The CyberWire Daily Podcast 5.15.23
Ep 1823 | 5.15.23

Ransomware, doxxing, and data breaches, oh my! State fronts and cyber offensives.


Dave Bittner: Discord sees a third-party data breach. Black Basta conducts a ransomware attack against technology company ABB. Intrusion Truth returns to dox APT31. Anonymous Sudan looks like a Russian front operation. Attribution and motivation of "RedStinger" remains murky. CISA summarizes Russian cyber offensives. Remote code execution exploits Ruckus in the wild. Our guest is Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service on their efforts to thwart e-mail compromise and romance scams. And espionage by way of comments on YouTube.

Dave Bittner: I'm Dave Bittner with your CyberWire "Intel Briefing" for Monday, May 15, 2023.

Third-party data breach at Discord.

Dave Bittner: Bleeping Computer reports that Discord, the well-known Voice over IP and instant messaging social platform. Has experienced a data breach through the compromised account of a third-party support agent. Discord says the exposed ticket queue of the support agent contained user e-mail addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets. The company quickly disabled the agent's account and did a malware sweep of the device. Security Affairs reports that Discord is also working with its third-party support provider to improve their cybersecurity posture and prevent an incident like this from taking place, again. Discord told affected users that they believe the risk from the breach is minimal but that they advise vigilance against potential fraud or phishing attempts.

Black Basta conducts ransomware attack against technology company ABB.

Dave Bittner: Swiss technology company ABB confirmed Friday that they're experiencing technical issues relating to a cyberattack. Bleeping Computer reports that the Black Basta ransomware gang was behind the attack, but ABB has yet to confirm this. The outlet reports that employees have noted that the attack has impacted the company's Windows Active Directory affecting hundreds of devices. ABB seems to remain mostly operational. An ABB spokesperson told ET CISO the vast majority of its systems and factories are up and running and ABB continues to serve its customers in a secure manner.

Intrusion Truth returns to dox APT31.

Dave Bittner: The Washington Post reports that Intrusion Truth, the anonymous bloggers who've made a specialty of exposing Chinese Ministry of State Security cyber operations. Resurfaced last week to publish an account of APT31's recent activities. In this case, it's claimed exposé of the MSS' Kerui Cracking Academy located in Wuhan. Mandiant describes APT31 as a China nexus cyber espionage actor. Focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages. It's less clear who Intrusion Truth is. The group presents itself as a collection of hacktivists, but there's speculation that, in fact, they're a cybersecurity firm or an activity run by a Western intelligence service. In any case, their reports have a good track record of confirmation by independent sources.

Anonymous Sudan looks like a Russian front operation.

Dave Bittner: Bloomberg reports that Anonymous Sudan, which represents itself as an Islamist Sudanese hacktivist collective, appears, in fact, to be a false flag operation of Russian intelligence services. Research published in February by the Swedish cybersecurity firm Truesec concludes that Anonymous Sudan is instead in all probability a Russian operation directed at Sweden. Its aim is to interfere with Sweden's accession to NATO using a mix of nuisance-level DDoS attacks and influence operations directed at Sweden's Muslim minority and at Turkish public opinion.

Dave Bittner: The DDoS attacks, apart from the irritation they represent, lends some plausibility to Anonymous Sudan's self-presentation as a hacktivist group. DDoS, after all, is, along with website defacements, a common hacktivist tactic. But Truesec concludes that Anonymous Sudan displays both a detailed close knowledge of Sweden's political climate. And a level of funding that far exceeds what's reasonably available to genuine hacktivist groups. The hacktivists, however committed they may be and however good their day jobs are, usually aren't able to afford pricey server rentals.

Dave Bittner: Bloomberg cites a professor of international relations at the Norwegian Institute for Defense Studies in Oslo. Who's seen the timing and organization of the attacks, the hackers knowledge of religious and political friction points in Sweden. And the attacks similarities to other Russian influence operations, which led her to the conclusion that there was a Russian intelligence affiliation. For its own part, Anonymous Sudan insists they're not Russian, they say, but Russia has helped them in the past and this is just their way of giving back. A look at the sad, ongoing violence in Sudan would suggest that this is implausible. Actual hacktivists, especially actual Sudanese Islamist hacktivists, would have more immediate concerns than doing their Russian buddies a solid.

Attribution and motivation of "RedStinger" remain murky.

Dave Bittner: The "RedStinger" campaign Malwarebytes described last week seems to have been active against both Ukrainian and Russian targets. A discussion in Cybernews notes that while the APT group, which the outlet refers to as Red Stealer, is known to have been active between 2020 and 2022 and seems to be Russian. It's motivation is curious, as it's collected against targets on both sides of Russia's war with Ukraine. One possible explanation is that "RedStinger" was interested in quasi-domestic surveillance of officials in Ukrainian provinces illegally annexed by Russia.

CISA summarizes Russian cyber offensives.

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency has published a collection of its studies of the Russian government's malicious cyber activities. The most recent entry is last week's discussion of the Snake malware and its disruption by the Five Eyes. The oldest entry goes back to December 29, 2016 and covers the GRIZZLY STEPPE operation conducted against US targets associated with the 2016 US elections. It's noteworthy that CISA's compendium addresses only Russian government malicious activity. The large and active Russian cyber underworld is outside the scope of the summary.

Remote code execution exploits Ruckus in the wild.

Dave Bittner: CISA logged seven new issues into its Known Exploited Vulnerabilities Catalog on Friday. One of the more noteworthy vulnerabilities they added was the critical remote code execution issue affecting multiple Ruckus products. Bleeping Computer reports that the flaw concerns devices using the Ruckus wireless admin panel. The vulnerability, while first acknowledged in February, has probably not seen many patches on vulnerable Wi-Fi access points, which in these attacks have been targeted by "AndoryuBot" malware. The malware, once within the system, adds the compromised device to a botnet for use in DDoS attacks. Ruckus released a security bulletin in February that was updated last week detailing the almost 60 devices impacted and the patches that are available. Many end-of-life devices, however, have no patch available.

Dead drops, Gangnam style.

Dave Bittner: And finally, dead drops used to use things like trash bags beneath North Virginia footbridges maybe signaled with a chalk mark on a mailbox or some chewing gum on a lamppost. Now they can use comments in YouTube videos. The Suwon District prosecutor's office has charged four members of the Korean Confederation of Trade Unions with spying for North Korea. The South Korean trade unionists are accused, according to NK News, of communicating with their handlers by leaving a prearranged comment in a YouTube tutorial video.

Dave Bittner: The KCTU members are accused of violating the Republic of Korea's National Security Act through both espionage and serving as agents of influence. The alleged influence is incitement of anti-Japanese and anti-American sentiment. Interestingly, not all of the signaling was digital. The four accused also allegedly used old-school trade craft that would be familiar to any reader of spy novels from John le Carré.

Dave Bittner: Coming up after the break, our guest, Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service explains their efforts to thwart e-mail compromise and romance scams. Stay with us.

Dave Bittner: Veeam Software is a data backup and protection company and they recently released the results of their 2023 Data Protection Trends Report. For insights on the report, I spoke with Dave Russell, Vice President of Enterprise Strategy at Veeam.

Dave Russell: You know, I always like a little bit of myth busting. So, you know, one myth is that the cloud and cloud first or hybrid cloud, multicloud, is coming. But our research shows that it's already here, meaning the- in the pandemic years, these last roughly three years, it's a pretty even split on-prem and off. Meaning right now, 4,200 organizations that we surveyed across 28 countries, they report that actually they're slightly more physical than virtual on-prem and that totals 53% of their workloads. And in hybrid cloud, multicloud universe, meaning off-prem, they're 47%. So nearly half and going to 52% or just over half next year.

Dave Bittner: What do you make of that? I mean, what are the real-world ramifications of those numbers?

Dave Russell: To me, it's an interesting mix of, oh, wow, we didn't turn anything off. We still have a lot of physical servers. We obviously have a lot of virtual servers. We're commissioning more, actually more of both, meaning commissioning physical servers on-prem, as well. But we're also expanding out into the cloud, and when we say a word like cloud, it actually means many, many different things. It could mean Infrastructure as a Service. Most of us have multiple Software as a Service applications that we're running, maybe PaaS applications, as well. So if you're an administrator trying to get your arms around that or if you're a C-level person, a CIO or a chief information security officer, you got an awful lot to contend with.

Dave Bittner: Let's dig into some of the other things the report covers here. You touch on data protection and disastery recover. What sort of things are you tracking there?

Dave Russell: Yeah, well, you know, selfishly being a data protection vendor, we really want to know what the market's feeling and thinking, you know. Both in terms of what do they seek in, but also what do- what would drive them to change. And the reality is there's a lot of frustration. And I should mention, you know, this is a blind survey, meaning no one knew that Veeam was asking the questions, and it's certainly not just Veeam customers. In fact, Veeam makes up fewer than 8% of those 4,200 respondents, and that's by design.

Dave Russell: So one of the things that really struck me or shook me, I guess I should say, is that organizations self-report. The administrators say that they think they have a protection gap in terms of how much data they would lose in a recovery scenario. And a gap in terms of how long it would take them to get the data back. In fact, those numbers are 79%, "Not gonna hit my data loss objectives," meaning, "I'm gonna more data." And 80%, "I don't think I can get the data back in time in which the business expects it to be." So if the administrators, those that are actually in charge of the systems, are reporting, "Hey, I don't think we can do this." That's a pretty unnerving set of statistics.

Dave Bittner: And what is the impediment here? I mean, what's keeping them all from closing that gap?

Dave Russell: Yeah, in part, it's what we mentioned around the different types of deployments. But the other thing that really was interesting to me is we've been asking now for the last three years what was the number one and please rank all causes of unplanned outages. And what's amazing is all of the things that literally for half a century we've worried about in the data center like server outages, network misconfiguration, etc. Those things still happened with amazing frequency, you know, despite the rise of, you know, redundant power supplies and high mean time to failure components, we still have those things happening. But what rose to the top the last two years has been cybersecurity. So now you've gotta worry about all kinds of configuration issues and component failures as well as cyber. And when we added all that up, it actually they can check all, it adds up to 500%. So that means on average, there are five different things taking down a server in a 24-month period.

Dave Bittner: What is your sense in terms of the folks who are responsible for protecting these systems being able to tell that story and get the resources they need to the powers that be at their organizations?

Dave Russell: In a strange way, I think that story or situation is getting better. And what I mean by that is I, you know, now I'm going on 34 years I've been in the backup space. I always felt like organizations were not nearly as recoverable as they thought they were. And yet the data that, you know, I just rattled off shows a protection gap, a recovery gap in terms of time. But it was easy to kind of kick the can down the road, meaning that we'll get to that later. And the reason why was because we historically as an industry, we only recovered or restored three to 5% of the data that we backed up. And the trick, of course, was you didn't know which three to 5% and you didn't know when you would need it.

Dave Russell: Now comes cyber where literally without warning, 100% of your production data could have to be recovered, and then within a period of a couple of months, you might get hit, again. In fact, unfortunately, the odds are not in your favor in terms of not getting hit. So that has elevated the situation to literally a board-level concern. You know, no board typically ever wants to talk about or much less think about backup and recovery. But if that is your last line of defense to keep your business operational, now it's no longer a luxury item.

Dave Bittner: Well, based on the information that you all have gathered here, I mean, what is your practical advice to folks? What's the- what are the words of wisdom here?

Dave Russell: Yeah, the number one thing I always like to say is, you know, download the report and read it. You owe it to yourself to get educated. Part of that education might be a confirmation of what you maybe already thought as a practitioner. But now you can have a different kind of a conversation with your management team or even your board. And then from there, get prepared. You know, sometimes you really can't do everything. We all live in a world of scarcity. But I like to say that you may not be able to do everything but you can do something.

Dave Russell: You know, you can start to patch the systems that have gone unpatched for quite some time and represent latent threats with latent vulnerabilities. You can start to plan for a hybrid cloud multicloud world that you're probably already in even if you're not kind of realizing that yet. And then in terms of, you know, cyber, you know, everything you can do around employee training particularly around phishing, anything you can do about patch management. And of course, make sure you have backups and test those backups.

Dave Bittner: That's Dave Russell from Veeam discussing their 2023 Data Protection Trends Report.

Dave Bittner: And I'm pleased to be joined once again by Matt O'Neill. He is Deputy Special Agent in charge for Cyber with the United States Secret Service. Matt, welcome back.

Matt O'Neill: Thank you.

Dave Bittner: I want to touch today on some of the work you and your colleagues are doing when it comes to business e-mail compromise and romance scams. Can we start off with just some definitions here? How do you all describe these particular types of capers?

Matt O'Neill: So business e-mail compromises, BECs, and romance scams, are very much interrelated. So in a business e-mail compromise, typically there are several sort of areas where fraudsters could prey upon victim organizations or individuals. The first would be a CEO impersonation scam where they will contact somebody in the organization claiming to be the CEO and ask them to move money. Typically, the sort of tactics that they're use is they'll try to put pressure on the individual who can send them money to say, "Hey, this has to happen immediately. Don't tell anybody because it could ruin whatever deal that is being done."

Dave Bittner: Mm-hmm.

Matt O'Neill: "And, oh, by the way. I'm going to be out-of-pocket for the next 12 to 24 hours and I expect it to be done by the time I get back."

Dave Bittner: Are these the ones I hear, "I need you to go get me some gift cards." Is that often part of this, as well?

Matt O'Neill: No, that- not typically in a business e-mail compromise, but that is a whole other sort of adjacent scam that does [inaudible] happen.

Dave Bittner: Okay. It's hard to keep track, Matt.

Matt O'Neill: Oh, there's a lot of them. And then, also, invoice-related scams where, typically, just like the majority of all of cyber incidents that we see, it starts with phishing attacks and gaining access into e-mails. And then looking for invoices that a victim organization would receive or send. And then trying to either change the routing coordinates of where the invoice was going to get paid.

Dave Bittner: Mm-hmm.

Matt O'Neill: And then a lot of times, what'll happen is it'll be several days or a week later where the victim organization will reach out to whoever they're doing business with and ask them, "Where's my money?"

Dave Bittner: Right, right.

Matt O'Neill: And they'll say, "Well, we sent it to that new routing at, you know, that new financial institution, to which then they'll contact the Secret Service or the FBI, but largely, it's too late. Another one that's also something that we spend a lot of time on is real estate BECs.

Dave Bittner: Hm.

Matt O'Neill: And that's simply think about you're getting ready to close on a house and you have to send in your final payment. Well, what fraudsters will do is they will direct that final payment to them and you're thinking, "Oh, well, this is just a change in whoever I'm, you know, the closing attorney or the title company." And then you show up to closing and they'll say, "Well, I'm sorry, Mr. O'Neill. We can't close today because we never received your money." And the victim will say, "Well, I sent it to the wiring account address that you suggested." To which then that's just awful situations we've had.

Matt O'Neill: We have a team in our- the Secret Service's Global Investigative Operations Center that's been focused on recovering assets in business e-mail compromised scams since 2019. And they have recovered $283 million since 2019 for victims. And there's --

Dave Bittner: Wow.

Matt O'Neill: There's only four employees who are extremely hardworking and leverage contacts throughout the global financial services sort of web around the world to try to recover the funds. Because the most important thing to understand in BEC cases is time is of the essence. So if you don't report it within 48 hours, the odds are the money will be gone. Our success rate in recovering funds outside of even the asset forfeiture process. But communicating with the receiving bank, and the sending bank, and the getting them to work together to get the money back to the victim within 24 hours, it's approximately 56%.

Dave Bittner: Hm.

Matt O'Neill: But typically would happen in some organizations is once they find out that the money was sent to someone else other than the intended recipient. There comes we like to call it the Super Bowl of finger-pointing and they'll spend several days figuring out who's- who was responsible.

Dave Bittner: Right.

Matt O'Neill: But by the time that that happens, the money is long gone.

Dave Bittner: Wow.

Matt O'Neill: And so we highly encourage, again, if you're an organization, communicate early and often with your local Secret Service office through our Cyber Fraud Task Force network. To make sure that when- if something like this happens, that you have a contact that you can get it to either to them and they can get it to our Global Investigative Operations Center or through FinCEN. To try to at least stop the money before it ultimately is withdrawn at the final destination.

Dave Bittner: And what about the romance scam component of this? How does that play into this?

Matt O'Neill: So one of the choke points in financial fraud is money mules. And so typically what we'll see is romance scams unfortunately are sort of gateway crimes. And when I say that, I mean a victim in a romance scam, and those typically happen through websites, dating apps, traditionally not the location-based sort of dating apps. But more sort of the legacy online apps where you can kind of hide where you are located and things like that. And so there's a lot of impersonation that goes on and also long-term cultivating relationships. Sometimes it's four, or five, six months. And so through a romance scam, what'll typically happen is someone- the victim will be notified by the person they think that they've been dating to say. "Well, I have this great investment. You should invest. And we've been, you know, talking forever and, you know --"

Dave Bittner: You can trust me.

Matt O'Neill: Yes, "You can trust me. I'm in on something. We're gonna make a lot of money." Or they could say, "I've been injured and I need money to get back to either visit you," or something along those lines, or a family member. A lot of times, what we'll see is the first, the investment, and then the second will be then the injury. And then what we'll see is a transition to the victim in this case becoming unwitting or an unwitting money mule for the bad actors. Then it'll transition to those business e-mail compromise cases that I was talking about. Where if I'm trying to get an organization to send money to me, I'll usually use one of those money mules, their accounts.

Matt O'Neill: So it'll be trying to convince them to open up an account and. "Hey, we're- you're gonna make some money. You- I have this overseas business and I need somebody in the United States to be my accounts receivable. Just open up an account. Provide me with the information. A hundred thousand dollars is gonna get wired in. You get to keep 5% and then only thing you have to do is send it to someone else."

Matt O'Neill: And then the victim will open the account and then what'll typically happen is after the money's been moved, then law enforcement will go back to that victim and say. "You laundered $100,000 in victim proceeds. Where did it go? How did it happen?" Those kinds of things. And typically, they- now they're doubly victimized because they've quote-unquote, "invested" with the bad actor. And now they're also being victimized because they've become an unwitting money mule. Money mules are sort of the- one of the centers of gravity that enable cybercrime to flourish.

Dave Bittner: You alluded to how, you know, time is of the essence here and that it strikes me that one of the, I don't know, superpowers of the Secret Service is being able to unpack these complex financial things. I mean, the agency has a long history of that. Is that the message for our listeners that really time is of the essence here, that it may be counterintuitive to, you know, you may think, "Well, let's wait," but no. Every minute counts.

Matt O'Neill: Yes. For a victim or any organization that engages in sending wires and that sort of thing, the most important thing is to know (a) that this fraud is rampant and it is continuing to grow year over year. So you can anticipate at least attempts to be made to your organization. The good cyber hygiene is always sort of clearly recommended. But ultimately, yes, time is of the essence, and typically after 72 hours, the odds of you getting your money back are very slim. So developing the relationships before the bad day happens with your local Secret Service office, your local FBI office. Again, it doesn't matter to us. As it's often said, cyber's the ultimate team sport. It's our job to work together. It's not your job to figure out, "Oh, do I call the FBI on this or the Secret Service on this?"

Dave Bittner: Right.

Matt O'Neill: Just call somebody and we'll work it out on our end.

Dave Bittner: All right, fair enough. Matt O'Neill is Deputy Special Agent in Charge for Cyber with the US Secret Service. Matt, thanks so much for joining us.

Matt O'Neill: Thank you for having me.

Dave Bittner: And that's the CyberWire. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can e-mail us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity.

Dave Bittner: We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at

Dave Bittner: This episode was produced by Liz Irvin, and senior producer, Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.