Why Hacktivists Got Bored With the Russia-Ukraine Cyberwar
Also: BEC Scam Trends and a Cuban Ransomware Group's Strike in Montenegro
Anna Delaney (annamadeline) • September 2, 2022
In the latest weekly update, four Information Security Media Group editors discuss key cybersecurity issues, including the high cost of BEC scams, a Cuba ransomware gang's attack on Montenegro, and why so many hacktivists couldn't overcome the technical ennui of the Russia-Ukraine cyberwar and dropped out after a few months.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Tom Field, senior vice president, editorial; and Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- Highlights from an interview with Secret Service agents Stephen Dougherty and Michael Johns on how business email compromise has cost enterprises more than $43 billion since 2016;
- How a Cuba ransomware gang is taking credit for a "targeted cyberattack" against the government of Montenegro, knocking multiple government websites and services offline;
- How according to a team of researchers, the role and impact of criminal hackers and hacktivists in the Russia-Ukraine war has been vastly overestimated, with many volunteers dropping out after just a few months.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 19 edition discussing how the plot thickens for crypto mixer Tornado Cash and the Aug. 26 edition discussing the implications of the Russia-Ukraine hybrid war.
Anna Delaney: Hello, this is the ISMG Editors' Panel. I'm Anna Delaney and this is our weekly editorial get-together to mull over and scrutinize the latest in cybersecurity. And I'm very pleased to be joined this week by Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday & Europe; and Tony Morbin, executive news editor for the EU. Hello to you all. Tom, we missed you last week.
Tom Field: I've been traveling a bit. These are the days.
Delaney: These are the days. Talk to us about your backdrop. I think that's linked to your travels.
Field: It is! "Who can turn the world on with her smile? Who can take a nothing day, and suddenly make it all seem worthwhile?" I was in Minneapolis last week. This is the statue to Mary Tyler Moore famously throwing her hat up into the air.
Delaney: Good. Talking about hats or masks. Tony? I think we can guess.
Tony Morbin: Yes! Anonymous hacktivists, and news that the hacktivism going on in Ukraine is actually declining, and declined quite rapidly after it initially flared up. So hence our good friend, Guy Fawkes.
Delaney: Yeah, more on that later. Thank you, Tony, and Matt, outside enjoying the fresh air?
Mathew Schwartz: That's right. A beautiful weekend in Scotland. This was an epically long walk that I did. And this is looking back from the village, first, there was Newport, and then there was Wormit. I love that name. And so just looking back over the Dundee Rail Bridge - actually this is the road bridge, the rail bridge is over here. So, most people won't know Dundee. But the bridge is about a mile long. So it was a gorgeous day looking back over the city of Dundee.
Delaney: And epically long means how long?
Schwartz: Well, 11 miles.
Delaney: 11 miles! On the theme of walking - not quite 11 miles - this is the English countryside near where I grew up. Painshill is an 18th-century English landscape park. So I go there for strolls rather than epic walks. But Tom, you interviewed members of the Secret Service recently?
Field: Yeah, it was our Government Security Summit in Washington, DC, and the topic was business email compromise. Now, you might not expect the Secret Service to be so active in this conversation. But it's something that they are trying to bring more to the attention of all organizations, particularly financial services organizations, and the message that they're hammering home is, "Ransomware gets all the headlines, justifiably so. It's a huge issue, particularly in supply chain. Phishing gets more attention within organizations because of the volume of automated attacks. And organizations are constantly conducting their own exercises. But business email compromise is the quiet killer." Over the course of five years, from 2016 to 2021, known cases of business email compromise added up to more than 43 billion dollars in losses. And so, I had a conversation with Secret Service agents about the criticality of this and how it has flown under the radar. And I'd love to share an excerpt of the conversation I had at our recent summit.
Stephen Dougherty: Unfortunately, for years, it has, even though it's been the largest-grossing cybercrime out there, going back to 2016. And yeah, it flies under the radar for several reasons. One, it's a relatively nebulous crime. People don't necessarily understand it in its true form, which you need to address: it is driven by the stealing and interception of privileged and contemporaneous information, meaning information that's trusted only with the person you're doing a transaction with. So things like that, the intricacies of it, have it fly under the radar. It doesn't get the big press like ransomware does, but it is a more devastating crime than anything else out there right now.
Field: What's the dollar figure you're looking at over the past 5-6 years?
Dougherty: About 45 billion, and that's an underreported number. I say maybe 30 to 40% are only reported properly. No one wants to report it or they don't know how to report it.
Field: So there you go. Even I underreport it. I said 43 billion. That's 45. The key is the underreported because those are the only cases that they're aware about. Matt's well aware of this from the ransomware incidents that he talks about. So much goes underreported because of embarrassment, of losses. And the reason we're talking about this is because the criticality of being able to detect and respond. It used to be that once an incident was reported that law enforcement agents like the Secret Service would have 48-72 hours to be able to recover some of that money. Now it can be 12 to 24 hours because of the speed of being able to launder this money and get it out of the system. So that's what we talked about.
Delaney: And Tom, you moderate many roundtables. What do you hear from security leaders as to the challenges they face around fending off the scams?
Field: This is where the hybrid workforce works to the disadvantage, because the adversaries have been able to divide and conquer when you don't have people within a central office who can stand up in an office or a cubicle and say, "Does this look funny to you?" People are making decisions on their own, and the adversaries are able to pick on the weaker links and exploit them. And that's why business email compromise, phishing schemes and socially engineered schemes are continually so successful. And don't forget the automated pace of these. They're coming at organizations constantly. And the social engineers constantly tune their instruments as well.
Delaney: But forming partnerships, trusted partnerships was a massive topic at this particular summit. What did you hear that encouraged you more than the usual we need trusted partnerships?
Field: Organizations taking steps to do that. They used to be "We want to be in partnerships where we share information." That used to mean, "You give me your information, I'll keep mine to myself. Thank you." You see now that the private sector, in particular, is forthcoming, in wanting to engage with the government to share real-time information so that they can perhaps be proactive against some of these threats, if not constantly reactive. So it is encouraging.
Schwartz: It's great to see the Secret Service and others talking about this. I think the FBI has got the RAT, the Recovery Asset Team, where if they get a heads-up early enough, they can, as you said, help organizations get the money back. That's huge. And that's a great reason to be aware of what you need to do, in case this happens. And another big thing, though, for me, as with ransomware, and especially with business email compromise: preparation is often not about high tech, or it doesn't need to be high tech. You need to have business processes in place that slow things down. So, if someone's claiming to be the CEO and says, "Send $24 million," immediately alarm bells start to go off. And I think that can be a bit of a litmus test. Organizations can still fall victim. But did they fall victim because they just didn't have these common-sense roadblocks in place inside the organization? If they don't have those, they need to get them.
Field: To ask you to go out and get gift cards.
Schwartz: Yes. Exactly.
Morbin: I was going to say that they're going to need them even more with deep fakes as well. Because, if you've got your CEO on the video telling you to do something, if you've got a strict policy in place that he has to give you the password, then he has to give you the password.
Delaney: Very good.
Morbin: Logon passwords are the best way.
Delaney: Well, moving on, Matt, Cuba ransomware hits Montenegro, or does it? Help us through this story. What is going on?
Schwartz: Yes, what is going on? I'm a little late to cover this, just in case something massive changes in the next 12 to 24 hours. But over the past weekend, I think beginning last Thursday and intensifying Friday, the government of Montenegro said that it was being disrupted. They didn't specify how, so a lot of people were asking: is it distributed denial-of-service attacks? Is it ransomware? Because oftentimes these days, it's ransomware. And no detail was forthcoming. There was a defense minister who said, "When Montenegro is disrupted, who do you think would be involved?" basically fingering Russia as the culprit. But what's happened more recently is that the parliament in Montenegro has been listed by the Cuba ransomware gang - Cuba with no affiliation with Havana; perhaps there's a love of cigars or rum, or they just liked the name. But the Cuba ransomware gang, which is staffed by Russian speakers, says that they hit the parliament, and they have posted some stolen files. There's no pure 100% confirmation yet. But this would seem to be associated with the disruption of Montenegro government sites. This is the second disruption they've experienced in August. There has been a lot of political turmoil: the coalition government proposed by the prime minister - he proposed a cabinet and it didn't get voted through. So the government has toppled for the second time this year. So there's a pro-Russia faction at work here, there's a pro-EU faction at work, so it's already a highly politicized environment, and then you appear to have this one ransomware group come waltzing in. So, I think a lot of people are going to say, "They're probably acting on behalf of the Russian state." We don't see ransomware groups do that. Possibly, Russia doesn't care for Montenegro. And so, this ransomware group has found that it has managed to infiltrate a network, or 12, in the government and they think, "Moscow doesn't care. So, we're just going to hit them and see what happens."
I'm a little surprised because governments don't tend to pay. We occasionally see governments get hit by ransomware groups, such as Costa Rica. But what emerged in that case was that Conti was clumsy, and appeared to be using it as a smokescreen while they spun up other groups quietly, so as to hopefully not have them associated with the Conti brand, which was burned after Conti backed Russia in its invasion of Ukraine. All of a sudden, the ransom payments to Conti went from a lot to apparently next to nothing. So, they had to rebrand, spin off some groups, etc. So one big takeaway here for me is that a lot of news reports said, "Montenegro blames Russia." Well, it was your defense minister. And if they are not bellicose, they probably can't get the job. And I would just urge everyone to not report that as such. Back in the day, every bank attack was blamed on Russia - there'd be some White House official speaking on background - and every intellectual property theft was blamed on China. A lot of times it was just pure, simple crime. But anytime there's attribution, there's a political component to that. And governments only attribute when it works to their advantage. And with this political turmoil happening in Montenegro, some people are going to say, "It's Russia. How dare the pro-Russia faction in our country be so aligned?" All of this nuance, and then, as has happened so many times, it looks to just be criminals, probably acting opportunistically. Yes, causing lots of disruption. Montenegro has thanked its NATO partner friends for coming in to help with the cleanup. And I would presume in the next week or two, everything will be back to normal.
Delaney: If there are any other parties involved in it, it brings up the challenge of attribution. The question we always talk about.
Schwartz: Yep, we should never rush. Everyone should always be careful. And when you do see attribution, it's inherently political. Ask, why is this being attributed? And if it's a Baltic, or I should say Balkan nation, blaming Russia, that's obvious. South Korea gets attacked. Who are they going to blame? But just because it's obvious doesn't mean it's true. And so we need to be careful about who's attributing, why they're attributing, and to take this all with a big grain of salt when it does happen.
Delaney: Matt, how sophisticated were these attacks? And how grave was the damage caused?
Schwartz: So, there's been disruption of government services; a lot of sites can't be used. I forget the precise population of Montenegro; 600,000, I think. So this could be a serious disruption. For example, if you're trying to pay your energy bill. I don't know. But sophistication? I also don't know. It did disrupt services. But does that make it sophisticated? Or were the attackers able to do something basic, and it just brought down the whole government infrastructure?
Field: In parallel to what you said, there's the attribution that no one ever gets attacked in an unsophisticated attack. And yet, when you dig down deeply, often it's things that we've seen over and over, tried and true; they work.
Schwartz: Back to your BEC attacks: if you can steal $24 million by impersonating the CEO on an instant message chat, is that sophisticated? No. Is it effective? Yes. So why bother with sophistication?
Delaney: Staying with Russia-Ukraine. Tony, who is getting bored of cyber war?
Morbin: It's the hacktivists. Even while Ukraine's Computer Emergency Response Team has been reporting that the country was hit by 1,123 cyberattacks in the first six months of the war, two separate reports have come out this week suggesting that the part played by hacktivist activity hasn't been sustained. So, while the state actors are continuing to target critical infrastructure as part of their hybrid warfare, the onslaught of lower-level activity by volunteers, including criminals, hacktivist groups and ideologically motivated individuals, has slumped. The first of the two reports is from Cornell University. It analyzed web defacement attacks, DDoS attacks and volunteer hacking discussion groups, both before and after the invasion. And it says that while the conflict did briefly, but significantly, get the attention of the low-level cybercrime community, the notable shift in the geographic distribution of defacement and DDoS attacks by these players was, overall, quite minor. There were mass attacks against fairly random websites within the .ru and the .ua domains. The researchers found no evidence of any high-profile actions such as targeting critical infrastructure. This is by the activists, where there was significant use of DDoS by the IT Army of Ukraine. But there's been a clear loss of interest in carrying out these defacements and DDoS attacks after just a few weeks. Now, these findings from Cornell were echoed in separate research that reports that hacktivist groups such as Anonymous slowed their efforts in the last few months after initially focusing on Russian oligarchs in the real-estate and mining sectors. In fact, half of all reported cyberwarfare-related incidents this year took place in February and March. The report also said that the invasion did spark a flurry of cyber incidents relating to Russia in the early part of the year: a clear spike in cyber espionage, hacktivism and cyberwarfare targeting Russian businesses and individuals.
But it too says that this was very short-lived, with activity falling off considerably in recent months, most likely due to hacktivist groups just not being willing or able to sustain their efforts as the conflict continued. Now, whilst this might sound like bad news for activists and citizen warriors, personally, from my own point of view, I'd say it's good news for society. In my opinion, it's not advisable for citizens to be personally attacking citizens of other countries or their governments. And there were certainly concerns about where the same people might turn their talents once the war was resolved. So I accept that mostly it was well intentioned, and that governments did play some coordinating roles sometimes. And so, you can't simply put it down to being pure vigilantism. But in my own opinion, if you want to contribute to your country's cyber efforts, join the cyber reserves.
Schwartz: That's a very good point. I was just going to say this isn't the first time we've heard some caution about the role of hacktivism and such in the Russia-Ukraine conflict. I know the operational security expert who is known as the grugq had delivered a presentation in May, saying, "This didn't really seem to be happening," in large part because the military establishment, the intelligence establishment and law enforcement in Russia don't interface with criminals. And the criminals don't want to be seen to be interfacing with them, because it's bad for business. So it's interesting to have these numbers. As you were saying, Tony, it's a team of researchers who have now published the paper; the researchers from the University of Strathclyde, Edinburgh and Cambridge put some numbers to what they've been seeing. One can and should ask, do website defacements ultimately impact a war? Do DDoS attacks against non-critical infrastructure make a difference? I think for the IT Army, morale was a factor for Ukraine: look at all these people rising to the defense of Ukraine. So psychologically, that is notable, but in terms of the military benefit, as you say, and as this research shows, nil, I think, is the answer.
Morbin: It was random and all over the place. So, it wasn't coordinated. The same kind of activity conducted by a state, maybe, to a purpose, as part of hybrid warfare. We obviously saw the attack on the satellites prior to the start of the war by Russia. So, you can have hybrid warfare. But if you're an individual, you're not going to be sophisticated enough to know who's the best target, let alone necessarily be able to get them.
Field: We like short stories. And Russia-Ukraine is not a short story.
Delaney: It's interesting to see how this hybrid war is evolving and how many countries are being impacted. Well, to our audience, stay tuned for further developments as there will be more. I know there's still a few more months left of the year, but reflecting on 2022, so far, who stands out as a cyber warrior for you?
Field: I've got two. I'm going to come back to Jen Easterly, CISA, because she makes cybersecurity look cool. And I'm also going to take my hat off to Mudge, who took a big stand last week when he filed his whistleblower report with the federal government regarding his experience with Twitter. That was a stand for accountability. And I think that we can debate the impact on the CISO profession, we can debate the impact on his own career. But he took a stand for accountability. I think that's important to note.
Delaney: I will say that'll be interesting to see how that story evolves. Tony?
Morbin: I'm going to be controversial, not quite as current, but somebody who maybe didn't get any awards at the time: Christopher Krebs, former director of CISA, for creating the CISA website to debunk election-related disinformation, upholding democracy and the rule of law. As a non-American, I'm not political. In fact, I believe Christopher Krebs is a Republican himself. But for me, that was a big stand by the cybersecurity industry for upholding law and order, and democracy.
Delaney: Good choice. Thank you.
Schwartz: I'm going to weigh in with Victor Zhora, the deputy head of Ukraine's cyber defense agency, who I had the good fortune to speak to recently. He was meeting Jen Easterly at the recent Black Hat conference in Vegas and flying the flag for Ukraine and collective cyber defense. But it's thanks to individuals like him. He's been in the industry for a long time, he's helped organize BSides in Ukraine, I think from back in 2012 onwards; he is a part of the community but finds himself in this difficult position, as do all Ukrainians, of having to help with the collective defense. So, the definition of a warrior right there.
Field: Terrific interview, by the way, Matt. I recommend everybody watch that.
Delaney: You took the words out of my mouth, Tom. Thank you so much, everybody. This has been excellent. And thank you so much for watching. Until next time.