

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Apr 20, 2022 • 25min
Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.
A Shuckworm update. Pegasus spyware found in UK government officials’ phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76
Selected reading:
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
UK Government Reportedly Infected With NSO Group Spyware
‘CatalanGate’ Spyware Infections Tied to NSO Group
Pegasus Spyware and Citizen Surveillance: What You Need to Know
Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer
Former eBay executive to plead guilty to cyberstalking campaign targeting couple
Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 19, 2022 • 23min
In a hybrid war, it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for wallets (and other blockchained valuables). Emotet really likes those malicious macros.
In a hybrid war, sometimes it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it’s our anniversary this week: celebrate with us.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75
Selected reading:
Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)
Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire)
Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform)
Ukraine War Divides Orthodox Faithful (New York Times)
US officials ramp up warnings about Russian cyberattacks (The Hill)
NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)
FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)
If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post)
North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)
Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)

Apr 18, 2022 • 24min
Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.
Nuisance-level cyberattacks continue on both sides of Russia’s hybrid war against Ukraine. Face-saving disinformation. “CatalanGate.” Industrial Spy says it caters to its victims’ competitors. More on what’s been learned from Conti’s leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74
Selected reading:
Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine)
Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future)
Currency.com Targeted in Failed Cyber-Attack (Accesswire)
Russia says missile attacks on Kyiv will increase (Military Times)
Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian)
CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab)
New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer)
Event Overview: CONTI Leaks 2022 (BlueVoyant)
U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future)
North Korea: Up to $5 Million Reward (US State Department)
World's Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE)

Apr 17, 2022 • 8min
Satya Gupta: Rising to your contribution. [CTO] [Career Notes]
Co-founder and CTO of Virsec, Satya Gupta shares the story behind his more than 25 years of expertise in embedded systems, network security and systems architecture. He also talks about something a colleague told him that resonated with him. He said, "that was really a remarkable statement that I heard from that person. You rise to the point where you can actually contribute." He also discusses how he got into the startup atmosphere and how different scenarios in his life helped lead him to become the successful man he is in the cyber community. We thank Satya for sharing his story.

Apr 17, 2022 • 40min
CyberWire Live: Hack the Port 2022 Fireside chat. [Special Edition]
At the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity.

Apr 16, 2022 • 18min
A fight to defend Taiwan financial institutions. [Research Saturday]
Alan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss how Antlion, a Chinese state-backed hacker group, is using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and how the backdoor allowed the attackers to run WMI commands remotely.
Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." They have since found that this attack has been going on over the course of the past 18 months, in which 250 days were spent on the financial organization and around 175 days were spent on the manufacturing organization.
The research can be found here:
Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan

Apr 15, 2022 • 23min
Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.
Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73
Selected reading:
Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News)
Live Updates: Russia Sets Stage for Battle to Control Ukraine’s East (New York Times)
Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg)
Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune)
What Victory Day means for Russian identity (Washington Post)
Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian)
Finland and Sweden pursue unlinked NATO membership (Defense News)
What Finland Can Offer NATO (Foreign Policy)
U.S. warns energy firms of a rapidly advancing hacking threat (E&E News)
Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer)
Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer)
Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum)
US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future)
North Korea Designation Update (U.S. Department of the Treasury)
Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek)
Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice)

Apr 14, 2022 • 22min
A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72
Selected reading:
Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg)
INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant)
PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos (Dragos)
APT Cyber Tools Targeting ICS/SCADA Devices (CISA)
U.S. warns newly discovered malware could sabotage energy plants (Washington Post)
Industroyer2 Targets Ukraine’s Electric Grid: Here’s How Companies Can Stay Protected and Resilient (Nozomi Networks)
Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine)
Lazarus Targets Chemical Sector (Symantec)
Old Gremlins, new methods (Group-IB)
Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC)

Apr 13, 2022 • 25min
Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes its phish hooks. Patch Tuesday. Sentence passed in a sanctions evasion case.
Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71
Selected reading:
Why Russia’s Cyber Warriors Haven't Crippled Ukraine (The National Interest)
In Ukraine, a ‘Full-Scale Cyberwar’ Emerges (Wall Street Journal)
Russian hackers tried to bring down Ukraine’s power grid to help the invasion (MIT Technology Review)
Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired)
Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal)
Zhadnost strikes again… this time in Finland. (SecurityScorecard)
Anonymous Hits Russian Ministry of Culture- Leaks 446GB of Data (HackRead)
Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog)
Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog)
Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet)
Qbot malware switches to new Windows Installer infection vector (BleepingComputer)
Microsoft Releases April 2022 Security Updates (CISA)
Google Releases Security Updates for Chrome (CISA)
Citrix Releases Security Updates for Multiple Products (CISA)
Apache Releases Security Advisory for Struts 2 (CISA)
Valmet DNA (CISA)
Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA)
Inductive Automation Ignition (CISA)
Mitsubishi Electric GT25-WLAN (CISA)
Aethon TUG Home Base Server (CISA)
U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)

Apr 12, 2022 • 26min
Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB’s Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70
Selected reading:
Russia’s Reset (New York Times)
Russia will not pause military operation in Ukraine for peace talks (Reuters)
Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity)
CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine)
Russia's space programme hit by western cyber attack (The Telegraph)
Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead)
Russia’s Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy)
Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble’ aims of Russian invasion will be achieved (The Telegraph)
CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer)
CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)
Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio)
Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance)


