A widely reported Russian hack of Burlington Electric, a Vermont utility, amounts to far less than alarmists feared. An employee's laptop, not connected to grid controls, communicated with an IP address associated with, but not exclusively used by, threat actors. Inspection revealed signs of the Neutrino exploit kit on the device, but that is circumstantial evidence at best of the Russian hacking initially reported: a match on a shared indicator is not attribution. There are indeed risks to the North American grid, but this doesn't appear to be one of the serious ones. Links to the initial reports and to subsequent qualifications and critiques appear below.
Russian disinclination to retaliate for US expulsion of Russian diplomats last week is drawing generally favorable (usually begrudgingly favorable) notices. Security analysts tend to agree that, while it's reasonable to conclude there were GRU and FSB intrusions into US political party networks during the election season, voting itself was not manipulated. The US Intelligence Community has high confidence in its attribution of the hacks to Russian intelligence services, but last week's FBI and NCCIC Joint Analysis Report on Grizzly Steppe draws tepid reviews, its case seen by many as disappointingly circumstantial.
Anonymous resurfaces in the new year, defacing a Bilderberg Group website to demand a change of heart from the Bilderbergers' elite membership.
ISIS is back online, claiming responsibility for massacres in Istanbul and Baghdad. The declared motive of the former (responding to Abu Bakr al-Baghdadi's inspiration) was "revenge" against Turkey. The latter was intended simply to kill "a gathering of Shia."
Today's issue includes events affecting China, Estonia, European Union, Georgia, Germany, India, Iran, Iraq, Israel, Democratic People's Republic of Korea, Moldova, Pakistan, Russia, Syria, Turkey, Ukraine, United Kingdom, United States.
From all of us at the CyberWire, best wishes for a happy, safe, healthy, and prosperous 2017 to our readers and listeners.
ON THE PODCAST
The CyberWire podcast returns to its regular programming today, featuring an interview with ICS expert Joe Weiss on the Burlington Electric incident and other, more significant, concerns about the cyber security of the North American power grid. We'll also hear from our partners at Level 3, as Dale Drew shares some predictions for 2017.
If you've been enjoying the podcasts, please consider giving us an iTunes review.
Today we also have a new special edition of our Podcast. The topic is buying cyber security. Every day there seems to be a new security product on the market, with many of them claiming to provide something that you simply can’t live without. Companies appear and disappear, and businesses are faced with difficult, confusing, and often expensive choices. In this CyberWire special edition, we explore how businesses are navigating the process of choosing products and technologies in a crowded marketplace. We talk to some key stakeholders to find out what drives their purchasing decisions, and what they wished their vendors knew before they came knocking on their doors.
Cyber Attacks, Threats, and Vulnerabilities
Islamic State claims responsibility for Istanbul nightclub attack(Washington Post) The Islamic State claimed responsibility Monday for a deadly rampage at an Istanbul nightclub on New Year’s Eve, an assault by a single gunman that killed dozens of people and served as an ominous reminder of the consequences of Turkey’s expanding war against the Islamic militants in Syria
"Fake News" And How The Washington Post Rewrote Its Story On Russian Hacking Of The Power Grid(Forbes) On Friday the Washington Post sparked a wave of fear when it ran the breathless headline “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” The lead sentence offered “A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials” and continued “While the Russians did not actively use the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter, the penetration of the nation’s electrical grid is significant because it represents a potentially serious vulnerability”
Russian hackers strike Burlington Electric with malware(Burlington Free Press) A Russian hacking group, suspected of trying to influence the U.S. presidential election, struck Burlington Electric, one of Vermont’s electrical utilities, according to the Department of Homeland Security
Russian cybersecurity intelligence targets critical U.S. infrastructure(Washington Times) U.S. intelligence agencies recently identified a Russian cybersecurity firm, which has expertise in testing the network vulnerabilities of the electrical grid, financial markets and other critical infrastructure, as having close ties to Moscow’s Federal Security Service, the civilian intelligence service
Campaign Evolution: pseudo-Darkleech in 2016(Palo Alto) Darkleech is a long-running campaign that uses exploit kits (EKs) to deliver malware. First identified in 2012, this campaign has used different EKs to distribute various types of malware during the past few years. We reviewed the most recent iteration of this campaign in March 2016 after it had settled into a pattern of distributing ransomware. Now dubbed “pseudo-Darkleech,” this campaign has undergone significant changes since the last time we examined it. Our blog post today focuses on the evolution of pseudo-Darkleech traffic since March 2016
Droidpak: A sneak attack on Android devices via PC malware(Storm Infosec) Symantec researchers have found what they are calling the first known example of Windows malware specifically designed to infect Android devices. “We’ve seen Android malware that attempts to infect Windows systems before,” mentioned Flora Lui, author of the Symantec post announcing Droidpak. “Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices”
How a U.S. Utility Got Hacked(Wall Street Journal) Michigan utility paid $25,000 ransom to get back into its systems after hackers from overseas took over its computers
Attack and loss: ransomware 2016(360 Total Security) Ransomware, a class of trojan that encrypts files, has become a new and rapidly growing type of cybercrime. The 2016 Ransomware Report recently released by 360 Security Center presents that
Social Engineering Attacks on Government Opponents: Target Perspectives(Proceedings on Privacy Enhancing Technologies) New methods of dissident surveillance employed by repressive nation-states increasingly involve socially engineering targets into unwitting cooperation (e.g., by convincing them to open a malicious attachment or link). While a fair amount is understood about the nature of these threat actors and the types of tools they use, there is comparatively little understood about targets’ perceptions of the risks associated with their online activity, and their security posture
Record wave of phishing comes to an ebb in autumn 2016(Help Net Security) The Anti-Phishing Working Group reports that the year’s record wave of phishing subsided in the autumn. According to the APWG’s new Phishing Activity Trends Report, the total number of phishing websites detected in the third quarter of 2016 was 364,424, compared with 466,065 in the second quarter — a decline of 25 percent
G DATA looks into the future(Trojaner-Info) The IT security company G DATA has compiled an outlook on IT security trends and forecasts for 2017. The forecasts cover key topics such as the cloud, phishing and spam using personal data, adware, smartphones, targeted attacks on companies, ransomware, the Internet of Things and emerging technologies
The Age of Resilience – Security in 2017(Flipboard) Security is one of the few tech sectors that thrives primarily thanks to the cruel intentions of bad actors. White hats and black hats exist symbiotically. Without the criminal element to create demand, CISOs would just hang up their spurs and call it a day
Exploring trends in automated crypto trading(Help Net Security) Despite the risks, many traders continue to be attracted to cryptocurrency trading due to the earning potential it offers. Sasha Ivanov, CEO of Waves, explains that the crypto market is inefficient, opportunities for arbitrage exist between exchanges, and the market is very volatile and unregulated with a constantly shifting landscape
E-wallet companies grow fast, but not covered for cyber attack (Economic Times) Mobile wallet companies, expanding rapidly to cash in on the opportunity of the government's push to scale up digitisation, are not taking adequate insurance cover against an obvious risk of cyber attacks and that could put their customers' money in jeopardy in case of attack, industry insiders said
Gigamon: A Falling Knife, And Some Nasty Cuts, But Some Significant Share Price Opportunities(Seeking Alpha) Gigamon is a company most often considered to be in the cybersecurity space. It basically sells data visibility solutions that are often used as part of a cybersecurity fabric. The shares have been noticeably weak since making a high a few weeks ago and have pulled back by 25%. The company introduced its long awaited joint solution with AWS in the last few weeks. The consensus growth forecast for 2017 seems significantly compressed compared to a more likely progression. In the wake of the share price pullback, valuation parameters, while not at value levels, have reached what many consider to be an attractive entry point
Cyber Threat Startup Quickly Detects Grizzly Steppe: JAR-16-20296 Threats(Satellite PR) On December 29, the Department of Homeland Security, working with the FBI, released the Joint Analysis Report (JAR) titled “Grizzly Steppe,” through US-CERT. That day, the DHS Automated Indicator Sharing (AIS) platform released machine-readable indicators to detect threats discussed within the JAR document. In lay terms, DHS cyber intel analysts identified a potential threat, and distributed data used by automated cyber threat detection systems. Companies can then use this data to automatically detect the same threat on their own systems and take appropriate steps to protect themselves
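What "automatically detect" amounts to in practice, and why the Burlington laptop match described at the top of this issue was weak evidence, is shown by the following added example. It is not code from the Satellite PR piece, from DHS, or from any vendor. It consumes a flat indicator list, matches exact IPs, address ranges and domains against firewall and proxy log lines, and grades each hit so that shared infrastructure (a Tor exit node, a bulk hosting range) is treated as context rather than as an alert on its own. The CSV column layout, the log line format and every address and hostname are constructed for the example (RFC 5737 documentation ranges and a reserved `.invalid` domain); the JAR's real indicators and the STIX/TAXII form AIS actually distributes are not reproduced here.

```python
"""Match a flat network-indicator feed against firewall/proxy logs and grade hits."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed indicator feed (not the real JAR list). Column names are assumed.
INDICATORS_CSV = """indicator,type,description
198.51.100.7,ipv4,"C2 infrastructure"
203.0.113.0/24,ipv4-net,"Hosting provider range, shared"
192.0.2.44,ipv4,"Tor exit node"
badexample.invalid,domain,"phishing domain"
"""

# Constructed syslog-style firewall/proxy lines; not from any real utility.
LOG_LINES = """Jan 03 09:14:02 fw01 allow src=10.20.30.5 dst=198.51.100.7 dport=443
Jan 03 09:15:11 fw01 allow src=10.20.30.5 dst=93.184.216.34 dport=80
Jan 03 09:16:40 proxy01 GET host=badexample.invalid src=10.20.30.9
Jan 03 09:17:03 fw01 allow src=10.20.30.12 dst=203.0.113.55 dport=443
Jan 03 09:18:30 fw01 allow src=10.20.30.12 dst=192.0.2.44 dport=9001
"""

# Descriptions that mark an indicator as shared infrastructure. A hit on one of
# these says only that the host reached a service many others also reach.
SHARED_HINTS = re.compile(r"\b(tor|exit node|shared|hosting|cdn)\b", re.I)


def load_indicators(text):
    """Parse the CSV into exact IPs, networks and domains, each with a weight."""
    exact_ips, nets, domains = {}, [], {}
    for row in csv.DictReader(io.StringIO(text)):
        value, kind, desc = row["indicator"], row["type"], row["description"]
        weight = "low" if SHARED_HINTS.search(desc) else "high"
        if kind == "ipv4":
            exact_ips[ipaddress.ip_address(value)] = (desc, weight)
        elif kind == "ipv4-net":
            # A whole range can never single out one actor: always low weight.
            nets.append((ipaddress.ip_network(value), desc, "low"))
        elif kind == "domain":
            domains[value.lower()] = (desc, weight)
    return exact_ips, nets, domains


def _field(name, line):
    m = re.search(rf"{name}=(\S+)", line)
    return m.group(1) if m else None


def match_logs(lines, indicators):
    """Return (src, matched_indicator, description, weight) for every hit."""
    exact_ips, nets, domains = indicators
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        src = _field("src", line) or "?"
        dst, host = _field("dst", line), _field("host", line)
        if dst:
            ip = ipaddress.ip_address(dst)
            if ip in exact_ips:
                desc, weight = exact_ips[ip]
                hits.append((src, str(ip), desc, weight))
                continue
            for net, desc, weight in nets:
                if ip in net:
                    hits.append((src, str(ip), desc, weight))
                    break
        elif host and host.lower() in domains:
            desc, weight = domains[host.lower()]
            hits.append((src, host.lower(), desc, weight))
    return hits


def summarize(hits):
    """Per internal host: 'investigate' only if at least one high-weight hit."""
    weights = defaultdict(list)
    for src, _, _, weight in hits:
        weights[src].append(weight)
    return {src: ("investigate" if "high" in ws else "context-only")
            for src, ws in weights.items()}


if __name__ == "__main__":
    found = match_logs(LOG_LINES, load_indicators(INDICATORS_CSV))
    for hit in found:
        print(hit)
    print(summarize(found))
```

Run as a script it prints four hits, but only two internal hosts are marked "investigate": the one that reached the C2 address and the one that fetched the phishing domain. The host that talked to a hosting-provider range and a Tor exit node, the Burlington pattern, is "context-only", which is the distinction the alarmed early reporting missed.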
Technologies, Techniques, and Standards
Kaspersky Lab Finds a Way to Unlock Files Encrypted with CryptXXX Ransomware(Channel Post) After releasing decryption tools for two variants of CryptXXX ransomware in April and May 2016, Kaspersky Lab is releasing a new decryptor for files that have been locked with the latest version of the malware. This malicious program was capable of infecting thousands of PCs around the world since April 2016, and it was impossible to fully decrypt the files affected by it. But not anymore. The free RannohDecryptor tool by Kaspersky Lab can decrypt most files with .crypt, .cryp1 and .crypz extensions
Your 5 Totally Achievable Security Resolutions for the New Year(Wired) Whether you've never thought about your personal security at all before, or you’ve been meaning to clean some things up for awhile now, 2017 is the year to make changes. Threats like spamming, phishing, man-in-the-middle attacks, and ransomware pose real daily threats to every internet user, passwords continue to leak in massive corporate breaches, political instability roils many parts of the world, and people own more and more devices that can be compromised. Fun, right?
WTF is a VPN(TechCrunch) You’re watching a movie. A criminal is trying to evade a crime scene in a sports car on the highway. A helicopter is following the car from above. The car enters a tunnel with multiple exits and the helicopter loses track of the car
Appointing a Cyber Point Person to Minimize Impact of the Inevitable(New York Law Journal) As information has become an increasingly valuable commodity for all businesses, it has also become extremely valuable for hackers and criminal organizations. The tools that the bad actors are using to gain access to our systems and information are outpacing our technological advances. Regardless of the level of sophistication of the information technology infrastructure, organizations are only as strong as their weakest link, which are quite often their people
Five Signs of CISO Complacency(Security Intelligence) Chief information security officers (CISOs) are constantly challenged to avoid complacency. The seemingly insurmountable pressures of balancing escalating threats and regulatory compliance mandates can be overwhelming. When conceiving big security projects, CISOs often talk about finding the risky pain points in processes and trying to correct them. That exercise is all about management skills, but it seems they haven’t realized the interaction between information security and the rest of the company
The Very Human Problem Blocking the Path to Self-Driving Cars(Wired) It was a game of Dots that pushed Erik Coelingh to rethink his entire approach to self-driving cars. Coelingh, Volvo’s head of safety and driver assist technologies, was in a simulator, iPad in hand, swiping this way and that as the “car” drove itself, when he heard an alert telling him to take the wheel. He found the timing less than opportune
Fiat Chrysler’s Portal concept is a van with a plan for autonomous driving(TechCrunch) Fiat Chrysler is getting ready for a future in which your vehicle is an extension of your living space with their new Portal concept car, which is debuting at CES this year. The Portal is an electric-powered vehicle with its own wireless network, Level 3 semi-autonomy standard and the hardware necessary for an upgrade to true Level 4 self-driving capability, and fold-flat/removable seating for flexible interior reconfiguration options
Fiat Chrysler and Google team on Android in-car tech(TechCrunch) Fiat Chrysler and Alphabet are already working together via Waymo, the former Google self-driving car project, and now Google is also teaming with the automaker for in-car system tech, using Android as the base for a new infotainment and connected-car platform. The new FCA in-car system is called Uconnect, and uses Android 7.0 to deliver a range of features, including Android app compatibility alongside more traditional in-car controls like AC and heat, also with terrestrial radio
Research and Development
Narendra Modi addresses Indian Science Congress in Tirupati, highlights cyber-physical systems(First Post) Prime Minister Narendra Modi on Tuesday inaugurated the five-day annual Indian Science Congress being held at the Sri Venkateswara University in Tirupati. This time the conference focuses on 'Science and Technology for National Development' even as previous prime ministers have usually shared their vision and approach for science in India in their address. They have also used it as a platform to make policy announcements
RSA Conference 2017 debuts education program(Help Net Security) RSA Conference announced the debut of RSAC AdvancedU – a new series of programs to educate and encourage more people to pursue a career in cybersecurity and also invigorate veterans with decades of experience – at RSA Conference 2017, February 13-17, in San Francisco
Legislation, Policy, and Regulation
Putin’s Masterstroke of Nonretaliation(Foreign Policy) In refusing to expel U.S. diplomats in response to President Obama’s sanctions, the Russian leader pulled another fast one on the White House
Putin’s Real Long Game(Politico) The world order we know is already over, and Russia is moving fast to grab the advantage. Can Trump figure out the new war in time to win it?
Trump’s doubts about cybersecurity alarm experts(Washington Post via the Chicago Tribune) President-elect Donald Trump has repeatedly questioned whether critical computer networks can ever be protected from intruders, alarming cybersecurity experts who say his comments could upend more than a decade of national cybersecurity policy and put both government and private data at risk
Laying Bare the Enemy's Aims: Defending Public Opinion in the 21st Century(War on the Rocks) America’s strategic center of gravity is public opinion, so why is it left undefended against foreign influence? As pressure builds in Congress to investigate Russia’s meddling in presidential politics, lawmakers must look to arm a new generation of information warriors with Silicon Valley tech and Cold War political acumen. Edward Bernays, the father of American advertising, believed that the essence of democratic society is the engineering of consent. If America wants the engineering of consent to be an exclusively homegrown activity, then Congress needs to establish a new agency with the mission to confront, expose, and challenge unlawful foreign influence both at home and abroad
U.S. Cyberwarfare: Its Powerful Tools, Its Unseen Tactics(KUOW) NPR's Ari Shapiro talks to cybersecurity expert Robert Knake on what tools the U.S. has to retaliate against Russia in cyberspace. Knake, former director of cybersecurity policy with the National Security Council, is now a senior fellow at the Council on Foreign Relations
Turkey Wants to Build Army of Hackers(Bleeping Computer) Turkish officials announced plans to hire computer experts to serve as white-hat hackers and help protect the country's infrastructure against cyber-security threats
FBI-DHS Report Links Fancy Bear Gang to Election Hacks(Threatpost) In a report released Thursday the Federal Bureau of Investigation and the US Department of Homeland Security implicated Russian hacking group Fancy Bear in attacks against several election-related targets
Trump says he has inside information on hacking(CNN) President-elect Donald Trump said Saturday he has information that others lack and promised to reveal his knowledge this week, reiterating again his doubts that Russia was behind cyber-meddling in the US election
Trump hints at hacking revelation in coming days(The Hill) President-elect Donald Trump late Saturday said he will reveal new information in the next few days about alleged Russian hacking during the U.S. presidential election, saying he knows “things that other people don’t know"
What’s Behind Mysterious ‘Disclaimer’ on Top of DHS/FBI Big Russia Hacking Report(Law Newz) Many have noticed that on top of the Joint Report issued on Thursday by the FBI and U.S. Department of Homeland Security on the Russian hacks, there is a very peculiar thing: A disclaimer stating that “The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within.” Some have speculated that the disclaimer is evidence that the federal government won’t stand by their findings. WikiLeaks drew even more attention to this detail by tweeting out a picture of the disclaimer, which was subsequently retweeted more than 7 thousand times. As a legal website, we always read the fine print too, and wanted to find out what this means
Critiques of the DHS/FBI’s GRIZZLY STEPPE Report(Robert M. Lee) On December 29th, 2016 the White House released a statement from the President of the United States (POTUS) that formally accused Russia of interfering with the US elections, amongst other activities. This statement laid out the beginning of the US’ response including sanctions against Russian military and intelligence community members. The purpose of this blog post is to specifically look at the DHS and FBI’s Joint Analysis Report (JAR) on Russian civilian and military Intelligence Services (RIS) titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity”. For those interested in a discussion on the larger purpose of the POTUS statement and surrounding activity take a look at Thomas Rid’s and Matt Tait’s Twitter feeds for good commentary on the subject
Russian hacking: US intelligence 'off the mark'(Brisbane Times) The "Russian hacking" story in the US has gone too far. That it's not based on any solid public evidence, and that reports of it are often so overblown as to miss the mark, is only a problem to those who worry about disinformation campaigns, propaganda and journalistic standards - a small segment of the general public
FBI/DHS Joint Analysis Report: A Fatally Flawed Effort(LinkedIn) The FBI/DHS Joint Analysis Report (JAR) “Grizzly Steppe” was released yesterday as part of the White House’s response to alleged Russian government interference in the 2016 election process. It adds nothing to the call for evidence that the Russian government was responsible for hacking the DNC, the DCCC, the email accounts of Democratic party officials, or for delivering the content of those hacks to Wikileaks
Beware of Attribution Claims(LinkedIn) Jeffrey Carr makes an interesting point about the DHS attribution of Grizzly Steppe to a specific country. The joint NCCIC/FBI (National Cybersecurity and Communications Integration Center / Federal Bureau of Investigation) report is very light on attribution details
McCain plans Russia cyber hearing for Thursday(Politico) Senate Armed Services Chairman John McCain has scheduled a hearing on cyber threats for Thursday, where the issue of Russia's election-year hacking will take center stage, a source familiar with the committee's planning told POLITICO
Meet The Russian Hacker Claiming She's A Scapegoat In The U.S. Election Spy Storm(Forbes) "We don’t make malware for the Russian government." This was the response of Russian hacker Alisa Esage Shevchenko to a blunt question I put to her in April 2015: do you provide any kind of digital weapon to the Russian government? Since then we've been in touch over encrypted mail and Twitter. Indeed, she's been a trusted resource for all things white hat hacker related, including her input for a report on Russian exploits of critical nuclear power plant technology
Politico: Obama Clemency Unlikely for Snowden, Manning, Others(Newsmax) Four people who have been involved in national security issues have asked President Barack Obama for clemency, but lawyers say that in the current environment surrounding leaks and hacking, action on their cases is not looking likely, according to Politico
The Fable of Edward Snowden(Wall Street Journal) As he seeks a pardon, the NSA thief has told multiple lies about what he stole and his dealings with Russian intelligence
Bitdefender joins European anti-ransomware initiative(GSN) Bitdefender, the innovative security software solutions provider, joined the No More Ransom initiative supported by Europol contributing to the global fight against ransomware - the fastest-growing cyber threat to date
Newly Noted Events
Suits and Spooks DC 2017(Arlington, Virginia, USA, January 11 - 12, 2017) “What we are creating now is a monster whose influence is going to change history, provided there is any history left.” (John von Neumann) When John von Neumann said those words in 1952, he didn’t mean...
CES® CyberSecurity Forum(Las Vegas, Nevada, USA, January 5, 2017) Now in its second year, the CES® CyberSecurity Forum presented by CyberVista is designed to ensure all stakeholders in developing high tech solutions understand the complexity and the need for action in...
SANS Security East 2017(New Orleans, Louisiana, USA, January 9 - 14, 2017) Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. SANS is looking forward to an exciting kickoff of 2017 with SANS Security East 2017 in...
Cybersecurity of Critical Infrastructure Summit 2017(College Station, Texas, USA, January 11 - 13, 2017) An inaugural event to convene thought-leaders, experts, and strategic decision makers from government, industry, and academia to discuss the technology and policy implications of the ever-evolving cyber-threats...
ShmooCon 2017(Washington, DC, USA, January 15 - 17, 2017) ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and...
SANS Las Vegas 2017(Las Vegas, Nevada, USA, January 23 - 28, 2017) Attend SANS Las Vegas 2017, where SANS will provide outstanding courses in IT security, forensics, and security management presented by the best cybersecurity teachers in the country. At SANS events you...
BlueHat IL(Tel Aviv, Israel, January 24 - 25, 2017) Announcing BlueHat IL – a special edition of Microsoft's leading cyber security conference for top professionals, to be held for the very first time in Tel Aviv, Israel.
Over the past 10 years, BlueHat conferences have drawn the brightest minds in security to discuss key industry challenges. And now, BlueHat IL is here to crank it up by exploring and creating new cyber security thoughts and boundaries. This exclusive, by invitation only, single track event will host top cyber security professionals from around the world, who will come together to tackle the present and peek into the future. It will feature brilliant speakers and focus on breakthrough research, key trends and emerging threats in the field. Registration closes December 28.
SANS Cyber Threat Intelligence Summit & Training 2017(Arlington, Virginia, USA, January 25 - February 1, 2017) Join SANS at this innovative Summit as we focus on enabling organizations to build effective cyber threat intelligence analysis capabilities. Most organizations are familiar with threat intelligence, but...
Blockchain Protocol and Security Engineering(Stanford, California, USA, January 26 - 27, 2017) This conference will explore the use of formal methods, empirical analysis, and risk modeling to better understand security and systemic risk in blockchain protocols. The conference aims to foster multidisciplinary...