Robin’s Newsletter #197

27 March 2022. Volume 5, Issue 13
The rise, and fall?, of Lapsus$ as Okta confirm breach. US CNI cyberattack warning. Build capabilities, not plans for resilience.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Okta breached by Lapsus$ group

Lapsus$ group posted screenshots of identity management company Okta’s ‘super admin’ backend system this week. Amidst a bungled PR response the company sought to downplay the breach, while also acknowledging that the screenshots were linked to a “detected an attempt to compromise the account of a third party customer support engineer” in January. Having tried to reassure customers that there was ‘no evidence’ of ongoing compromise, Okta subsequently revised up its estimates, saying that 2.5% of customers may have been affected.

Lapsus$, a cybercrime group focused on extortion, has exploded onto the scene in recent months, with compromises of Samsung, NVidia and, also confirmed this week, Microsoft.

Now it seems like these may have been made possible by compromising a third-party customer support worker at Okta and using their administrator permissions to gain onward access to Okta’s customers. (Lapsus$ claims not to have taken a copy of Okta’s database).

This type of consolidation, or aggregation, is what concerns cyber insurance companies: compromise of a substantial provider that has knock-on effects on a wider range of customers in the supply chain. Traditionally that’s been on availability of the three main cloud providers — Amazon, Google and Microsoft — then Solarwinds provided an example for how an integrity attack looks, and now Okta rounds things out with a confidentiality example.

It also shows the importance of thorough incident response investigations and the need to improve breach reporting: especially for vendors with onwards access into customer networks. While the incident was detected and ‘contained’ in January, the damage was done and customers have been falling victim ever since.

The desire to shout about their successes has drawn a lot of attention to the Lapsus$ group who also appear to have pretty terrible ‘operational security’ (or opsec) to protect their identities. The City of London Police said that seven individuals, aged between 16 and 21, had been arrested and ‘released under investigation’ for their possible involvement in the Lapsus$ group.

On Twitter, a 16-year-old from Oxford was outed as being the ringleader of the group. (The police wouldn’t be drawn on the link). Both Brian Krebs and Vice Motherboard’s Joseph Cox takes a deeper look at the history of Lapsus$, ‘WhiteDoxbin’ and their involvement in the compromise of EA in June 2021 (vol. 4, iss. 24).

Meanwhile, Microsoft, who calls the group DEV-0537, has a thorough write up on the social engineer and privilege escalation tactics and techniques of the group. Redmond confirmed the group’s claims that they had been able to exfiltrate Microsoft source code, though that this single account granted limited access and that no customer code or data was involved. (no breach) (customer support) (revised estimate), (arrests)

Interesting stats

$6.9 billion reported cybercrime losses reported, across 847,376 complaints, to the FBI’s Internet Crimes Complaint Center (IC3) in 2021, with 35% being attributed to Business Email Compromise (BEC), which had the highest financial toll:

A bar chart showing the five highest financial tolls from cybercrime in 2021. Business Email Compromise accounts for $2.4 billion of the $6.9 billion total. (Source: IC3)

$1,800/month the average salary earned by a member of the Conti ransomware group, according to Secureworks,  3.3x the average Russian household income.

5 minutes 50 seconds median time taken for LockBit’s ransomware to encrypt 53GB of data,  24 minutes 16 seconds median time for REvil’s code, and 59 minutes 34 seconds for Conti’s ransomware, according to tests conducted by Splunk

A table showing the time taken by ten different ransomware varieties to encrypt 73GB of data. (Source: Splunk)

Other newsy bits

White House cyberattack warning

President Biden said it was the “patriotic obligation” of critical infrastructure providers to prepare for Russian cyber-attacks this week. The White House warning comes following unprecedented sanctions against the Russian state and attacks are anticipated in response as these start to bite.

The Cybersecurity and Infrastructure Agency (CISA) followed up with an ‘informational call’ with 13,000 organisations that lasted three hours on Tuesday (or over 19 person-years of collective effort!)

In the UK, the National Cyber Security Centre (NCSC) echoed the warning and importance of ‘vigilance’ while simultaneously saying it is “unaware of specific, targeted threats to the U.K. resulting from Russia’s illegal invasion of Ukraine”.

Making significant changes in compressed timescales can lead to self-inflicted incidents and outages though. Preparations are important, but should also be done within the capability of the organisation (see Interesting reads below).

That said, while lacking specific examples, it’s important to remember that these sorts of statements are likely made based on credible intelligence, much like the certainty with which ‘Put will invade Ukraine in X days’ type statements were. (And the US intelligence apparatus is substantial.)

And, of course, cyber risk is only one element that businesses need to consider. The legal risk from sanctions (such as buying or selling products or services directly or indirectly from restricted entities) will be occupying some boardrooms while rising oil costs and the impact on manufacturing and logistics will be driving financial risk conversations. The latter two are immediately visible. Managing availability bias in decision making will be important to weigh up the correct course of action.

CISA’s Shields Up website has more information on what organisations can do to prepare. (UK) (3hr call)

Interesting reads

Capabilities, not plans

I’m largely of the opinion that efficiency and resilience are either ends of a see-saw. Optimising for efficiency inherently de-optimises for resilience. Just-in-time production does not hold the inventory to continue production as the result of supply chain disruption.

I now realise that’s focussing on a single facet: capacity.

When it comes to consulting engagements I often talk to execs in terms of capacity, but also capability. (And, to be complete, coverage.)

This blog post by Phil Venables is a great dive into how resilience is about ‘capabilities, not plans’. You cannot produce contingency or response plans for every scenario you may face and, crucially, when adrenaline is pumping, the last thing anyone will want to do is consult a weighty tome.

Investing in capabilities and understanding how they can support, interact and fill in for each other within those risk scenarios can be a powerful thing. Rather than testing the whole, test — or better still use — the parts regularly for the greatest results.

Reporting cyber risk to boards

How to effectively engage and communicate cyber risk to boards is a common problem. Cyber security is simultaneously a high-level business issue that often manifests in low-level, deeply technical issues. There are some useful pointers and suggestions for how to approach metrics and key risk/performance indicators in Jason Trost’s Twitter thread: “The number one danger of metrics for cyber risk is that they begin to reflect work done or effort applied, instead of risk reduction. A Board or executive team must rigorously push back against the inclusion of such metrics”. I haven’t had a chance to read the full paper yet, also linked below.

In brief

Attacks, incidents & breaches

  • ELTA, the Greek postal service, has become a victim of ransomware actors, who exploited an unpatched vulnerability to gain access
  • UK Ministry of Defence shuts down Army careers website (run by outsourcer Capita) confirming data breach affecting ~125 applicants
  • Nestlé pushes back on accusations of a breach, saying data was ‘randomised and predominantly public’ test data
  • Apple suffered a substantial outage affecting lots of the company’s customer and internal operations … though I’m not convinced the falling back to pen and paper is quite the ‘fail’ that Twitter users thought it was @RTO 

Threat intel

  • DarkHotel group, with suspected links to South Korea, is back and targeting luxury hotels in China
  • BlackCat ransomware-as-a-service operation linked to BlackMatter/DarkSide group, which hit Colonial Pipeline last year, by researchers at Cisco
  • Chinese links to macOS GIMMICK malware that uses Google Drive as part of C2 and exfiltration
  • Trustwave researcher says phishing campaign is using Microsoft Compiled HTML Help (CHM) files to silently run malware
  • Two North Korean government-backed groups have been running campaigns targeting media, IT, FinTech and cryptocurrency businesses with a 0-day Chrome exploit, says Google

Cyber defence

  • ‘Browser-in-the-browser’ (BitB) phishing technique uses HTML and CSS to spoof hyper-realistic OAuth login pages
  • Federal Communication Commission says Kaspersky pose ‘unacceptable risk’ to US critical infrastructure and places the firm on the same list prohibiting the use of Huawei and ZTE telecommunications gear

Security engineering

  • ‘Motivating Jenny to write secure software’ was an NCSC/RISCS research project that has resulted in a developer security toolkit. “it quickly became clear that motivation was not the central issue. The core problem was how to create conditions under which developers can appropriately apply the security knowledge they have gained”,
  • Good primer on the open-source community and ‘protestware’
  • Researchers find 218 malicious packages targeting “the entire @azure npm scope” in an attempt to catch out unwitting developers

Internet of Things

  • Honda cars manufactured between 2016 and 2020 are vulnerable to replay attacks that can lock/unlock doors, boot and even remote start the engine


  • Concerns over renewal of centralised access to UK patient data as legal basis becomes unclear as emergency pandemic powers fall away
  • ‘Agreement in principle’ over new EU-US agreement to underpin trans-Atlantic data flows

Law enforcement

  • Unseal indictment sets out criminal charges against four Russian FSB and defence ministry employees for their parts in attacks against US energy companies using the Haves and Triton malware. Also known as DragonFly, Energetic Bear or Crouching Yeti, the group believed to be behind the 2017 attack against a Saudi refinery,
  • Estonian national Maksim Berezan was sentenced to five and a half years in prison for role in 13 ransomware attacks that caused $53 million in losses

Mergers, acquisitions and investments

  • ‘Secure enterprise browser’ startup Island has raised $115 million Series B funding, just a couple of months after announcing $100 million of initial funding, valuing the firm at over $1 billion. Island’s ‘Enterprise Browser’ product bakes in security controls, such as a limitation on copy and paste, screenshots and web isolation
  • Avast has acquired identity and access management firm SecureKey for an undisclosed sum
  • F-Secure, the Finnish-headquartered Withsecurecyber security company, is splitting its consumer and business arms, with the latter rebranded ‘WithSecure’

And finally 

FBI geotargeting ads at disgruntled Russian diplomats

FBI counterintelligence operations are placing adverts to target Russians disillusioned with Putin’s Ukrainian invasion. The ads, running across Facebook, Twitter and Google, are geofenced to those near the Russian embassy in Washington. Using paid social media ads is a technique straight out of Russian disinformation playbooks.


  Robin's Newsletter - Volume 5

  Okta Lapsus$ Microsoft Risk aggregation Risk concentration Solarwinds IC3 Cybercrime Ransomware Business Email Compromise Russia Ukraine Resilience Capabilities Key Risk Indicators Key Performance Indicators Security Metrics Board