The CyberWire Daily Podcast 1.17.20
Ep 1006 | 1.17.20

Hacks, and rumors of hacks. Burisma incident under investigation. SharePoint exploitation. How to spark a run on a bank. WeLinkInfo taken down. Phishbait update.


Dave Bittner: [00:00:04] Hacks and rumors of hacks surrounding US-Iranian tension. Ukrainian authorities are looking into the Burisma hack, and they'd like FBI assistance. The FBI quietly warns that two US cities were hacked by a foreign service. The New York Fed has thoughts on how a cyberattack could cascade into a run on banks. Arrests and a site takedown in the WeLeakInfo case. And a quick look at the chum being dangled in front of prospective phishing victims these days. 

Dave Bittner: [00:00:37]  And now a word from our sponsor, PrivacyGuard. By now, you might have heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies - companies that you might have done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to That's And we thank PrivacyGuard for sponsoring our show. 

Dave Bittner: [00:01:43]  Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 17, 2020. 

Dave Bittner: [00:02:17]  US jitters about the possibility of Iranian cyberattacks persist. While many of the warnings are founded largely on a priori probability, Cyberint reminds everyone that Iran does have a track record in cyberspace, and it's probably worth reviewing that record given recent events. During heightened periods of tension, misdirection is often successful. And Fortune cites experts who caution against jumping to conclusions. False flags are always a possibility, and Russia has flown an Iranian false flag in the past. Britain's GCHQ and the American NSA this past October issued a joint warning that the Russian threat group Turla had used Iranian infrastructure to carry out a range of operations. 

Dave Bittner: [00:03:00]  While most of the cyber activity arriving in the wake of Iranian proxy attacks on US personnel and installations in Iraq and the US drone strike that killed the commander of Iran's Quds Force has been low-level defacement of low-level websites, there have been more serious instances of online threats. Families of deployed US paratroopers are receiving harassment in social media. The source is unclear, the Military Times reports. The 82nd Airborne Division deployed its first Brigade Combat Team to the region early this month in response to increased tension. The Division is briefing family members back in Fort Bragg in Fayetteville, North Carolina, on how to stay safe online and how to respond to threats made in social media. 

Dave Bittner: [00:03:43]  There are signs, Military Times says, that the Division's Morale, Welfare and Recreation Network, a communications network that supports soldiers and their families in ways its name suggests, had been compromised and that hostile actors had used information gained from the compromise to threaten or frighten families. A representative sample of the messaging is, quote, "if you like your life and you want to see your family again, pack up your stuff right now and leave the Middle East. Go back to your country. You and your terrorist clown president brought nothing but terrorism. You fools underestimate the power of Iran. The recent attack on your expletive bases was just a little taste of our power. By killing our general, you dug your own grave. Before having more dead bodies, just leave the region for good and never look back." So there. Again, it's unclear whether this particular psychological operation is being directed from Tehran. It's just as likely to be the work of inspired, freelancing amateurs. 

Dave Bittner: [00:04:44]  Reuters reports that Ukrainian authorities have asked for FBI assistance in investigating the alleged Burisma hack by Russia's GRU and related matters. The White House also says US President Trump may raise the Burisma affair with Russian President Putin. It's worth noting that the Burisma hack, while Area 1's report has been widely accepted, is still a developing story. As E&E News points out, the story absolutely passes the laugh test. But the Area 1 report may not have entirely closed the case. 

Dave Bittner: [00:05:16]  ZDNet reports that the FBI has quietly warned industry partners that two unnamed US municipalities have been successfully breached by nation-state hackers. Their preferred attack has come through the SharePoint CVE-2019-0604 vulnerability. And thus, city governments and others who use SharePoint should look to their patching. The bureau doesn't say which nation-state was behind the attack or even if there was more than one nation-state involved. 

Dave Bittner: [00:05:45]  CVE-2019-0604 has been popular with both spies and crooks. Looking at the spies, ZDNet notes that Palo Alto Networks has seen China's Emissary Panda making its way into targets through this particular flaw. But, of course, which country prompted the FBI's warning remains publicly unknown. 

Dave Bittner: [00:06:04]  A report by the Federal Reserve Bank of New York concludes that a cyberattack on a small number of banks could propagate rapidly through the US financial system through the wholesale payments network. It's not necessarily that the malware itself would spread, but rather the way an attack's effects would be amplified by practices like liquidity hoarding, creating a virtual run-on-the-bank. 

Dave Bittner: [00:06:25]  The Fed glumly calls the study a pre-mortem analysis, which seems more pessimistic than alternatives like assessment, diagnosis or prognosis. We know, we know. John Maynard Keynes said that in the long run, we are all dead. And we get it. Heck, our sports desk even keeps a Father Time is undefeated memento around. But come on, Fed economists, throw us a bone here and give us something to hope for. Pre-mortems, forsooth. 

Dave Bittner: [00:06:54]  US authorities have seized WeLeakInfo's domain as part of an international law enforcement operation against the online market that dealt in compromised credentials. Two men associated with WeLeakInfo have been arrested, according to Computing and others - one in Northern Ireland, the other in the Netherlands. BleepingComputer observes that one need look no farther than this particular case to see that the authorities in general and around the world take a very dim view of those who traffic in stolen credentials. 

Dave Bittner: [00:07:24]  What's the phishbait most commonly used in the wild? What subject lines to the hoods think you, friend, are going to swallow hook, line and sinker? KnowBe4 says it's seeing these - SharePoint, approaching SharePoint Site Storage Limit, Microsoft, Anderson Hauck has shared a Whiteboard with you, Office 365, medium-severity alert, unusual volume of file deletion, FedEx, correct address needed for your package delivery, USPS, your digital receipt is ready, Twitter, your Twitter account has been locked, Google, please complete the required steps, Cash App, your account has been closed, Coinbase, important; please resolve error now, and would you mind taking a look at this invoice? Would I mind? Yes. Yes, I would. What do these exhibit? That the phish tend to bite from fear, from greed, or out of a desire to cooperate. 

Dave Bittner: [00:08:19]  And finally, we close with another bit of good news. Bitdefender has released a descriptor for Paradise ransomware. Bravo, Bitdefender. 

Dave Bittner: [00:08:33]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough, integrated single-sign-on password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multi-factor authentication, securely authenticate into your work using biometrics - such as fingerprint or face - deliver a password-less login experience for your employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit That's And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:09:59]  And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, I know something that you all have been tracking with the work you do with fraud and identity protection and so on is tracking this development of synthetic identity detection. What are you looking at when it comes to that? 

Emily Wilson: [00:10:20]  So to give your listeners just a quick reminder, synthetic identities are identities that are pieced together using either components from multiple real IDs or some combination of real IDs and fake information. And so synthetic IDs might, for example, mean using a real address, someone else's date of birth, for example, and perhaps the Social Security number of a child or a Social that hasn't been issued yet. And so with that composite information, then, a criminal might go and apply for credit, for example, and try and open a credit card or create a credit profile in some way. And if we think about that situation and say, well, surely they must flag that and say, you know, a 3-month-old can't possibly be trying to take out a $10,000 loan, you might hope that. But as with so many things in this space, that's simply not true. 

Emily Wilson: [00:11:17]  However, not all hope is lost in theory - cautious optimism. A couple of years ago, we heard that there was a tool in development from the Social Security Administration that would be issued to banks and other financial institutions and perhaps a few others in this sort of credit space that would allow them to verify information with whatever loans or requests they have coming in against the Social Security Administration database. Again, this sounds like something that should have existed all along, but it doesn't. It didn't, and it might now. 

Emily Wilson: [00:11:53]  So that information, that tool, first kind of came up a couple of years ago. And it looks like heading into next year, this may finally become available to some of these institutions. And I'm very curious to see what this uncovers about synthetic identity fraud and the rates in which certain groups have been exploited for this because right now, the numbers are a little bit all over the place. We know it's very popular for automobile fraud, for example, but it's been a really hard thing for institutions to track. And as they have access to this tool, I think we're going to start to see some interesting shakeups there. 

Dave Bittner: [00:12:29]  Are there any concerns that the tool could be used in the other direction, that bad guys could, you know, slip someone money who has access to this tool to get legit Social Security information? 

Emily Wilson: [00:12:43]  Absolutely. That's almost certainly going to happen. I think that is - it is only reasonable to assume that that is going to be the case, the same way that criminals have access to things like DMV databases, voter databases, they gain access to hospitals. One would hope that whoever is developing this tool for these financial institutions and Social Security Administration are going to think about ways to keep that safe. 

Emily Wilson: [00:13:10]  But no system is infallible. And you're going to have a lot of people from a lot of different institutions who are going to be trying to use this to run a variety of queries. And so I expect that we will see fraudulent access. I think it will be a few years before we hear about that happening. But I'm hoping that on balance, this will allow these institutions to do a check of their backlog of requests, for example, and say, hey, you know, it occurs to me that if there's a Social Security number that hasn't been issued yet, they maybe shouldn't have six credit cards. It's really hard with something like this where you have to - you want to assume that it has existed the whole time. And to find out that only... 

Dave Bittner: [00:13:54]  Right. 

Emily Wilson: [00:13:54]  ...Just now it's potentially coming into play - and of course, these are estimates about when it's being released, right? The estimates are that starting in summer of 2020, a handful of companies will begin to be able to check this service. Now, of course, those companies also needed to help fund this service, and they are responsible to pay a fee going forward on this service. And so, you know, I think we can hope that whatever they've paid to put this together, they will be able to reap the benefits by preventing fraud on however many millions of accounts. 

Emily Wilson: [00:14:31]  If we find out that however many million children have had their Social Security numbers used to create these synthetic ideas, how do we go about fixing that? Do we reissue those socials? Do we provide credit freezes for those children? Do we begin credit monitoring on these 2-year-olds? What does the aftermath look like? How do you inform parents or guardians of that situation? Where do we go from here, and how do we - you know, what is the next thing that criminals are going to do to continue to try to exploit this? And so those are some big questions that we need to be thinking about now before companies go in and start finding this information so that we can be ready when that information is available. 

Dave Bittner: [00:15:15]  All right. Well, Emily Wilson, thanks for joining us. 

Dave Bittner: [00:15:22]  And now a word from our sponsor, BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network with all those IoT goodies they got over the holiday or credential-stuffing attacks because of their password re-use? Executives and their families are targets. But unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars worth of cyber controls, hackers have turned their attention to the executives' home network and devices which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit That's And we think BlackCloak for sponsoring our show. 

Dave Bittner: [00:16:41]  My guest today is Eric Haseltine. He's former director of research at NSA and prior to that was executive vice president of Disney Imagineering. His new book is "The Spy In Moscow Station: A Counterspy's Hunt For A Deadly Cold War Threat." 

Eric Haseltine: [00:16:58]  The book is about a six-year hunt for a devastating leak in our national security that was getting a lot of our assets - that is, Russian citizens who were spying for us - arrested and executed. And what motivated me to write the book is that when I was at NSA, I got the very strong impression that certain countries, especially Russia, were far advanced in certain kinds of spy tradecraft over us, and I needed to raise people's awareness of it. And that was the main reason that I wrote the book and that the main character in the book, Charles Gandy, wanted to have his story told. 

Dave Bittner: [00:17:40]  Well, take us through the story. I mean, give us an overview of how this all played out. 

Eric Haseltine: [00:17:47]  Well, Gandy went to Moscow in the spring of 1978. And it just so happened that when he was there, they broke into a false chimney because someone had heard noises there. And they found a antenna and some electronics connected that antenna that were clearly some kind of eavesdropping device the Russians had snuck into the embassy, and it was pointed at the ambassador's office. 

Eric Haseltine: [00:18:12]  Gandy actually got his hands on the antenna and listened through it with his special gear, and he figured out what was happening. And what he figured out was that the Russians had got some kind of implant that was listening to some kind of text device - it could have been a printer, could have been a typewriter, could have been a enciphering machine - and they were sending it out in bursts. They were very, very difficult to detect. Basically, what they did is that they hid in plain sight. And so he knew. 

Dave Bittner: [00:18:45]  I see. 

Eric Haseltine: [00:18:45]  So he went to the chief of station and said, this is what's happening. And basically, nothing was done, and no one believed him. And people continued to get arrested, and there continued to be problems. And this whole thing did not get resolved until six years later because a lot of what was happening is CIA said, well, no. What he's talking about didn't really happen. What he saw didn't really happen. 

Eric Haseltine: [00:19:12]  But what happened was in 1983, the French discovered an incredibly sophisticated Russian bug in one of their embassies and told the head of NSA about it. And they sent it to Gandy, and they said, hey, you got to do something about this. But what had turned out to happen in about 1981 or so, the director of CIA was so ticked off at Gandy in the trouble that he was making about this problem that he ordered NSA to get out of the business and to stand down. 

Eric Haseltine: [00:19:45]  And so when the French bug came and the head of information security at NSA - a really colorful guy named Walter Deeley - came to Gandy and said, well, you got to get all over this. If they're doing this to the French, who are a third-rate power, what are they doing to us? They must have stuff there we can't even find. And Gandy said, I can't. The CIA director has told me, can't do it. And Walt Deeley says to him, what would it take? And jokingly, Gandy says, well, you'd have to get a letter from President Reagan. So three days later, Deeley comes back, and he has a letter from President Reagan. He had gone to the White House and gotten Reagan to sign a letter authorizing Gandy to go over to Moscow and solve the problem. 

Dave Bittner: [00:20:29]  This is a risky move on his part. To go over people's heads to the president himself, there could have been repercussions for this, yes? 

Eric Haseltine: [00:20:39]  Absolutely. It was a huge career risk because he went over his boss's head at NSA, the secretary of defense, the national security adviser. But Deeley was a guy who was a really rough character. He had no college education originally. He joined NSA as a sergeant and clawed his way up to be the No. 3 official at NSA. And he was a street fighter. He really was a tyrant. And you can think of him as kind of a Patton-like character. 

Eric Haseltine: [00:21:08]  And it reminds me of something Admiral King said about warfare in the Atlantic during World War II. He said, when the shooting starts, go get the sons of bitches. And there's no doubt that that was Deeley. And, you know, he didn't care what people thought of him. He cared about the mission, and he was going to do what he thought was right. And he didn't care what anyone else thought. And that's a tough person to work with. But in cases like this, that's what you have to have. And although the story is mostly about Gandy, in a way, Walt Deeley is the real hero because he had the courage to go to the White House and get this thing unstuck. 

Dave Bittner: [00:21:45]  And what is your sense of where things stand today in terms of the communications and collaboration between our own intelligence agencies? 

Eric Haseltine: [00:21:54]  It's very poor, in my opinion. In fact, I wanted to write this book when I first learned about the story after I left the government. And Gandy said, no, you're going to destroy the relationship with CIA and NSA. And I said, that's impossible. He said, what do you mean? I said, well, you know, after 9/11, I was head of science and technology at NSA. I went to my counterpart at CIA, a deputy director there. And I said, hey, let's cooperate. And he said, al-Qaida's our target. You're our enemy. Get out of here. I can't tell you how many meetings I was in across the intelligence community after 9/11 where someone would say, oh, I guess it's going to take another 9/11 to get us to cooperate. And I would say, wasn't one enough? 

Dave Bittner: [00:22:38]  What is your outlook? I mean, as - are we doomed by the nature of us being humans with these tribal tendencies? Are we always going to have this infighting? Is there any hope for working beyond this and everybody working together? 

Eric Haseltine: [00:22:55]  We're never going to stop people from being tribal. The question is whether we let it hurt us more than it helps us. In the intelligence world, competition is actually essential. You don't want group think. You don't want everybody reaching the same conclusion because they're all on the same page. You want a diversity of opinions. You want there to be tension because no one gets it right all the time. 

Eric Haseltine: [00:23:20]  And in fact, that's why CIA was created. The Washington establishment realized that if the Pentagon was the only one who got to say what the Russians were doing, they would naturally say, oh, the Russians are going to wipe us out tomorrow in order to get bigger budgets. So they created CIA to be a counterweight to that. 

Eric Haseltine: [00:23:39]  So it's not a matter of whether tribalism is bad. Tribalism is a fact of life. It's going to be there forever. But great leaders learn how to harness that and turn it in a positive direction. So I think that's the important point. If you try to fight human nature, you're going to lose every time. You can't fight it. It's a wave. So instead of being swamped by that wave, you have to learn how to surf that wave. 

Dave Bittner: [00:24:05]  That's Eric Haseltine. His new book is "The Spy In Moscow Station: A Counterspy's Hunt For A Deadly Cold War Threat." 

Dave Bittner: [00:24:18]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company the leading insider threat management platform. Learn more at

Dave Bittner: [00:24:34]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.