Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.

June 23, 2022

Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood's relationship with VPNs. Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/120

Selected reading.
  • [Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues)
  • [Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
  • Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)
  • Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)
  • The IT Army of Ukraine: Structure, Tasking, and Ecosystem (Center for Security Studies)
  • CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA)
  • Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)
  • Cloud Security Technical Reference Architecture (CISA)

Transcript

Looking to enhance your cyber awareness? Don't miss our second quarter Analyst Call of 2022 on Thursday, June 30th at 2 p.m. Eastern Standard Time. Join our team of experts for this live broadcast, where we'll discuss crucial cybersecurity events from the last 90 days. This quarter's call is hosted by me, Rick Howard, the CyberWire's chief security officer, and joined by two of our CyberWire Hash Table experts: Expel CSO Greg Notch and the global chief security officer of Expedia, Kurt John. This event is exclusively for CyberWire Pro subscribers, so now is the perfect time to subscribe. To learn more and to register, visit the CyberWire dot com slash analyst call. That's the CyberWire dot com slash analyst call.

This episode of the CyberWire is made possible in part by PlexTrac. The best pen testing begins and ends with PlexTrac. Boost efficiency and effectiveness during every phase and cut reporting time in half. PlexTrac helps consultants, service providers and enterprises centralize processes, build more consistent reports faster and deliver superior value. PlexTrac users report an average 20% time savings and 30% increase in efficiency. Learn how to spend more time hacking and less time reporting at www dot plextrac dot com slash thecyberwire.

Reviewing Russian cyber campaigns in the war against Ukraine and the complexity of Ukraine's IT Army. We've got advice and reactions to ICEFALL. Carole Theriault looks at Hollywood's relationship with VPNs. Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 23rd, 2022.

Microsoft yesterday published a long report titled Defending Ukraine: Early Lessons from the Cyber War, in which Redmond describes what it's observed so far. The result that's been most widely reported is a significant increase in Russian cyberespionage directed against countries regarded as either friendly to Ukraine or of dubious adherence to the Russian cause. In all, Microsoft tallies organizations in 42 countries as subjected to Russian cyberespionage. The target list was concentrated on government agencies, but it also included think tanks, humanitarian groups and critical infrastructure providers. The appearance of humanitarian groups seems particularly telling: by their enemies, as well as their works, shall ye know them.

We guess Microsoft is concerned to set the cyber phases of Russia's hybrid war into historical context. The company's chair and president, Brad Smith, writes in his blog post introducing the report: "While no one can predict how long this war will last, it's already apparent that it reflects a trend witnessed in other major conflicts over the past two centuries. Countries wage wars using the latest technology, and the wars themselves accelerate technological change. It's therefore important to continually assess the impact of the war on the development and use of technology. The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts: destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world." Smith argues that Russia's war against Ukraine should motivate governments, corporations and NGOs to develop effective alliances capable of responding to further aggression along Russian lines. He also warns that influence operations have played a significant part in Russia's cyber campaigns. And he cautions against letting the apparent ineffectuality of Russian cyberattacks against Ukraine, which fell far short of consensus expectations, lull anyone into a false sense of security.

The IT Army that Kyiv has summoned to its cause has generally received favorable press in the West, although its activities have tended to be dismissed as nuisance-level website defacements and distributed denial-of-service attacks. A study by the Zurich-based Center for Security Studies, titled The IT Army of Ukraine: Structure, Tasking, and Ecosystem, argues that the EU in particular has failed to take proper stock of the IT Army, and specifically of its implications for international norms. The group is far from being just some gaggle of hacktivist randos totaling about 1,000 hacker wannabes mucking around with electronic signs. The study sees the origins of the IT Army of Ukraine in years of consideration of lessons to be learned from the success of the Estonian Defence League's cyber unit and other efforts around the globe to organize, incorporate and surge civilian IT volunteers into existing military structures in times of need. Those efforts have generally been defensive in nature and grew in a relatively controlled and systematic way. Whatever thought Ukraine devoted to the problem in pre-war days, the IT Army itself seems a wartime improvisation, stood up in an ad hoc manner without a clearly structured and proven plan. It appears to have emerged as a surrogate for a Ukrainian military cyber command, the study argues, but for all that, it's been intelligently assembled and used with greater effect than has been generally appreciated. Born out of necessity, the IT Army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful. It differs in one significant respect from the earlier Estonian model: from the outset, the IT Army has been encouraged to conduct cyber offensive operations against Russian targets. It has two distinct aspects.

First, a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated Russian infrastructure targets. These are primarily civilian. Second, an in-house team, likely consisting of Ukrainian defense and intelligence personnel, that has been experimenting with and conducting ever more complex cyber operations against specific Russian targets. Both parts of the IT Army are purely offensive in nature and serve to bring willing amateurs and dedicated professionals into one, most likely hierarchical, organizational structure. It's also attracted significant support from private sector companies in IT and cybersecurity, both in Ukraine and abroad. The report concludes: the IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army's in-house team likely maintains deep links to, or largely consists of, the Ukrainian defense and intelligence services. The report warns that this kind of organization is unfamiliar, especially to NATO's European members, and that it represents a challenge to international norms of conduct in cyberspace. That final caution seems overstated. International law requires that armed conflict be waged by competent authority and by personnel who operate under that authority's control. The IT Army seems, by the study's own account, to do both. The laws of armed conflict, which are being gradually extended into cyberspace, also require that military operations be both discriminating, protective of civilians, and proportionate, not productive of excessive damage. There are no signs that the IT Army is guilty of either, although one might wonder about operations against civilian websites. That the IT Army represents an unfamiliar kind of organization seems nonetheless to be correct and to warrant further study.

CISA yesterday noted Forescout's report of the widespread industrial control system vulnerabilities the researchers call, collectively, ICEFALL, and CISA has advised attention to the Forescout report and the mitigation recommendations it contains. CISA also pointed out that five of its recent alerts address issues associated with ICEFALL, and its advisory quotes Forescout's primly censorious characterization of the vulnerabilities as representing "insecurity by design." SecurityWeek has a roundup of industry comments on ICEFALL. In general, the experts aren't surprised that vulnerabilities of this kind were found, and they're in agreement that ICEFALL is to be taken seriously and the available remediation applied.

This morning, the US Cybersecurity and Infrastructure Security Agency issued version 2.0 of its Cloud Security Technical Reference Architecture. The document singles out two efforts for particular attention: the familiar Federal Risk and Authorization Management Program, that's FedRAMP, in place since 2011, and a more recent program, the Cloud Smart initiative, which succeeded the Federal Cloud Computing Strategy, Cloud First. Cloud Smart emphasizes the three pillars of security, procurement and workforce. While the document is addressed primarily at the US federal agencies whose security CISA oversees, others will find its recommendations of interest, especially if they do business with the US government.

And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom: cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves, and once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. The folks at KnowBe4 have an on-demand webinar that will get you up to speed on ransomware. In this webinar, you'll find out why data backups, even offline backups, won't save you, why ransomware isn't your real problem, and how your end users can become your best last line of defense. Go to KnowBe4 dot com slash ransom to learn more about the webinar. That's K-N-O-W-B-E-4 dot com slash R-A-N-S-O-M. And we thank KnowBe4 for sponsoring our show.

VPNs are a common and established tool for those looking to secure their online activity. And like most tools, VPNs can be put to good use or bad. Carole Theriault joins us with details on the growing tension between VPN providers and the entertainment industry.

So VPNs, a controversial topic, it seems. I mean, VPNs generally claim to improve privacy by encrypting online activity and rerouting it through a company's servers, basically concealing the user's IP address. And typical reasons someone might want to employ a VPN could be to keep stuff private while surfing on a public wifi, to keep your stuff private from your own internet service provider or from other apps and services that you use, to better protect your sensitive work files, or to access any content, as a VPN can be a particularly useful workaround to content restrictions. And this last point continues to cause a furor down in Hollywood. A group of over two dozen film studios has repeatedly taken popular VPN providers to court, sometimes extracting judgments worth millions of dollars in damages. Indeed, according to Wired, filmmakers say they have clear-cut evidence that their customers are abusing the privacy and security provided by virtual private networks, but last month, court records show that some studios' legal teams have also accused VPN providers of enabling illegal activity beyond copyright infringement. And it seems that these studios might actually be challenging the notion that VPNs should exist at all. The gist of this argument seems to be in the blatant way that certain VPNs communicate with their audiences. For example, there are no-log VPNs, and no-log VPNs basically advertise that they keep no logs on any of your activity. So if someone shows up with a warrant asking to see said logs, they say, we don't have them. Now, it sounds like only criminals would use no-log VPNs, but indeed, there are a lot of security-conscious people out there who don't necessarily trust their VPNs with all their information of where they go and what they do on their computer.

So this may be a very good option for them. And back to the studio lawsuit: they seem to intimate that not only do some of these no-log VPNs refuse to prevent their services from being used to commit illegal acts, like streaming from a non-supported region or sharing user accounts, but there are also reports that some of these no-log VPNs openly boast in marketing campaigns that law enforcement is unable to extract any information about their users. I am sure there are people out there using VPNs and other jiggery-pokery to stream unavailable content or content that requires payment, and they're doing it for free, and no wonder the studios are feeling the heat. They too suffered through the pandemic.

And while it seems a large number of streaming providers, such as Amazon Prime and Netflix, did very well while we were stuck at home, they have recently hit a slump during the first quarter of this year. But for me, it's kind of hard to feel sorry for Hollywood studios in this last quarter. I mean, consider that folks have had to rethink their spending in order to cover inflation on basics like food, gas and bills. Many people need to save a few pennies by quitting a few of the streaming services they may have signed up to during the pandemic. After all, many of them have now been mandated to go back to work and are working full-time jobs. But what really bugs me is that the right to privacy is under threat from many, many different sides, and maybe Hollywood fat cats and their shareholders don't need to *** away at privacy just because their pockets aren't as overflowing as they were during the pandemic. And besides, Microsoft is apparently banking on its free built-in VPN to get you to use Microsoft Edge. I'm not sure I'd call Microsoft the scourge of the earth. This was Carole Theriault for the CyberWire.

And now a word from our sponsor, Devo. Devo, they understand the cyber threat landscape is rapidly expanding, and it's becoming increasingly difficult for organizations to protect themselves from sophisticated cyberattacks. That's why they pride themselves on being true allies, not just another vendor, and why their cloud-native logging and security analytics platform is built to not only transform security operations for today, but beyond. Devo is always looking to learn more about how they can continuously support and serve the cybersecurity community, and their CEO Marc van Zadelhoff's new podcast, Cyber CEOs Decoded, is part of that commitment. Marc hosts candid CEO-to-CEO conversations with leaders from cybersecurity companies big and small about delivering value to customers, creating enduring cultures and managing successes and failures in an ever-evolving technology landscape. Tune in monthly for fresh perspectives on what's top of mind for those working to protect us from some of the greatest cyber threats we face today. Devo: more data, more clarity, more confidence. And we thank Devo for sponsoring our show.

I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to have you back. I want to touch base with you today about everything going on with Pipedream, this ICS-focused malware that you and your colleagues have had a hand in the discovery of, but I think there's a lot to the story here. Where's a good place to start?

Yeah, just to give a background for folks, to say that when you look at industrial control system-focused attacks, most of what we worry about on a day-to-day basis is the abuse of native functionality. It's not about some malware, it's not about some vulnerability. Actually, vulnerabilities tend to be a very system-based view of the world. In the world of industrial, it's systems of systems and physics, so it's less about what can you do to one system, it's much more about, do you know how to operate a circuit breaker? Do you know how to operate a gas turbine? Do you know how to operate these different systems of systems that we have? And if so, you can abuse that functionality to do disruptive effects. But every now and then, you actually get ICS-focused malware, and they largely so far have come in kind of two flavors. One is access. BlackEnergy 2 is a great example of that. It had exploits for internet-facing human-machine interfaces, basically being able to get access to these industrial environments. In and of itself, it couldn't disrupt or destroy anything, but it could help you get access. But then you also have the disruptive and destructive type capabilities, right? We've had Stuxnet, we had CrashOverride and Industroyer, there's Industroyer2, Trisis. These ones are deployed to do something disruptive or destructive. And across all of those cases, and across all the time that we have, there's only been six publicly known ICS malware toolsets, and most of them are really victim-specific, really not going to use it somewhere else. The playbook that they've now shown, the tradecraft that they've shown, can be picked up by other people, but you're not just gonna drop-ship it into another environment. Trisis, as an example, worked against that petrochemical environment with that safety system. The things they exposed, anybody can now copy their playbook, but you're not gonna see Trisis in its current form deployed somewhere else. And that brings us to Pipedream.

So, Pipedream is, in my opinion... I hate this whole, like, who's the best, you know, what's the most sophisticated? I don't like that measuring contest crap.

It doesn't matter. But what we can candidly say is Pipedream is the most flexible of the ICS capabilities we've seen. So anything new, right, the seventh ICS malware framework, is gonna be big news anyways, but the fact that it can go against such a wide variety of industries and equipment makes it particularly dangerous. And what's probably most interesting to people around the world is we were able to get this information out to people and analyze it before the adversary employed it on its targets. Not saying they haven't deployed anywhere in the world, it's not like it's not out there somewhere, but it wasn't employed against their actual targets. And pause on that for a second. But in our view and our assessment, this was a capability designed to be disruptive, if not destructive, against a set of initial targets, and then capabilities beyond that. What I mean by that is this looks like they were going to deploy it against US-based energy assets, specifically in the liquid natural gas space, both electric and gas community. I mean, I honestly think that they were going to use this. And when you talk about attacks on US infrastructure in a reliable way, I mean, that's something. There's many people out there that were like, oh, we're not going to get attacked, we're not at war, blah blah blah.

And I was like, yeah, the adversary gets a vote in that, you know, and this was very, very bold and brazen. So we're fortunate we found it beforehand, but there's no fix to it. It's not like there's a vulnerability they're exploiting. It's not like there's something that you can just go patch and fix. They're doing all the things we've been warning about for years: using Modbus TCP, a very common ICS protocol, using OPC, a very common ICS protocol, exploiting CODESYS functionality, which is software in just hundreds of different controllers out there. So it's one of those capabilities that if I was building an ICS security program from scratch and you just modeled out this scenario and protected yourself against it, from protection, detection and response mechanisms, you would have a world-class program. Like, this is a very capable framework.

I think there's been a lot of attention to the fact that your team and some other teams, folks at Mandiant as well as your team at Dragos, were proactive on this, were able to, as you mentioned, you know, have the detection before it was deployed. You know, you went so far as to take the stage and kind of give these threat actors, you know, a bit of the riot act about their capabilities, and you drew some attention to that. I mean, there was attention on you because of that. Why take that approach? Is that putting a target on your own back?

Probably. And so look, I don't think anybody's above critique or reproach, and so I'm happy to have anybody try to critique me, many of my statements and actions. Why, I think you're alluding to my response on Twitter to my keynote. What I kind of pushed back on is there were people that weren't in my talk that were then tweeting at me about their opinions of what they perceived to be my stance. And so first, I was saying, hey guys, watch the video or watch the talk before you come at me. And number two, you know, and I don't mean this in any arrogant way, I don't mean this to be braggadocious, I don't mean this to be a jerk, but I have been on the offense for this country. I have been on the defense. I have built the ICS threat discovery mission for the government. I run the largest ICS security company in the world right now over at Dragos. I'm not saying I'm right, but I think I have experience enough to make the statements that I make, and for people like, Rob, it's bad that you're poking the adversary, guys, I've been there, done that.

You may not agree with me, but I'm precise with my words and I know what I'm saying. And so why did I say that? Right at the end of the talk, I put down the adversary. Why? To me, this community, and I love it to death, and there's plenty of reasons to do it, don't get me wrong, but this community builds up adversaries to almost hero worship, to, in fact, a side that, for me, feels disgusting. We're so happy to talk about, oh, this is the most sophisticated group, and oh, these people were amazing, did you look at this cool hack that they pulled off? Or let's memorialize them with statues at RSA for the various threat groups that they represent, and all this crap. And it's honestly kind of disgusting to me personally, because having been on that side of the world and having been in the intel community, I know for a fact many of the developers and operators of these campaigns just absolutely revel in that. It's a glorification. It's a, hey, did you see the latest report they were writing about our team? Look how great and wonderful we are, et cetera, et cetera, et cetera. So my intent was to kind of return a little bit of normalcy and say, you know what, as a member of the industrial community, out to the adversaries here, I just wanted to let you know, we don't think you're clever. We don't think you're cool. You're going after civilian targets and civilian people, and you should feel bad. You should be fired for your incompetent approach to this. And I think they ought to be reminded every now and then that they're not as important or as cool as people make them out to be. They're jerks trying to hurt people, and in any world, in any country, in any reality, I hope all of us can agree that civilians should be off limits.

All right, Robert M. Lee, thanks for joining us.

Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, Cybereason. Ransomware shouldn't feel inevitable. You should feel invincible. Cybereason is undefeated against ransomware, with the only predictive ransomware protection available. It's the ultimate defense against ransomware. Visit Cybereason dot com to learn more.

That's the CyberWire. For links to all of today's stories, check out our daily briefing at the CyberWire dot com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

We'll see you back here tomorrow.

And now a word from our sponsor, Cybereason. They're out there, and they're coming for you: ransomware attackers, sophisticated criminal armies bringing organizations to their knees and costing companies millions. But ransomware shouldn't feel inevitable. You should feel invincible. Cybereason is undefeated in the fight against ransomware, with the only predictive ransomware protection available, automatically stopping attacks before encryption and empowering security teams with full visibility. It's the ultimate protection against ransomware, an AI-powered defense that defeats ransomware at every stage of the attack, stopping today's threats and ready for tomorrow's. True cyber defense designed for true defenders. Because ransomware won't define this era, those who defeat it will. Visit Cybereason dot com to learn more. That's C-Y-B-E-R-E-A-S-O-N dot com. And we thank Cybereason for sponsoring our show.
