Today’s edition of the LookingGlass Cyber Monitor features the latest on foreign threats to upcoming US elections, the lack of impact from Killnet’s threats, Ukraine’s continued cyber resilience after years of defending against Russia, Taiwan at constant cyber war with China, the UN explores cybercrime treaties, the Uber CSO case raises legal and ethical questions about incident response, the global cyber workforce need for more bodies, the growing attack surface makes ASM mandatory, and how ransomware has evolved beyond ransomware.
Major Hacks & Campaigns
Ahead of the 2022 midterm elections, Google’s Threat Analysis Group (TAG) said it has not seen the same style of hacking from groups backed by the governments of China and Iran as during the 2020 election. However, they also said that outside groups remain focused on disinformation. During the 2020 campaign, Google went public with what it said were documented attempts by Chinese and Iranian hackers to compromise email accounts for Biden and Trump campaign staff. The efforts appeared to be unsuccessful but were part of what federal officials described then as ongoing attempts by foreign countries to interfere in domestic elections. Nevertheless, the Biden administration says it is tracking multiple threats to the nation’s election security infrastructure ahead of the midterms and it plans to issue warnings, including an internal intelligence bulletin this week. The bulletin is expected to detail cyber threats posed by Russia and China, as well as non-state actors, and potential physical threats to election officials across the country. Mandiant later this week published a blog on a new PRC-backed influence campaign it has dubbed DRAGONBRIDGE, which is working to influence the US midterm elections.
After a series of threats to carry out massive cyber attacks against US critical infrastructure, Killnet did not appear to make much of an impact. On October 4, Killnet posted threats on Telegram to carry out DDoS attacks against US government websites over a 72 hour time period. The group dubbed its operation “USA Offline” and posted an image of the statue of Liberty with a mushroom cloud behind it. For the next few days, Killnet conducted DDoS attacks against a series of US targets, including the National Geospatial Intelligence Agency, state government websites, military healthcare and benefit-related websites (like Tricare), airport websites, and JPMorgan Chase. While users of many of these sites lost access for a few hours, the attacks did not disrupt flights, or JPMorgan indicated that it did not experience any issues related to the DDoS. Killnet and other hacktivist groups continue to post hyperbolic rhetoric followed by actions with minor impact – despite the limited effectiveness of these operations for coercive purposes and the prevalence of DDoS prevention and mitigation technologies that limit their effects. And Killnet’s activities in the context of the Ukraine conflict offer additional support for cyber experts who are skeptical about the coercive utility of cyber operations on the battlefield and argue that it is more of an intelligence contest than a battlespace.
Analyst Comment: LookingGlass has been actively monitoring “hacktivist” activity of both pro-Russian and pro-Ukrainian groups since the early stages of Russian full-scale invasion of Ukraine. Most pro-Russian hacktivists utilize DDoS as their main attack method, which does not require a high level of technical skills from the attacker, but such attacks are visible and can have a psychological effect on the general population. KillNet, as well as other “hacktivist” collectives also tend to sensationalize their attacks, often providing inaccurate information about them. For example, when they claimed to have targeted the National Geospatial-Intelligence Agency, none of the domains they listed in their Telegram post to prove the success of their attack belonged to the agency. KillNet has also claimed to have targeted Lockheed Martin, an American security and aerospace company, on multiple occasions, but there is no evidence any of these attacks were successful.
On October 19th a Ukrainian official, Viktor Zhora (the Ukrainian Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection) said that after eight years of trying, Russia has yet to realize its strategic cyber war-fighting goals in Ukraine. Zhora made the comment during his speech at a conference last week where he also detailed how Ukraine has become resilient against Russia’s cyber tactics by, among other steps, preparing the workforce for cyber aggression and improving cooperation with partners. He reminded the audience that the cyber fight in Ukraine goes all the way back to 2014 when Russia invaded Crimea and Russian proxies seized parts of eastern Ukraine. That conflict led to a series of disruptive cyber events in Ukraine in 2017, which Zhora said gave the country impetus to start building more robust cybersecurity. While Ukraine observed a 10% increase in cyber attacks spanning over most of the past eight years, the volume of cyber assaults skyrocketed with Russia’s full-scale invasion in February. Those attacks targeted critical infrastructure to include the public and financial sector, media, telecommunications, and energy. However, Zhora said they have not impacted overall coordination of Ukraine’s efforts to defend against the invasion. Zhora also said public-private coordination was key to Ukraine’s success in countering cyber events.
Analyst Comment: While Russia started the full-scale invasion of Ukraine in February, 2022, for Ukraine this has been an ongoing conflict since early 2014, which has included both kinetic and cyber activity. One of the most notable examples of Russian cyber operations in Ukraine prior to 2022 was a devastating NotPetya ransomware attack, which took down power plants, financial institutions, subways systems, and a large container shipping company. Leading up to the full-scale invasion in 2022, Ukraine
hassuffered from devastating wiper attacks. Many researchers have pointed out that Russia has not been conducting as many cyber operations as they expected. Several factors may be contributing to it, including the resiliency that Ukraine has been able to develop since 2014, as well as cyber activity being overshadowed by kinetic attacks, many of which have affected Ukrainian civilian population and critical infrastructure.
Taiwan says the island country is already in a “constant cyber war” with China, mostly in the form of disinformation campaigns on social media. While significant attacks on critical infrastructure remain to be seen, Taiwan is already experiencing extensive disinformation campaigns from China. “They want to sway public opinions, demoralize the public, and make their eventual takeover that much easier, the same way the Russians tried to do in Ukraine,” said Kitsch Yen-Fan, assistant director for the Global China Hub at the Atlantic Council. A Taiwanese Parliament official, Wang Ting-Yu, said they are seeing 20 million cyber attacks per day. Taiwan was ranked as the biggest target for foreign disinformation in the world for the last nine years, according to a 2022 report by the Digital Society Project, a venture of the Swedish Institute Varieties of Democracy. Nevertheless, officials believe their cyber defenses are quite good. Wang said: “Taiwan is an IT island. We are good at high technology… We are under these kinds of attacks for a period of time. So, our capability to counter these kinds of activities – we are quite good at that.”
Analyst Comment: Taiwan’s government has improved cybersecurity measures against adversary attacks in recent years. The government has formed a cybersecurity agency inside the recently established Ministry of Digital Affairs. Although some specialists believe that Taiwan’s capability to counter cyber threats is relatively high, its ability to combat major cyber attacks has yet to be tested. Recent malicious cyber activities targeting Taiwan Defense Ministry, airports, and 7-11 convenience stores did not cause large-scale damage.
Additionally, LGC analysis suggests that Beijing-supported local media outlets in Taiwan could be employed to spread Beijing’s disinformation campaigns to lower the public’s trust in their government, suggesting possible foreign intervention in the local elections in November 2022 and the Presidential election in January 2024. It is crucial for Taiwan to strengthen its protection against cyber attacks and information campaigns in future cyber conflict.
The United Nations is engaged in a landmark effort to establish a new global cybercrime treaty. Such a treaty could have significant positive effects such as more favorable conditions for extradition of cyber criminals from countries currently unwilling to do so. It could also shrink the number of “friendly” jurisdictions where cyber criminals can act with relative impunity. However, some critics warn that if not carefully curated, this initiative could also serve as a vehicle for countries to criminally prosecute security researchers, technology companies, and others. And several proposals from various countries discussed during the summers’ UN Ad Hoc Committee’s Second Session, raise those very concerns among skeptics. While human rights concerns are the most prominent risk in some of the proposals, some also call for the criminalization of computer-enabled conduct without a requirement to show some kind of “intent.” When intent is removed from a criminal prohibition, it increases the likelihood that innocent individuals who inadvertently produce certain effects from their conduct will be subjected to the full weight of criminal prosecution and the threat of significant penalties, including the loss of their freedom. This puts security researchers at risk whose activities might implicate cybercrime laws where their conduct might constitute “interfering” with a system or circumventing security measures.
The verdict of an ex-CSO at Uber raises debate over cyber governance and transparency. The former chief security officer of Uber was convicted in a federal trial earlier this month after he was charged with covering up a ransomware attack while his firm was under investigation by the Federal Trade Commission for prior lapses in data protection. He paid the hackers in bitcoin and had them sign non-disclosures to keep the breach quiet. He was convicted of obstructing the federal investigation, as well as a rarely charged crime called misprision which involves known concealment of a crime. Many critics of the verdict raised questions about why an executive doing his job could be held criminally liable for negotiating a deal to protect his company’s reputation. While private sector companies and federal officials largely frown upon ransomware payments, officials said more than two-thirds of ransom attacks have never been reported to federal authorities. Cybersecurity experts from the law firm of Alston & Bird said the Uber conviction was the first major prosecution of a corporate executive for how they handled a cybersecurity incident. It also blurs the distinction between a “coverup” and a failure to report an incident. Another, less obvious, impact of this case to consider is the need to change how companies manage bug bounty programs. It is routine for companies to pay researchers or hackers who discover flaws in their software as long as the program is already established. The Uber CSO used the company’s bug bounty program to make the bitcoin payment to the ransomware actors. For federal regulators, the bottom line is they will continue to work with the private sector to combat malicious threat activity, but they will demand honesty and transparency, and will no longer tolerate deceptive behavior or abuse of customer data.
Trends & Research
The global cyber workforce needs millions of cyber professionals to fill critical security gaps according to a survey by the nonprofit organization ISC2. The study surveyed 11,779 cybersecurity professionals worldwide. The report estimates that there are 4.7M cyber professionals in the 2022 workforce which it says is the highest it’s ever recorded. Despite adding 464,000 workers in the past year, the report found the gap has grown more than twice as much as the workforce with a 26.2% YoY increase. A vast majority (70%) of cyber professionals surveyed also said their organizations do not have enough employees to mitigate potential cyber risks with the shortage “particularly severe in aerospace, government, education, insurance, and transportation.” Government cybersecurity professionals reported the lowest confidence (61%) of all surveyed sectors in their ability to adequately protect against cyber threats. And only 42% of surveyed government professionals were “confident in their ability to mitigate long-term risks based on their current staff and tools.” These concerns were exacerbated by growing workloads, with 53% of government cyber professionals reporting an increase in work, as a result of data breaches and other security threats. Despite these challenges, the report did find a positive outlook – roughly 75% of all respondents reported being satisfied with their jobs and 72% reported that they expect their staff to increase within the next 12 months. That is the highest predicted growth rate over the last three years compared to 53% in 2021 and 41% in 2020, the report noted.
Newly published research by ESG said the growing attack surface is extending the security/software developer gap, increasing vulnerabilities, and slowing security investigations. According to the report, just over half of all organizations (52%) say that security operations are more difficult today than they were two years ago. When asked why, 41% pointed to an evolving and dangerous threat landscape, 38% identified a growing and changing attack surface, 27% said that alert volume and complexity are driving this change, and 34% blamed growing use of public cloud and computing services. The growing attack surface appeared to be the biggest change in these concerns over the past few years, likely due to a combination of COVID, cloud migration, digital transformation, remote work, etc. ESG asked 376 security professionals what the biggest challenges were related to the growing attack surface. They said: 1) It requires a deeper relationship with developers, 2) Leads to a re-evaluation of current tools and processes, 3) Increases the volume of vulnerabilities and related patching cycles 4) Slows security investigations and response actions 5) Results in visibility gaps. These and other issues have increased attention on attack surface management at enterprise organizations. And the industry has responded in kind with a high pace of M&A activity: DarkTrace grabbed Cybersprint, IBM snapped up Randori, Mandiant acquired Intrigue, Microsoft got RiskIQ, Palo Alto Networks bought Expanse Networks, and Tenable purchased BitDiscovery. VC-backed startups like CyCognito, Cyberpion, and Upguard, as well as third-party risk management vendors like BitSight and Security Scorecard are also in the game. While five years ago few companies talked about attack surface management, it now appears to be an enterprise security requirement.
What the cybersecurity industry has historically referred to as “ransomware operators” is now more of a subset of a larger group of data extortion actors. Cyber criminals are evolving their approach to the business of extorting money from organizations. Ransomware actors have turned toward data theft instead of time-expensive encryption and the anatomy of modern extortion attacks involves operators taking different approaches to data destruction from full encryption to partial encryption to no encryption – and thus no ransomware – at all. Trends now indicate that full encryption of victim data is often too arduous and slow for many threat actors, and increases the risk of detection. Additionally, double and triple extortion are becoming standard in the ransomware scene. The ransomware without ransomware strategy is exemplified by two relatively recent threat groups: Karakurt and Lapsus$. Both leverage data extortion-only methods in their campaigns. Neither group deploys ransomware on compromised systems and instead they exfiltrate data which they use as leverage. Some ransomware operators are now implementing data destruction techniques that are more lightweight and time-efficient than data encryption. Through data corruption, operators are capable of driving urgency in their victims as well as escalating their ransom request.
Analyst Comment: LookingGlass observations confirm that many of these trends are current and first emerged in early to mid-2021. As ransomware gangs become more “professional”, and their operations start resembling legitimate businesses, they try to cut their costs and increase their profits, just like any legitimate company would do. To achieve these goals, they try new techniques, including intermittent encryption, file corruption, and data exfiltration and extortion to make their attacks faster and more efficient; as well as double and triple extortion by maintaining “blogs” where they publish victim data, conducting DDoS attacks and cold-calling victim employees to increase pressure on their victims.