Spearphishing from Luhansk. Pro-Assange hacktivism. Another undercover private eye? Pirated Game of Thrones episodes carry malware.
Spearfishing campaign against Ukraine has been traced to the so-called Luhansk People's Republic. Anonymous threatened to rain chaos on Yorkshire if Julian Assange is freed actually more chaos since the initial chaos was perhaps too easily overlooked and implausible venture capitalist is asking people if they're being paid to bad mouth, a security firm and pirated game of thrones episodes carry malware. And now a word from our sponsor extra hop the enterprise, cyber analytics company, delivering security from the inside out prevention based tools leave you blind to any threats inside your network by adding behavioral based network traffic analysis to your sock you can find and stop attackers before they make their move. Extra hop illuminates. The dark space with complete visibility at enterprise scale detects threats up to ninety five percent faster with machine learning and guided investigations that helped tier one analysts perform like seasoned threat, hunters, visit extra hop dot com slash cyber to learn why the sans institute calls extra hop fast. And amazingly thorough a product with which many sock teams could hit the ground running. That's extra hop dot com slash cyber. And we thank extra hop for sponsoring our show. From the cyber wires studios. Data tribe. I'm Dave bittner with your cyber wire summary for Wednesday April seventeenth twenty nineteen. Military officers in Ukraine are being Spearfish by a group seeking to install the rat vermin backdoor rat vermin is a second stage payload delivered by a power shell script FireEye which identified the campaign links to the Luhansk People's Republic. This is a region in eastern Ukraine controlled by Russia and represented by the occupiers as being a breakaway state. That's won its independence from Ukraine Kiev regards Luhansk as nothing more than an administrative fig-leaf for Russian occupation Kiev, probably has it. Right. The Washington Post seized the Luhansk operation as a troubling harbinger of small state and non-state actors deploying increasingly sophisticated cyber weapons in this. They're following fire is lead, the company's John Holt quiz told the post that quote, we're focused on the big players and for good reason. But we should bear in mind that if this small substate can put together a hacking capability. Than anyone can in quote, maybe but with hacking as has so often been the case with Connectik terrorism, while there are genuine instances of attackers operating quite independently of other support there are many more instances of attackers working deniability on behalf of a state. That's especially true with the more troublesome and damaging attacks buyer. I did say it found no evidence that the Luhansk group was being assisted by Russia. But here that old chestnut that absence of evidence isn't the same thing as evidence of absence should be kept in mind and to ask if the Luhansk People's Republic is receiving assistance from Russia is a little like wondering, whether Google receives assistance from alphabet in both cases are wholly owned subsidiaries. So alternatively this aspect of the campaign might be more realistically viewed as a Russian attempt to achieve plausible deniability and not as a small group breakout into the big time. Here's an example of what looks like small group activity contrasted with the sophistication of the rat. Vermin installation campaign supporters who wished to stand by Julian Assange are doing so by taking to Yorkshire councils websites down presumably the attacks on Barnsley and Bedale would prompt a groundswell of hacktivists pressure in favour of Mr Assange is release Barnsley council said it had indeed sustained a distributed denial of service attack, and that it had succeeded in restoring its website, the council also alerted the national cyber security center of the incident. The Bedale matters were little different. The Bedale town council said it was unaware that anything had happened to its site. So go figure any who needless to say someone has claimed responsibility for the incidence tweets from the Philippine cyber eagles. And the anonymous Espana both claimed credit and cyber ghost four. Four thought to be the founder of both groups if indeed these are group's in any meaningful sense offered. A menacing message, quote, free, Assange or chaos is coming for you, and quote, so there why Yorkshire was chosen as the beachhead for this particular activist invasion is unclear in the case of Bedale. Apparently, nothing happened at all unless of course, that particular corner of north Yorkshire is ordinarily so chaotic that any new chaos that came for you for them was just lost in the sauce. But it looks like another activist fizzle. And of course, Mr Assange remains in custody. But to return to the spearfishing campaign in Ukraine fire is Holt Quist makes a good point later in his interview with the post he noted that Russia's hybrid war in Ukraine has been kind of proving ground for attack tactics and techniques the post quotes halt Krista sane. It's created this consistent battle rhythm of activity that we'd never seen before then quote, Russian cyber operators have a record of perfecting their method against Ukraine, and then using them elsewhere, and that does seem beyond serious question. But as a sign of increased capability on the part of unrecognized micro-states and others with axes to grind will. Wait and see if sea land or the Republic of awesome, turn out the lights in north Yorkshire or change every high schoolers grades in Union County, New Jersey that would be a different matter. Moody's Investors Service recently published research, titled credit implications of cyber attacks will hinge on long-term business disruptions, and reputational impacts the report outlines which business sectors. They believe have high risk exposure to cyber attacks. Derek Fidel is managing director of global cyber risk for Moody's Investors Service. So we've view cyber risk as event risk. And so we recognize that there are now these global cyber events, which have real dollar value impact. If you look back to two thousand seventeen not Pattaya there's view that that was about ten billion dollars exposure across a number of different companies with about two and a half billion really focused on just four companies when you start to think about these kinds of very large financial impacts across individual companies. You can start to think about how that affects overall the quitting and other financial strength of those individual companies, and how that could eventually have an impact on credit. And so that's the way we're thinking about it as these financial exposures due to cyber events can have a channel credit at some point if they rise to a certain level and have we reached the point where there's enough history with these sorts of things that we can make accurate predictions. I think we're still in the early days of being able to use historical event data to make predictions. But that's obviously something that a number of different industries, including the insurance industry are very focused on the data set that exists for this is not quite as as long and rich as data sets, for example, on normal types of cat risk or, you know, other risks associated with for example, weather events. We do think that this data set is building over time, and it will get better over time. But they're still work to be done. For example. A lot of the data sets really focus in on breaches of privacy information because that's where a lot of the regulations exist and the the disclosure requirements around cyber. Prevents tend to focus today on breach of personal information. And that means that the data sets often are missing things like disruption events, or maybe there are disruption events that that occur. But they're not they're not attributed to cyber vents. And so in order for the data sets to improve the disclosure has to improve in it has to start to cover events beyond privacy breach events. No, the research covers some specific sectors that you'll see is having a high risk to cyber attacks. Who are we focusing on here? Yeah. So when we we did our now assists. What we came back with is that there are four sectors with about twelve trillion and rated debt that we thought were at a high risk and these included the banks securities firms, Mark it infrastructures, financial institutions and also included hospitals. And some of the reason for that. For example, in the financial services side is the fact that these. Organizations are so reliant on technology and supply chain transaction volumes are very very high. And so the ability to do things like revert to manual processes in those industries, very very limited hospitals, for example, have a lot of personal data. But more importantly, they're starting to become even more interconnected in terms of patient care, which obviously opens up a number of potential vulnerabilities that could affect patient care and impact patient health. I think one of the things that's important to point out here is we're really looking at the inherent risk across the thirty five sectors that we evaluated and we're not taking into account today individual defenses that an individual company might have. And that's important for us. Because what we're trying to do right now is really set a baseline across the playing field and come up with a relative ranking of inherent risks across sectors. That's Derek Vidal from Moody's Investors Service. The research is titled credit implications of cyber attacks will hinge on long-term business disruptions and reputational impacts. The we pro Hac may have targeted dozens of the company's clients, the company initially put a brave face on reports of the breach. Pooh-poohing the first reports from Krebs on security during its recent earnings calls, but it now acknowledges that yes. The attack did take place it's bringing in an unnamed forensic company to help with its investigation. Several media reports of sent that the incursion appears to be the work of a nation state. And that the targets were we pro clients, the IT outsourcing and consulting firm was it self more avenue of approach than target. This may represent a trend as intelligence services begin to take growing interest in managed service providers. The is reporting on another suspicious questioner one Lucas Lambert who said he was a venture capitalist and wished to talk with the think tank about a cyber conference. Mr. Lambert said his firm was organizing his questioner Chatham house. Russia's specialist cure Gyles was struck by the way conversation all turned quickly to whether anyone was being paid to bad mouth Kaspersky lab. A couple of other things struck him to for one Mr. Lambert claim to be based in Hong Kong, but seemed to be as unfamiliar with that city as say a manhattanite might be unfamiliar with Seacaucus for another thing. He kept asking Gyles to speak up and repeat himself to the point where Gyles thought he might ask whether he ought to speak into Mr Lamberts pen or necktie or briefcase or wherever else the microphone was secretive. And for yet another he thought Mr. Lambert suit looked to cheap to be one of the might wear Kaspersky lab didn't respond to the AP's question. About whether they had anything to do with the inquiry. The AP is reminded of a similar approach to the university of Toronto's citizen lab by one Michelle lamb bear back in February in that case, the microphone looked as if it were in measure, lamb, pairs pen measure lamb bear was interested in finding out. Why people were slandering controversial lawful. Intercept firm NSO an Esa said, then they've never heard of Missouri, lamb bear. So our Lambert and Lambert the same mug, or maybe related the general take is that they're the kind of PI who appeared as a second or third banana in Bogart movie, usually played by Elisha, cook junior and rarely successful at getting the girl or cracking. The case we hope there really are two of them. They'd be like Thomson and Thompson DuPont EUPOL in the original. We always liked those two detectives in the Tinton comics. And finally game of thrones fans when you watch watch properly and pay for your premium channel, it's giving you value, right? Pirated copies of the new episodes are out and about z scaler warns and many of them contain a subtitle file that contains malicious code specifically remote execution exploit. And if you download one of those spoiler alert winter is coming for sure. Time for a message from our sponsor, no before it can take a hacker to know. A hacker many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker. And no before chief hacking officer to uncover their most dangerous security flaws. You might ask, hey, where can I get the skinny on the latest threats, and where could I find out? What would Kevin do? Well at Nova force webinar that's where Kevin and Perry carpenter. No before chief evangelist and strategy officer give you an inside look into Kevin's mind in this on demand webinar, you'll learn more about the world of social engineering and penetration. Testing by listening to firsthand experiences and some disconcerting discoveries. You'll see exclusive demos of the latest attack. Ploys find out how they could affect you. And learn what you can do to stop them. Go to know before dot com slash hacker. To register for the webinar. That's K n. W B E numeral four dot com slash hacker. And we thank no before for sponsoring our show. And joining me once again is David before he's the vice president of engineering and cybersecurity at web route David it's great to have you back. You all recently released some survey results that tracked artificial intelligence and machine learning what did you find out here? MLA? I it's it's very close to me. We've been spending ten years plus doing machine learning at Weber. I'm so we have very strong opinions. And this survey just it. It's interesting to me where we talked to a lot of our customers or people in the industry and seventy six percent of the people. We surveyed said that it didn't matter if they're protection included a AI or machine learning. But then seventy percent said they wanted to see advertising that said used AI or machine learning. Wow. Yeah. I'm not exactly sure where the connection there is. And what what I think is, you know, go out to the MS shows and things like that. And I talked to folks I think the feeling is if. You're doing a in L than than your perceived as being technically advanced and and really forward thinking, but it doesn't necessarily have to be in the product by from you. That's fascinating. Because I I mean, certainly we've seen at like you say at the trade shows, it's all over everything would an interesting gap there. Well, it is in your exactly right. When you say, it is all over everything a lot of times people lose sight of the value that artificial intelligence and machine learning can bring in they're more interested in seeing that it's that it's available, and I think what we need to do as an industry, not as producer. But as a consumer understand, what value that the Mallory is gonna bring to you not just is it in there. Because a lot of folks see that they see the hype, and they just run with it where if you really understand the specifics where helping words not helping that's how you can really make a judgment if it's something valuable to the product you're buying what about the the sophistication of the two. Themselves are people. Are you finding that folks are comfortable using these tools well from from our perspective as a consumer of our solution shouldn't even know if it's a m L so you could be using it and have no idea that you're using any type of machine learning environment because it should protect it should automatically remediate. It should automatically do everything for you as much as possible. Now, there are tools that you have to be interactive with and those tools have varying levels of complexity and knowledge that you have to have. So it really depends on the tool, and what you're using it for sounds like, you know, your marketing folks, would probably like you to install a little red blinking light that lights up every time the machine learning. Artificial intelligence is being used right? Yes. And I hope none of them. Listen to this because you know, be having my engineers put a little blinking red light wondering why they're doing it. Absolutely, right. Yeah. What about? The other side of it. Are we seeing that the bad guys are making use of this stuff as well? You know, there's a huge belief that the bad guys are we're not seeing as much of it that correlates with the belief that they are machine learning is very sophisticated. There are non machine learning methodologies that you can use to attack machine learning models, take less sophistication less complex techniques. And there's as we said the whole tried and true items as well of types of security attacks that are more simple. So if you don't have machine learning on the machine protecting you those those methods are good as well, where am I going with all this? If you were a cyber criminal, you're going to use the stuff, you know, already path alise resistance now, there could be some cybercriminals out there, you know, large ego. They want to really use some advanced techniques, but those are very very few most people are just opportunistic. So again, we're not seeing a lot of it. But it is in existence and. I'm over time. It'll start growing. Yeah. That's interesting. You can have the most secure the most sophisticated security system in your home and somebody can still throw a brick through the window. This is exactly what I tell people that the cyber criminal wants to seal your TV isn't gonna hack your your your network infrastructure to kick in your front door and take your TV. Yeah. Yeah. All right. Well, it's interesting stuff. It is the web rude AIML survey, and you can find that on the web route website David before thanks for joining us being here. David. And that's the cyber wire links to all of today's stories. Check out our cyber wire daily news brief at the cyber wire dot com. Thanks to all of our sponsors for making the cyber wire possible, especially are supporting sponsor observe it. The leading insider threat management platform. Learn more at observant dot com. The cyber wire podcast is proudly produced in Maryland out of the startup studios of data tribe with their co building the next generation of cyber security teams. And technology are cyber wire editor is John Patrick social media editor Jennifer Ivan technical editor, Chris Russell our staff. Writer is Tim no, Dr executive editor Peter Kilby, and I'm Dave bittner. Thanks for listening.