Cut to Dr. Evil's lair: "I know how we can cripple their information infrastructure — disable their ability to print newspapers!" https://t.co/LUcZhWOQlZ
— Mathew Ingram (@mathewi) December 30, 2018
Next they'll take out our fax machines. https://t.co/mIgdP61z7e
— Mike Masnick (@mmasnick) December 30, 2018
Update: Following Saturday's disruptions, Tribune says "distribution was successful across all properties for Sunday morning's paper." No further word on the source of the malware. https://t.co/sRBLzqFpml
— Brian Stelter (@brianstelter) December 30, 2018
As a follow-up, it is worth looking into whether Tribune Publishing, the former Tronc, cut back on digital security investments in what has been a very tumultuous fiscal management of that company. Most of their newspapers weren't available in Europe because of GDPR, for instance https://t.co/5N4hqj2uCf
— Raju Narisetti (@raju) December 30, 2018
Exercise healthy skepticism about the possible implications of this story. It relies on one anonymous source whose technical expertise is unclear.
The Pam Dixon quote at the end is nonsense. It doesn't take a sophisticated hacker to DDoS a newspaper platform. https://t.co/DwNUJcdfXi
— Eric Geller (@ericgeller) December 30, 2018
Oh wow. Though I’d be wary of quick attribution. “Cyberattacks” don’t have to be sophisticated or foreign to do real damage. Heck, sometimes they don’t even have to be attacks. But definitely worth learning what happened as best we can. https://t.co/pj8nHkUxr0
— zeynep tufekci (@zeynep) December 30, 2018
A thread on attribution as it pertains to Ryuk, Tribune Publishing, Lazarus Group, alliances, and operators vs developers.
— Robert M. Lee (@RobertMLee) December 31, 2018
Reports suggest that Ryuk ransomware was used in the attack on Tribune Publishing which ended up impacting others. This is already being used in reporting to tie the attack to North Korea government operations. While possible there’s way more nuance required. Let’s explore:
— Robert M. Lee (@RobertMLee) December 31, 2018
1. Ryuk hasn’t been confirmed by the company impacted yet although it’s absolutely plausible and makes sense. Worth noting though it’s an anonymous insider at this point and we don’t know their qualifications or involvement. As the story progresses it’ll be confirmed or evolve
— Robert M. Lee (@RobertMLee) December 31, 2018
2. If it’s Ryuk there’s a big difference between targeted against media and targeted against an org to get money because it was an open target. @hacks4pancakes covered that nicely in this thread https://t.co/roWGuE97SZ
— Robert M. Lee (@RobertMLee) December 31, 2018
3. Checkpoint did a really great job exploring Ryuk and found links to Hermes which was malware that had been attributed in use to Lazarus Group which has been attributed to North Korea at least in part. This leads people to do transitive attribution to say Ryuk is North Korea.
— Robert M. Lee (@RobertMLee) December 31, 2018
Here’s the link to the Checkpoint work: https://t.co/uLgQVAPhEZ
— Robert M. Lee (@RobertMLee) December 31, 2018
But here’s where we start running into problems (not including Checkpoint’s work, which was great). Attribution isn’t a transitive property nor is it binary. We can break this down piece by piece to explore some of the difficulties.
— Robert M. Lee (@RobertMLee) December 31, 2018
Lazarus is a combination of numerous intrusions and campaigns over years by various researchers and teams. The group has become conflated to represent anything North Korean. Some of the attribution for NK to Lazarus is impressive. But not all the intrusions tied to Lazarus are.
— Robert M. Lee (@RobertMLee) December 31, 2018
Further, it’s a high level of attribution to the overall group and we don’t know what aspects of Lazarus might represent the operators, the developers, alliances with criminals or other states, etc. Simply put, the attribution may be correct but not fleshed out
— Robert M. Lee (@RobertMLee) December 31, 2018
Which isn’t a problem for people who track Lazarus and isn’t a problem for the governments that add to that attribution with their own sources and want to hold North Korea principally responsible. But it becomes a problem if you want attribution to be transitive.
— Robert M. Lee (@RobertMLee) December 31, 2018
Finding a link from another piece of malware to the overall group doesn’t tell you if North Korea was involved, at all. It just represents a link that then needs to be analyzed, supported, and given its own unique assessment. Based on what’s available it’d be low confidence at best
— Robert M. Lee (@RobertMLee) December 31, 2018
And this isn’t just pedantic. It’s how intelligence analysis works. Finding links to take shortcuts for cybersecurity purposes is fine if it meets your requirement. No problem to researchers and vendors who do this. Seriously. But it becomes an issue in claiming attribution
— Robert M. Lee (@RobertMLee) December 31, 2018
It becomes a big issue if high profile victims like the NYT and WSJ come out and blame North Korea. It creates political pressure in the US and in NK. It can snowball if analysts use the transitive attribution to support their own analysis. It’s ultimately very sloppy and risky.
— Robert M. Lee (@RobertMLee) December 31, 2018
Links are important. They’re very impressive to find and really great work by researchers. Putting them into context and having them support an assessment is important work, work that is so far in this case seemingly missing.
— Robert M. Lee (@RobertMLee) December 31, 2018
So in short – I don’t disagree with anyone’s assessment, I just don’t see any actual assessments being made. Attribution isn’t as difficult to do as people make it out to be but it’s not simple and it’s not just based on links. Attribution has impact and should be treated as such
— Robert M. Lee (@RobertMLee) December 31, 2018
Yuuup. Smartly-deployed ransomware worm, but a ransomware worm they couldn’t contain, nonetheless… https://t.co/pA9WtnjMq2
— Lesley Carhart (@hacks4pancakes) December 30, 2018
“Targeted” is becoming such a vague key operator in coverage and legal/political discussions about cyberattacks. Orgs use it when an adversary spends months building persistence to exfiltrate data, or launch an ICS payload, but also “you know who has bad hygiene and would pay out?”
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Targeting of “I want to take down the NYT press infrastructure” is a very different scenario from, “NYT is a good target of opportunity for a cash grab and a worm will spread nicely on their network.”
— Lesley Carhart (@hacks4pancakes) December 30, 2018
And that distinction is super important in an era where people genuinely want to harm free press.
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Why does this matter?
– It may devalue potential future attacks in which long term crippling of free press is the primary goal.
– It makes mitigating worm spread or ransomware attacks sound unattainable.
– It can be used as legal / insurance / PR cover for inadequate security.
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Don’t get me wrong. Ryuk is particularly nasty because there’s historically been some actual forethought put into how to configure it to spread and encrypt servers on a specific network. But standard ransomware mitigations, planning, and vulnerabilities still apply…
— Lesley Carhart (@hacks4pancakes) December 30, 2018
And this is only going to become more common as adversaries realize that spreading ransomware to specific orgs with underfunded security or owners of interesting stuff they see unpatched on Shodan is lucrative.
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Hospitals aren’t good ransomware targets of opportunity in order to kill people. They’re good targets of opportunity because they’re big, flat, unpatched networks with poor recovery plans that people will pay a lot to decrypt data from.
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Anyway, if this ends up true, the narrative we’re likely going to see for the next few weeks is, “DPRK Attacks US News Infrastructure” – and while that statement may be technically correct, it misses a lot of nuance, may lead to faulty assumptions, and doesn’t really help infosec.
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Obligatory exception scenario:
This ransomware was primarily deployed to mask some other nefarious activity that has not been detected or reported. 🤷🏻♀️
That hasn’t been noted in previous documented uses of Ryuk, though. It has been an effective criminal money-making tool.
— Lesley Carhart (@hacks4pancakes) December 31, 2018
She's been talking about this too. I don't think I've said anything wildly conflicting from her own speculation.
— Lesley Carhart (@hacks4pancakes) December 31, 2018
We’ve had printing problems the past few days due to a suspected malware attack on Tribune Publishing, but we got these puppies out quick (via @AvajoyeWJZ) pic.twitter.com/xtOQWi55hi
— Justin Fenton (@justin_fenton) December 31, 2018
Tribune Publishing continues investigation of malware attack as some processes still affected https://t.co/Ih4KLEwXm5
— Bruce Dold (@BruceDold) December 31, 2018
A cyberattack on the Tribune Publishing Company's computer system led to printing and distribution problems at major newspapers. https://t.co/XuDjTuG0D7 pic.twitter.com/mw5YQ8XZuD
— 48 Hours (@48hours) December 31, 2018
At the desk. You may have seen that because of a malware attack on Tribune Publishing we have been producing jury-rigged print editions for the past two days. Still at it. Light For All.
— John McIntyre (@johnemcintyre) December 30, 2018