The CyberWire Daily Podcast 11.21.23
Ep 1952 | 11.21.23

Threat actors with mixed motives: from the political to the financial.

Tré Hester: OpenAI's continuing turmoil. Crypto firm sustains API attack. Konni campaign phishes with a Russian document as bait. LockBit's third-party compromise of Canadian government personnel data. Ukraine removes senior security officials under suspicion of graft. Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector. And Idaho National Laboratory sustains data breach.

Tré Hester: I’m Tré Hester with your CyberWire intel briefing for Tuesday, November 21st, 2023.

OpenAI agonistes.

Tré Hester: Turmoil at OpenAI continues, as its workers threaten mass resignation if the board stays in place.

Tré Hester: Seven-hundred-thirty-eight of OpenAI's seven-hundred-seventy employees--about ninety-six percent, as close to all of them as makes no difference--have now signed a letter demanding the restoration of ousted CEO Sam Altman and his co-founder Greg Brockman and the resignation of the board that fired them. WIRED reports that the letter includes a threat to quit the company (possibly to join a new venture headed by Altman). OpenAI was founded with the mission "to ensure that artificial general intelligence benefits all of humanity,” and Friday's dismissal, couched as a response to what the board characterized as Altman's lack of candor, suggests that the board believed Altman's leadership had drifted from that mission.

Tré Hester: The organization's structure was probably unstable from the outset. It’s a not-for-profit research institution self-consciously animated by an idealistic humanitarian vision that simultaneously oversaw a "capped" for-profit company characterized by the aggressive and fast-moving optimism typical of Silicon Valley startups. The Atlantic has an account, based on discussions with insiders who spoke on condition of anonymity, that suggests OpenAI was riven by two rival futurist visions: one utopian, the other dystopian, but both in their own way representing an extreme picture of artificial intelligence's potentialities.

Tré Hester: Shortly after firing Altman, OpenAI's board approached rival Anthropic about a possible merger, an approach, the Information says, that Anthropic quickly declined. Subsequent reports indicated that a number of OpenAI customers were considering moving to competitors, including Anthropic, Microsoft, and Google.

Tré Hester: For now, and pending further developments, Microsoft looks like the winner. Redmond hired both Altman and Brockman to run a "new, advanced AI research team," and the former OpenAI leaders seem likely to attract much of the talent that may defect from their old company. As recently as yesterday afternoon, however, the Verge was reporting that Altman's return to OpenAI remained an open possibility, and according to Bloomberg, that would be agreeable to Microsoft as well. “Irrespective of where Sam is, he’s working with Microsoft,” Microsoft CEO Satya Nadella said.

Tré Hester: We note in full disclosure that Microsoft is a CyberWire partner.

Konni campaign phishes with a Russian document as bait.

Tré Hester: The operators behind the Konni RAT have been observed using a Russian-language document, "Western Assessments of the Progress of the Special Military Operation," as phishbait.

Tré Hester: Researchers at Fortinet report that the malicious Word document contains a dropper that installs a remote-access Trojan (RAT) that serves as both an information stealer and a remote code execution threat. The researchers conclude that the threat involves "an advanced toolset employed by a sophisticated threat actor within a Word document using batch scripts and DLL files. The payload incorporates a UAC bypass and encrypted communication with a C2 server, enabling the threat actor to execute privileged commands." Fortinet doesn't speculate about targeting, but circumstantially the intended victims would appear to be Russian.

Tré Hester: Fortinet also doesn't discuss attribution, but Malpedia connects Konni with APT37, a North Korean cyberespionage actor whose principal targets since the group's discovery in 2012 have been "South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East."

Tré Hester: MITRE's ATT&CK resource associates APT37 with InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, and Ricochet Chollima [co-LEE-muh]. As is usually the case with APTs, APT37's name is Legion.

Ukraine removes senior security officials under suspicion of graft.

Tré Hester: Two Ukrainian senior cybersecurity officials were removed from office yesterday, resigning as they faced criminal corruption charges. The two officials, familiar to the cybersecurity and defense sectors, are Yurii Shchyhol (YOUR-ee SHE-coal), head of the State Special Communications Service of Ukraine (SSSCIP) and Victor Zhora (Vik-tor JUR-ah), the SSSCIP's deputy head. They're suspected of establishing two shell companies to rig bids for software, the excess charges for which were skimmed off by the principals. 

Tré Hester: The amount alleged to have been stolen amounts to 62 million hryvni [h’REE-nee], or a bit more than $1.7 million US dollars. Both senior officials deny wrongdoing and say they look forward to vindication.

Tré Hester: The SSSCIP in a public statement said, "The SSSCIP keeps performing tasks vested in it. The Cabinet of Ministers of Ukraine has appointed Dmytro MAKOVSKYI as the acting Head of the State Service of Special Communications and Information Protection of Ukraine."

Tré Hester: Mr. Zhora worked closely with US officials and agencies, notably with CISA, the Cybersecurity and Infrastructure Security Agency. CISA, TechCrunch reports, had no comments on the dismissals beyond reaffirming the US commitment to continue cooperating with Ukraine in cyberspace.

Crypto firm sustains API attack.

Tré Hester: Taiwanese crypto trading firm Kronos Research has sustained a theft of approximately $26 million after an attacker gained unauthorized access to its API keys, reports. The company stated on Sunday, “[D]espite it being a sizable amount, Kronos remains in good standing. All losses will be covered internally, no partners will be affected.” Kronos halted its trading services on Saturday while it investigated the incident. 

LockBit's third-party compromise of Canadian government personnel data.

Tré Hester: The Treasury Board of Canada Secretariat has disclosed a third-party data breach in which contractors handling information of members of the Canadian Armed Forces, the Royal Canadian Mounted Police, and other Canadian government employees were compromised by LockBit.

Tré Hester: The two affected contractors were Brookfield Global Relocation Services (BGRS) and SIRVA Canada. BleepingComputer says the compromised information goes back to 1999. While Canadian authorities didn't offer an attribution of the attack to any particular group, LockBit, the privateering and profit-motivated Russian ransomware gang, has claimed the SIRVA compromise and is probably responsible for the breach at BGRS as well. 

Tré Hester: According to BleepingComputer, LockBit says it has 1.5TB of stolen documents, and that SIRVA declined to pay the ransom demanded. The gang woofed on its leak site, " says that all their information worth only $1m. We have over 1.5TB of documents leaked + 3 full backups of CRM for branches (eu, na and au)." 

Tré Hester: So, apparently, you’ve got to get up pretty early in the morning to lowball the privateering hoods at LockBit. Says LockBit.

Guest info

Tré Hester: Dave Bittner recently spoke with Akamai’s Advisory CISO and our Hash Table member Steve Winterfeld. They discussed emerging threats to financial services. Here’s Dave’s conversation with Steve. 

Data breach at Idaho National Laboratory.

Tré Hester: And, finally, the US Department of Energy is dealing with a data breach that compromised a large quantity of personal information belonging to personnel at the Idaho National Laboratory. CyberScoop reports that SiegedSec has claimed responsibility for the attack.

Tré Hester: The breach apparently affected the National Lab’s Oracle HCM system. SiegedSec claims to have obtained “hundreds of thousands of user, employee, and citizen data,” which include names, social security numbers, bank account information, and addresses. 

Tré Hester: SiegedSec hasn’t said why it hit the Lab, but it’s shown complicated motives in the past. It’s a sometimes politically but often financially motivated threat group that’s described itself as “more black hat than activist.” The breach remains under investigation; the story is developing.

Tré Hester: Coming up after the break, Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector. Stick around. Our own Dave Bittner sits down with Steve Winterfeld from Akamai to discuss emerging threats in the financial services sector.

Dave Bittner: So today we're talking about some of the threats that you all are tracking when it comes to financial services. You recently put out a report on this. Can we start off with just some high-level stuff here? Can you give us a little bit of the lay of the land kind of where we find ourselves when it comes to folks coming at financial services?

Steve Winterfeld: Sure. Yeah, this is our State of the Internet Report. We do these on both the financial sector, commerce sector, and then things like API security or DDoS, and so this one was focused on financial services. We actually had the FS-ISAC, the Financial Services Information Sharing and Analysis Center, kind of open this report up. They talked about some API security recommendations, some of the DDoS challenges because that continues to have significant impacts on different financial organizations, and then some of the stuff we see coming for resiliency. And then, again, we jump into our research here at Akamai. And, you know, it's -- it's based on our security capabilities. So, you know, we won't talk about things like endpoint security. We protect the edge, we protect segmentation, and so it's around things like that where we have visibility. The one that doesn't surprise me, of course, is APIs. Transformation is driving APIs rapidly. You know, it started with open banking in Europe. We have API here growing at 65%. Right behind that is the bot attacks; we've seen that increase over a trillion hits. That's grown at 69%. You know, still hitting that edge is DDoS attacks. Last year, you know, we were number -- financial services were number two, and DDoS this year back beating out gaming to number one in DDoS attacks. So really, the edge is under systematic and, you know, continuing in speed and scope and complexity attacks.

Dave Bittner: You know, I think it's fair to say that the folks in the financial services industry have a reputation for being well-prepared for these sorts of things. Is that your perception as well? Does that track with where we find ourselves?

Steve Winterfeld: It absolutely does. I mean, they have to be because the financial service is built around trust. You know, you and I both want access to our wealth -- well, I'll jokingly call what I have "wealth" -- and so, you know, we have to protect that trust. Now, the Fortune 5000 banks have a lot of resources; the local community banks don't. You know, we're getting attacks across that entire spectrum and, you know, we've seen this increase. You know, a while ago, we had regional changes. So it was -- the US was most attacked. Now Europe and the Middle East and Africa -- really, Europe is the most attacked, growing in Layer 3 and 4 in attacks because of the war in Europe. So we continue to see great preparation, but the adversary continues to come across that entire spectrum.

Dave Bittner: Where do you see us heading in terms of trends with the organizations? I'm thinking of the kinds of things that they're putting in place to protect themselves.

Steve Winterfeld: So it's interesting you say that because a lot of this is coming out of those transformation changes. So as you know, we've had webpages out there a long time. They're well-protected. But we're moving to, you know, different environments, different methodologies of development. DevSecOps. A lot of banks are very conservative. Some are moving into that now. Some haven't been in as long as other industries. And so, you know, containers, APIs, a lot of things that are newer and we don't have the same maturity of controls around that. So we're seeing, you know, shadow APIs, we're seeing API abuse. All those access controls if you look at the OWASP Top 10 for APIs. All of those are something that we see a lot of the banks focusing on. Continuing to see banks also focus -- and this is really not banks but a lot of my peers, a lot of the CSs I'm talking to. We're shifting from protecting the edge to minimizing that impact. Minimizing the dwell time. So ransomware -- we put out a report showing that they're actually focused on, you know, making money off of threatening to expose your data. And so more and more of us are saying how quickly can we detect somebody exfilling data? So that would be the other shift I've really seen a lot of.

Dave Bittner: One of the things that caught my eye in the report was the degree to which insurance companies are finding themselves a target. Any insights there?

Steve Winterfeld: So, you know, insurance and healthcare are both interesting sectors because there is a lot of fraud associated with both of those. This is the first year we broke out subverticals, and banking being the most attacked. Then there's kind of a mix of a bunch of smaller numbers, you know, fintech and trading and things, and then finally insurance. We see insurance -- you know, they're scraping insurance data of the members. They're trying to, you know, put in false claims. So it's a mix of trying to attack the customer and attack the company, but the fraud in both those is just really spiking.

Dave Bittner: Based on the information that you all have gathered here, what are your recommendations?

Steve Winterfeld: So I think, you know, it kind of follows the attack patterns we're seeing, you know? So there is -- there are still things that are very traditional. So the cyber hygiene, the blocking, and tackling the basic things are very important. But then we say -- you know, probably my most common conversation is around visibility. Situational awareness. You know, do you know the shadow APIs? Do you know when the next zero-day comes out? And we've seen -- you know, actually seen threats investing in buying zero-days -- threat actors. And so how quickly can you detect if you have that protocol or if you're using that vendor? Now, we've talked about the Software Bill of Materials. Now we have SBOMs for -- where do we have those protocols in our environment? So how quickly can we do those kinds of things to know where our threats are and have visibility? I mentioned earlier that abuse, people legitimately using your APIs in abusive ways to scrape customer data or try to aggregate a threat. And so how do you know what's going on there? DDoS, we've seen record numbers. You know, a quick review of DDoS attacking your webpage at Layer 7. New records being set there. Attacking your infrastructure, either taking away bandwidth or taking away the actual CPU cycles. We've seen, you know, a great number of new and innovative threats there. And last, going after your DNS. And so with these, have you looked at all of those DDoS attacks, and have you seen what the latest records are and are you about 10% over that? This is something that, you know, we need to get our playbooks out, we need to refresh them. We need to make sure that we're well-coordinating if you're using a third party, as most do for DDoS, and that we're not going to lose 20 minutes of downtime because we're not well coordinated. And then, you know, the last is managing attack surfaces. We talk about third-party scripts. Well, banking doesn't use, you know, JavaScript as much as a lot of, say, commerce or other industries. It still could be impactful, so are we looking at that kind of an environment? Are we looking at our financial aggregators and understanding what's going on in that environment? So are we expanding our scope?

Dave Bittner: Where do you suppose we stand in terms of compliance? What do you -- as you look toward the horizon, what are you seeing there?

Steve Winterfeld: Again, a lot of regional differences. We'll talk about kind of the basics. Europe is probably the number one driver, a lot of compliance coming out. So the first was around things like open banking. So that drove a lot of API security. The next was around privacy, GDPR, and other things, and so that drove quite a bit of, you know, change on how are we managing privacy? How are we doing that? We see PCI DCSS -- or DSS, I'm sorry, coming out with a new version that has requirements around things like your scripts, JavaScript, and stuff like that. I think the biggest one I see coming is actually resiliency. So we have DORA coming out of the EU, and this resilience act is really going to, I think, come into America the same way that privacy did. We're going to start to see a lot of states looking at what do we expect for resiliency. That's another place I would encourage everybody to start to prepare.

Tré Hester: That's Dave Bittner sitting down with Steve Winterfeld from Akamai. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.