A defection and a leak expose Chinese espionage and social control operations. Data aggregation and enrichment seem to underlie a big inadvertent data exposure. Something seems to be up in Kazakhstan’s networks. The US FCC takes a swing at Huawei and ZTE. Russia moves closer to its desired Internet sovereignty. A Chuckling Squad member is in custody. A spy goes to prison, cyber hoods do time, and the rats are up to no good in Estonia. That’s the rodents, not the Trojans. Caleb Barlow from Cynergistek with insights gained from a scammer’s call.
Dave Bittner: [00:00:03] A defection and a leak expose Chinese espionage and social control operations. Data aggregation and enrichment seem to underlie a big inadvertent data exposure. Something seems to be up in Kazakhstan's networks. The U.S. FCC takes a swing at Huawei and ZTE. Russia moves closer to its desired internet sovereignty. A Chuckling Squad member is in custody. A spy goes to prison. Cyber hoods do time. And the rats are up to no good in Estonia.
Dave Bittner: [00:00:37] And now a word from our sponsor Authentic8. Authentic8, the creators of Silo, now have an app called the Silo Research Toolbox that builds a separate, isolated browser session. This allows researchers to collect information from the web without risk to their work network. With Silo Research Toolbox, researchers can go anywhere on the web and collect data without revealing their identity or exposing their resources. It runs, looks and is just as powerful as a local browser with none of the risk. The bottom line is that any website you visit on the open, deep or dark web will not know any details about you, your computer or your internet connection. Silo is built fresh at every start and is completely destroyed at the end. It never exposes your IP address and never carries any information with you from session to session. If you are required to keep your online investigations completely anonymous and safe from cyberthreats, you should consider checking out the Silo Research Toolbox at authentic8.com/cyberwire. That's authentic8.com/cyberwire. And we thank Authentic8 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:13] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 25, 2019. A defection and a leak respectively shed some light on China's repression of its Uighur minority and on the country's espionage operations. Both operations have a considerable cyber component. Chinese intelligence officer Wang “William” Liqiang has defected to Australia, where he's being accommodated at an undisclosed location by the Australian Security Intelligence Organization. The Age reports that he's blown the identities of a number of senior People's Liberation Army intelligence officers in Hong Kong. He's also said to have provided details of Beijing's extensive influence operations. These have been waged with particular focus and intensity against the quasi-autonomous city of Hong Kong and Taiwan, which the People's Republic views as nothing more than a breakaway province.
Dave Bittner: [00:03:10] But Australia has also been of considerable interest to Chinese intelligence services, who are held to have been responsible for intrusions into parliamentary networks and for running front organizations aimed at gaining decisive influence over Australian political life. The leak was obtained by the International Consortium of Investigative Journalists, which is calling the material the China papers. It amounts to classified guidelines for operating the camps in Xinjiang province, where large numbers of predominantly Muslim Uighurs are detained. Those guidelines are, the ICIJ says, for the most part, directed toward techniques of behavior modification - what a BBC headline describes as a brainwashing system.
Dave Bittner: [00:03:52] The China papers also include classified briefings that describe techniques used to identify Uighurs for surveillance and detention. These operate largely through tech means - facial recognition cameras and other means to identify candidates for detention, flagging for investigation hundreds of thousands merely for using certain popular mobile phone apps. The activity is not confined to domestic targets. Uighurs who are citizens of other states are explicitly designated for arrest and detention, and expatriate Chinese Uighurs are tracked and monitored with the eventual goal of returning them for detention in the Xinjiang camps. The ICIJ calls the system arrest by algorithm.
Dave Bittner: [00:04:34] Very large data leaks from exposed servers were reported late Friday to have compromised a total of about 1.2 billion records, some 4 terabytes of personal data. No one seemed at first quite sure to whom the database belongs or belonged, but Data Viper, which found the leaks, suggests that People Data Labs and OxyData, two data aggregation and enrichment shops, were the source of the exposure. The exposed data includes, according to WIRED, home and cellphone numbers, email addresses, social media profiles from Facebook, Twitter, LinkedIn and GitHub, and work histories apparently from LinkedIn. There were about 50 million unique phone numbers and 622 million unique email addresses on the server. The data lost falls short of the fullz so coveted by criminals since they didn't include passwords, Social Security numbers or paycard information, but it's a startlingly large breach nonetheless and obviously suggests the heightened possibility of identity theft.
Dave Bittner: [00:05:35] Chinese security firm Qihoo 360 says it's detected a major cyber surveillance campaign against targets in Kazakhstan. Qihoo calls the group Golden Falcon. The Russian security company Kaspersky tells ZDNet that they think this is the APT previously tracked as DustSquad. Neither company offers any attribution beyond that, but they do say the group appears to be Russian-speaking. In itself, that means little. There is no shortage of Russian speakers in Kazakhstan. But Qihoo does think it's found that someone providing Golden Falcon with tech support is located in Moscow. That, too, is, at best, circumstantial evidence. There's no shortage of IT hired guns either anywhere, especially in Eastern Europe. The story's developing.
Dave Bittner: [00:06:21] Citing national security concerns surrounding 5G networks, the U.S. Federal Communications Commission prohibited the use of Universal Service Funds for purchasing Huawei or ZTE equipment. The U.S. has also suggested to some of its closest allies that their adoption of Huawei and ZTE equipment for their 5G buildouts will inevitably hinder close cooperation on intelligence matters. The Washington Post sees a series of U.S. tactical victories over China in the coming 5G market and that American reservations about Chinese hardware may be gaining traction.
Dave Bittner: [00:06:56] Russia's Duma has banned devices that don't come with certain preloaded Russian software, Computing reports. The law will go into effect this coming July. You are not actually going to be required to use the software, but any laptop, phone or tablet you buy will have to come with it out of the box, or it's no deal. The new law is generally seen as a further push toward Moscow's aspirations for internet sovereignty. The government will use the next few months to work out exactly what software it wants to appear on every device sold in Russia. No serious observer sees this as anything other than a move to install tools that will enable the organs to see or control what goes on in every device.
Dave Bittner: [00:07:37] Louisiana's recovery from the Ryuk ransomware infestation that afflicted the state government systems is proving more protracted than officials hoped or expected. According to KATC, Governor Edwards on Friday declared a state of emergency. The Office of Motor Vehicles, whose service disruption has particularly irritated citizens, is now expected to remain offline through Monday, WWL CBS 4 reports.
Dave Bittner: [00:08:03] Former CIA officer Jerry Chun Shing Lee, who took a guilty plea to a single charge of conspiracy to provide national defense information to a foreign government, has been sentenced to 19 years in prison. The foreign government in question is China's. Mr. Lee was arrested by the FBI about two years ago. An alleged member of the Chuckling Squad, the clowns who SIM-swapped Twitter boss Jack Dorsey's account to distribute bomb threats, racist messages and anti-Semitic material, has been arrested. He's a minor, and his name is so far not known. The Santa Clara County District Attorney's Office in Silicon Valley is handling the case. The motivation is unknown but probably wasn't financial, just the now-sadly familiar quest for online glory.
Dave Bittner: [00:08:51] Aleksei Burkov appeared Friday in the U.S. Federal Court for the Eastern District of Virginia, a court known as the rocket docket for the dispatch with which it handles its cases, where he entered a plea of not guilty to charges of computer intrusion, identity theft and other forms of fraud. The 29-year-old St. Petersburger arrived in the U.S. from Israel on November 12. Mr. Burkov is alleged to be the impresario of Cardplanet and a second unnamed forum where the elite could meet to swap insights, do some chest thumping and trade contraband. We should mention that Mr. Burkov is entitled to the usual presumption of innocence and so on.
Dave Bittner: [00:09:30] No longer entitled to such presumption is one Stanislav Vitaliyevich Lisov, a Russian national arrested in Barcelona in 2017 and extradited to the U.S. in 2018. He was sentenced last week to four years in a U.S. federal prison. After he completes his sentence, he'll also serve three years of supervised release and will have to pay a $50,000 forfeiture, as well as nearly half a million dollars in restitution. Mr. Lisov, who this past February entered a plea of guilty to one count of conspiracy to commit computer hacking, was the proprietor of the NeverQuest banking Trojan. NeverQuest, also known as Vawtrak and Snifula, is thought to have been responsible for $4.4 million in damages, according to the Hacker News.
Dave Bittner: [00:10:17] Finally, we've all heard the entertaining but questionably relevant observation that squirrels are a greater threat to the power grid than hackers are. But attacks on Ukrainian electrical utilities around Kyiv have somewhat muted this particular mot. But statistically, it retains a degree of truth. Squirrels getting into transformers have blown out more power service than have hackers. Of course, the squirrels have been at it longer - for well over a century now. Anyhoo, add another rodent to the rogues' gallery. Over in Estonia, it's rats. And that's rodents, my friend, not remote access Trojans. They've been chewing on the power cables of one of the most highly connected countries in the world, and they're probably up to it in other places, too. Get yourself some rowdy dogs, Tallinn. That's what we've done.
Dave Bittner: [00:11:07] And now a word from our sponsor McAfee. Ideas don't come for free. Budgets are begged for. Long hours are required. The months, maybe even years, of research - the sheer human effort of it all - the changes, the revisions, the reworks, the results, the adaptation, the innovation, the collaboration all lead to the final moment when it pays off and it's perfect - your company's work, as long as it's not compromised. From device to cloud, McAfee harnesses the power of 1 billion threat sensors to design security that moves beyond intelligence to insight so you can move beyond optimizing security products to optimizing your security posture, and not just react to threats, but remediate threats that matter. Intelligence lets you respond to your environment. Insights empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. That's mcafee.com/insights. And we thank McAfee for sponsoring our show.
Dave Bittner: [00:12:20] And joining me once again is Caleb Barlow. He's the CEO at CynergisTek. Caleb, it's great to have you back. You have an interesting tale to share today, something that I think our listeners will enjoy. Kick us off. What happened to you recently?
Caleb Barlow: [00:12:35] OK. So Dave, we're - first of all, it's good to be back. But imagine the setting of, you know, you're at the end of a staff meeting with a whole bunch of security professionals, and your phone's rung a couple of times during the meeting with a number that you just don't recognize, so you just, you know, hang it up.
Dave Bittner: [00:12:52] Right.
Caleb Barlow: [00:12:52] And all of a sudden, it rings one more time. And you're like, all right, somebody really wants to get a hold of me. So you answer it, and of course - and we've all gotten this phone number - it's the IRS.
Dave Bittner: [00:13:02] Oh.
Caleb Barlow: [00:13:03] In fact, it's an investigator at the IRS. And they're calling to tell you that your Social Security benefits have been seized or suspended.
Dave Bittner: [00:13:11] Mmm hmm.
Caleb Barlow: [00:13:12] Now, as we all know as security professionals, this is not a real call. People start laughing in the room, and you put the phone on speakerphone. And what happens next is, well, pretty interesting. But not only is it comical, Dave, but we actually learned some things because with a whole room of people, we were able to take a lot of notes as this call unfolded. And what we saw here was a pattern that I think as security professionals, we can actually learn something from.
Dave Bittner: [00:13:41] All right. Well, let's go through it together.
Caleb Barlow: [00:13:42] Yeah. So to set the stage of the story - right? - and, you know, this is kind of what you'd expect. I get this call from an officer at the Social Security Administration, Officer Rick Smith, and he indicates that my Social Security number has been suspended. But what was amazing was the amount of time and investment that the caller was willing to put into this before actually asking for anything. The other thing that we started to notice was something about this call was very different. They seemed to be following a pattern. I kind of realized - wait a second - I've seen this pattern before.
Caleb Barlow: [00:14:17] And it's actually the pattern that's used by large-scale CRM vendors that train people to call for inside sales. The first thing you have to understand here is that the pretext was amazing, and the pretext took almost 10 minutes. And during this entire time, I wasn't asked for any PII other than the last four digits of my Social Security number, which, let's face it, you can't do much with that. Now, all of the security professionals, if they're listening to this, they'll laugh a little bit when I told them that the last four digits of my Social Security were 1337.
Dave Bittner: [00:14:55] (Laughter).
Caleb Barlow: [00:14:55] But of course, he didn't seem to catch that joke. You know, it was kind of amazing of, how long will this go? But then we switch to the second phase. So if you think of this - the first phase, the pretext, was trying to build trust. Is there something that connects me to them? And think of this. This is just like what you would do if you're trying to sell somebody something. And I'll get to why that's important in a minute. But the second phase - now we're exploring. And as he starts to explore, how many homes do I have? How many bank accounts do I have? Now, he didn't ask me for the bank account numbers, but he did go through the balances. And, of course, I had to tell him one of the balances was over a million dollars.
Dave Bittner: [00:15:34] (Laughter).
Caleb Barlow: [00:15:34] And of course, there's a long pause, as clearly more people are probably coming around the phone. So then it pivots again. I eventually say I trust him. And it's like - Dave, it was like I said the magic word on the call, and the call changed again dramatically. So now the exploration stage stopped, and now he switches to giving me choices and advice. Now, key again - again, think about this. Anyone that's ever worked on a sales floor, you don't want to tell the customer what to do; you want to give them options and let them choose, right? You want them to be part of the process. And that's exactly what he did at an amazing level of patience.
Caleb Barlow: [00:16:19] So I'm then connected after this conversation goes on - and we're now about 30 minutes in the call. I'm connected with a U.S. Marshal who calls my phone separately, and now the story thickens. And they're incredibly patient, while I'm just a complete pain in the backside as they walk through options, asking me to pick. And this U.S. Marshal, which I later looked up - he gave me a name, Jeff, and I won't say the last name - it turns out, actually is a real U.S. Marshal, and they were spoofing the actual number from the U.S. Marshals Service, so they obviously picked that up from the web.
Caleb Barlow: [00:16:49] But now the plot thickens. Now I go from this being a kind of identity theft issue to - there's money laundering, there's drugs involved, and I'm going to go to court and be locked up for nine days. It's a recorded call. And I need to tell the U.S. Marshal what I want to do. I need to pick. So I finally pick, and then we get to the ask. And the ask is - and of course, anybody listening to this already knows where this ends up - he wants me to go to the bank, but he wants me to keep on the phone while I do. So he doesn't want me to put the phone on mute; he wants me to carry the phone with me, go to the bank and withdraw as much money as I can to safeguard my money while the IRS supposedly locks up my account. I tell him that I can't take the phone with me because it's a landline. And there's a little...
Dave Bittner: [00:17:33] (Laughter) I have to say, I didn't see that coming.
Caleb Barlow: [00:17:39] No, I don't think he did, either. I particularly loved that part of the whole transcript. And there's a little bit of frustration. I think they were swearing on mute. But I finally talked him into letting me hang up the phone, go get the money, and then he called me back in an hour. And that's kind of where this landed. And he did actually call me back; I just didn't have the time for it, didn't answer it.
Dave Bittner: [00:18:02] Yeah. The other thing that strikes me is that at no point did they turn up the heat on you. They were killing you with kindness here.
Caleb Barlow: [00:18:11] Absolutely. And the minute I said the word trust, man, did the whole call change. Now, here's where this gets really interesting. So if I - if you think about this story, he starts by identifying with me and then connecting with me, right? And only after we've connected a bit, he's talked through what the story is, he's explained to me what the problem is, he's there to help, then does he start to explore. He starts to ask about my driver's license, my car, my bank accounts. And only at the very end does he advise. Well, that cadence - identify, connect, explore, advise - is the exact methodology used by one of the major CRM vendors in the market.
Caleb Barlow: [00:18:54] And my thesis - totally unproven, of course - is I actually think we've enabled this problem because as we - you know, let's face it - we've outsourced many a help desk to locations like this. Along the way, we've trained people. I am thoroughly convinced that whoever wrote this script and is managing this call center is either using these CRM tools, which is highly likely, or was certainly trained in these methodologies so they know exactly how to approach this. And they're using everything they learned from selling us stuff to try to sell us a scam.
Dave Bittner: [00:19:28] No, it's a fascinating insight, quite a tale. And I guess hats off to you for wasting their time - but certainly a cautionary tale to everybody else out there. Well, Caleb Barlow, thanks for joining us.
Caleb Barlow: [00:19:42] Thanks, Dave.
Dave Bittner: [00:19:47] And that's the CyberWire.
Dave Bittner: [00:19:48] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.