Srsly Risky Biz: Thursday March 24

Starlink a military target, Okta lost in translation

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

SpaceX's CEO Elon Musk has, perhaps without thinking, painted a big fat military target on the company's Starlink satellite service.

Many companies have expressed support for Ukraine by either pulling out of or restricting sales and services to the Russian market. SpaceX has taken a different approach and actively provided extra services to Ukraine. These services are now enabling a lethal military function.

Starlink's Ukrainian debut appears to have been initiated over Twitter in the initial days of the war. Mykhailo Fedorov, Ukrainian Vice Prime Minister and Minister of Digital Transformation tweeted:

@elonmusk, while you try to colonize Mars — Russia try to occupy Ukraine! While your rockets successfully land from space — Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.

Within 12 hours SpaceX CEO Elon Musk replied:

Starlink service is now active in Ukraine. More terminals en route.

SpaceX was already planning to offer services in Ukraine, but had been waiting for formal approval from the Ukrainian government. That formal letter hadn't arrived prior to the invasion, but Fedorov's tweet was good enough. In a March 7th talk at the California Institute of Technology, SpaceX President and COO Gwynne Shotwell described the approval process. "They tweeted at Elon and so we turned it on," she said. "That was our permission. That was the letter from the minister. It was a tweet."

Expediting Starlink services and sending user terminals to a country that could expect internet outages seems fair enough. Shotwell described it as "the right thing to do" and highlighted the importance of the free flow of information. "I think the best way to uphold democracies is to make sure we all understand what the truth is," she said.

Since then, however, Starlink has been used in Ukrainian military operations. This makes sense of course, as it appears the Ukrainian military's ViaSat SATCOM capability was disabled by a (likely) Russian cyberattack and the Ukrainians needed to find some way to fill that void.

One particularly eye-catching claim is that Starlink is being used by Aerorozvidka (the Ukrainian Army's drone operations unit) to destroy Russian military equipment. The Telegraph describes how remote drone teams use Starlink to access targeting intelligence:

Drone teams in the field, sometimes in badly connected rural areas, are able to use Starlink to connect them to targeters and intelligence on their battlefield database. They can direct the drones to drop anti-tank munitions, sometimes flying up silently to Russian forces at night as they sleep in their vehicles.

And The Times reports a Ukrainian Aerorozvidka (drone operations) officer saying "If we use a drone with thermal vision at night, the drone must connect through Starlink to the artillery guy and create target acquisition".

Aerorozvidka uses a variety of drones including Ukrainian-built Punisher drones and modified octocopters. We doubt any of these drones are communicating directly over Starlink, but connecting data streams from a drone to elsewhere via Starlink is certainly a possibility.

The legal experts on military operations in cyberspace and space we asked all agreed that this type of use made the Starlink system a legitimate military target.

Duncan Blake, founder of the Woomera Manual for the law of military space operations, thought both the Starlink system and ViaSat could be legitimate targets for the Russians. He cautioned that this "doesn’t mean that the Russians can actually attack whatever they want in whatever way they want in the Starlink or ViaSat system".

Dr William Boothby, expert in new weapons technologies and the law and member of the Tallinn Manual Group of Experts, thought that ViaSat was not a legitimate target because he believes the Russian invasion as a whole was an "unlawful aggression". If so, then "activity that prepares for and indeed is part of such an event is tainted by the same illegality".

Leaving aside the legality of the invasion as a whole, Boothby agrees that Starlink is a "lawful target for attack". He noted that targeting law "would require that the attack be limited as far as possible to the elements of the network that are making that 'effective contribution to military action'".

In practice, this means every form of attack is at least a possibility. These range from attacks on satellites in orbit (anti-satellite missiles, or energy weapons such as lasers or microwaves) to conventional military attacks on user terminals in Ukraine, to cyber attacks on any part of the system.

Dr Malcolm Davis, Senior Space Security Analyst at ASPI, doesn't think a kinetic attack on a satellite likely, but thought a "soft-kill counterspace attack against some Starlink satellites wouldn’t be beyond the realms of possibility". He even thinks SpaceX's status as a private company could make it more likely. An attack of this kind would be escalatory, but not as much as a direct attack on a US government-owned satellite.

In the case of Starlink, a denial-of-service cyber operation would objectively be better than any kind of kinetic or energy weapon attack in two ways. Firstly, destroying satellites by onesies and twosies won't make much of a dent in the 1600-strong Starlink constellation, whereas a clever cyber attack could disrupt the whole constellation. Secondly, although it is unlikely that Starlink will be attacked by anti-satellite missiles, a cyber operation wouldn't create a debris cloud, a potentially life-threatening hazard to other space activities.

SpaceX has already responded to jamming, with Musk tweeting:

Some Starlink terminals near conflict areas were being jammed for several hours at a time. Our latest software update bypasses the jamming.

Am curious to see what’s next!

Musk doesn't appear to be taking any steps to turn down the temperature for SpaceX or himself. He's challenged Russian President Vladimir Putin to "single combat" using only his left hand.

Both Boothby and Blake think SpaceX and its staff should be safe from physical attack as they are not participating directly in hostilities. The problem, of course, is that Putin doesn't appear to be restrained by the niceties of international law. Here's hoping that Musk checks his tea with a geiger counter.

On Lapsus$ and Okta

The (possibly) South American Lapsus$ data theft-for-extortion group has been on an absolute tear recently, claiming some high-profile scalps including Nvidia, Samsung, Ubisoft, Microsoft and, perhaps worst of all, identity and authentication company Okta. (Disclosure: Okta is a sponsor of the Risky Business podcast).

In many of these cases it is a bit hard to see what Lapsus$ actually wants — they don't use ransomware but still cause harm by deleting files and virtual machines. They don't seem to ever successfully negotiate a ransom to not publish, so end up releasing large amounts of stolen material. This material has included source code and also code-signing certificates from Nvidia and Microsoft.

For Okta, however, the reason is obvious. Okta manages login and authentication information for over 15,000 businesses, so access to Okta could potentially enable access to downstream customers. Rich pickings indeed.

On Monday Lapsus$ claimed to have breached Okta by posting screenshots to its Telegram channel. The screenshot looked like it came from the workstation of a third-party contractor providing Okta support. What could Lapsus$ do with that kind of access?

Unfortunately, despite three Okta statements in a single day (and a fourth today) — we are none the wiser. We now know that 2.5% of Okta's customers were potentially affected (only 366!), but we don't really know how they may have been affected. We've only been told what Lapsus$ couldn't do, not what they could do:

The potential impact to Okta customers is limited to the access that support engineers have. These engineers are unable to create or delete users, or download customer databases. Support engineers do have access to limited data - for example, Jira tickets and lists of users - that were seen in the screenshots. Support engineers are also able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to obtain those passwords.

What do we do with that statement? What are the threats that customers should be on the lookout for? Could the group enrol new MFA devices? Or does resetting MFA revert to the enrol-on-first-logon default CISA warned about last week?

As for Lapsus$, Microsoft's MSTIC has published a report on the group which covers the ways that it gains initial access. These include simply buying credentials and tokens on forums, using password-stealing malware, paying insiders for credentials and MFA approval (we said this'd be a thing), and searching code repositories for credentials. They'd also compromise personal devices, which could provide credentials and are also often used as second factors for authentication or password recovery.

Okta says it will give each "potentially" affected customer a report showing what actions were performed by the compromised third party. Could Lapsus$'s standard tricks combine with its Okta access to achieve something more? Let's see.

For its part, Lapsus$ is delighting in Okta's ham-fisted response. Talk about feeding the troll. Do better, Okta.

"The Russians are Coming!"

Speaking of ineffective messaging, US President Joe Biden has sounded the alarm on possible Russian cyberattacks against American targets.

Biden not only released a formal statement that spoke of "evolving intelligence that the Russian Government is exploring options for potential cyberattacks," but also personally addressed the topic at a business roundtable. Biden said of Putin that "the more his back is against the wall, the greater the severity of the tactics he may employ". Biden then warned "the magnitude of Russia's cyber capacity is fairly consequential, and it's coming."

Biden has likely received a briefing that is alarming enough to get him talking publicly, so there are probably good reasons to be concerned. We think, however, the Biden administration missed the mark with its messaging by just repeating prior warnings with greater urgency. We've known about potential Russian cyber attacks for a while and Biden's statement recycles some of the language in CISA's February 24th "Shields Up" warning, so there is not any new actionable information here.

So what to do? This warning doesn't come with any actionable intelligence, so if an attack comes tomorrow there is very little that can be achieved today.

Both CISA and the White House have lists of recommended actions. CISA's advice is actively being updated — for obvious reasons it now includes advice on strengthening SATCOM cyber security. If you haven't had a look already, these lists are a good place to start.

While they might be bereft of actionable information, we feel these warnings represent an enduring change in the way that organisations should be managing their cyber risk. Even if the war in Ukraine ends tomorrow, the driving factors that might cause Russia to strike out — Russian isolation, sanctions, international pressure, economic decline — will continue. This isn't a short-term blip where things return to normal within weeks.

For most organisations almost all cyber security decisions will have been made with the assumption that state actors weren't motivated to cause mischief, mayhem and destruction. But the world is different today and that assumption is likely no longer true. So any CISO worth their salt should be reassessing their organisational posture — what was appropriate a month ago might be insufficient today.

Three Reasons to be Cheerful this Week:

  1. Tell Us More: ChronoPay founder and chronic large-scale scammer Pavel Vrublevsky has been arrested in Russia. The best part: Brian Krebs received data from ChronoPay's Confluence server where Vrublevsky was keeping an extensive diary that documented links between Russia's cyber crime underground and its security services.
  2. A Little Bit Less Snake Oil: Adam Rogas, the co-founder and former CEO of cyber fraud prevention company NS8 has been arrested for securities fraud.
  3. Don't Threaten us With a Good Time: The FIDO alliance is increasingly confident all the pieces are in place to create a passwordless future. Bring it on.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Proofpoint's Executive Vice President of Cybersecurity, Ryan Kalember, walks Patrick Gray through Proofpoint's Nexus People Explorer. It helps to manage risk by showing who the most targeted and most vulnerable people are in your organisation.

You can subscribe to our product demo page on YouTube here.
Yet Another (Good) Phish Kit

Phishing techniques continue to get more convincing. mr.d0x, a security researcher, described a Browser In The Browser (BITB) attack that can spoof an OAuth login popup window (such as "login with Facebook", "login with Google", etc) by using HTML/CSS to mimic the appearance of a new popup window. This fake popup can appear to use an authentic URL and is almost indistinguishable from the real thing, except that it is not actually a separate browser window, so the popup can't be resized or moved outside the primary browser window. But this'll work on a lot of people. More FIDO security keys please!

Trust Us, We Hate You

There have been several examples of Ukraine "protestware" supply-chain attacks. The minor examples issue statements calling for peace, but perhaps the most damaging are geolocation-based wipers. The node-ipc npm library, for example, was modified to wipe files if a system's IP address was in Belarus or Russia.

Russia's National Coordination Centre for Computer Incidents (NKTsKI) has warned companies to use local repositories and software versions from before 24 February.
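One practical way to act on the "versions from before 24 February" advice above, in light of the node-ipc wiper, is to cross-check a lockfile against publish dates. This is an added example (not code from the newsletter, from NKTsKI or from any project named here); it assumes the package-lock.json v2/v3 layout and the npm registry's per-package "time" map, and every package name, version and date in it is constructed sample data.

```python
"""Flag npm dependencies whose installed version was published after a cutoff date.

Added example (not from the newsletter or from any project it names). Inputs follow
the shape of package-lock.json v2/v3 ("packages" -> "node_modules/<name>" -> "version")
and the npm registry's per-package "time" map ({"<version>": "<ISO timestamp>", ...}).
All names, versions and dates below are constructed sample data.
"""
from datetime import datetime, timezone

CUTOFF = datetime(2022, 2, 24, tzinfo=timezone.utc)  # date from the NKTsKI advice

def parse_npm_time(ts: str) -> datetime:
    # Registry timestamps look like "2022-03-07T21:14:53.000Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def installed_versions(lock: dict) -> dict:
    """Map package name -> installed version from a v2/v3 package-lock."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project, not a dependency
        # nested installs are node_modules/a/node_modules/b; keep the innermost name
        out[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return out

def flag_after_cutoff(lock: dict, registry_time: dict, cutoff: datetime = CUTOFF) -> list:
    """Return (name, version, published) for each dependency published on or after
    cutoff; published is None when the registry has no record for that version."""
    flagged = []
    for name, version in installed_versions(lock).items():
        published = registry_time.get(name, {}).get(version)
        if published is None or parse_npm_time(published) >= cutoff:
            flagged.append((name, version, published))
    return flagged

# Constructed sample data, not real registry records.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/some-ipc-lib": {"version": "10.2.0"},
        "node_modules/some-ipc-lib/node_modules/colorful": {"version": "2.0.0"},
    },
}
SAMPLE_REGISTRY_TIME = {
    "left-pad-ish": {"created": "2018-01-01T00:00:00.000Z", "1.3.0": "2018-01-01T00:00:00.000Z"},
    "some-ipc-lib": {"10.1.0": "2021-11-03T12:00:00.000Z", "10.2.0": "2022-03-07T21:14:53.000Z"},
    "colorful": {"1.0.0": "2020-05-05T00:00:00.000Z"},  # 2.0.0 has no publish record
}
```

Calling `flag_after_cutoff(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME)` reports the post-cutoff `some-ipc-lib@10.2.0` and the unrecorded `colorful@2.0.0`; a version with no publish record is flagged deliberately, since a missing record is exactly what a mirror fed from an untrusted source would look like.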

A New Use for Compromised Routers

Cyclops Blink, the Sandworm (aka Russian GRU) botnet the US and UK warned about recently, is also targeting ASUS routers. Initial reports indicated Cyclops Blink focussed on WatchGuard firewall devices, but it makes sense for this kind of botnet to operate across a portfolio of common networking hardware.

We believe part of the purpose of Cyclops Blink is to act as a private VPN to obfuscate command and control, which seems de rigueur now. Even criminal botnets use other botnets for that purpose — Trickbot is using compromised MikroTik routers to hide its C2.

Less Meat for the Grinder

Miratorg, Russia's largest agribusiness and meat producer, has been hit by a cyber attack which used Windows BitLocker to encrypt files. We don't suppose anyone is expecting to get paid in rubles these days, so deliberate disruption seems the likely motive.

It's hard not to feel schadenfreude given the war in Ukraine, but this is the kind of incident that could lead to a tit-for-tat response. Russia's agricultural production regulatory agency described the incident as "a manifestation of the informational and economic 'total war' that the collective West unleashed against Russia," although that news article has since been taken down.

Keeping the Packets Flowing in Ukraine

Thomas Brewster has a good article on the efforts Ukrainian engineers are taking to keep the internet working in a war zone.

Seriously Risky Business is taking a week off. The next edition will be on 7 April.