaries look at what's going on here, how do you suppose this is going to inform how they approach these sorts of conflicts in the future?

Charlie Moore: Well, what I hope, I hope one of the lessons we take away is the absolute importance of this digital space and achieving true digital/information superiority. I really believe that moving forward, if you simply build the best ships and the best aircraft and the best tanks and train the best soldiers, sailors, airmen, and marines, that's not going to be enough. Underlying it all is going to be that information superiority. It's going to not just make it possible to do that job well, it's going to be critical in order to be able to win and to perform those fundamental military functions.

Dave Bittner: Before I let you go, there is a summit coming up at Vanderbilt University, which is where you are a distinguished visiting professor. Can you give us a few details about that event?

Charlie Moore: Yes. Thanks for giving me the opportunity to do that. So we're hosting the Vanderbilt Summit on Modern Conflict and Emerging Threats. It's going to take place May 4th and 5th on the Vanderbilt campus in Nashville, Tennessee. And the summit convenes internationally renowned leaders and experts from academia, military, government, and industry, to explore collaborative approaches to some of the most critical security challenges of our time.

Charlie Moore: So this year, we're going to focus on global competition, cyber threats, and the national security implications of advancements in technology like artificial intelligence. We have an incredible group of speakers and panelists that are coming out, including General Nakasone, commander of US Cyber Command and director of the National Security Agency; General (retired) Tod Wolters, who was formerly NATO Supreme Allied Commander and EUCOM commander; Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency; a whole lot of other folks. And if people are interested to get more information and hopefully join us, you can go to vu.edu/summit. And that's vu, as in Victor Uniform, .edu/summit, for more information. So I hope to see folks there.

Dave Bittner: All right, Charlie "Tuna" Moore is a distinguished visiting professor at Vanderbilt University and former deputy commander at US Cyber Command. Charlie, thanks so much for joining us.

Charlie Moore: Thank you, Dave. Always great talking to you. [ Music ]

Dave Bittner: And joining me once again is Johannes Ullrich, he is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast Podcast. Johannes, it's always great to welcome you back. You and your colleagues have been tracking some scams on Upwork lately. What's going on here?

Johannes Ullrich: Yeah, so Upwork is a platform that allows you as a freelancer to offer your services. Often used by developers and then companies can hire these developers for specific projects. And like all of these platforms, there is a vetting system you have to go through in order to actually sign up for it and their reviews and the like. What I notice lately in particular on Slack channels sort of for local technology groups, that people joined these Slack channels and then offered jobs via Upwork. But the way this worked is they weren't actually giving you work. They were asking you to use your Upwork account. And the trick here is that, first of all, now they're using your reputation in order to offer jobs. And, of course, they're going to give you a cut of whatever they're making. But they're using your good reputation to offer probably some shady services here in the end.

Johannes Ullrich: The other reason this is done apparently is that some US-based companies have restrictions whether or not they're allowed to outsource work overseas. And they're specifically interested in gaining access to US-based developers' Upwork accounts and then offer some pretty good amount of money in order to basically, as they call it, "manage their work." So sometimes the way these ads are being framed is that you're going to be a project manager for this team overseas; you're going to be their English-speaking face to the US market via your Upwork account. In some cases, they even kind of ask you if they can just make it easy for you. After all, you don't want to have too much work. To just basically, if you install AnyDesk or some remote-control software on your PC, they'll just use your PC and your Upwork account remotely. So this way it's really not work for you, you just get the money.

Dave Bittner: What could go wrong?

Johannes Ullrich: Yeah, what could go wrong?

Dave Bittner: Yeah. Well, I mean, that's an obvious red flag there, but what are some of the other red flags people should be on the alert for here?

Johannes Ullrich: Well, with any platform like this, as a freelancer, your reputation is on the line. So you definitely have to be careful how you're protecting your account. And I'm pretty sure if they're paying you money for it, they're also willing to steal it. So this is something that you have to monitor, you have to check the communication being passed through your Upwork account. And again, the same is true for any other platform like this -- you know, Fiverr or whatever. There are many similar platforms that basically offer you to manage work. And if you're accepting work via the platforms, well, use their mechanisms. So it may be okay for you to outsource some of the work that you are receiving to developers overseas via their Upwork account. But be up front to your clients who ask who is doing the actual work. Again, after all, it's your reputation on the line. And outsourcing some work like this, that you feel comfortable with, that you can review and such, may not be really all that bad. But be up front to your clients about what you're doing.

Dave Bittner: I would suspect also there's potential peril here. If you're providing -- if you're acting as a middle person between, you know, some folks in a country that isn't supposed to be doing business with the US, that could lead to trouble there as well.

Johannes Ullrich: There could be some legal issues like in more extreme cases where you're like bypassing embargoes and things like this. That could certainly be an issue as well.

Dave Bittner: Yeah. All right, well, Johannes Ullrich, thanks for joining us. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire Podcast is a production of N2K Networks. Proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester. With original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.