The CyberWire Daily Podcast 8.11.23
Ep 1883 | 8.11.23

Tehran’s social engineering. CSRB reports on Lapsus$. Call for comment on open-source standards. Coping with a tight labor market. Two private sector incidents in Russia’s hybrid war.

Transcript

David Bittner: Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post’s Tim Starks joins us with the latest cybersecurity efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security, with insights on protecting patient data. And how Viasat was hacked.

David Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, August 11th, 2023.

Charming Kitten collects against Iranian expatriate dissidents.

David Bittner: Germany's BfV security service, the Bundesamt für Verfassungsschutz, warns that Iran's Charming Kitten threat group is collecting against Iranian dissidents residing in Germany and elsewhere. Both individuals and organizations are targets. Charming Kitten has been paying particular attention to lawyers, journalists and human rights activists since late 2022 at least.

David Bittner: The campaign is a social engineering effort. Deutsche Welle characterizes Charming Kitten's approach as spearphishing. The Iranian service first builds a target dossier containing an inventory of the subject's interests and connections, then cultivates a relationship of trust with the subject, and, finally, invites the target to a video chat in the course of which credentials are harvested. The BfV recommends the customary cautions with respect to new and unknown online contacts.

David Bittner: Charming Kitten is also known as APT35, Phosphorus, Newscaster, and the Ajax Security Team.

Cyber Safety Review Board reports on Lapsus$.

David Bittner: The US Department of Homeland Security’s Cyber Safety Review Board has released the findings of its investigation into the Lapsus$ Group. The report states, “The CSRB found that Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data. Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design.”

David Bittner: The report adds, “To facilitate the transition to passwordless authentication, the Board recommends that the federal government develop and promote a secure authentication roadmap for the nation. The roadmap should include standards, frameworks, guidance, tools, and technology that can enable organizations to assess, progress, and implement leading practices for passwordless authentication.”

David Bittner: The Cyber Safety Review Board, CSRB for short, is a relatively young organization. It’s modeled on the long-established National Transportation Safety Board, best known for its investigation of commercial aviation mishaps. The Lapsus$ investigation is a good example of what might be expected from what seems destined to become an important organization.

Call for comment on open-source, memory-safe standards.

David Bittner: The White House Office of the National Cyber Director (ONCD) is seeking input from the public and private sectors for comments on open-source software security and memory-safe programming languages in order “to develop and implement long-term and sustainable policy solutions.”

David Bittner: The ONCD offered a clear statement of why it’s seeking input. The Office explained why open-source software is important: “In addition to its many benefits, the ubiquity of open-source software in commercial products, government systems, and military platforms presents unique security risks. For this reason, the White House established the Open-Source Software Security Initiative (OS3I), an interagency working group with the goal of identifying policy solutions and channeling government resources to foster greater open-source software security across the ecosystem.”

David Bittner: And it also articulated three focus areas that need to be addressed:

  1. “Increasing the proliferation of memory safe programming languages;

  2. “Designing implementation requirements for secure, privacy-preserving security attestations; and

  3. “Identifying and promoting focused areas for prioritization.”

David Bittner: Responses are due by 5:00 PM on October 9, 2023. Share your insights with the National Cyber Director.

How NSA is coping with the cyber labor market.

David Bittner: The US National Security Agency is looking at ways to implement hybrid work and other incentives as it undergoes a major hiring surge, Federal News Network reports. NSA Director Gen. Paul Nakasone, speaking at the Center for Strategic and International Studies yesterday, said, “We’re going to hire probably half of our civilian workforce over the next five years, because there was a tremendous demographic change with folks that had been hired in the late ’80s that had worked at our agency now becoming retirement eligible.”

David Bittner: Nakasone said of the agency’s “Future Ready Workforce” initiative, “It’s looking at such things as how do we onboard our personnel better? How do we take a look at wellbeing? How do we do hybrid work? This idea of perhaps, some of what we do doesn’t always have to be done in a [Sensitive Compartmented Information Facility]. And then how do we take a look at our leadership development.”

Yandex is restructuring.

David Bittner: The "Russian Google" has a corporate parent registered in the Netherlands and listed on the Nasdaq, but that's in the process of changing. The Russian side of the business will be spun off from the parent company, Reuters reports. Yandex had been one of the few Russian companies with realistic global ambitions, but the war against Ukraine has changed that, and the reorganization will effectively recognize that.

David Bittner: The company's relationship with the Russian regime is complicated. Arkady Volozh, Yandex co-founder, and resident in Israel since 2014, holds both Russian and Israeli citizenship. He stepped down from his position as CEO and gave up his seat on the company's board last year, after he was subjected to sanctions by the EU over Russia's invasion of Ukraine. Yesterday he sharply criticized the special military operation. "Russia's invasion of Ukraine is barbaric, and I am categorically against it," Volozh said in a statement. "I am horrified about the fate of people in Ukraine – many of them my personal friends and relatives – whose houses are being bombed every day," Reuters quotes him as saying. "Although I moved to Israel in 2014, I have to take my share of responsibility for the country's actions."

David Bittner: Why hasn't Russia simply nationalized Yandex? Because, Reuters says, the Kremlin fears the brain drain it expects would follow such a move. The Institute for the Study of War concludes that a "crypto-nationalization" of the company may be in progress. The objectives are complex: control the domestic information space, reward Putin loyalists by handing assets over to them, and do all this without driving out the tech talent Yandex represents.

How Viasat was hacked.

David Bittner: And, finally, Russia's disruption of Viasat in Ukraine during the first days of the special military operation was the only Russian cyberattack that came close to living up to pre-war fears of a digital bolt from the blue. Viasat's vice president and CISO, speaking at Black Hat, gave an account of how that attack was accomplished. It was, CyberScoop reports, a more complex operation than has been generally appreciated.

David Bittner: That the attack used wiper malware against modems on the ground is widely understood. There was, however, a second phase designed to prevent restoration of service. "Not only did Russian hackers deploy the wiper malware, they also flooded Viasat servers with requests that quickly overwhelmed their networks. Viasat servers received more than 100,000 requests in a five minute time span. That meant that anytime a modem would get kicked off the network it couldn’t reconnect because the server could not respond." This aspect of the campaign was discovered only later. The attackers not only wanted the satellite comms down; they wanted them to stay down.

David Bittner: Coming up after the break, The Washington Post's Tim Starks joins us with the latest cybersecurity efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security, with insights on protecting patient data. Stay with us.

David Bittner: Dan Dodson is CEO at Fortified Health Security, a cybersecurity firm focused on protecting the healthcare sector. They recently released their midyear Horizon Report with insights to help healthcare organizations protect patient data and strengthen their security posture. I spoke with Dan Dodson for the details.

Dan Dodson: Yeah, so I think one of the things that caught my eye relative to the reported breaches -- we've been looking at this data since 2017, running the Horizon Report, and over the last couple of years we've seen an increase in the number of reported breaches that include a business associate. And this year there was a 273% increase the first half of '23 over the first half of '22.

Dan Dodson: And I think what that really means is that organizations need to continue to invest and focus on third-party risk management, which is a hot topic in cybersecurity right now. And this data just proves the importance of making sure that as we're exchanging data to deliver clinical care, that we're focused on making sure that that's a secure way in and outside of the healthcare hospital.

David Bittner: And what sort of specific things do you recommend for organizations to keep on top of their third-party relationships?

Dan Dodson: Yeah. I think the market has largely adopted kind of the legal elements of it, Dave. A lot of organizations have, you know, business associate agreements between the third parties. We've largely adopted that. I think now it's incumbent upon us to take that a step further and really understand the cybersecurity posture of our partners to make sure that we can exchange data securely.

Dan Dodson: So my recommendation is to put in a thorough third-party management program that includes evaluating and understanding risks on the third party's side so to speak. And then making sure that you understand what compensating controls, if any, that you need to put in place within your own organization so that you can keep the data within the health systems safe and secure and, ultimately, continue to deliver care.

David Bittner: When you look at the data that you've gathered in this report, what is the trend that you're tracking here? Are things getting better? Is it getting worse? Are we staying the same? What does it look like?

Dan Dodson: Yeah, the data is showing us that the attacks are intensifying and the success of those attacks is increasing. And so although there are areas where we've made progress, there's still a lot of work that has to be done to be able to turn the tides and lower the number of incidences that are reported. But right now it's on the upswing.

David Bittner: You know, a hot topic for a lot of folks these days has been artificial intelligence and tools like ChatGPT. Is that having an effect on the healthcare vertical, specifically?

Dan Dodson: Yeah, I think it is, Dave, in a couple of different ways, and we talked about this in the midyear report. We also have some experts that are weighing in, former FBI as well as other experts. But I think the resounding theme would be that, you know, generative AI is here to stay and there's a lot of opportunity for success in an implementation of that type of technology. But we need policies and we need process and we need to really understand the use case and how we're going to be feeding data into these models so that we can make sure that the results of it are not only secure but also accurate.

Dan Dodson: And so I do think that that type of technology is here to stay. You know, we're seeing lots of health systems begin to use this type of technology and experiment on how it can help with identifying, you know, clinical needs within the health system and looking at data. We just need to make sure that we're doing it responsibly.

David Bittner: And one of the things that the report touches on is the legislative process. Where do we stand there in terms of a regulatory regime?

Dan Dodson: Yeah, the regulation around cybersecurity and healthcare I don't think has ever had as much momentum as it does now. I mean, this really dates back to last fall when Senator Warner came out with the position around cybersecurity really being a patient safety issue.

Dan Dodson: And so where we stand today is there's a number of bills proposed and working through the legislation. But I think the takeaway is that we're moving towards either very strong guidance around cybersecurity in healthcare or potentially a minimal standard. Which will basically require healthcare organizations to have a specific set of cyber capabilities within their environment. We should expect those to work through the legislative process in the second half of '23 into '24.

Dan Dodson: And then the second part, which I think is equally as important, is there's a lot of conversations around coupling that guidance or minimal standard with some type of funding mechanism. Right? As an industry healthcare spends significantly less than other industries on cybersecurity. Primarily, because the funds within the healthcare environment are competing against clinical priorities as well.

Dan Dodson: And so there's a consensus that there needs to be some level of funding very similar to what came out with HITECH around the digitization of EHRs back in kind of the 2000 -- mid-2000s. And I think we're going to see some funding and some regulations coming down the pipe.

David Bittner: Where do we stand with HIPAA? I mean, is there a consensus that it's not up to the task, the modern needs?

Dan Dodson: I think to some degree, Dave, it does a job, thinking about protecting patients and their information. That said, I think now that healthcare is largely digitized, we need to expand HIPAA to make sure that we're either directly or indirectly -- most likely with additional legislation, not necessarily a direct expansion of HIPAA -- but we need to take it a step further to safeguard care in these communities, right?

Dan Dodson: I mean, we're seeing healthcare organizations be down for multiple weeks and months. And, quite frankly, you know, as one of the most powerful nations in the world, we can't afford to not be able to deliver care in our communities because of a cyber event. So I think that there needs to be additional legislation around there to create this type of guidance and standard so that we can reduce the impacts of these attacks.

David Bittner: You bring up a really good point. And as you and I are recording this today, there's a healthcare system, I believe, in California that is down. And that leads to patients being redirected to other facilities which, you know, you can have delay of care. And so we really are talking about potentially putting lives at risk here.

Dan Dodson: Absolutely. You know, I think, you know, four or five years ago there was a lot of focus around making sure that we had, like, confidentiality and privacy covered. That is certainly important.

Dan Dodson: But I think it goes to the next level when we're disrupting care in these communities. I mean, healthcare exists to protect patients, care for them. And when they can't do that because they're very reliant on technology today to deliver care, you know, these types of successful attacks are just devastating to care in these communities and will no doubt lead to adverse effects on the care continuum for patients in those communities.

David Bittner: Well, based on the information that you all have gathered here, what are your recommendations? You know, for the cybersecurity professionals who are charged with protecting folks in the healthcare systems, what sort of things should they be doing? How should they be setting their priorities here?

Dan Dodson: Yeah, I think it starts with a robust risk assessment, Dave, to identify where there are opportunities for improvement. From there, I think it's a prioritization around how do we deploy the limited capital we have for cyber to reduce the most amount of risk. Right?

Dan Dodson: And so there's this balance between making sure that we are prioritizing not only on the basis of risk but also where we can impact that risk. And so as we walk clients and health systems through that journey, we identify where we can reduce the most amount of risk.

Dan Dodson: And then kind of second and part and parcel to that is lots of these healthcare organizations have cybersecurity tools implemented in their environments but they are not operationalized. They are not -- there's no people and process consideration around these technologies. And in order to really get the risk reduction that we're all hoping for and working towards, you really have to consider the operational elements of people and process in addition to technology. And that's where we often see organizations fall short.

David Bittner: That's Dan Dodson from Fortified Health Security.

David Bittner: And it is my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: Glad to be back.

David Bittner: So it is Black Hat week, of course.

Tim Starks: Mm-hmm.

David Bittner: And I saw in the 202 that you made note of some interesting things that the DOD announced at Black Hat this week. What's going on?

Tim Starks: Yeah. The first thing that they're - that they've announced, and it's the biggest - the biggest thing that they're - they're involved in. There's also a secondary thing that they're involved in, so a big week for DARPA, the Defense Advanced Research Projects Agency. Which, of course, is the fascinating high-tech shop of the DOD and credited with partially making the internet become a thing.

David Bittner: Right.

Tim Starks: Among other strange, sometimes diabolical inventions. In this case, what they've done is they're hosting a competition that they're calling the Artificial Cyber Challenge -- "Artificial Intelligence Cyber Challenge."

David Bittner: Okay.

Tim Starks: And the idea is that they're going to have a competition and invite folk to use AI to counter cyberattacks. Of course, we know that AI has been feared as a thing that will help cyberattacks. This is -- what they're trying to do here is they're trying to get people to harness its power for - for good.

Tim Starks: And they'll be having some prize money. They'll be having a competition that's going to last over a couple of years before it finally ends up with one big winner. And those companies, some of which will be small businesses, will be teaming up with all the big names in AI like OpenAI and Microsoft, Google. So it's - it's kind of an interesting competition.

Tim Starks: It's a little similar to something they did a few years back, but it's much more explicitly focused on AI and less on just generalized machine hacking. And has more of a -- prize money and has more of a focus with -- in terms of working with the companies that are already doing AI.

David Bittner: Yeah. You know, earlier this week I was talking with Rob Boyce from Accenture who is at Black Hat. And he was saying how - how impressed he was with the degree to which the government has a presence there this year. More than he'd ever seen before. I mean, I guess this program speaks to that.

Tim Starks: It does. And I feel like it's also kind of an upward swing since I've been covering cybersecurity and heading out to Black Hat DEF CON Week. Not there this week, but in past years it felt like there is just this steady upward arc of the government being at those events. And I think what you - what you -- the Accenture fellow said was true.

Tim Starks: And it's not -- the interesting thing is that's not even the only announcement this week at -- at Black Hat from the government. They're also doing something on open-source and memory-safe programming languages. So, yeah, and that - and that's actually a much bigger -- in terms of the amount of agencies involved, that's a bigger project where CISA is involved, where DARPA is, again, involved. The Office of Management and Budget. It's a - it's a wider project, if not a bigger one.

David Bittner: What are some of the details about that project?

Tim Starks: Yeah. So - so this is a request for information, which I always struggle to describe to readers, but it's essentially a public call for, hey, we're looking into this, give us your insights.

David Bittner: Hmm.

Tim Starks: And it's two - two - two topics. Open-source security, which, of course, has, you know, been an issue with Log4j and some of the other big issues we've seen from time to time on the vulnerabilities there.

Tim Starks: They're also looking at memory-safe programming languages, which is, you know, I think -- last I've done a check, some people thought that 65% of the bugs that we deal with these days are related to these languages that are a little antiquated and aren't as safe to use. So this is a thing that they're going to be asking for people to talk to them about in the public sector, private sector, up through October 9th, I believe, is the exact date.

David Bittner: Yeah. Shifting gears a little bit with you here, you know, we are, I guess, close enough now that we can say we're heading into the back-to-school part of the calendar.

Tim Starks: Yeah. Yeah. It's getting pretty close.

David Bittner: And as a father of a son who's heading back to high school, I just got the word that it's time to buy school supplies. And the White House had an event covering this with relation to cyberattacks and, actually, the First Lady attended.

Tim Starks: Yeah, there were a lot of people there at the White House for that event. The idea is they're trying to put focus on it and they're trying to get commitments from - from everyone to devote money or projects to this.

Tim Starks: Back to school is one of the worst times for cyberattacks, in fact. The idea of the hackers is to catch them off guard and to - to -- if you're looking at a time when things are disorganized, people aren't maybe -- new people are coming into jobs. Back to school is a big time for that, so a timely event for the White House to do that.

David Bittner: Yeah. In reading your coverage, and I believe it was your colleague David DiMolfetta --

Tim Starks: DiMolfetta. Mm-hmm.

David Bittner: -- who wrote the article about it. I was surprised, I guess, in that I'd never really thought about it, that school systems don't really have any reporting requirements, and that many of them choose to not report when they have a cyber incident.

Tim Starks: Yeah. That's something that could change very -- well, not very soon. There's the law that Congress passed last year to require reporting for critical infrastructure. And because, in a roundabout sort of way, schools are part of the government sector of critical infrastructure, they might be subject to this.

Tim Starks: But that's a regulation that's a little ways off in terms of when it will actually be finished. It's a regulation that has not been decided exactly what the parameters will be. Some of that was left up to CISA to decide. So they might be subject to that in a couple of years, but right now they aren't and there's no requirement.

Tim Starks: And a lot of -- you know, anybody who's a hacking victim in some cases doesn't want to report it. Maybe they - maybe they - maybe it would be better if they did, but there is an embarrassment factor, there's a risk factor in terms of legal that maybe they're worrying about. So maybe it's not right, but it is a fact of life sometimes that people who are victims don't report.

David Bittner: Yeah. All right. Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post. Tim, thanks so much for taking the time for us today.

Tim Starks: Thank you so much.

David Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.

Dave Bittner: Be sure to check out this weekend's Research Saturday and my conversation with Alex Delamotte from SentinelLabs. We're discussing their work Cloudy with a Chance of Credentials, AWS-Targeting Cred Stealer Expands to Azure and GCP. That's Research Saturday. Check it out.

Dave Bittner: We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector. As well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment - your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliott Peltzman. This show was written by our editorial staff. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.