ISMG Editors: Implications of the Russia-Ukraine Hybrid WarAlso: Former CISA Director’s Tough Message and Cryptocurrency Trends
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including how 51 different threat groups active in the Russia-Ukraine cyberwar are spilling over into dozens of other countries, the former CISA director’s somber message to vendors, the U.S. government and software developers at this year's Black Hat Conference, and how the cryptocurrency landscape is changing.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Cal Harrison, editorial director, ISMG; and Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- Highlights from an interview with Victor Zhora, the deputy head of Ukraine's State Service of Special Communications and Information Protection, who shares lessons learned from countering Russia's cyberattack strategies, plus how multiple threat groups are expanding attacks against other nations;
- How former CISA director Chris Krebs kicked off Black Hat Conference 2022 with a warning that things are going to get worse before they get better and called for vendors to abandon the “Band-Aid” approach to security;
- An analysis of cryptocurrency-based crime trends, as well as how regulators are responding.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 12 edition analyzing the Twilio breach and the Aug. 19 edition discussing how the plot thickens for crypto mixer Tornado Cash.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the weekly edition of the ISMG Editors' Panel. Here we discuss and debate the top cybercrime trends, news stories, features and interviews published on our sites. Editorial stars joining me this week are Mathew Schwartz, executive editor of DataBreachToday and Europe; Tony Morbin, executive news editor for the EU; and editorial director, Cal Harrison. Welcome all of you.
Mathew Schwartz: Anna, it's great to be here.
Cal Harrison: Yes. Good to see you.
Delaney: Matt, you conducted an excellent, insightful interview with the deputy head of Ukraine's cyber agency, Victor Zhora, who shared a wealth of information on lessons learned from the Russia-Ukraine hybrid war so far. We'd love to hear more about the conversation.
Schwartz: Yes, I recently had the good fortune to be speaking with Victor Zhora. He is the deputy head of the SSSCIP, which is Ukraine's government cyber defense agency. I was speaking with him about what he's been seeing. The war has been going for a while now since it began on February 24. Although, Ukraine was seeing online attacks. In the run up to that, there was wiper malware, in particular, which security experts think may have been inadvertently triggered in advance of the invasion. It targeted a bunch of government agencies. We've been rounding up what has been happening. Recently, I spoke with a non-governmental organization called CyberPeace Institute in Geneva, which tracks cyber incidents and their impact on civilian populations. It said there'd been a number of different groups involved. It had counted or seen experts attribute more than 300 attacks already so far in the conflict. One of the points it made is that this is hitting a lot of different countries. We think of this as being a war between Russia and Ukraine. It is, but there is a lot of fallout. I ran that by Victor Zhora. I said, are you seeing 300 attacks? He said, "No, we're seeing more in the order of 1,600 serious incidents as we go." I asked him, what is the most challenging or what's the most alarming of these things that you have to deal with? He highlighted wiper malware. He said that's had a huge impact. It's not just disrupting systems, but it's also disrupting, for example, the flow of refugees over borders. There's been a lot of chatter about cyber war not having happened so much in the Russia-Ukraine conflict. But what we're seeing from CyberPeace Institute, and directly from Zhora, is this isn't the case at all. They are very quick or careful to note that cyber doesn't stand alone. Russia is launching kinetic attacks. Sometimes they're preceded, perhaps by minutes by cyberattacks to try to disrupt the target. There's all sorts of blended attacks. It was Zhora's phrase that I caught on to. Not long after the war began, he called it the very first ever "hybrid conflict" in history. I think that's accurate about the kinetic and the cyber, but cyber is often a component of one of the other things. I asked Zhora, what kinds of attacks they were seeing. What sorts of resources were coming into play? Who's involved? Who is having an impact? Is it just the big, bad Russian aggressor? Or are other groups having an impact as well? Here's what he told me:
Victor Zhora: When we are talking about serious and well-planned operations that require a lot of human resources, and technically advanced tools, and financial resources, there will be organized and stealth mode in order to gain as much affect on our infrastructure as possible.
Schwartz: Zhora said, it's clear that there's multiple nation-state attack groups actively targeting Ukraine, but also having this spillover affecting other nations as well. One of the big challenges is nation-state groups, but there's also a number of other threat actors at play here. Cal, I just want to hand off, if I may. I know that you've been tracking this as well.
Harrison: Yes, absolutely, Matt. Unlike global oil prices, the number of threat actors in the conflict just keeps going up. According to the CyberPeace Institute, there are now 51 different threat actor groups involved in the conflict and 13 new ones, just in the past month. A lot of these are claiming to be hacktivist groups. I think when we look back on 2022, it'll be the year of the hactivists because they're rallying around either Ukraine or Russia, and trying to make a difference. One of the 900 pound gorilla is Anonymous, which came in very early on in the war, and they've already hacked and leaked just an incredible number of documents from the Russian government and Russian entities. The experts are saying it's going to take years to come through all that. But we had the leak of the Conti information and ransomware code near the beginning of the war too. That's unleashed something into the wild as a result of this. It's pretty interesting. Actors like Anonymous, IT Army of Ukraine are all volunteers that just came up with the war and they're doing some stuff that I guess could be considered pranks, like they've hacked into the Kremlin CCTV feeds. They've interrupted liquor distribution in Russia for three days, with DDoS attacks. They've hacked electric vehicle charging stations with anti-Putin messages. You can tell that they're having a good time. It's quite a free parole. But at the same time, we've seen pro-Russia groups such as Killnet and NoName057 have popped up and are claiming to be cyber patriots for Russia. That's what Putin is referring to them as and they are the ones that were going after all these other countries. A lot of DDoS attacks, a lot of them related to decisions that countries are making regarding who they're siding with in the war. The parliament's voted on whether to consider the activities in Ukraine terrorist activities. Within the past couple of weeks, both the parliament in Finland and the parliament in Latvia were shut down for several hours by DDoS attacks. Matt, the situation is getting more and more complex every day. I should add that a lot of people are concerned about what's going to happen when the war is over. All of these thousands of new hackers, they're going to have to have something to do. We'll see.
Schwartz: Rehabilitation is always the next step. It is very complicated. One of the questions I had for Zhora was, are these activists targeting Ukraine a threat? He said, not really. I think the sense is that if there's a lot of resources coming at them, that's challenging. But a lot of experts I've spoken to have lauded the state of Ukraine's defenses. It's been working overtime for the last eight years in combination with NATO, the U.S. and the EU. I think it was a nice surprise, but no surprise that Zhora recently appeared at Black Hat in Las Vegas. He appeared with the head of CISA and other security experts to say thank you and please don't forget us. There was a lot of goodwill there at Black Hat. It was lovely to see him at one of the biggest cybersecurity events of the year.
Harrison: Yeah, absolutely. Unfortunately, Michael Novinson is on assignment this week, and couldn't be with us. But he was at Black Hat. There was a wealth of things for him to cover. I think he interviewed dozens of people and covered Chris Krebs' keynote speech. I thought it was worth noting here. Krebs was the perfect choice. With a national interest, he is so much in the spotlight and he, I guess, had reached the state of martyrdom in the cybersecurity industry, just by the fact that he basically lost his job for doing his job during the presidential election.
Delaney: On Twitter.
Schwartz: Chris Krebs, the former head of CISA.
Harrison: Yeah, and as you know from Michael's story, you could tell he had a somber message to the people who were gathered there that, one, the cybercriminals, the nation-state actors are winning, and it's going to be that way, for a while. Although he did say that, there's hope. But he also, almost like a school teacher, called out the different parts of the cybersecurity community, the software vendors for allowing vulnerabilities to get into software and, you know, being more concerned about getting stuff out and getting it right and secure. He also had some criticism of the government for being too complex. Which agency was taking the lead? Who do you work with when you have a cyber incident? And also a little chastisement for the security vendors as well. He said, it's time to stop looking at band-aid solutions and to work together to come up with solutions that are going to protect people long term.
Schwartz: Complexity, hacks, failure to protect people. I just feel like there's a personification of that in the room, staring us in the face with all its gold hues.
Morbin: Certainly spill over into the criminal world.
Delaney: So Tony, on your gold Ethereum. Are we talking crypto? There's been lots of activity in the crypto space for sure and based on criminal and regulatory fronts. What do we need to know?
Morbin: You're right. There's always lots going on in the crypto space. I was going to use the analogy of a lot of people made a lot of money in the Wild Wild West. But a lot of people also got shot. And that's where we are now with the new frontier of cryptocurrencies. There's a lack of universally agreed rules, advocates for absolute freedom tussling with those who want to enforce norms of responsible behavior. We've got volatile valuations with Bitcoin and Ethereum down more than 50% from their all-time highs in late 2021. There are new thefts and scams exploiting immature security infrastructure. There's increased crackdowns by law enforcement on the use of cryptocurrency for illegal purposes. This month, more than 40 U.S. cryptocurrency exchanges are reported to be under investigation. South Korea announced today that it's going to ban 16 unregistered overseas crypto exchanges, the top 10 exchanges in India are under investigation. Over the last couple of weeks, we've seen examples of how this crackdown can play out for alleged facilitators of illicit cryptocurrency use. In particular, as we've discussed on this program, the Tornado Cash Mix are now sanctioned by the U.S. government. Crypto is global and it's designed to enable anonymity. It's not clear how effective these actions will be on a global scale, or how widely they can be applied. Even with the regulations that we currently have, non-compliance is a massive issue. Then again, within the U.S., the situation is complicated. By jurisdiction spats between the Commodity Futures Trading Commission, the Securities and Exchange Commission on what exactly cryptocurrency is: a virtual currency or a commodity? It just emphasizes how difficult it's going to be to get enforced international agreements. But however each regulatory or enforcement action plays out, for all its failings, we can expect to see more law enforcement activity based on more regulation. It's not just aimed at making cryptocurrencies less appealing to cybercriminals, although obviously, cryptocurrencies' seizures, enforcing Know Your Customer, anti-money laundering, insider trading regulations are geared that way. But it's not about preventing the use of crypto, it's also about making cryptocurrency safer for investors and providing investor protections. You can see how much that's needed. Cryptocurrency transaction volumes are around 15.8 trillion in 2022 so far, and in areas where there are no acting government bodies, it's increased the potential for theft and scams. In addition to action by the various authorities, the investors themselves taking action, we've got class action complaint filed against Coinbase, where the plaintiffs are alleging that the company didn't put in place the necessary measures to safeguard the investor funds. We've had cybercriminals reported to have stolen 14 billion in cryptocurrency by May this year, according to a report by Chainalysis. Now much of this was a result of various rug pulls where the crypto developers attract early investors to a project and then quickly abandon it. There's been increasing attacks on decentralized finance or DeFi. We've seen poorly secured bridges being exploited. Just this week, there are reports of new scams or crypto ATMs being hacked using zero vulnerability in the software, powering the Bitcoin ATM servers went undetected for nearly two years. There are 13,300 of these ATMs in almost every country in the world. So it could have been far worse. In fact, there was only about $16,000 stolen on this particular occasion. It's also reported that 10% of Ethereum transaction fees, well-known as gas fees, are linked to scams. You'd think that criminals would be especially wary, but they can also be scammed. In a recent example, tweeted about by Marcus Hutchins, the person pretends to be a clueless crypto user asking for help withdrawing money, and then they send you their private key, which obviously you would never do. The wallet has more than $1,000 in it, but it has no gas fee in there. So if somebody deposits the gas fee that's needed to steal the money, the fee then gets forwarded to the scammer. So it's nice to see them getting a taste of their own medicine. And there was once a saying that there's no law west of Dodge. Initially there was no law in crypto, but the sheriffs and the cavalry are arriving. And while that won't please everybody, they're not always going to be successful. But in the long run, we should all be safer.
Delaney: Great overview and it was interesting today reading an article talking about the resistance from industry leaders referring to the Tornado Cash sanctions and crypto industry leaders say they're not sure where they need to stay on the right side of the law. What do they need to do? So there's obviously still some confusion there. With time, things will be sorted out. But yes, we're in the Wild Wild West at the moment.
Morbin: In fact, another of Matt's articles where he's pointing out that there are crypto exchanges who have complied with regulations for Know Your Customer and anti-money laundering, and have been able to then continue their activities. It's not a closing down of cryptocurrency exchanges. It's a bringing them into line.
Schwartz: I think it goes against the libertarian leanings of a lot of cryptocurrency enthusiasts they think that something associated with their identity might become accessible to the U.S. government. The U.S. government's going, "look, you want North Korea-funded nuclear weapons of mass destruction program, or you want to help us out here?" There's a couple of the theory of it and there's the practice, which is the degree to which is being used by criminals, and bad people to launder lots of money and direct it into bad things. I think as Tony was saying, it's all continuing to unfold, sometimes with unexpected results.
Delaney: I'm tasking you with creating a cybersecurity cocktail. What would you call it? How would you make it? Give us a good kick. Cal, have you got something like that?
Harrison: I was thinking of a new drink called a Long Island Iced Threat Actor. Similar to the Long Island Iced Tea. It has the four white liquors in it, a little triple sec, Coca-Cola and a squeeze of lemon on top. To knock out the cybercriminals, I would say that an organization needs to start with the basics of infrastructure, network, cloud security, maybe splash of IoT security, while you're in there. Definitely, a little identity management and a good helping of zero trust, and a squeeze of cyber awareness on top because we know that only a few employees are going to pay attention to the cyber awareness training.
Delaney: And a bit of ICE. Great acronym, as we all love. That was great, Cal. You gave me a great first drink. Tony?
Morbin: I've taken the challenge much more literally in terms of creating a drink here. It's all for the sake of the name. I start off with champagne, a drink I really like and specifically Bollinger, you'll see why in a moment. Vodka is another favorite and for this one, Stolichnaya. I'm not just choosing, the contents of the drinks are absolutely fabulous. Finally, I'd go for something different, a tablespoon full of an Italian liquor Fernet. All mixed together without ice. The whole purpose of mixing those together is that I can call it an FSB. The idea there is that you can enjoy downing your adversary or indeed celebrate an ally if you're near the side. I would actually like to mix those and try it.
Delaney: This is all for trying in person. That was great.
Schwartz: Anna, if I may, I know it's already an established drink, but it was to go with a Silver Bullet. It's a smoky martini, basically. It's a bit classy but sophisticated. If you're not aware, it's two parts of gin to one part Scotch whiskey. You have to shake it vigorously and serve on ice, because the strong flavors will compete with each other a little bit. You just serve it with a twist of lemon to get that sour note in there. Speaking of sour, if I had been concocting my own cocktail from scratch, it would have to be that little bit sour, maybe feature some bitters, because despite all the optimism in the industry, so often I think we keep seeing the same mistakes get made. But my thinking is if you drink enough Silver Bullets, pretty soon you wouldn't notice the thing.
Delaney: This is great creativity all around. I was going to say we have Dark 'N' Stormy - rum and ginger beer - maybe enhance it with a bit of frankincense and myrrh, and an umbrella. Or I was thinking Crypto Sour. Really into great fruit-based drinks. Tequila, soda water, lime, but add a bit of sweetness, maybe a coconut/vanilla. What do we think? Maybe let's try these out next time in person.
Schwartz: Can only pay Ethereum for yours, I think.
Delaney: Yes. Thank you very much, Matt, Cal, Tony. This has been a pleasure.