The CyberWire Daily Podcast 11.20.23
Ep 1951 | 11.20.23

Fortunes of commerce in Silicon Valley; fortunes of war on the banks of the Dnipro.


Tre Hester: Leadership turmoil at OpenAI. Citrix Bleed vulnerability implicated in ransomware attacks. QakBot seems to have a successor. The FSB deploys LitterDrifter in cyberespionage against Ukraine. Russian security firm says China and North Korea are the source of most cyberattacks against Russia. Privateers and auxiliaries engage targets of opportunity. Ann Johnson from Afternoon Cyber Tea talks about leading edge cyber innovation with Nadav Zafrir. And alleged war crimes may include cyber operations conducted in support of other, conventional, kinetic war crimes.

Tre Hester: I’m Tré Hester with your CyberWire intel briefing for Monday, November 20th, 2023.

Leadership turmoil at OpenAI.

Tre Hester: OpenAI CEO Sam Altman was dismissed by the company’s board on Friday, with the board stating that Altman “was not consistently candid in his communications with the board, hindering its ability to exercise its responsibilities.” It was a failure to communicate, and not, according to an internal memo Axios saw, a case of malfeasance. The company’s co-founder and president Greg Brockman also quit in response to the move. OpenAI is the artificial intelligence research organization that developed ChatGPT.

Tre Hester: Ars Technica and others report that Microsoft, a significant investor in the not-for-profit AI firm (and therefore in its for-profit subsidiary, OpenAI Global LLC), was surprised and upset by Altman’s firing. Rumors circulated over the weekend that Altman and Brockman were planning to launch a new AI venture. An investor-led and employee-driven attempt to negotiate Altman’s return to the company failed yesterday.

Tre Hester: The final decision to move on from Altman hasn't ended the controversy, however. The Wall Street Journal reports this morning that more than five hundred OpenAI employees have signed a letter to the board demanding its resignation (and they say they'll quit if the present board stays in place). Among those having second thoughts about the leadership change is Chief Scientist Ilya Sutskever [EEL-yuh SUTS-kev-yer]. He’s also a board member who played a central role in Altman's firing. Sutskever tweeted this morning, "I deeply regret my participation in the board's actions. I never intended to harm OpenAI. I love everything we've built together and I will do everything I can to reunite the company."

Tre Hester: Late last night, Reuters reported that Altman had been hired by Microsoft. Microsoft’s CEO Satya Nadella said on X (formerly Twitter), “[W]e're extremely excited to share the news that Sam Altman and Greg Brockman, together with colleagues, will be joining Microsoft to lead a new advanced AI research team. We look forward to moving quickly to provide them with the resources needed for their success.”

Tre Hester: Meanwhile, after a brief interregnum in which CTO Mira Murati served in the role, OpenAI has appointed Emmett Shear, former head of Twitch, as interim CEO. Shear says he’ll open an investigation into Altman’s firing. 

Tre Hester: Microsoft’s Nadella tweeted, on X, “We remain committed to our partnership with OpenAI and have confidence in our product roadmap, our ability to continue to innovate with everything we announced at Microsoft Ignite, and in continuing to support our customers and partners. We look forward to getting to know Emmett Shear and OAI's new leadership team and working with them.”

Tre Hester: What are the cybersecurity angles of all this? Mainly they reside in current concern over the promise and menace of artificial intelligence with respect to information security, regulation, and influence operations.

Tre Hester: OpenAI and its ChatGPT product have for months been prominently discussed for their potential cybersecurity applications, both offensive and defensive. Trend Micro has a brief appreciation of the threats AI enables. AI has attracted widespread scrutiny with respect to the potential it represents for the large-scale creation and dissemination of disinformation.

Tre Hester: We note, in full disclosure, that Microsoft is a CyberWire partner. 

Citrix Bleed vulnerability implicated in ransomware attacks.

Tre Hester: Threat actors continue to exploit the Citrix Bleed vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway, SecurityWeek reports. Citrix issued patches for the flaw on October 10th, although it was exploited as a zero-day beforehand. TechCrunch says the vulnerability has been used in attacks against Boeing, the Industrial and Commercial Bank of China, DP World Logistics, and law firm Allen & Overy, all of which were hit by the LockBit ransomware. SecurityWeek notes that the flaw may have also been exploited in a MedusaLocker attack against Toyota Financial Services Europe & Africa last week.

QakBot seems to have a successor.

Tre Hester: Researchers at Cofense describe a large malware phishing operation that began distributing DarkGate in September and PikaBot in October. The researchers believe the campaign is a successor to the QakBot operation, which was shuttered by US law enforcement in August 2023: “The new campaign that is delivering DarkGate and PikaBot follows the same tactics that have been used in QakBot phishing campaigns. These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery. The malware families also follow suit to what we would expect QakBot affiliates to use.”

The FSB deploys LitterDrifter in cyberespionage against Ukraine.

Tre Hester: Gamaredon (also called Shuckworm, Actinium, and Primitive Bear) is the Russian threat group whose members Ukraine's SSU has identified as FSB agents working from occupied Crimea. It's had a long-standing interest in Ukrainian targets, and that remains its focus, but it's also begun to show up globally, in operations against the US, Vietnam, Chile, Poland, Germany, and Hong Kong. The threat group is deploying a new VBS-written worm, "LitterDrifter," which spreads through infected USB drives, establishes persistence in affected systems and communicates with a flexible command-and-control infrastructure. Most of the LitterDrifter infestations observed have been found in Ukrainian systems, and it seems likely that its appearance in other countries is a secondary effect of its worm functionality. As Check Point observes, worms can and do spread beyond their initial targets, and that may well be the case here. LitterDrifter isn't particularly advanced or sophisticated, but it's well constructed and effectively deployed. This is consistent with the FSB's record of deploying attacks that are good enough: the security service is interested in effects, not art.

Privateers and auxiliaries engage targets of opportunity.

Tre Hester: LockBit, the well-known ransomware gang that operates with Russian permission and effectively as a Russian privateer, claims to have compromised networks at Belgium's Sabena Engineering, a company involved in supplying F-16s to Ukraine's air force. The Telegraph reports that LockBit has threatened to release sensitive data taken in the attack if their ransom isn't paid by November 26th. Sabena says it's investigating the incident, and that it's confident that, whatever it finds, flight safety will be unaffected.

Tre Hester: Ukrainian hacktivist auxiliaries, which have tended to work closely with their country's intelligence services, have maintained pressure on Russian corporations. Urimuri quotes a representative of the Cyber.Anarchy.Squad who explains that their targeting principles are simple: they'll go after whatever targets of opportunity present themselves. “My colleagues and I work on the principle: ‘If something can be hacked, then it must be hacked.’ We believe in targeting everything that is accessible, especially if it is significant in defeating the enemy.” Many of the auxiliaries see their efforts as part of a larger effort to hobble the Russian war economy.

Russian security firm says China and North Korea are the source of most cyberattacks against Russia.

Tre Hester: Solar, a Russian cybersecurity firm wholly owned by Rostelecom, Russia's largest digital services provider, said at SOC Forum 2023 in Moscow last week that most of the cyberattacks hitting Russia originated from China and North Korea. The cyberattacks are not, as one might have expected, financially motivated crime from an imperfectly controlled underworld. The Record reports that Solar said the incidents represent cyberespionage, the work of advanced persistent threats seeking to collect data from the telecommunications and government services sectors.

Tre Hester: It's surprising to see China and North Korea identified as the principal current cyber threats to Russia. Moscow is assiduously courting Beijing's and Pyongyang's support for the war against Ukraine. Russian diplomacy has obtained tepid support from China, and much more enthusiastic approval (with the promise of large shipments of ammunition) from North Korea. Solar is not an immediate agency of the state, but it, like other Russian companies, exists at the sufferance of the central government. Russian enterprises can generally be expected to align themselves with the state's narratives.

Tre Hester: Solar's report contrasted sharply with the familiar government line enunciated at the conference by Pyotr Belov [PYO-tur BYELL-off], deputy head of Russia's National Coordination Center for Computer Incidents (NCCCI). Mr. Belov described the principal threat as emanating from the same Western countries who are supporting and supplying Ukraine. The intelligence services of those countries "are also actively involved in coordinating the activities of hackers” who "carry out continuous attacks on Russian information infrastructure." So as usual it’s those Anglo-Saxons again, Moscow says, and darn it, you can’t live with ‘em, and you can’t live without ‘em.


Tre Hester: Next we are joined by the host of Microsoft Security’s Afternoon Cyber Tea podcast, Ann Johnson, talking about leading edge cyber innovation with Team8’s Nadav Zafrir (NAH-dav ZAFF-rear). You can check out the full interview and Ann’s other discussions with leading cybersecurity experts every other Tuesday on your favorite podcast app. 

Alleged war crimes include cybercrimes.

Tre Hester: Finally, there may be some movement toward bringing cyber warfare into the framework of international criminal law. 

Tre Hester: Ukrainian investigators say, POLITICO reports, that they've collected evidence of about 109,000 Russian war crimes. Most of them by far fall into familiar categories of violations of the laws of armed conflict--mistreatment of prisoners and civilians, massacres of noncombatants, and so on--but some of them represent novel crimes allegedly committed in cyberspace. 

Tre Hester: The cybercrimes are largely connected with kinetic war crimes: cyber operations in support of other war crimes, especially attacks against prohibited targets. Thus if, say, intelligence developed through cyberoperations was developed for the purpose of targeting a hospital, or a school, or a funeral, such collection might itself be criminal. The law is still developing, but then again no one had been prosecuted for conspiring to wage aggressive war until the Nazis went on trial in Nuremberg in 1945.

Tre Hester: Coming up after the break, Ann Johnson from the "Afternoon Cyber Tea" podcast talks about leading-edge cyber innovation with Nadav Zafrir. Stick around.

Ann Johnson: Today I am joined by my good friend and colleague, Nadav Zafrir. Nadav is the co-founder of company-building venture firm Team8, and managing partner of the Team8 platform. Prior to founding Team8, Nadav served as Commander of Unit 8200, Israel's elite military technology unit, where he established the Israeli Defence Force's Cyber Command. Unit 8200 is recognized as the informal talent incubator for the nation's renowned tech industry. Welcome to "Afternoon Cyber Tea," Nadav.

Nadav Zafrir: Hey, Ann. Good to be with you. Thanks for having me.

Ann Johnson: I love the history. I've been reading a book called Ancient Tombs and Lost Lives or something like that from National Geographic which is talking about the history of civilizations that we have lost. And all of the things that we're learning about communication skills and tooling, etc., but the centuries that it took, right, to get to where we are today. And then do you think about just what's happened since the invention of the personal computer and the smartphone and how fast we're moving. And now you have AI. So it takes me to thinking about, like, my daughter's generation. What is the world going to look like when she's my age? How fast are we going to be moving? And, to your point, are the adversaries going to have the ability, because they're unconstrained and well-funded, to move faster than we're able to move, not just in cyber but in things like, you know, securing food supplies or predictability of climate change and orderly migration of civilizations? Right? This next fifty years is going to be really, really constructed by what we can do with things like generative AI. It's going to be interesting to watch.

Nadav Zafrir: Absolutely. And, you know, I think that the adversaries will have the upper hand in the short term. I think that in the mid to long term, I think this will, for the most part, be a very positive -- I'm talking from a cyber perspective now. You know? It's beyond me to go into other aspects of this. But, yeah, it's exciting and, yeah, I mean, it's just this acceleration. I think that -- if there's a silver lining when you think about long term. Right? So there's a race to powerful AI between different groups and companies, but also nation states. And it used to be a lot around compute power and strengths and the sophistication of the algorithms and the efficiency of your storage capability, etc. Your access to data, which totalitarian countries may have an advantage over because there's no privacy issues. However, I think that we've come to a point of acceleration and to a point of possibilities where one thing which is going to be in very high demand is imagination. And this is where I think the west and liberal democracies are -- actually have a big advantage. And I hope that will enable us to have the upper hand, both for liberal democracies versus totalitarianism, and also for -- on cyberdefense, eventually, because the moral fabric of this also makes a difference.

Ann Johnson: It absolutely does, and that brings us -- when you're talking about liberal democracies and you're talking about the world that we live in today, it brings us a little bit to regulation because, you know, we've embraced the thesis that there has to be regulation around responsible AI, privacy, data, etc., but regulation can also feel burdensome. Right? To CISOs and other technology leaders, and when governments are not as well informed and they're producing regulation that may not deal with the realities of today. So Team8 recently published this report on regulation. Can you tell our audience what some of the top findings were, and also what are some of the recommendations to make sure we do it right?

Nadav Zafrir: Yeah, for sure. I mean, so look -- I mean, I think the report on behalf of Team8 and The Village that basically commend the White House Office of the National Cyber Director on its approach to cybersecurity regulation and, you know -- and the request for information and cybersecurity regulatory -- I think the report underscores the significance, you know, of adopting something which is more holistic and agile. And, generally speaking, it gives sort of a substantial attention to the CISO community, their concern, and their role in enhancing cybersecurity and, to the best of my understanding on the report and -- that we put out -- and the fact that we able to talk to the people that are actually writing the regulation makes a difference. And, at the end of the day, we're looking to harmonize regulations among different regulatory bodies. You know, at least in the United States, we're looking to engage all stakeholders including technology providers that will shape this strategy. And more than anything else, we believe that they need to embrace an agile regulation.

Tre Hester: That's Nadav Zafrir speaking with Ann Johnson from the "Afternoon Cyber Tea" podcast. And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Tre Hester filling in for Dave Bittner. Thanks for listening. See you back here tomorrow.