In today's podcast we hear about the curious case of hacktivists who may be slugging for Uncle Sam. Maybe. Britain's NCSC warns of battlespace preparation for a campaign against critical infrastructure. Facebook prepares for its appearance on Capitol Hill. Facebook also cancels a plan to share anonymized medical data for research purposes. Atlanta continues to recover from SamSam. And some good news: Malwarebytes has solved LockCrypt ransomware. Robert M. Lee from Dragos with his take on why indicting foreign hackers is a bad move.
Dave Bittner: [00:00:00:18] A quick reminder that if you're attending the RSA Conference this year, be sure to stop by in the North Hall to the Akamai Booth, that's N3625, where I will be appearing daily doing meet and greets and some interviews as well and, of course, we thank Akamai for making these appearances possible. That's Akamai, harnessing the cloud without losing control. I hope to see you there.
Dave Bittner: [00:00:24:04] Are hacktivists slugging for Uncle Sam? Maybe. Britain's NCSC warns of battlespace preparation for a campaign against critical infrastructure. Facebook prepares for its appearance on Capitol Hill. Facebook also cancels a plan to share anonymized medical data for research purposes. Atlanta continues to recover from SamSam. And some good news: Malwarebytes has solved LockCrypt ransomware.
Dave Bittner: [00:00:55:21] And now some notes from our sponsor Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear phishing, those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They found that the bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fish net could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's threatmatrix.cylance.com. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:59:14] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Monday, April 9th 2018.
Dave Bittner: [00:02:12:00] Late Friday and into the weekend, what's thought to be a group of hacktivists defaced Iranian and Russian websites with a crudely rendered American flag and the message, "Don't mess with our elections." The defacements were relatively crude (the flag is old-school ASCII art, for one thing) but disruptive nonetheless.
Dave Bittner: [00:02:31:03] The hackers exploited the recently disclosed Cisco CVE-2018-0171 Smart Install vulnerability to reset routers to their defaults and display their message. Most observers are so far inclined to accept the hackers' claims at face value—patriots who took advantage of unpatched routers to mess with Russia and Iran.
Dave Bittner: [00:02:53:07] As they so often do, Motherboard has got in touch with people purporting to be the hacktivists to see what they're up to. (As the magazine puts it, they were in touch with "someone in control of an email address left in the note.") The hackers who claimed responsibility told Motherboard, “We were tired of attacks from government-backed hackers on the United States and other countries. We simply wanted to send a message." So the message has been sent and received. It also appears that the message has for the most part been removed. And don't try this at home, kids. The Cisco vulnerability has been exploited elsewhere, not just in Russia and Iran (and not just for hacktivist purposes), since it became known.
Dave Bittner: [00:03:38:16] Britain's NCSC warned late last week that Russian threat groups were harvesting NT LAN Manager credentials in apparent preparation for an attack on the UK's critical infrastructure. The National Cyber Security Centre advised that Russian state actors have been prospecting engineering and industrial control firms since March 2017. The warning was in at least one respect indirect. The NCSC didn't name Russia in its own advisory, but it did link to the similar announcement from US-CERT last month, which of course did name Russia directly. Thus there's little doubt as to whom they have in mind, and the British press has little doubt about whom the NCSC meant.
Dave Bittner: [00:04:21:22] Tensions remain high between Russia and the UK over the recent nerve agent attack in Salisbury. Sergey Skripal, former GRU officer and MI6 spy, victim of an attempted assassination with the Novichok nerve agent, has regained consciousness and is out of critical condition. His daughter Yulia, also out of critical condition, has refused to talk to the Russian consulate that sought to check on her welfare. British sources say the Skripals may be relocated with new identities to one of the other Five Eyes (probably the US).
Dave Bittner: [00:04:56:21] Possible Russian reprisal in cyberspace to diplomatic measures and financial sanctions has been a matter of some concern. Tension flared anew with Friday's imposition of sanctions on Russian companies by the US Treasury Department. And a chemical agent attack by Syria's Assad government against insurgent positions brought very harsh US criticism of Russia and Iranian support for "the animal Assad," as US President Trump called the Syrian leader.
Dave Bittner: [00:05:25:20] As Facebook prepares to face its inquisitors on Capitol Hill this week, the platform's recent upgrades get generally poor reviews. It introduced a way to recall messages after users complained that messages they'd received from CEO Mark Zuckerberg had disappeared from their accounts. Facebook had not permitted regular users to do this, but they hastily introduced a feature permitting this at the end of last week. Reception has been poor, with commentary from WIRED being representative. It looked like a hasty reaction.
Dave Bittner: [00:05:58:01] The company has suggested more data misuse may come to light. So have the whistleblowers who've opened up the data scandal.
Dave Bittner: [00:06:06:14] Bad optics has apparently induced the company to "pause," as it's been put, an attempt to get medical facilities to share anonymized patient data. The stated intent was to enable data so shared to be used for research conducted by the medical community. But Facebook, has decided to leave this alone for a while, at least. As the company put it in a statement quoted in CSO, " Last month we decided that we should pause these discussions so we can focus on other important work, including doing a better job of protecting people's data and being clearer with them about how that data is used in our products and services."
Dave Bittner: [00:06:44:21] The city of Atlanta continues to struggle back from its SamSam ransomware infestation. Business Insider reports that last Thursday Atlanta took down its Department of Watershed Management website indefinitely for server maintenance and updates. As of today the site appears to be accessible, but it's also got the city's Ransomware Incident Update banner prominently displayed across the top. The city says it's still investigating and remediating, but that it's seen no evidence that personal information has been compromised.
Dave Bittner: [00:07:17:13] And, finally, some good news on the ransomware front. Malwarebytes researchers have found a weakness in the encryption scheme LockCrypt uses. They can use that weakness to decrypt files ensnared by LockCrypt. LockCrypt has been irritating, but Malwarebytes gives the criminals behind it poor reviews. "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography." You can contact the Malwarebytes support team for help. And bravo, Malwarebytes.
Dave Bittner: [00:07:57:18] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware. And we thank VMware for sponsoring the CyberWire.
Dave Bittner: [00:08:58:08] And joining me once again is Robert M. Lee. He's the founder and CEO of Dragos. Robert, welcome back. I saw on Twitter that you had made some comments about the risk of indicting foreign hackers and I wanted to go through that with you. What do we need to know about this?
Robert M. Lee: [00:09:13:10] Yes, so when you're looking at indicting folks, you're talking about a criminal process, right? The Department of Justice gets involved and it can be extremely important if you're talking about stand alone criminals. But if you're talking about nation state operations, which the indictments have been typically about, we saw, you know, Chinese indictments with wild wild west style posters of Chinese hackers and Iranian indictments, now Russian indictments, it serves little purpose and honestly has a lot of risk associated with it. And the first problem is that it makes it about the people and not about the state. The problem isn't that there were seven members on a team in Iran that compromised infrastructure. The problem was that the Iranian government built and authorized this team to do so. So, by making it about the individuals, we basically allow them to become scapegoats for that government, instead of holding the government accountable.
Robert M. Lee: [00:10:05:01] The other problem is these aren't criminal acts to them. These are their operations that they're running as part of military intelligence operations and we do the exact same thing. So it's not about, oh, they do it and we do it, it's okay. No, it's about making the point that we don't want to see US military members on wild wild west style posters in China, Iran and Russia. It's not supposed to be about the individuals. It's about the state. So, it's not only the protection of our own people, but actually holding states accountable and letting them know when they do cross the lines of what we perceive to be inappropriate use of operations. We need to make it about the states and not the people.
Dave Bittner: [00:10:43:06] It seems like when these reports come out that there's little hope that these folks will ever be arrested or brought to justice or anything like that. I suppose some of them have been nabbed when they've taken vacations in countries that have extradition agreements with us. So it seems more symbolic than anything.
Robert M. Lee: [00:11:01:08] It is. I think it's more political in nature and it has value for showing that, you know, a certain administration is going to be taking this seriously. I'm usually not so cynical about actions, but I am fairly cynical about this, because I think the aspect of nabbing one of these folks is utterly ridiculous. Again, if it's a criminal who's been doing cyber crime, broke international law around that or domestic law that we care about, then sure. But if it's a military member for another state or operating on behalf of their military or intelligence services, we shouldn't be nabbing these folks and trying to hold them accountable. It's, again, utterly ridiculous to me.
Dave Bittner: [00:11:41:15] Does there seem to be a pattern to when we consider them having crossed the line, gone beyond sort of tit for tat espionage into this point where we declare them criminals?
Robert M. Lee: [00:11:51:18] There's not a clear line and I think that's part of what makes this extremely risky, is there is not a clear line for anybody on what we do or do not allow as a state, for any state. We've seen, I've talked about before where we've had hacks against infrastructure and power outage in Ukraine or malware designed to kill people in Saudi Arabia and we don't utter a whisper about it, and we basically erode the norms by not addressing those issues, and we typically say well, there's red lines and if you cross them we'll let you know and then people ask but what the red lines and what are the repercussions? Well, we'll tell you when it happens. And then that's a strategy of strategic ambiguity that doesn't benefit anybody. And if you're Iran, Russia, China, et cetera, you're still trying to figure what exactly does the US see as normal operations? Because obviously we're doing operations in those countries as well from a cyber component, so what is good use and bad use of these capabilities? And you're just going to have trouble defining that, because each states takes advantage of it and each states takes advantage of the ambiguity. So, if all the states are going to take advantage of the ambiguity and run their operations like they want, at the very minimum, let's just keep people's faces off wild wild west posters.
Dave Bittner: [00:13:04:24] Alright. Robert M. Lee, thanks for joining us.
Dave Bittner: [00:13:12:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more vmware.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast, which I also host. The subject there is Threat Intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:02:19] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more.