The CyberWire Daily Podcast 10.18.23
Ep 1929 | 10.18.23

Hacktivist discipline is inversely correlated with sincerity of commitment.

Transcript

Dave Bittner: Hamas and Israel exchange accusations in a hospital strike. Using Gazan cell data to develop intelligence, and using hostages' devices to spread fear. Black Basta ransomware is out and about, again. Qubitstrike is a newly discovered cryptojacking campaign. Preparing for post-quantum security. Tim Starks from the Washington Post looks at one US Senator’s ability to gum up cyber legislation. In the Learning Layer, N2K's Sam Meisenberg explores the challenges and best practices of rolling out a large-scale corporate re-skilling program. And attention people of Pompei: that volcano alert is bogus. Probably.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, October 18th, 2023.

Hamas and Israel exchange accusations over hospital strike.

Dave Bittner: We begin with tragic news that’s inevitably going to figure prominently in competing online influence campaigns.

Dave Bittner: A strike yesterday hit the Al-Ahli al-Arabi Hospital, an Anglican-run medical center in Gaza, and casualties were high. Hundreds died, with sources placing the death toll at between 200 and more than 500. Reuters summarizes the death toll, and notes that both sides in the war have accused the other of the atrocity. Hamas claims it was an Israeli airstrike; Israel says it was a failed rocket launch towards Israel by Palestinian Islamic Jihad.

Dave Bittner: As we’ve said, the horror will figure prominently in influence operations for some time -- the conflicting narratives are already well established -- and all would do well to wait for evidence rather than simply amplifying their existing sympathies and commitments.

Dave Bittner: Some such evidence may be breaking now. The Washington Post reported, a few minutes ago, that the US has said its own overhead imagery confirms that the destruction was not due to an Israeli airstrike, and that the US has been able to confirm that the blast was indeed due to an errant Islamic Jihad rocket.

Hacktivist auxiliaries' operations tend to resemble one another.

Dave Bittner: ComputerWeekly observes that pro-Hamas hacktivism has followed a pattern established during Russia's war against Ukraine, concentrating on website defacements. The piece also notes that during the war between Hamas and Israel hacktivism has been relatively one-sided, with very few cyberattacks against Palestinian sites. The attacks haven't for the most part risen above the level of a nuisance, and concentration on defacements seems more opportunistic than strategic, more a matter of capability than of imitation. A Cambridge University researcher who's studied the conduct of the war told ComputerWeekly, “Lots of people talk up the idea that hacktivists could make a big difference in combat. What we are seeing in both the Ukraine work and the work now in Hamas is that this is over-egged. You do see some civilian activism around war outbreaks but it's so low grade as to be of no security concern.”

Dave Bittner: There are some differences. The hacktivism on display in the Hamas-Israeli war is less disciplined, less susceptible to state control, than that observed in the hybrid war between Russia and Ukraine. Axios writes, "The war between Israel and Hamas is reminding governments just how difficult it is to control politically motivated hacking groups...Politically motivated hackers (also known as hacktivists) often target state-backed organizations and groups in an effort to complicate war efforts." Thus, while clearly politically aligned and committed, it’s more like true hacktivism than the directed auxiliaries working in Russia’s war.

Dave Bittner: Targeting is a complicated business, and freelancing makes it even more so. To take just one example, an attack that takes, say, a government service offline, might inadvertently interfere with collection efforts underway against that service. This is a classic lesson from electronic warfare. When you’re jamming enemy networks, the last people you want to jam are the chatterboxes who are yielding valuable information to your interception. It’s the same in cyberspace.

Using Gazan cell data to develop intelligence.

Dave Bittner: Israeli cyber operations seem to have been for the most part interested in collection as opposed to disruption.

Dave Bittner: The New York Times reports that Israeli services are using cellphone data to track the evacuation of north Gaza's inhabitants. The Israeli military gave the Times access to its tracking center with a view to showing the Times how the Israeli Defense Forces were using the data to avoid targeting areas that still held large numbers of civilians. Brigadier General Udi Ben Muha, who oversees monitoring, told the Times, “It’s not a 100 percent perfect system — but it gives you the information you need to make a decision.” The data are displayed, color-coded, on what amounts to a fire support coordination map. “The colors say what you can and can’t do,” Ben Muha said.

Using hostages' devices to spread fear.

Dave Bittner: Hamas has been using devices taken from hostages to take control of the hostages' social media accounts to "broadcast violent messages and wage psychological warfare," the New York Times reports. They're using the accounts to taunt hostages' families and friends, and to communicate violent threats. Hamas had earlier used social media to livestream its attacks, something Hamas has regarded as inspirational.

Black Basta ransomware is out and about, again.

Dave Bittner: Black Basta ransomware has surfaced in some recent attacks against high-profile targets. The gang, generally believed to be affiliated with the FIN7 criminal group, claimed over the weekend to have successfully compromised Ampersand, a large seller of television advertising. Ampersand is owned by the US T.V. service providers Comcast Corporation, Charter Communications, and Cox Communications.

Dave Bittner: The Record quotes Ampersand as saying that it’s dealing with the incident. The company said, “Ampersand recently experienced a ransomware incident that briefly interrupted regular operations. We have restored a majority of normal business operations and are working with third-party advisors and law enforcement to address this issue.”

Dave Bittner: It’s unclear what data were taken, but Ampersand provides viewership data to advertisers from roughly 85 million households.

Dave Bittner: The Record has also reported that Chile’s government said it had successfully deflected a Black Basta attempt against some of its networks, notably those belonging to the customs service. Chile’s Computer Security Incident Response Team (CSIRT) warned government agencies in particular to be on the alert, and to pay particular attention to their backups.

New cryptojacking campaign discovered: Qubitstrike.

Dave Bittner: Cado Security is tracking a cryptojacking campaign that’s targeting exposed Jupyter Notebooks using a strain of malware called “Qubitstrike.” The malware installs the XMRig miner, and searches for credential files for AWS and Google Cloud accounts: “One of the most notable aspects of Qubitstrike is the malware’s ability to hunt for credential files on the target host and exfiltrate these back to the attacker via the Telegram Bot API. Notably, the malware specifically searches for AWS and Google Cloud credential files, suggesting targeting of these Cloud Service Providers (CSPs) by the operators.”

Dave Bittner: The researchers add, “The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as Github. This is the first time Cado researchers have encountered this platform in an active malware campaign. It’s possible that Codeberg’s up-and-coming status makes it attractive as a hosting service for malware developers.”

Preparing for post-quantum security.

Dave Bittner: Digicert has published a study conducted by Ponemon looking at security threats posed by quantum computing. The survey notes that readiness for post quantum computing (PQC) “is hard to achieve because of a lack of time, money, skilled personnel, and no clear ownership.” 

Dave Bittner: The survey also found that most organizations already struggle to manage cryptographic keys: “Only slightly more than half of respondents (52 percent) say their organizations are taking an inventory of the types of cryptographic keys and their characteristics. This is followed by 44 percent of respondents saying they are taking steps to understand data retention requirements. Only 39 percent of respondents are determining if data and cryptographic assets are located on-premises or in the cloud.”

Attention Pompei: that eruption alert is bogus.

Dave Bittner: And, finally, the Trojanized RedAlert missile warning app we’ve spoken about isn't the only emergency service to be spoofed to install spyware. Italy's disaster warning system IT-Alert, used to warn of natural disasters like floods, volcanic eruptions, and wildfires, has also been hoaxed, and a fake version has been found distributing SpyNote malware. BleepingComputer credits researchers at D3Lab with the discovery. 

Dave Bittner: There’s no connection evident between the two incidents beyond the occasion an early warning system provides for luring people into acting against their own interest. So whether it’s rockets or volcanic bombs, who wouldn’t want some advance warning? And, of course, the bad actors know that fear can drive out reflective, skeptical caution. Especially online.

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post looks at one senator's ability to gum up cyber legislation. In the Learning Layer, N2K's Sam Meisenberg explores the challenges and best practices of rolling out large-scale corporate re-skilling programs. Stay with us. [ Music ] N2K's Sam Meisenberg is host of our Learning Layer segment. In today's edition, he speaks with Phil -- an N2K client who leads talent development at a large telecommunication company. They discuss the challenges and best practices of rolling out a large-scale corporate reskilling program, including increasing learner engagement, accountability, and the importance of internal talent development and recognition. Here's Sam.

Sam Meisenberg: All right, welcome back to another segment of Learning Layer. On this segment, we're going to be talking with Phil from a large telecommunications provider who is our client and partner, and he's in charge of a large corporate reskilling program. And we're going to pick his brain a little bit about what it takes to roll out learning at scale. So without further ado, let's get into the interview. [ Music ] Phil, welcome. Thanks for being on Learning Layer.

Phil: Hey, thanks so much, Sam. Pleasure to be here. I appreciate the time.

Sam Meisenberg: So, look, let's just get right into it. Can you tell us a little bit about what you do and about the sort of large corporate training program that you're in charge of?

Phil: Sure. So I work on a large-scale corporate reskilling program at, like you said, at a large telecommunications company. And what we do is provide reskilling in five specific high-tech sectors to assist in the talent gap but also in internal promotion and recognition amongst people that have tenure with the company already, or we may want to provide them the opportunity to redirect their talent or to further develop their career, all in the high-tech sectors. And speaking of which, we really cater to five main high-tech sectors: cloud computing, business intelligence, cybersecurity, data sciences, and software intelligence. We help them out in an intensive university-style program that lasts about nine months. And throughout that time, they get to pick up on the specific learnings and content and details from our fabulous premium learning vendors that we work with to be able to provide them with foundational learnings in a specific role in that high-tech skill.

Sam Meisenberg: So maybe we could actually spend some time diving into some of those roles. So, obviously, I think what's most relevant from us as a training vendor but also to our audience is that third pillar, the cybersecurity one. So maybe could you talk about some of the roles that are included in that sector?

Phil: Yeah. So we offer three roles right now in the cybersecurity sector in general. So there's what we call our application security tester, our network security integrators, and our SOC analysts. You know, once these learners go through the program and indeed become graduates, the goal of this reskilling program is to actually place them on a team within our company specific to their role of training studies that they've been doing. It's into an entry level management position on top of that. So for our non-management applicants and learners, it's actually coming with a promotion and potential salary review as well. So it really is a fantastic reskilling initiative specific to those high-tech roles that we offer.

Sam Meisenberg: Yeah. So I think what's interesting and a big sort of advantage of how you guys roll it out is one thing that we see all the time is it's hard to keep learners motivated. It's hard to make sure that they're focused, especially over nine months, right? That's a long time to be learning and working at the same time.

Phil: Oh, yeah.

Sam Meisenberg: So it sounds like that incentive at the end for potentially more pay and a different role and upskilling really helps people kind of stay focused. So what other ways when you roll out the training program do you make sure people are held accountable when they're going through the training program?

Phil: That's a great question. And before I talk about accountability, one thing that you touched upon there was that that engagement factor -- you know, keeping them motivated, keeping them in there. And, you know, there's a whole variety of ways. It's not just the carrot at the end of the stick that, you know, maybe you'll land in this great position with a promotion and some more money. There's also the fact of how you present the training itself. We need to find ways over this nine-month program to be able to really target specific areas of training that can be particularly intensive and detailed trainings but do so in a way that keeps them captivated and attentive in their learning. It's the modalities, right, of the content, how you roll it out.

Sam Meisenberg: So I remember when we were kind of thinking about how we could partner with you in rollout, and you had emphasized the importance of live online sessions. So can you talk just a little bit about that modality and why you think, especially with learning and training for adults, why that's so powerful?

Phil: You put it well there, powerful. Rather than just constantly providing recorded sessions or sandboxes and labs and things like that, we wanted to try and provide learners with a live online environment or opportunity where they can really talk to people and interact and have that face-to-face, even if it is still through a web camera. And, you know, that was something that the entire team at N2K was so fantastic at organizing and facilitating. And the writing on the virtual board and everything, it was really engaging.

Sam Meisenberg: Yeah. So, Phil, you've given so many great insights, you know, into corporate sort of large-scale training, but I'm curious about sort of a very targeted answer and question here. So say somebody is tomorrow about to start and I want to roll out like an enterprise-wide training program. They want to design it or roll it out. What is like one thing that you would want them to know?

Phil: I would say that a key thing to know in that kind of a scenario would be to really familiarize yourself with change management, okay. For something as epic as a corporate reskilling program -- you know, for the big companies to put their money where their mouths are -- because we've all heard of these fantastic programs from a variety of corporate entities and private entities, smaller ones, too. But unfortunately, it's not always met with the necessary support to have a really meaningful impact not only on the learner themselves, but where is the return on investment for the company itself as well. It's a ginormous leap of faith that the company is taking on the employees that are being put through the program. There is a value added behind each of these employees, but there is a cost tied to each of these employees as well. So change management is such an important tool to familiarize yourself with to set yourself up for success. Because you're winning over the hearts and minds not only of the company to propose this and to support it, not only with money and budget and timing and resources, but also on the leaders of the employees that are applying for this. Because the way that they can see it is, I'm losing my guy for nine months, my employee here, you know. And so helping those leaders realize the value added to the company as a whole but inevitably to their own team as well, because it's a cycle, we can also place graduates within their team to support their support of learners going into the program as well. It is so amazing to see the development and the landing of not only the learners into graduates, but also the teams that place them, they believe in giving people within the company as much of an opportunity as from hiring out. We have so many fantastic people that already have devoted their entire lives sometimes to working at this company, why not give them an opportunity? 
You know, the salary considerations that can sometimes come into play for some of the employees that apply and participate and are graduated, I mean, it's amazing, amazing. So it's such a positive success story to watch develop and blossom into such a great thing. I mean, just the karma that we get out of doing this is so much fun, you know.

Sam Meisenberg: All right, Phil, well, thank you so much for coming on to Learning Layer. It was great to have you, and we got a lot of really good insights about, you know, all the considerations and how to really roll out a large corporate reskilling program. Also, on the way out, I do want to say, for an organization like N2K that does talent development, it is great to have partners and clients like you who are interested and motivated and, you know, really buy in to the actual learner success and kind of believe in the mission of reskilling.

Phil: Hey, Sam, and, you know, thank you so much for the opportunity to talk about it. I could talk for ages about how amazing reskilling really is and the values regardless of the company that's out there that's doing it or the employee that's thinking about it. We couldn't do it without your fantastic support. It's great to work with like-minded individuals that realize the value and the importance of supporting these kind of programs and initiatives, not only for corporational entities and employees, but also for the industries themselves, advancing the development of high-tech trades and industry is beneficial to all of us and important for the country as a whole, you know. So let's keep it going. So thanks so much for working with us and helping us out with that.

Sam Meisenberg: Thank you for joining me today on Learning Layer. If you have any insights or challenges or questions about rolling out large at scale enterprise training, feel free to write into Learning Layer at learninglayer@n2k.com. Thank you, and I'll see you next time. Happy learning. [ Music ]

Dave Bittner: That's N2K's Sam Meisenberg with our Learning Layer. [ Music ] It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, welcome back.

Tim Starks: Yeah, been a little while. Good to talk again.

Dave Bittner: It's great to have you back. Really interesting work that you published today in the 202 about some goings-on in the Senate when it comes to cyber legislation. What are you covering here, Tim?

Tim Starks: Yeah, there's a little bit of not anything going on, but the reason it's not going on is an interesting reason. If you've followed Congress for the last few years, they've actually done a decent job of passing some significant cyber bills -- you know, creating the National Cyber Director Office, the incident reporting law. So they've had some real progress after not really doing a lot on cyber for most of the history of Congress. And now we have the development where Senator Rand Paul -- the Kentucky Republican -- is a ranking member on the Senate Homeland Security and Government Affairs Committee, which is where a lot of the cyber work has been being done. And he is very resistant this year, particularly, to cyber legislation. And the reason is largely because he's opposed to CISA, whom he alleges is censoring free speech. And if you've been following the courts on this, there's been a lawsuit from the three Republican attorneys general, state attorneys general. And it's going to the Supreme Court, in which CISA has been kind of in and out of that lawsuit, depending on the individual court ruling, whether they've actually done anything censorious -- is that a word?

Dave Bittner: It is now [laughing].

Tim Starks: But regardless of the debate about whether it has been doing any of that, that's the reason Senator Paul is holding up most of this legislation. And it ranges from everything like simple stuff from expanding cybersecurity awareness campaigns to protecting satellites from cyber-attacks and open source software security. So he's held up close to a dozen bills by my count. He's really kept up the work this year on the progress Congress has been making.

Dave Bittner: And the notion here is that there's a point of view that merely the fact that an organization like CISA -- who I would say is an organization of influence rather than regulatory authority, right? That merely through having conversations with private industry is somehow having undue influence on them. And from the point of view of the folks who are against this, censoring them.

Tim Starks: Yeah. It's interesting. When you're a reporter who's trying to be objective, you try to set aside your personal opinions and you try to look at the strength of the arguments. And on the scale of strength of arguments that any federal government agency is involved in anything like censorship, in the name of going to social media companies and either flagging or indirectly flagging that there's misinformation that they saw on things like the election or things like COVID-19. The fact that CISA is not a regulatory agency really makes it lower on the strength of argument. There's nobody who's literally going to these social media companies and saying, take this down or else. There's nobody saying that.

Dave Bittner: Right.

Tim Starks: But there is a sort of case law and sort of de facto, yeah, we're telling you you should take this down if they actually say you should. There's a should versus, hey, we're just flagging this. There's that kind of strength of argument. But if you're saying you should and you have regulatory power, you can see the argument there clearer than you can see it for CISA. Because CISA has virtually no regulatory power. So even if they're flagging stuff, they can't do anything to you if you don't take it down. And is CISA to be believed? They haven't done this; they haven't done any of this kind of flagging indirectly or directly since 2000. So the fact that this lawsuit sort of began last year and a lot of these bills were moving in the Senate without Senator Paul objecting to them, he's taken this as a cause this year in particular.

Dave Bittner: You know, my personal view is -- and I guess also to your point is that -- it just doesn't strike me as the kind of organization I see CISA being. They're not adversarial. You know, they're supportive. They're informational.

Tim Starks: And that's something you could say as a knock on them if you wanted to, right? You could say they're a little too polite, they're a little too genial toward the industries that they are interacting with. If you are someone who thinks that the federal government should have an adversarial role to some degree with the industries that they regulate or interact with, CISA is very much on the low end of that adversarialness. They openly say, we want to be partners. They very, very much are mild-mannered in that regard.

Dave Bittner: Right. But perhaps a recognition that that's the way forward, that, you know, there needs to be public-private partnerships to get done what needs to be done.

Tim Starks: You know, they say, hey, there are enough agencies that are doing regulation, we don't need to be doing that. We want people to want to interact with us and want to come to us and want to share information with us.

Dave Bittner: Yeah. It's a good read, and I highly recommend our listeners go ahead and check out in the Cybersecurity 202 today Tim's most recent work there. Tim, real quick before I let you go. Something struck me. I wanted to perhaps share a little behind-the-scenes insight. Something struck me this week about the situation in Israel with Hamas and how on the cyber realm it mirrors some of the things we saw with Ukraine and Russia, which is certainly when a conflict like this begins, there's an expectation that there's going to be a cyber aspect of it. And so far, like in Ukraine, that hasn't been a strong part of any of the conflict here. And that requires a certain amount of discipline on our part as the reporters to not day after day be reporting that nothing happened.

Tim Starks: [Laughing] Yeah, the dog that didn't bark, yeah.

Dave Bittner: Right.

Tim Starks: I mean, that's sort of the framing of today's story, right, that nothing happened. But it's a different kind of framing, right? You know, there is some low-level activity on cyber in Israel and Hamas and Palestine. You know, there's some hacktivism. There's some disinformation to cover. But you're right, it's not a major component of anything that's happening. It's a minor component of what's happening. And it could be tempting to jump on the news of the day and want to interject yourself as anyone who covers a subset of something.

Dave Bittner: Yeah.

Tim Starks: And cybersecurity's a subset of what's going on in Israel. So we have touched on it, we have dabbled in it, but we have not focused on it much, to be honest. And I think that's a cognizant thing we've been doing of, yeah, we want to write about the news of the day, but at the same time, there's not much news of the day on this.

Dave Bittner: Right, right. All right, well, Tim Starks is author of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for joining us. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]