Anna Delaney: Feds offer a $10 million reward for Russia's Sandworm hackers, and how will the ransomware landscape evolve? These stories and more on this week's ISMG Security Report.
(Theme music)
Hello, I'm Anna Delaney. The US government, Tuesday, announced a reward of up to $10 million for information pertaining to six alleged Russian military hackers tied to the 2017 NotPetya destructive malware campaign. Joining me to discuss is Mathew Schwartz, executive editor of DataBreachToday and Europe. Matt, do you think this reward will lead to the capture or extradition of the Russian suspects?
Mathew Schwartz: It seems unlikely, Anna, so long as these suspects watch where they travel. Obviously, $10 million is a significant reward. If they do choose to leave Russia, that will increase the risk that someone might wish to detain and hand them over. Now, the reward's being offered by the US Department of State's Diplomatic Security Service. It's a program called Rewards for Justice. It offers up to $10 million for information leading to the identification or location of any person who, and I'm quoting here, "while acting at the direction or under the control of a foreign government participates in malicious cyber activities that target United States." Recently, the program has offered rewards for information tied to nation-state hackers from other countries, including North Korea and Iran, and also, just in general, any foreign hackers targeting critical infrastructure.
Delaney: If these rewards don't help capture these alleged nation-state hackers and lead to their appearance in a US courtroom, do they matter?
Schwartz: I put that question to multiple experts. I said, if we've got these big rewards, and they're not necessarily being paid out, what's the use? Now let me just pause here and say the program has paid out about $200 million to what it says are more than 100 people since it was launched in 1984. Whether or not any of these payouts have anything to do with cyberattacks or the targeting of US critical infrastructure isn't clear. The money is there, though, and there is an appetite for it to get paid out if this information comes in. However, if I were a Chinese, Russian or Iranian foreign intelligence officer, and I knew I was the focus of a US indictment, I'd be very careful where I went. You asked, what's the use? One of them is norms. What is acceptable when it comes to intelligence gathering and espionage? Spies are going to spy. Ask any intelligence expert, and they'll tell you this is what espionage is designed to do. In the bigger picture, it's designed to help nations avoid going to war. By spying, they can identify the planning and the thinking going on with foreign governments. This level of insight helps nations avoid getting to the point where they invade each other's borders. Obviously, it doesn't always work that way, but it helps. So in terms of what's acceptable or not acceptable when it comes to espionage, we've got NotPetya. That is the focus of this reward. And that was the focus of a 2020 indictment unsealed by a federal grand jury charging six Russians with having perpetrated this destructive malware campaign. Now, is destructive malware an appropriate thing for an intelligence agency to be doing? The US says no. Many other people would agree with that assessment. NotPetya was disguised as ransomware. It was distributed via a legitimate Ukrainian software developer's update server. It spread out of control, causing commercial damage of up to $10 billion. Again, is this acceptable when it comes to espionage?
I put this question to cybercrime expert Mark Rasch, who is of counsel at the law firm of Kohrman Jackson & Krantz. Here's what he says:
Mark Rasch: The indictment itself, which occurred some time ago, is a shot across the bow. Number one, it tells the Russians we know you did it. Number two, it tells the Russians we know specifically the individuals who did it. Number three, it acts to somewhat isolate those individuals, restrict their ability to travel. And number four, it tells the American people we're doing "something" about cybercrime. This latest act probably is more focused on three and four.
Schwartz: You've got much more detail there from Rasch talking about the importance of not just the indictment, but also this reward money when it comes to not only reassuring the American public but serving as a warning to any foreign nation-state hackers, who might decide to unleash the likes of NotPetya in the future.
Delaney: So as long as they play it safe, it seems unlikely these intelligence officers will ever appear before a US judge.
Schwartz: Precisely. Now, we do see a lot of alleged Russian criminals getting caught out when they vacation. Oftentimes, it seems like they don't realize that they were the focus of an FBI investigation, or that there is an indictment against them, typically because the indictment would have been sealed until their arrest. But while we see criminals allegedly getting detained, we have not seen the same thing with any alleged nation-state actors. Now, of course, the rewards that have just been announced will be adding pressure on these individuals to make sure they don't travel to the wrong place, and, for the future, adding pressure on them to do the right thing. Again, I spoke with Mark Rasch, who previously worked with the US Department of Justice, where he started the computer crime unit in the criminal division's fraud section. Here's what he has to say about the impact specifically of the newly announced reward money:
Rasch: Well, what this does is, it isolates the GRU officers. It makes it more difficult for them to go to countries that are not affiliated or protected by Russia. Because before this, the truth is, they would have to be captured by a foreign government and extradited. Now you're essentially incentivizing individuals to do the same thing. Now there's no way a Russian citizen is going to grab their neighbor who works for the GRU and say to the Americans, hey, look, I found this guy.
Schwartz: Again, this is upping the pressure on nation-state foreign hackers to do the right thing. Will it work? That's the $10 million question.
Delaney: Never say never. Matt, thank you so much for your insight.
(Transition Ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: How will ransomware attacks evolve over the coming year? It's a question we'd all like the answer to, but one person who's been tracking the criminals closely is attorney Guillermo Christensen, a partner at Indianapolis-based law firm Ice Miller. There, he specializes in cybersecurity planning and incidents, including around ransomware. ISMG's Mathew Schwartz asked Christensen how he expects the ransomware landscape to evolve in terms of the kinds of threats that organizations might be facing, or the criminals that we see involved. Here's his response:
Guillermo Christensen: So ransomware, the amazing thing about it is you can hit a victim very quickly, within hours, and paralyze them. If you're exfiltrating data, it takes a lot longer, because you might need to take hundreds of gigabytes of information, and most security systems in a company will see some of that, and that'll trigger an alert. So there's a premium on speed for threat actors. One way that they've been talking about it is: what if we didn't have to take the data out? What if we instead manipulate the data in such a way that whoever is the victim no longer has confidence in what they've got, and they have to pay us to get that integrity, that ability to verify integrity, again. Banks, for example. So if you tweaked the data records for a bank just a little bit, nobody has any confidence in what they actually have in their accounts. That's one of the nightmares for the financial sector. But something like that wouldn't require much. It would potentially get past that problem of data exfiltration. So I think that's certainly one concern. I think the extortion value of negative, sensitive, and humiliating information is another area. Just do a little bit, but the stuff that nobody ever wants to see. So Sony, when they were hacked by the North Koreans, the thing that probably hurt them the most were these emails between their executives about how much they dislike dealing with the talent that they have. So I think that those are factors.
Delaney: And finally, the US Food and Drug Administration has issued new draft guidance providing updated and detailed recommendations for how medical device makers should address cybersecurity risk in the premarket stage of their products. Our executive editor of HealthcareInfoSecurity, Marianne Kolbasuk McGee, discussed the new draft guidance with Dr. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA's Center for Devices and Radiological Health. Here's an excerpt of their conversation on how the guidance addresses varying levels of cybersecurity risk and medical device safety:
Marianne McGee: Dr. Schwartz, you mentioned that the 2018 draft guidance included those risk tiers for different types of medical devices. How does the new draft guidance address the different degrees of potential safety concerns to patients involving the cybersecurity of different types of medical devices, whether it's like an embedded cardiac device versus a medical imaging system versus an infusion pump? For instance, are all the manufacturers of all the different kinds of devices expected to take the same certain steps or the same certain controls in terms of assessing their devices for cybersecurity risk?
Dr. Suzanne Schwartz: That's a really important question. So the way we addressed it in removing the tiers was really utilizing, maximizing, this concept of the SPDF, the Secure Product Development Framework, and what that entails. So embedded within that, you have one section which is entirely on documentation related to security risk management, and we call out and spent a fair amount of time talking about threat modeling within that section. So using the appropriate types of methodologies for threat modeling, the manufacturer would be performing that kind of assessment as to what the risk is to the device, and how they're intending to manage the risks of that device. That's one part. Another part of the SPDF refers to the security architecture. And included or embedded within the security architecture are the expectations that the manufacturer would submit security architecture views, and that includes multi-patient harm as an example, what the global system looks like. There are security use cases. And then we include a fair amount of examples within the appendices to the guidance that allow for viewing cybersecurity across the entire spectrum of medical devices, regardless of whether we're talking about something that is an infusion pump, a ventilator, an implantable, or a remote control device. So, giving consideration to the threat modeling aspects, the security architecture, these are clearly going to be ways in which the manufacturer would provide documentation explaining how they've assessed that risk. And then we move on into the testing and what they need to be doing as far as demonstrating to us, in evidence, how they've mitigated threats, what vulnerability testing has been done, what penetration testing has been done, etc., as some examples of how that is being further undertaken.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time!