ISMG Editors: Law Enforcement's Ransomware Crackdown
Also: Election Security Successes, Key Takeaways from Recent ISMG Events
Anna Delaney (annamadeline) • October 31, 2024
In the latest weekly update, ISMG editors discussed the impact of recent law enforcement operations against ransomware gangs, the state of U.S. election security on the eve of the presidential election, and the key trends emerging from recent ISMG industry roundtables and summits.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Chris Riotta, managing editor, GovInfoSecurity; and Tom Field, senior vice president, Editorial - discussed:
- How global law enforcement has infiltrated and disrupted major ransomware and infostealer networks, arresting key figures and seizing data to dismantle cyberthreats to personal, financial and military targets;
- The latest reports and expert insights into escalating election security threats just ahead of the U.S. presidential election;
- Recent takeaways from ISMG cybersecurity roundtables and a preview of the upcoming ISMG Financial Services Summit in New York next week.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 18 edition on how DSPM and DLP are converging to reshape data security and the Oct. 25 edition on election security.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll be diving into recent law enforcement wins against ransomware, the latest on U.S. election security, and the key trends emerging from industry roundtables and summits. The team today includes Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Chris Riotta, managing editor for GovInfoSecurity. Good to see you all.
Chris Riotta: Thanks for having us.
Delaney: Mathew, starting with you this week, I thought we could start with some good news in cybercrime. Global law enforcement has infiltrated and disrupted major ransomware and info-stealer networks, arresting key figures and seizing data to dismantle threats to personal, financial and military security. So, tell us about what's been happening.
Mathew Schwartz: As you mentioned in your opening, Anna, we've seen some notable wins, for example, against ransomware by Europol and other law enforcement agencies. And one of the things they're doing is that if they can't shut these operations down, they infiltrate them first, gather as much data as possible. In the case of LockBit, this helped victims unlock their systems if they hadn't paid a ransom already; hopefully, they didn't. It also gives them a lot of intelligence about affiliates, and not all of these affiliates are in Russia or neighboring countries that might be hard to reach for Western law enforcement. Sometimes they find affiliates who are closer, that they can get to. So, take all of what I've just said and apply it to something announced only this week, which is Operation Magnus, which is an effort being coordinated by Europol here in Europe, led by Dutch National Police working with the FBI and other law enforcement agencies. So, like you say, the good news is that they managed to infiltrate two info stealers. These are malware-as-a-service offerings that you can, if you're a criminal, subscribe to on a monthly or a lifetime basis, and you take the malware they give you, which is designed to steal information, hence info stealer, and you use it to infect people. How you do that is up to you. Your ingenuity. Maybe a phishing attack. If you're nasty, you can create some fake COVID-19 campaigns, which is what some of the people who distributed it did during the pandemic to try to trick people into installing it on their Windows system. If installed and successfully executed, the malware is designed to hoover up a whole bunch of different kinds of data - usernames, passwords and browser cookies - which could be used to evade two-factor authentication, as well as cryptocurrency wallets, online bank account access credentials, etc.
All of this makes these credentials valuable, and they get sold in a variety of cybercrime forums, also via some automated Telegram bots. So, the news is that two of the major services got infiltrated, services which authorities say appear to be pretty closely related; they don't come out and say they're built by the same people or licensed or whatever, but they're pretty close. There was Meta, and then there's an even bigger one called RedLine. RedLine is one of the most commonly seen forms of malware in the world; not just an info stealer, but of all malware. One of the biggest kinds of malware seen in the world. So, this is great news. Authorities have disrupted the infrastructure and announced they were joining the effort. The FBI announced that the Department of Justice has indicted a Russian national by the name of Maxim Rudometov, who is based in the Russian city of Carson. They haven't been able to arrest this guy, but they've dumped a lot of data. They said we know who you are. They're possibly trolling him a little bit because they've released his dating profile in Russia, and nobody clicks like on him. So, if they can't get to him, they're at least trying to get to him, if you know what I mean. All of this is good news. Will these services reboot? We don't know, but as part of the infiltration, law enforcement said it got a load of details about not just victims, which hopefully it can help, but also affiliates. Maybe not their real names or addresses or anything, but it did get IP addresses and the affiliates' nicknames, and you can be sure they'll be cross-referencing this with other information.
From an operational security standpoint, criminals don't often disguise themselves well, and the guy who got indicted is an alleged developer and operator of the service, and they were able to cross-reference the email addresses he used, nicknames he used between his dating service account, and also communications tied to the info stealer and also his personal Apple iCloud account. Using a court order, they found a copy of RedLine info stealer in his iCloud account. So, I'm sure they've got even more evidence they haven't released yet, because they don't need to tell you everything when they get an indictment or an arrest warrant together. It's not looking good for him if he leaves Russia. And as I said, if they can't arrest these people, at least they can hopefully disrupt them and their operations.
Tom Field: Take that Mediterranean vacation off the list.
Schwartz: Yeah, might not be a great idea anymore.
Delaney: So essentially, bad cyber hygiene on his part.
Schwartz: Exactly. And it's not the first time we've seen this. Good cyber hygiene is difficult. The easier thing is not to be a criminal.
Delaney: Well said. So, in light of these successes, Mat, what do you see as the next big challenge for law enforcement in tackling these increasingly sophisticated cybercriminal operations?
Schwartz: Like I said, if they can't bust these guys, at least they can hopefully get inside their heads a bit and disrupt their operations. It might not knock them off the grid, but disruption adds time and complexity. At the Hardwear.io conference last week, a Europol official was saying, with the anti-LockBit effort, they're trying to poison trust between criminals, which is part of what they did with LockBit by saying, "Look, these guys claim to be the best in the world. They were very good at protecting your personal information," and they're applying those kinds of lessons or strategies to these sorts of other criminal enterprises. So, I don't know what happens next, probably hopefully more disruptions of this type.
Delaney: For sure. We celebrate any victories we can. Thank you, Mat. So, Chris, the U.S. election is just days away, and despite foreign interference attempts escalating, authorities appear to have effectively countered cyber and physical threats. Are you hopeful? What do we need to know now?
Riotta: Following a similar theme of successful disruptions, it appears that there have been a few leading up to the big day, election day. First of all, we should note how insane it is that within just a few days, we're going to have a new president-elect. But, I've been covering threats to U.S. election infrastructure and foreign influence campaigns throughout all of the last year and digging into the Cybersecurity and Infrastructure Security Agency's unprecedented efforts to secure the vote. This week, CISA published an election threat updates webpage that aims to provide the public with accessible information about the evolving threat environment and how some foreign actors are seeking to influence and interfere with the democratic process just before the election. Intelligence agencies have also recently released a declassified assessment of foreign threats to the U.S. elections after voting ends in 2024, warning that some foreign actors may conduct activities that seek to disrupt or delay the time-sensitive and tightly sequenced series of processes and events that begin immediately after the polls close. So, those threats have escalated in recent months and even weeks, with new reports indicating some of those foreign influence campaigns haven't quite proven as effective this year as they did in 2016, when experts said American voters were blindsided by some of the interference efforts on the part of Russia and China. More than 50 million Americans have already cast their ballots, according to early tracking data that we're looking at, as a Tuesday report from The Foundation for Defense of Democracies said that interference efforts are persistent despite struggling to gain significant traction in recent days. That report said that security researchers have largely exposed Russian, Iranian and Chinese influence operations before their narratives and posts went viral, with experts stating that the U.S. is far better prepared for this onslaught of influence campaigns leading up to the vote. Max Lesser, a senior analyst on emerging threats for FDD and one of the authors of the report, told reporters this week that we've advanced considerably since 2016, when there was sort of this moral panic around the foreign malign influence operations that we were discovering. Federal authorities are now in the process of issuing real-time warnings about growing disinformation threats, and the U.S. intelligence community reported last week that Russian operatives manufactured and amplified a recent video falsely showing individuals ripping up ballots in Pennsylvania. So, immediately after that, there was a joint statement from the FBI, CISA and the Office of the Director of National Intelligence, adding that the video is part of Moscow's broader effort to cast doubt on the integrity of the U.S. election. So, as we're seeing these videos and these influence operations pop up, we're also seeing a coordinated effort by federal authorities to catch it and to bring light and attention to the intention behind the disinformation being spread.
Now, physical threats are also abundant. We're seeing physical threats that could also be escalating in the final days of the campaign. Authorities are searching for those responsible for setting ballot drop boxes on fire in the Pacific Northwest. Authorities say a culprit set fire to at least two ballot boxes, one in Washington and another in Oregon. There are reports of a third one as well. But CISA has been preparing for the national vote, both from a cyber and physical security standpoint. For the better part of a year, they've established dedicated election security advisors in each of their 10 regional offices, beginning in July 2023, to strengthen the frontline support for local election workers and infrastructure. A lot of folks say that there's not just one national election. There are thousands of elections going on all across the country. Many of the election systems and processes are kind of local and unique to their geography and region. So, we're seeing that the agency has recently issued these warnings about increasingly aggressive Iranian activity during the election cycle. There have been reported activities to compromise former President Donald Trump's campaign, and the agency has published an election cybersecurity toolkit as well through its flagship public-private partnership, the Joint Cyber Defense Collaborative, as well as an election security rumor versus reality platform to provide reliable information on disinformation campaigns. And this is all within the last few months. So, a lot of the experts that we've spoken to say that those public awareness campaigns have started to break through during this election cycle in a tangible way, which could be a sign of hope as threats continue to build up in the final days of the campaign.
Delaney: Sure. Great summary there. So, from your perspective, Chris, what do you think we can learn from these recent threats that would better prepare us for future elections?
Riotta: There are a lot of traditional threats that we've seen. A lot of these are the same kind of activities that we witnessed happening in 2016, but it looks like through public-private collaboration, through partnerships across CISA with the FBI and ODNI, we are also seeing the Joint Cyber Defense Collaborative, which is CISA's flagship public-private partnership, which consists of many of the leading technology organizations and software security groups; even some social media platforms have representatives at the JCDC. So, you're seeing that these collaborative partnerships are paying off in a big way when it comes to building awareness around some of the interference and influence operations. So, I would say, as long as those things continue to go smoothly, fingers crossed, we should have a pretty safe and secure vote come election day.
Field: Chris, I heard an interesting perspective last week talking to a representative of the Dutch government. Certainly, we've talked about whether Russia wants Trump to win the presidential election. Does China want Harris to win? And the point that this Dutch government representative made was that Russia particularly doesn't want anybody to win. What they want is to continue to see a divide in the country, so at least half of the U.S. is unhappy with whomever is in office, because that unhappiness creates a battleground where Russia could be more effective.
Riotta: That's an interesting point from the perspective of foreign adversaries. Maybe in 2016, it was more clear that they favored one candidate over the other. The intelligence community writ large hasn't even said whether China or Iran have specific favorites in this election. What they're trying to drive home is sowing discord and bashing the integrity of the American electoral process and that of democratic institutions. So, if they can sow discord, particularly in the lead-up to the vote and afterward, if there are any sort of rumors or accusations of election meddling, we can be sure that our adversaries will take advantage of those regardless of who wins.
Field: Here's what we can do to get back to being the United States and not the divided states.
Riotta: Fingers crossed, we will see.
Delaney: To echo Annie Fixler's point last week, when she joined us from the Foundation for Defense of Democracies - you mentioned it, Chris - it's about trying to sow doubt or shake Americans' confidence in election integrity. So, we've got a few days left. So yeah, hope it's a calm few days. Wishing you all a safe and secure election. Thank you, Chris. Tom, you've been on the move with roundtables and are now set to host ISMG's Financial Services Summit in NYC next week. So, give us a preview. What's been happening lately?
Field: It's a busy time, as you say. I was on the road last week in Dallas, and I was there essentially with the Dutch government. They sent a contingent of vendors around different cities in the south of the U.S. to visit with CISOs and CIOs at different organizations to make them more aware of options for vendors in the Netherlands. And so, I was with aXite Security Tools and Detact and we were in Dallas having a conversation about OT security. As a part of this conversation, we had seven CISOs in the room. We were talking about the mission of the Dutch government to spread awareness of the vendors that they have that are offering services globally. And we talked about the particular challenges with OT security. Now, the topics that came up are ones that are familiar. We talked about the run of legacy technology that's so hard to upgrade and secure within all these organizations. I asked the individuals what's the oldest piece of technology you have within your environment. And you get some crazy answers, from Windows 8 and 10 to Windows 95, and I heard something last week that went back to World War II. So, you get some great answers. We talk about legacy technology. We talk about the lack of visibility across these environments. Because many of these organizations don't know what assets they have; if you don't know what you have, you can't secure it. And then we talk about the lack of funding, which comes from a lack of sponsorship. It's hard to get executive management's attention for OT assets and security when they're focused on other areas. As one individual from a prominent airline told me, "If it was AI, I could get budget for it, but since it's OT, I have a hard time getting anybody's attention." So, what we spoke about was the partnership of aXite Security Tools and Detact, and what they essentially do is try to create a proverbial single pane of glass into OT assets and to draw from those the ability to monitor and analyze data from all those assets.
I had a very engaging conversation with these security leaders. And I was personally pleased to see these Dutch vendors on the road, marketing themselves, visiting U.S. organizations, and offering some new options to them. So that was Dallas. Next week, Chris and I are taking the show on the road to New York City. We have got the Financial Services Cybersecurity Summit two days after the U.S. election. I don't know how that's going to shape our agenda and the discussions we have, Chris; it will be interesting to find out. Among the topics, we'll be discussing the state of cyber insurance, where organizations are challenged these days. We'll be talking about payments fraud and account takeover. We're going to have a solution room exercise around deepfakes, and there'll be a keynote panel with some prominent CISOs about the shifting responsibilities as they take on greater responsibilities in areas such as OT security. So, it is going to be a terrific event. We are going to be on two different stages there. Michael Novinson will be there with us. Chris and I will be on stage. We'll be in our studio and look forward to coming back and telling others what everybody's talking about in financial services in the biggest city in the U.S.
Delaney: We look forward to those takeaways. So, with your experiences as a journalist and moderator, Tom, how do you think security leaders can get the most value out of an event like next week's?
Field: We call it a summit for a reason, and it's because you want to go there and be able to broker conversations and to be able to talk with other attendees, people you don't normally speak with, to meet with our vendors and our speakers. The best way we do that is with our deepfake exercise, where we bring people together at small tables to answer some questions about essentially a tabletop exercise about an organization that was defrauded through a deepfake threat. That's the highlight of the event for me, seeing people who wouldn't normally talk to one another strike up these conversations and exchange networking data and pick up the conversation somewhere else. Get there, talk, listen, then talk, and take advantage of such conversations.
Delaney: Excellent advice. Hope it goes well. Look forward to hearing about it. Anyway, thank you very much. Thanks for playing along and great commentary as always. Appreciate it. Thank you so much for watching. Until next time.