Russo-Ukrainian tension and the future of open source software security.
the cyberwire logoJust Now

Cyberattacks of unclear (but probably Russian) origin hit Ukrainian websites. The FSB "liquidates" REvil. And the US moves toward an approach to open-source software security.

Russo-Ukrainian tension and the future of open source software security.

Russo-Ukrainian tension has moved US authorities to issue an alert on the threat of Russian cyber operations. That alert came as the continuing effort to address Log4j vulnerabilities has raised concern about open-source software security.

Cyberattacks deface Ukrainian government websites.

Reuters reports that a "massive" cyberattack hit Ukrainian government websites yesterday. Websites operated by the Ukrainian Cabinet and at least seven ministries were affected. Some of the defacements told their Ukrainian audience to "be afraid and expect the worst." The message, posted in Ukrainian, Russian, and Polish (all of which related Slavic languages are commonly spoken in Ukraine) read, in the Record's "rough translation":

"Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas."

The attacks seem to be simple defacements, an influence operation, and not the data-destruction and doxing the message claims. Note the implicit attempt to suggest that Poland and Ukraine have a historical dispute over Ukraine's western territories. The Moscow Times reports that Ukraine's SBU said that services had been restored to normal within hours of the attacks.

While it's impossible at this stage to rule out hacktivism or provocation by some third party, the Ukrainian Foreign Ministry points to the obvious suspect: Russian intelligence services: "It's too early to draw conclusions, but there is a long record of Russian (cyber) assaults against Ukraine in the past," a spokesman told Reuters. Russian officials haven't commented so far on yesterday's case, but they've denied involvement in other past incidents that have been widely attributed to Moscow's organs. Those include, in the AP's tally this morning, 2014 attacks on electoral systems, attacks on regional power grids in 2015 and 2016, and the NotPetya attack of 2017.

Cyberattacks have been generally expected as part of gray zone operations and battlespace preparation as tensions n the region rise. Dice offers a representative example of such expectations, and CyberScoop discusses a probable role for Belarus as a Russian ally and cat's paw in any such cyber operations.

Saryu Nayyar, CEO and Founder, Gurucul, wrote to offer some general reflections on what nation-state operations mean for organizations' presence in cyberspace:

"Nation state threat actors continue to take an active involvement in destabilizing infrastructure, governments, and businesses whether for profit or pure political objectives. Security can no longer continue to be an insurance policy. It must become a critical part of the infrastructure at every step. World governments must start funding and investing in cyber security training, educational programs, and awareness. In addition, without continuous evaluation and investment in next generation security technologies that optimize security operations, threat actor groups will continue to be able to disrupt governments and economies."

Diplomatic efforts so far seem to offer little progress...

Talks between the US and Russia and NATO and Russia have so far produce public signs of progress. The Baltic Times reports that Lithuanian President Gitanas Nauseda said, after a conversation on the talks with NATO Secretary General Jens Stoltenberg, that successful diplomacy would require reciprocity of kind that's not on evidence from the Russian side. Progress can “only take place on the basis of reciprocity and not in the language of demands and ultimatums, which is unacceptable.”

At yesterday's White House press conference addressing the talks US National Security Advisor Jake Sullivan said, "There are no dates set for any more talks. We have to consult with allies and partners first. We’re in communication with the Russians, and we’ll see what comes next." He also declined to comment on what he characterized as Russian "bluster" about deploying forces to Latin America, effectively calling tu quoque on the Monroe Doctrine.

...but there may be some conciliatory Russian gestures.

Bloomberg notes that there seems to have been a decline, a "tapering," of coverage of Ukraine by Russian state media: "There is now a renewed diplomatic flurry with talks between U.S. and Russian officials, again in Geneva, followed by other discussions including a NATO-Russia council meeting. Dialing back the heat in state media could be a move to see if such talks bear fruit." Bloomberg's report reads this sign with cautious optimism, since no such quiet period was observed during the run-up to Russia's 2014 invasion of Crimea.

More interesting is a raid Russia's FSB has conducted against the REvil ransomware gang. Russia's Interfax news agency reported this morning that the FSB has liquidated the gang in a series of arrests. "The FSB of Russia has established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documentation of illegal activities has been carried out," an official statement said. The FSB said it had conducted the raids (which netted not only fourteen arrests, but $600,000 and €500,000 in cash, as well as computers, "crypto wallets used to commit crimes," and twenty luxury cars, all of which are said to be ill-gotten) at the "appeal of competent US authorities."

Cooperation only goes so far, however. Interfax clarified in a follow-up that none of the Russian citizens arrested will be turned over to the US for prosecution, "The Basic Law of the Russian Federation prohibits the extradition of citizens of the Russian Federation to a foreign state," a source explained to Interfax.

The arrests are noteworthy in that Russian ransomware gangs have operated effectively as privateers, permitted to steal from selected foreign targets insofar as such theft served the interests of the state. But REvil has apparently lost its letter of marque and reprisal.

And the US works to develop an approach to open-source software security.

The White House offered a preliminary "readout" of this week's Open Source Software Security Summit, during which Government and industry officials met to discuss ways of shoring up the security of widely used open-source software. That discussion was prompted by December's revelation of vulnerabilities in the Apache Software Foundation's Log4j library, and it was given salience by this week's warnings from the US Intelligence Community that there was a risk of nation-state attacks exploiting issues with that and other open-source products. The White House said, in part:

"Participants had a substantive and constructive discussion on how to make a difference in the security of open source software, while effectively engaging with and supporting, the open source community. The discussion focused on three topics: Preventing security defects and vulnerabilities in code and open source packages, improving the process for finding defects and fixing them, and shortening the response time for distributing and implementing fixes. In the first category, participants discussed ideas to make it easier for developers to write secure code by integrating security features into development tools and securing the infrastructure used to build, warehouse and distribute code, like using techniques such as code signing and stronger digital identities. In the second category, participants discussed how to prioritize the most important open source projects and put in place sustainable mechanisms to maintain them. In the final category, participants discussed ways to accelerate and improve the use of Software Bills of Material, as required in the President’s Executive Order, to make it easier to know what is in the software we purchase and use. All participants – private sector and government – will continue discussions to support these initiatives in the coming weeks, which are open to all interested public and private stakeholders."  

Google, which was among the companies attending the summit, applauded the Government's initiative and called for further cooperation:

"We need a public-private partnership to identify a list of critical open source projects — with criticality determined based on the influence and importance of a project — to help prioritize and allocate resources for the most essential security assessments and improvements.

"Longer term, we need new ways of identifying software that might pose a systemic risk — based on how it will be integrated into critical projects — so that we can anticipate the level of security required and provide appropriate resourcing.

Red Hat also approved of the direction the summit set:

“The core tenets of the Cyber EO remain fundamental to improving the security posture of all software—both proprietary and open source, including assuring that vendors of all stripes maintain greater visibility into their software, take responsibility for its life cycle, and make security data publicly available.

“A key theme of the meeting was the recognition that open source software has accelerated the pace of technological innovation, provides tremendous societal and economic benefits, and can contribute greatly to enhancing trust and cybersecurity.

Many observers see work toward effective use of software bills of materials as among the most important initial goals of public-private cooperation. In an email, Liran Tancman, CEO and co-founder of Rezilion, wrote to explain what a software bill of material might achieve:

"The Log4j vulnerability is everywhere and actively being exploited by nation-state sponsored bad actors - but it takes too long for organizations to find it and mitigate it since it’s so deeply rooted in software. All organizations, particularly government agencies, need an immediate understanding of this issue to start to mitigate against this very serious threat. Almost all organizations have made either a partial or complete shift through digital transformation. As part of that, we are now living in a world where many applications are built using open source code. The appeal of open source is obvious: it is free and accessible. But it also poses risk.

"Since the executive order from the Biden administration, the government is increasingly seeking more transparency among software providers to disclose what they are using in code. Solar Winds was the initial trigger for a desire to understand this, but Log4j is another example of why code transparency is critical. Log4j shines a spotlight on the need to be able to track code through a Software Bill of Materials (SBOM). 

"The government wants more transparency on the software bill of materials. Through transparency, when a vulnerability like Log4J appears, they can more efficiently detect it and remediate it. But you cannot remediate what you can’t see - which is why they are pushing for an effective way for security leaders to be able to provide that transparency. It’s about visibility for quick fixes."