The cyber phases of two wars show signs of intersecting. Developments in cyberespionage and cybercrime.

Dave Bittner: Disinformation and Hacktivism in the war between Hamas and Israel. KillNet and the IT Army of Ukraine say they'll follow ICRC guidelines. The current state of DPRK cyber operations. The Grayling cyberespionage group is active against Taiwan. A Magecart campaign abuses 404 pages. 23andMe suffers abreach. Voter records in Washington, DC, have been compromised. In our Solution Spotlight, Simone Petrella speaks with Raytheon’s Jon Check about supporting and shaping the next generation of the cyber workforce. Grady Summers from SailPoint outlines the importance of organizations managing and protecting access to critical data. And a look at CISOs willingness to pay ransom.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, October 10th, 2023.

Dave Bittner: Before we begin, a quick thanks to Tré Hester for manning the mic while I was away last week. I was a guest and keynote speaker at the CyberCon conference in Bismarck North Dakota. We’ll have insights from that conference in the coming days. 

Disinformation in the war between Hamas and Israel.

Dave Bittner: The war that intensified Saturday with major attacks into Israel by Hamas has been accompanied by extensive disinformation campaigns, some of them directed by authorities (for the most part Hamas and governments sympathetic to Hamas) but much of it also spontaneously posted, especially in X, the platform formerly known as Twitter, but in other platforms as well. TikTok (where, for example, footage from video games has been presented as video of Israeli airstrikes) and Telegram (where, for example, unverified and often false claims of successful cyberattacks have proliferated) have been prominent among those other platforms. 

Dave Bittner: But Twitter seems to have been particularly receptive to disinformation, in part because the sale of blue checks has eroded such filters that media outlets had once imperfectly but usefully provided: it's now more difficult to determine what reports originate from organizations that vet their reporting. X has also tended to promote inflammatory false information, amplifying it because such content generates engagement. And the platform's influencer culture gives careless influencers outsized clout with users.

Hacktivism and state action in Hamas's campaign against Israel.

Dave Bittner: By the Register's count, "At least 15 known cybercriminal, ransomware, and hacktivist groups, have announced their active participation in disruptive attacks targeting institutions in Israel and Palestine." International supporters of both parties to the conflict are also coming under cyberattack. Some of the groups have long been aligned with Hamas, others with Israel, and still others are ramping up operations against a long-term enemy whose support for Israel or Hamas serves as either pretext or provocation. 

Dave Bittner: While most of the activity has been familiar distributed denial-of-service (DDoS) or nuisance-level defacement, some of it has targeted, SecurityWeek reports, infrastructure (especially electrical power distribution) and military command-and-control (especially Israeli Iron Dome anti-rocket systems). It seems the attempts against infrastructure and C2 have so far had limited effect. 

Dave Bittner: According to HackRead one pro-Hamas group, AnonGhost, seems to have been able to exploit a vulnerability in the Israeli Red Alert civil defense app to transmit false warnings of missile strikes. That particular action has also been claimed by the Russian hacktivist auxiliary Anonymous Sudan.

Dave Bittner: US NSA cybersecurity director Rob Joyce commented yesterday that the cyber phases of the war have so far been largely confined to nuisance-level hacktivism. “But we’re not yet seeing real [nation] state malicious actors,” the Wall Street Journal quotes Joyce as saying. 

Dave Bittner: Israel has taken action against Hamas funding, seizing Hamas-linked Binance cryptocurrency accounts, Financial Magnates reports. Israel has also worked with British authorities to freeze at least one Barclays account linked to Hamas fundraising.

Russian hacktivist auxiliaries conduct DDoS attacks against Israeli sites.

Dave Bittner: Among the hacktivist groups who've rallied to support Hamas in its current attack against Israel are two familiar Russian auxiliaries, KillNet and, as we’ve seen, Anonymous Sudan. When the Israel government service site gov[dot]il was knocked offline over the weekend (it was back in operation Monday), KillNet claimed credit and counted coup. "Israeli government, you are responsible for this bloodshed. Back in 2022, you supported the terrorist regime in Ukraine," Cybernews quotes a KillNet Telegram post. "You betrayed Russia. Today, Killnet officially informs you of this! All government systems of Israel will be subject to our attacks!" 

KillNet and the IT Army of Ukraine say they'll follow ICRC guidelines.

Dave Bittner: The BBC reports that prominent and opposing hacktivist auxiliaries stated over the weekend that they intended to abide by the guidelines officials of the International Committee of the Red Cross (ICRC) recommended last week. Russia's KillNet and the IT Army of Ukraine both said that they intended to follow rules that would clarify the extension of international humanitarian law to activities in cyberspace. The guidelines aim principally at protecting civilians and civilian infrastructure from harm. How serious they are about this is unclear. 

The current state of DPRK cyber operations.

Dave Bittner: North Korea has recently been active against blockchain and decentralized finance ("DeFi") targets, it was reported at the end of last week. Mixin Network, which facilitates blockchains transactions, disclosed losses amounting to a bit less than $150 million in a late September attack. US deputy national security adviser for cyber and emerging technology Anne Neuberger told Bloomberg that the "tradecraft" looked like the DPRK's.

Dave Bittner: Mandiant this morning published its assessment of the current organization and conduct of North Korean offensive cyber operations. It sees an evolution in both complexity and cooperation as Pyongyang continues to run both espionage and financial crime. Attribution of operations to specific North Korean groups is increasingly "muddled" as those groups share tools and targets, and collaborate temporarily. Some of the groups are isolated from the central authority and are self-funding through financial crime even as they remain aligned with North Korean goals. The attack techniques are more adaptable than they've been in the past, and the days of regarding all North Korean activity as the work of the "Lazarus Group" are, Mandiant believes, now over.

Grayling cyberespionage group active against Taiwan.

Dave Bittner: The Symantec Threat Hunter Team, part of Broadcom, this morning described what it characterizes as a hitherto unknown advanced persistent threat (APT), "Grayling," which conducted cyberespionage against Taiwan between February and May of this year. It's operations are marked by a distinctive sideloading technique, and its targets have tended to be in the manufacturing, IT, and biomedical sectors. While Taiwan has been Grayling's principal area of interest, the group may also have prospected targets in the Pacific, in Vietnam, and in the United States. There's no attribution, but Symantec blandly points out that whoever's running the APT has a strategic interest in Taiwan.

Magecart campaign abuses 404 pages.

Dave Bittner: If you’re like the rest of us, you probably aren’t in the habit of close-reading 404 error pages. But they’re now worth a little attention.

Dave Bittner: Researchers at Akamai have discovered a Magecart web skimming campaign that’s been targeting Magento and WooCommerce websites for the past few weeks. The researchers note, “Magecart attacks typically begin by exploiting the vulnerabilities in the targeted websites or by infecting the third-party services that these websites are using. In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources. In some instances, the malicious code was inserted into the HTML pages; in other cases, it was concealed within one of the first-party scripts that was loaded as part of the website.” 

Dave Bittner: So do check your 404 error pages and make sure they haven’t been maliciously altered.

Breach reported at 23andMe.

Dave Bittner: A threat actor is selling data belonging to nearly one million customers of DNA testing company 23andMe, BleepingComputer reports. The threat actor is selling the information for $1,000 per one-hundred profiles, or $100,000 for one-hundred-thousand profiles. Dataconomy notes that the database is titled “Ashkenazi DNA Data of Celebrities.” 

Dave Bittner: The database is focused on individuals with Ashkenazi Jewish ancestry, and while it’s unclear that any of them are celebrities, the reference lends an unpleasant suggestion of anti-Semitic animus to the theft. 23andMe thinks the attack was carried out by credential stuffing: the attackers took credentials obtained in other breachers of other online services and used them to access accounts whose owners had "recycled" those credentials.

Voter records in Washington, DC, compromised.

Dave Bittner: CyberScoop reports that a threat actor breached Washington, DC’s local election authority and accessed 600,000 lines of voter data, which included the last four digits of voters’ social security numbers, driver’s license numbers, and home addresses. The threat actor is offering the data for sale on a criminal forum. The District of Columbia Board of Elections (DCBOE) said in a statement, “DCBOE continues to assess the full extent of the breach, identify vulnerabilities and take appropriate measures to secure voter data and systems. This remains an active investigation and DCBOE will release additional information as it becomes available.”

CISOs and their willingness to pay ransom.

Dave Bittner: Splunk has published a report looking at how Chief Information Security Officers (CISOs) are dealing with threats, finding that 96% of the surveyed CISOs said their organizations sustained a ransomware attack in the past year. 83% of these respondents said they paid the ransom: “The most significant number paid somewhere between $25,000 to $99,000 (44%), while more than half of respondents paid more than $100,000, a stunning 9% of respondents (or one in 11) paid $1 million or more.” The researchers add, “Of those who paid, 18% paid the ransom directly, 37% paid through cyber insurance and 28% paid through a third party.”

Patch Tuesday.

Dave Bittner: And, finally, today is Patch Tuesday. Companies are in the process of rolling out their fixes and mitigations, so keep your eyes open, and, as CISA, would say, “apply updates per vendor instructions.”

Dave Bittner: Coming up after the break, Simone Petrella speaks with Raytheon's Jon Check about supporting and shaping the next generation of the cyber workforce. Grady Summers from SailPoint outlines the importance of organizations managing and protecting access to critical data. Stay with us. [ Music ] Grady Summers is Executive Vice President of Product at SailPoint, a company that provides unified identity security. In this Sponsored Industry Voices segment, we discuss the importance of organizations managing and protecting access to critical data.

Grady Summers: The big picture is you'll see these studies, we've all seen them, that 80, 90% of enterprise data is unstructured, right? It's the stuff that's not in your snowflake or your databases. And we're talking about everything from Word documents and PowerPoint and Excel to, you know, comma-delimited files and IoT data, right? So it really runs the gamut. But the funny thing is if you look over the last 20 years -- I've been in this industry for a long time -- it's weird how like solutions kind of grow up to address problems and become little islands or points. What I mean is, you know, we have a robust industry around governing access to applications -- your SAP or your Oracle or your Zoom or your Slack. But then we use a totally different set of tools to look at the unstructured data. And, you know, from our perspective, it's crazy that you would do these on two completely separate islands that rarely if ever talk. Why wouldn't you think about access through the lens of identity for all of your data that matters to you as an enterprise? And that's where we find ourselves today.

Dave Bittner: And what is it that makes that data -- and I suppose specifically the unstructured data -- so challenging to deal with?

Grady Summers: It's the $64,000 question, so to speak, and why we've been working on this problem so hard at SailPoint. One, it can be tough to know what's in there. You know, if it's a customer marketing database, you know, it's got customer data in there. Second is it's tough to assign ownership. Again, you take that example of a customer database or an ERP or a CRM, you know that you've got a defined business leader who's responsible for that system and they can dictate the controls that are put in place and the types of access that you allow. And the third thing that makes it really hard is it's tough to know where unstructured data is. Whereas, you know, again, with a big ERP system, you know, okay, look, it's all right here within the boundaries of the system. So you take those three things, you know, it can be tough to classify. It can be hard to know exactly where it is because, by its very nature, unstructured data, anybody can create it. Anybody can share it. Anybody can change access to it and then it's tough to really know who owns it and who's responsible for it. And I think those three create this perfect storm where enterprises just don't know what their crown jewels are, they don't know where it is, they don't know who owns it, and they don't know who has access to it.

Dave Bittner: You know, earlier today, I was having a conversation with someone who's in the critical infrastructure space. And we were talking about the importance of taking an inventory of your assets, and, in this case, we were talking about, you know, physical assets -- machines, computers, and those sorts of things. Is it similar to what we're talking about here, that people need a window into their data itself so they can have visibility, know what they've got?

Grady Summers: Yeah, it absolutely starts with that. And, you know, it's funny, you mentioned talking to someone in an approach to physical assets, that remark. I know you've been in this space a long time too, Dave. It seems like, you know, history repeats itself and cybersecurity tends to repeat itself. And with all of these things, you know, whether you're trying to protect, you know, unstructured data or structured data or protect against, you know, malware or protect against breaches, it's like what do you have? What's your policy? And are you enforcing that policy? It like always comes down to those three. So, yeah. For unstructured data, you know, we have to make it easier for customers to assess what they have. And that's gotten so much harder now with, you know, your awesome filesharing and collaboration platforms like a OneDrive or Dropbox or Box. Because suddenly that data just can proliferate outside the bounds of your enterprise in a way it never could before. So you've got to make it easy to understood what you have, but I'd say that's the first step, you know, and then you've got to start saying: well, who has access? Who should have access to it? And what is it?

Dave Bittner: Can we go down that road map together here? I mean, for an organization who's looking to get started on this journey, where do they begin?

Grady Summers: Yeah. So, you know, what we really endeavor to do is to walk a customer through that journey with our SailPoint Identity Security platform. Let's start to point it so we can start to look at your data storage that you know about and we'll continue to kind of pull the thread on that and follow links and understand where do you have unstructured data in the enterprise. And so when I say most companies don't know where it is, you know, they generally, you know, look, it's on this file store, this NAS system, it's in OneDrive, it's in Dropbox, it's in G Suite. So you take, you know, a dozen or so starting points like that and you get pretty good coverage. And it's like I say, it's the first step. Because now we know, okay, what is our data, and then of course you would use -- to answer you -- like SailPoint's data access security to not only discover it but then classify it. So now you know where it is, now you know what you've got out there.

Dave Bittner: And when we're talking about classification, what does that entail?

Grady Summers: Yeah, so classification is looking at the data. As I'm sure you know, it's evolved so much from when I started to work with data classification technologies. We're now deploying artificial intelligence that kind of understand the entities that are in a document, how they relate to each other, and develop this kind of concept of how data relates to each other, or how individual entities relate to each other across different data storage, right, so it doesn't all have to be in one document. And, of course, we do things like, you know, old-school OCR to look at the images, right, so you'd make sure that all the images and the PDF documents all properly get classified. So it's kind of a long way. I'd say like the rest of SailPoint technologies, we deploy the latest machine learning to make sure that no stone is unturned and we really understand what's out there.

Dave Bittner: What is the other side of this journey like? I mean, once someone has this in place and it's running effectively, how does that affect the organization?

Grady Summers: Big picture, they go to the first step and we walk down the path that you and I just talked about. An organization should have, you know, a great inventory of what they have and the profiles or the access to that data should be locked down only to those who need it. So I think that's a point in which an organization can catch their breath. But as we look toward an optimize, how do we optimize at longer term, we're really excited be to taking some of the AI technology that we have built over the years to analyze access patterns and roles and entitlements for every kind of access and apply that to unstructured data. So what I mean is we can start to look and say, all right, you think you've cleaned everything up, we just found a really weird outlier, you know. Grady is the only person in his organization that has access to this particular data about MA, for example, so we can spot these unusual outliers. And I want to make sure we keep that stuff tight. And so we have some neat forensic capability where we can constantly monitor changes in access to unstructured documents. And we're the only ones that we're aware of that do it like this. So we can look at every little change and we can alert an end-user if something starts to fall out of bounds. So, hey, you had a pretty clean setup, but you just opened up this document to a completely different group or different role or to the public. You probably shouldn't given its classification. So it's a really neat way to keep things in control.

Dave Bittner: That's Grady Summers, executive vice president of product at SailPoint. [ Music ] In an ongoing series we call Solutions Spotlight, we look at some of the persistent workforce challenges facing folks in cybersecurity. In today's edition, N2K president Simone Petrella speaks with Raytheon's executive director of Cyber Protection Solutions, Jon Check, on his organization's efforts to shape and support the next generation.

Jon Check: Like everybody else, we were struggling to fill some cybersecurity roles. So we said, okay, Raytheon manufactures things, let's manufacture talent. That's a great idea, right? Everybody's talked about cyber training, but really put an extreme focus on it to ensure that we were getting people that are living the work every day on certain missions and then training people to be able to be effective on those missions. The way we're measuring that is really, okay, those people, when they join the teams, are they effective in their roles? And are we getting the customer satisfaction we'd expect for that person really contributing to the missions that we're supporting? And that's one of the key ways we focus on, from a customer facing metric, from a Raytheon, it's the, okay, we have reduced the amount of open positions we have, we are filling the roles that our customers are expecting us to. And that's a very tangible way to measure the success of we're filling the open positions, right? Versus looking for that perfect candidate that's never going to show up with all those skills we want. We're taking the initiative to train them. And it's a real investment biasxx 2108, typically, like I said, up to maybe 16 weeks.

Simone Petrella: Yeah. Well, do you have any background into what was the impetus or the kind of catalyzing event that kind of made Raytheon think about taking this kind of manufacture talent perspective? And I ask the question because I've been in this space for a while myself, and I'd say one of the biggest challenges we have is having organizations step up and say, how do we think about this strategically as a team as opposed to waiting for talent to kind of get created externally and then we bring them in. So was there a watershed moment that made, you know, the organization realize we need to really invest in this?

Jon Check: Well, I'd say it was during the pandemic is really I think what really changed the dynamic of how you're going to hire, who you're going to hire, and how you can really interact with potential teammates or talent that you want to bring on board, right? Before then, you could go to different events -- Black Hat, Devcon, whatever -- and meet with individuals and talk about what you do and people can do almost like a hiring event. That was all lost, right, during that time period. And it became very hard to uncover the people that really, you've got exciting roles for them potentially, but it's really hard to connect. So part of the tactx we took initially was really training internal folks -- people that are already on board -- to say, okay, this person already has these skills, they have the right clearances required for this type of work, let's get them into the training curriculum that will tailor, you know, be very specific to their needs and really ensure that they have those skills. So we really started more with our internal folks and then really migrated to more of a, okay, we're going to hire external candidates and train them up. Because with an internal person, you already understand where they are in their maturity of their talent level and the skills that they have. Wheras an external person, it's much harder to gauge that no matter how thorough or how much of a role-based assessment you do, it's very difficult when it's an external candidate.

Simone Petrella: Yeah. So how is Raytheon thinking about those team skills that are needed to execute on these job roles that are in demand not only internally but from your own customers?

Jon Check: Well, I mean, it ultimately comes down to the soft skills for us, right? Which typically, is somebody a continuous learner, right? Are they going to, that's what it requires? You can't be afraid to fail. You've got to be able, someobdy that's, okay, I'm going to try to learn a new skill. It's going to be difficult. I'm going to get frustrated. But I'm going to keep persevering. And really, you know, that perseverance trait helps, you know, in all aspects of cybersecurity. Because that's one of the things we do, is when you're going after -- there's a new threat that's emerged, doing the forensics to figure, okay, what's happening? How did this happen? Who's doing it? How do we stop it? What's the remediation? All those things come into somebody -- you have to have a lot of perseverance to get through that process. Because it can be very frustrating with a lot of maybe dead ends or long nights and other activities where it takes the right mindset as well. So really, we look for people that have those skills, somebody that's inquisitive, right, they always are asking why. Well, why does it work this way? What could we do differently? All the soft skills really lead to -- bedause what we found is, you have somebody that has those committed soft skills, they can learn any content that's brought to them typically. If they have the desire to do it, they're going to learn, be effective, and be a very effective teammate on whatever mission they are going towards.

Simone Petrella: Switching gears just slightly, knowing that Raytheon certainly has been doing quite a bit both in the public sector as well as the private. What are some of the ways that you think about how there can be better collaboration between the public and the private sector as we talk about how to solve this talent gap problem beyond what we're even seeing in individual organizations?

Jon Check: Well, the way I relate to the talent problem is, it has three key aspects with a lot of, you know, side spokes to it. So the first thing is, we've got to solve the quantity problem, got to remove artificial barriers of entry to people what want to join the cyber flight. And also, people that are even thinking about it, giving them the awareness that, hey, that sounds interesting and maybe I'd want to join in doing that. Two is we talked about it already. Once you have that, you've got to create the quality, right? You've got to build a quality workforce from the quantity you're bringing in. And the third is you've got to support them once they've reached that goal, which that gets to the aspects around, okay, the continuous training, tailored, role-based training that they will need, but also all those soft things of avoiding burnout, of ensuring people's voices are heard. When they see something, they provide a suggestion, people follow up on it and ensuring that the organization as a whole makes it a priority to do all those things. So it's easy to say there's a cybersecurity problem and we don't have enough people, but are people taking an active role? And that's what I'd like to think, that we are taking an active role, you know, participating in all the events that we can, right? Whether from a STEM perspective with NCCDC and US Cyber Games and other events, as well as having our own internal lab to train people, as well as trying to remove those barriers on our job postings and not say thou shall have, you know, X number of, you know, have a four-year degree with this type of coursework with this GPA with these certifications and all those things that are really a wish list. And really trying to say, if you have these skills and you're determined to do these types of things, we can train you. And that's really a real mind shift for us as well because, you know, Raytheon's a company of engineers and we take engineering very seriously, but we recognize we can't do it by the traditional pathways alone. We have to open that, that aperture and not have that artificial limiting of potential candidates that can join the workforce.

Simone Petrella: Jon, thank you so much for joining us today, and I appreciate the time.

Jon Check: Thanks, Simone. It's been great. I've loved this conversation.

Dave Bittner: That's Raytheon's Jon Check, speaking with our own Simone Petrella. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]