
More signal. Less noise.

Are you using threat intelligence to its full potential?

Download this free report via Recorded Future to learn 12 common threat intelligence use cases.

The Week that Was.

Russians indicted for interference in US elections.

US Special Counsel Robert Mueller's investigation yielded an indictment of sixteen Russian defendants (three organizations, thirteen individuals) for a conspiracy whose object was "impairing, obstructing, and defeating the lawful governmental functions of the United States by dishonest means in order to enable the Defendants to interfere with U.S. political and electoral processes, including the 2016 U.S. presidential election." The Internet Research Agency, the St. Petersburg-based troll farm, is the alleged conspiracy's leading organization. The other two organizations, Concord Management and Concord Catering (treated together as "Concord"), were Russian government contractors involved in funding and staffing what the Internet Research Agency called "information warfare against the United States." No US persons were charged, but the indictment notes contact with "unwitting members, volunteers and supporters of the Trump campaign" (Guardian).

Do you know your adversary’s next move? We do.

Getting a leg up on your adversary – cyber espionage, cyber crime, or hacktivism – is no easy feat. You need strategic intelligence…from the experts. But what makes intelligence strategic? Learn more in LookingGlass’ webinar featuring the experts. Join our Sr. Directors of Research and Analysis Jonathan Tomek and Olga Polishchuk on February 21 @ 2PM ET for a discussion covering what security teams need to proactively defend against your next cyber attack. Sign up now!

Alleged crimes and alleged methods.

Charges include conspiracy to defraud the United States, conspiracy to commit wire fraud and bank fraud, and six counts of aggravated identity theft (Atlantic). The defendants are alleged to have travelled to the US under false pretenses. The operations they're charged with mounting began in 2014 with the general objective of fomenting discord in American society (Atlantic). By 2016 those objectives had changed to damaging Hillary Clinton's presidential campaign, first with information operations supporting primary opponent Senator Bernie Sanders, then with operations favorable to her general election opponent Donald Trump (Politico). Two anti-Trump rallies were also apparently organized by the conspirators post-election (Politico). The indictment's account of how the conspiracy operated is worth reading in full. The activities described show a mix of traditional espionage (front organizations, illicit travel, exploitation of unwitting victims) in the service of well-crafted propaganda delivered by catphish and stolen identities over social networks, where their messaging was amplified in the usual social media echo chambers.

White House National Security Advisor McMaster calls the evidence of Russian information operations "incontrovertible" (Sydney Morning Herald). Russian Foreign Minister Lavrov calls the indictments "just blabber" (NBC News).

Obtain full visibility into your security team with Cybrary.

It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!

Mid-term elections and information operations.

US Intelligence officials told Congress this week that the country should expect an increased tempo of Russian information operations during the 2018 mid-term election cycle (WIRED). The principal threats they outlined were propaganda and misinformation designed to foment mistrust and discord, essentially the 2016 playbook (New York Times). There were also calls in Congress for the US military to use its reputation for probity to help secure elections, presumably by acting as a unifying, impartial broker of true information as opposed to ongoing foreign disinformation (Fifth Domain). How that might play out in practice remains unclear.

NBC News claims it has a database of 200,000 trolling communications Twitter deleted in its war on bots and disinformation, in case you want to know what's being tweeted from St. Petersburg (NBC News).

Looking for an introduction to AI for security professionals?

Your wait is over. A new book is out from the Cylance data science team, covering artificial intelligence and machine learning techniques in practical situations to improve the security professional’s ability to thrive in a data-driven world. Whether you are reviewing logs or analyzing malware, being able to derive meaningful results and improve productivity is key. Order your free copy today.

HM Government says its AI can recognize extremism.

And HM Government expects tech companies to start using it (Naked Security). ASI Data Science developed the AI tool with a £600,000 Government research-and-development grant. It watches video and audio streams and claims to be able to recognize "94% of Daesh propaganda with 99.995% accuracy." The method behind the model hasn't been disclosed, and some insight into how its accuracy was determined would also be interesting (TechCrunch). Nor has much been said about the tool's adaptability to detecting other forms of extremism (or simply other forms of content the Government has reasons for disapproving) or its resilience in the face of the adaptations Jihadis will inevitably make. The opposition is always protean.

Commercial incentives may also be poorly aligned with epistemology, as some observations of how Google serves up search results seem to indicate (Motherboard).

Compete to win prize money plus the chance to be DataTribe’s next big investment.

DataTribe's Inaugural Cyber Funding Competition: We put real firepower behind every idea. If you're part of an entrepreneurial technology team with a vision to disrupt cybersecurity and data sciences - we want to enhance your growth prospects with the opportunity for DataTribe-financed seed capital of $2,000,000. Plus, possible millions more in a Series A Venture Capital Round. The top three finalists will share $20,000 in prize money. Learn more.

Winter Olympics hacked with wiper malware.

The Winter Games clearly sustained a deliberate cyberattack (BBC), as "Olympic Destroyer" began disrupting official Olympic sites more than a week ago (BankInfo Security). Cisco's Talos unit sees similarities in the code to last year's BadRabbit and NotPetya pseudoransomware (PC Magazine). Olympic Destroyer uses the EternalRomance exploit the Shadow Brokers dumped with other alleged Equation Group tools. The malware has a complex wrinkle: self-patching functionality that enables it to morph as it installs itself on new machines (Bleeping Computer).

Late this week signs emerged suggesting that the attack had been long in preparation. Reports say that the Olympics' cloud provider, Atos, was successfully compromised in December, about two months before the games began. Thus Olympic Destroyer is now being regarded as a supply chain attack. Atos confirmed that it's opened an investigation, and that it's brought in McAfee to help (CyberScoop).

The attackers' apparent goal is disruption (ITWire) to "shame" the Games' organizers (Bloomberg). Disruption can also serve as misdirection or battlespace preparation, and security experts are alive to these possibilities as well (Security Brief). Attribution remains unclear, but the leading suspects are the usual ones: Russia and North Korea (Vox). A customary but important reminder: attribution is notoriously difficult (BankInfo Security). Code overlaps with earlier attacks are, as Recorded Future points out, as consistent with a false-flag operation's deliberate misdirection as they are with code reuse by a threat actor.

From Bratislava to Birmingham to Baltimore, it's a conspiracy (sez they).

Russia represents the Olympic suspicion it's under as a charmingly implausible Slovak-American conspiracy to slander Russia's good name. ESET, the Bratislava-based cybersecurity firm mentioned in Russian dispatches as the principal engine behind the slander, dismisses the allegations as propagandistic nonsense. ThreatConnect and Trend Micro are also singled out as bad guys by the Russian Ministry of Foreign Affairs, which says the three companies "enjoy close ties with the CIA and the NSA." ESET particularly denies this (Slovak Spectator). But the Russian note about "close ties with the CIA and the NSA" is suggestive: Russia may be preparing to give various Western security firms a retaliatory dose of the Kaspersky treatment.

On Thursday British authorities publicly blamed Russia for last year's NotPetya pseudoransomware campaign (BBC) and warned Moscow against any repetition (Telegraph). Moscow dismissed the charges as another instance of "Russophobia" (Reuters). Washington joined London Thursday, with the White House offering a harsh condemnation of Russia and hinting at imposition of consequences (WIRED).

Coinhive's developers say it all just got away from them.

As cryptojacking infestations spread, Coinhive's developers say they never intended this, that they meant nothing but good. They envisioned their code as a minor, fun way for people to pick up a little cryptocoin. As they told Motherboard, "[We] were also quite naive in our assumptions on how the miner would be used. We thought most sites would use it openly, letting their users decide to run it for some goodies, as we did with our test implementation on before the launch. Which is not at all what happened in the first few days with Coinhive."

Sophos researchers found Coinhive infestations in nineteen Android apps this past week (Computing). A zero-day flaw in Telegram, now patched, was also exploited to install a miner that pulled in Zcash and Monero (SecureList).

Other sites have, surprisingly, turned to Coinhive as a way of realizing revenue they'd otherwise be denied by ad blockers. Salon magazine, for one, will now upon detection of an ad blocker give the reader the option of either subscribing or installing a cryptominer. This has generally been coldly received, with few finding much sympathy with Salon's explanation (in their FAQ) that this restores the old mutually beneficial relationship between publisher and reader (Graham Cluley).

It's unclear that hoods or publications get rich by cryptomining. Last week's Coinhive infestation of government sites apparently netted just $24 (Guardian), but cryptojacking is currently the most common form of cybercrime (Help Net Security). The big scores are in fraud, but the money from mining is easy (CNET). 

Another ICO scam.

LoopX, a cryptocurrency start-up of unclear provenance and purpose, is gone, vanishing over the past weekend and taking $4.5 million of investors' cash with it. LoopX has been described as "lacking transparency," which it certainly did. It boasted having a world class team of (unspecified) experts working for it, and it claimed to have a tested "algorithm" that reliably pulled in lots of cash. Anyway, LoopX is gone, and is now fully transparent in the sense that everyone sees through it (Naked Security).

Cryptocurrency mining is both irritating and unremunerative.

The big infestation of Coinhive that propagated through British, US, Canadian, and Australian sites over a week ago didn't net the master miners much: Motherboard thinks they cleared about $24 worth of Monero.

But the computational load mining exacts is a stiff one. Among the casualties we apparently must reckon SETI, the search for alien life, which has long used excess and donated CPU capacity to scan the cosmos for anomalous and so possibly artificial signals (TechCrunch). It seems OK that people are looking for aliens, although the results of actually finding any would in all likelihood result in the creation of what lawyers call "an attractive nuisance," but on the other hand drawing aliens' attention to us seems (nota bene Mr. Musk) a stupendously bad idea.

European bankers skeptical of cryptocurrency.

Frankfurt doesn't care much for Bitcoin. German financial authorities express a more general European skepticism about cryptocurrency. The Bundesbank's head said fiat currencies sustained by well-regulated central banks cannot be replaced or matched by cryptocurrencies like Bitcoin. The European Central Bank (ECB) characterizes cryptocurrencies as "speculative assets," not real money. Alternative currencies are too volatile, incapable of sustaining confidence. One high ECB official said trading in cryptocurrency was "like a gold rush—but there is no gold." Other objections include alleged deleterious social and even psychological effects. Besides, mining cryptocoins is so energy intensive that it's unsustainable (Ars Technica).

Bots and markets.

Bots are said to be driving up air fares. Distil Networks says one way it works is like this: an airline announces low-priced seats, bots promptly reserve them all, and fictitious demand drives up real prices. Unscrupulous travel agents are thought to be the botmasters (NBC).

German court rules against Facebook in privacy case.

On Monday the Berlin Regional Court published its January ruling that Facebook was in violation of the Bundesdatenschutzgesetz, the Federal Data Protection Act. The two most significant findings were, first, that Facebook's default privacy settings are not privacy friendly and are presented so obscurely that it's difficult for users to find them, and second, that the real-name policy impermissibly interferes with anonymity. As the judgment put it, "Providers of online services must also allow users to participate anonymously." Facebook says it will appeal, but also move toward compliance (Naked Security).

Facebook has plans to collect and use even more of the data it has on its users as it considers moving Facebook Portal further into development (Naked Security). It's already got one feature privacy-conscious observers find troubling and problematic. Its free VPN, which iOS users can get by selecting the "Protect" option, enables Onavo, which Facebook acquired in 2013 to give it some Snapchat-like arrows in its quiver. Onavo is said to provide an extra "layer of security," and "peace of mind while you browse." To do this, however, it collects the user's data traffic to "improve and operate the Onavo service by analyzing your use of websites, apps and data." Onavo adds that, as part of Facebook, they also use your data not only to make Facebook better, but to "gain insights into the products and services people value." Most would look to a VPN for privacy, but Onavo Protect strikes observers as spyware (CSO).

Hybrid war turns lethal.

Russian troops, "mercenaries," by their country's official designation, were this week killed in a firefight with US troops in Syria as the Russians, operating with units loyal to the Assad regime, attacked a base held by US, Kurdish, and opposition Arab forces (Times). Such troops, in such large numbers (hundreds, by some estimates, with assessments of casualties running over a hundred) probably represent a version of the "green men" Russia deployed in its hybrid war against Ukraine. Their deployment is deniable; their deaths require no official mourning.

Patching news.

IBM issued Spectre and Meltdown fixes for its Power servers (Infosecurity Magazine). Intel's patches continue to draw complaints (from Netflix, among others) for degradation of system performance: latency spikes of up to 8000% are reported (Computing).

Microsoft fixed fifty bugs on Tuesday, fourteen rated "critical." Many involved privilege escalation; some have been in place for a long time (Infosecurity Magazine). The widely reported "unfixable" Skype issue, by the way, was apparently patched back in October (Register). Adobe also patched, addressing thirty-nine issues in Acrobat and Reader (SANS Internet Storm Center).

Maintainers of the Bitmessage peer-to-peer communications protocol fixed a zero-day that was being exploited in the wild to access and loot Bitcoin wallets (Bleeping Computer).

Dell-EMC patched critical flaws in its VMAX Enterprise Storage System (Threatpost).

Industry notes.

Qualcomm and Broadcom renewed merger and acquisition negotiations this week. Qualcomm has said Broadcom's $145 billion offer undervalues Qualcomm (Computing). General Dynamics announced its acquisition of CSRA for $6.8 billion (Wall Street Journal). The move is viewed by industry observers as a test case for General Dynamics' M&A strategy. General Dynamics thinks so, too (Washington Business Journal). Thoma Bravo has completed its acquisition of Barracuda Networks in a deal said to be worth $1.6 billion (PE Hub).

Carbonite announced a definitive agreement to acquire secure backup solution Mozy from Dell for $145.8 million in cash (ZDNet). VMware's acquisition of CloudCoreo is seen as the company's latest push into the cloud security market (TechTarget). Oracle has acquired anti-bot shop Zenedge for an undisclosed amount (Register).

Threat-hunting shop Infocyte announced both a $5.2 million Series B round and a new CEO, Curtis Hutcheson (Infocyte). Blueliv, the Barcelona-based cyberthreat intelligence shop, has raised €4m in Series A funding (FINSMES). "Passwordless" authentication provider InBay Technologies, based in Ottawa, announced that it has raised $1 million in its second tranche of pre-Series A funding (InBay). Bot-fighting shop Stealth Security has raised $8 million in Series A funding. The round was led by Shasta Ventures (BusinessWire).

FireEye's encouraging report of a quarterly profit has attracted much positive attention. Seeking Alpha writes that it shows the company's "turnaround" has legs. The cheerful sentiment the results aroused has prompted speculation that the company will be an attractive acquisition target, with Microsoft often mentioned as the likeliest suitor (Investor Place).

Raytheon is repositioning its Forcepoint unit for greater growth by combining its government and critical infrastructure protection units (Motley Fool).

Container security shop Deepfence has emerged from stealth (eWEEK).

Equifax has hired a new CISO, Jamil Farshchi, formerly of Home Depot (Dark Reading). He'll be tasked with overseeing the ongoing mop-up of last year's disastrous data breach, including this week's revelations that more information was in fact lost than had been generally appreciated (Computing).

Kaspersky is challenging its ban from US Government networks as, according to the company's counsel from Baker McKenzie, "judicial punishment" (National Law Journal). Huawei continues to receive stick from the US Government: Intelligence Community leaders warned against buying the Chinese company's phones (CNBC).

Today's issue includes events affecting China, European Union, Germany, Russia, Syria, Ukraine, United Kingdom, United States.

A note to our readers: we'll be observing the Presidents Day holiday tomorrow, as we do other US Federal holidays (because, full disclosure, we're Americans). Our Daily News Briefing and Daily Podcast will take a one day break. We'll be back as usual on Tuesday. If you're taking the day off, enjoy it. See you on the 20th. 

Our Research Saturday podcast, up yesterday, warns listeners against the uncanny Hex Men. We talk with the GuardiCore Lab team that's been tracking attack campaigns conducted by a Chinese threat actor. GuardiCore researchers describe three attack variants, "Hex," "Hanako," and "Taylor," targeting SQL servers.

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.