The CyberWire report.

The second quarter of 2017 opened with doubts about espionage and influence operations in cyberspace. As this quarter comes to an end, we're witnessing the effective eclipse of both cybercrime and hacktivism by state action, indeed, by hybrid warfare. It's grown more brazen, plausible deniability reduced to a fig leaf. 

Investigation into attempts to influence US elections.

Investigation into Russian influence operations has continued in the US Congress, and also with the appointment of a Special Counsel (former FBI Director Mueller) after President Trump's dismissal of FBI Director Comey on May 9th, 2017 (New York Times).

This coming quarter we'll be watching continuing US investigation into influence operations as well as measures taken to ensure the security and integrity of voting.

Influence operations during French and British elections (without evident effect).

France's Presidential election, conducted in two rounds, the first on April 22nd and 23rd, the second on May 6th and 7th, saw a final contest between two insurgents, Marine Le Pen of the right Front National and the centrist Emmanuel Macron of En Marche, with Macron emerging as the surprise winner. Macron's campaign came under late attack, and in this case there were not only attempts on email accounts, but some evidence of disinformation as well (Guardian). But the attempts began late, probably because Macron began the campaign as a very dark horse, and they had limited success, in part because En Marche anticipated some sort of hostile action in cyberspace and took steps to prepare against it. As has been the case with influence operations in the US, this activity was generally attributed to Russian intelligence organizations (ThreatConnect).

The next major Western elections are scheduled for Germany in September. We'll be watching them for signs of foreign influence operations.

Disinformation in the Gulf region (with diplomatic effect).

Other operations have been threatened against Gulf states, including doxing of diplomats' email traffic. We'll keep an eye on how those develop. The ultimate attribution may prove more local than Russian, a case in which Russia provides a default suspect but may not be principally involved.

Hybrid warfare, with Russia its leading practitioner.

We'll be watching for development of confidence-building measures (should such be possible) among national rivals in cyberspace. We'll also be watching development of national doctrine and capability for cyber deterrence. As tensions over North Korean nuclear weapons and long-range missile development increase, we expect to see sparring in cyberspace likely to involve not only the DPRK, but also South Korea, Japan, China, the US, and Australia.

Leakers and spies (including developments from WikiLeaks and the ShadowBrokers).

Attribution skepticism induces some to call official findings of Russian DNC doxing a "cyber Tonkin Gulf" incident. (Recent skepticism from the left speculates that the DNC emails were leaked by an insider.) We don't know about this case (there's much evidence of active Russian influence operations, so this doesn't look like radar ghosts and dolphin wakes), but we do agree that hasty and mistaken attribution is problematic, especially when governments consider kinetic retaliation for cyberattacks. (And the CyberWire has been warning about the possibility of a cyber Tonkin Gulf incident since October 2013.) FBI investigations continue, as do those in both houses of Congress. The Senate's hearings are concentrating on Russian disinformation operations.

Looking forward, we'll be following inquiries into the identity of WikiLeaks' and the ShadowBrokers' sources, and the mechanisms by which they obtained their material.

WannaCry and NotPetya: disruption masked as extortion.

WannaCry broke out on May 12th, the month after the ShadowBrokers dumped the EternalBlue exploit. Unpatched Windows 7 machines accounted for most of the infections, by some accounts more than two-thirds. Infections were reported worldwide. China and Russia appeared to have been hardest hit, probably because of the widespread use there of unsupported or pirated copies of Windows. Those behind the attack failed to make big money, certainly not nearly as big as the scope of the pandemic might suggest, but they did succeed in large-scale business disruption, and in drawing odium toward the US National Security Agency. It's thought possible that the attack was launched prematurely. Ineptly configured Bitcoin wallets (for receipt of ransom payments) and an easily accessible kill-switch for the malware argue in favor of this conclusion. WannaCry did not spread by phishing, as far as is known. Phishing is the first explanation most analysts turn to when confronted with ransomware. In this case it was delivered by SMB exploitation and rapidly propagated as a worm (The CyberWire).

Looking forward, we'll be watching for further convergence of criminal and intelligence service activity, and for fresh exploitation of leaked vulnerabilities.

IoT vulnerabilities (including CrashOverride and the curious persistence of XP in the IoT).

Experts think the CrashOverride malware used against Ukraine last December represented the culmination of a long and patient campaign prepared by infestations of Havex and BlackEnergy. WIRED puts it directly: Ukraine "became Russia's test lab for cyberwar." Observers think Russia now has a proven cyber weapon ready for use. CrashOverride is disturbing—apparently purpose-built from scratch and used in deliberate, highly targeted campaigns.

The power grid seems clearly the most vulnerable point of attack, and it's been probed in many countries. We'll be watching the utilities' preparation for attack over coming months.

Terror inspiration and investigation.

The terror attacks in the UK appear to have been cases of jihadist inspiration as opposed to moves in a centrally organized and controlled campaign (Times). They also appear to have been known wolf cases in which the attackers were on various police and security service watch lists, placed there by intelligence collected at least in part online (Times).

ISIS and other terror groups have used the Internet for inspiration, and, beyond a few negligible defacements of soft targets, have shown little aptitude for hacking. This could change, and will bear watching.

Crypto wars updates.

Concern about terrorism drives policy toward restriction of strong encryption. The prospects of such restriction are likely to rise with terror attacks and fall with their absence.

Disclosure and stockpiling.

We'll be watching the evolution of the VEP as it's evaluated in all three branches of the US Government.

US cyber policy shows more continuity than discontinuity.

Deadlines for Federal agency compliance with the Executive Order begin to fall in July; we'll be watching developments.

This CyberWire Quarterly Report discusses events affecting Australia, Canada, China, the European Union, France, Germany, Mexico, Qatar, Russia, Saudi Arabia, Ukraine, the United Arab Emirates, the United Kingdom, and the United States.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in linked articles are those of the authors, not the CyberWire.
The CyberWire is published by Pratt Street Media and its community partners. We invite the support of other organizations with a shared commitment to keeping this informative service free and available to organizations and individuals across the globe.