The CyberWire Daily Podcast 1.24.20
Ep 1010 | 1.24.20

PupyRAT is back. So is the Konni Group. Twitter storm over claims that MBS hacked Jeff Bezos. Anti-disinformaiton laws considered. Canada is ready to impose costs on cyber attackers.


Dave Bittner: [00:00:04] PupyRAT was found in a European energy organization. It may be associated with Iranian threat actors. Another threat actor, the Konni Group, was active against a U.S. government agency last year. Saudi Arabia maintains it had nothing to do with hacking Jeff Bezos' phone. The EU and Ukraine separately consider anti-disinformation regulations. Canada may be ready to impose costs in cyberspace. And Huawei is a threat, but what are you going to do? 

Dave Bittner: [00:00:39]  And now a word from our sponsor, PrivacyGuard. By now, you might have heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies, companies that you might have done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to That's And we thank PrivacyGuard for sponsoring our show. 

Dave Bittner: [00:01:23]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:10]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 24, 2020. 

Dave Bittner: [00:02:19]  RecordedFuture has identified a PupyRAT infestation in a European energy sector organization. It's command-and-control was communicating with the infected organization's mail server from late November through January 5 of this year. PupyRAT is an open-source tool available on GitHub. It's effective against Windows, Linux, OSX and Android systems. And it's been used to obtain access to the victim's system, collecting sensitive information and credentials from the infected network. RecordedFuture told ZDNet that they think it likely that the infestation represents espionage and reconnaissance. ZDNet uses the plural companies in its coverage, but RecordedFuture's own report is quite circumspect about whom the attackers hit, whether it was an association or a company and whether more than one organization was victimized. 

Dave Bittner: [00:03:10]  PupyRAT has been observed for several years, at least since early 2017, when IBM described its use. The remote access Trojan has been used by Iranian threat groups, APT33 - also known as Elfin, Magic Hound, or HOLMIUM - and COBALT GYPSY, which RecordedFuture says overlaps with APT34, that is, OilRig. The researchers stress that the current activity predates the recent escalation of U.S.-Iranian tensions that have attended attacks on U.S. installations in Iraq and a retaliatory U.S. strike that killed the Quds Force commander, Major General Soleimani. So the threat actor could well be working on behalf of Iran. But, of course, attribution is difficult, especially when a tool has been made available as open source. 

Dave Bittner: [00:03:58]  Palo Alto Networks' Unit 42 research group reports that an unnamed U.S. government agency was hit with what Unit 42 is calling the Fractured Statue Campaign. It uses a novel downloader, Carrotball, that the researchers say was employed along with the familiar Carrotbat tool. They regard it as probable that FracturedStatue is attributable to the Konni Group, a threat actor that Cisco Talos says has been active since at least 2014. The threat actor took the name of the Konni RAT it was early associated with, but it's since branched out and evolved its tactics. The recent campaign, which Unit 42 says was active between July and October of 2019, initially used phishing emails that represented themselves as coming from Russian email domains. The phishbait documents generally dealt with North Korean commercial relations and were written in Russian, with some English sections thrown in. 

Dave Bittner: [00:04:53]  Neither Russia nor North Korea should be assumed to be the source of the campaign. Unit 42 summarizes what's known about the Konni Group as follows - quote, "Konni is a threat group operating in East Asia. This group is known for using spear-phishing attacks with documents related to North Korea. But lately, documents related to cryptocurrency also have been observed. Konni is also the name of their custom RAT which leverages anti-analysis techniques and intelligence gathering features," end quote. 

Dave Bittner: [00:05:22]  None of this tells us who's responsible. Cisco Talos, in their earlier assessments of the group's activities, concludes only that, quote, "clearly the author of the malware has a real interest in North Korea," end quote. But as we've seen in the Middle East espionage campaign directed against Arabic-speaking targets, an interest in a country is very imperfectly connected with attribution to that country. So while North Korea may well be behind the Fractured Statue Campaign and the Konni Group's other works, firm attribution would be premature. 

Dave Bittner: [00:05:56]  Reuters writes that the Saudi Foreign Ministry has again dismissed claims of Crown Prince Mohammed bin Salman's involvement in hacking Amazon founder Jeff Bezos' phone as absurd. That is, they didn't do it, and especially the crown prince didn't do it. But investigations are in progress, and it certainly seems that something was done to Mr. Bezos' device. Is it possible the crown prince may himself have been hacked - either his phone or a WhatsApp account - as some have suggested? Well, sure, maybe. And it does seem odd that a crown prince would directly get his digital hands dirty. On the other hand, who better to hack the richest man in the world's device than a fellow billionaire who's met him at the places where billionaires go to meet? 

Dave Bittner: [00:06:41]  In any case, as BuzzFeed notes, Saudi-aligned Twitter accounts have been doing a lot of anti-Bezos woofing, with accusations of insincerity concerning his expressions of mourning for the late Jamal Khashoggi, a discreditable personal life as evidenced by the intimate pictures someone provided to the National Enquirer and so on. BuzzFeed thinks the accounts doing the tweeting are a part of a coordinated and inauthentic campaign presumably directed from Riyadh, so does the United Nations Special Rapporteur on extrajudicial killings. Agnes Callamard told BuzzFeed, quote, "the hacking and the campaign are two actions taking place alongside each other, both of which aim, in my view, at intimidating, creating fear and ultimately controlling or silencing the people who are the object of both hacking and the campaign," end quote. 

Dave Bittner: [00:07:32]  Mr. Bezos has been the target of such campaigns before. NBC News reported that they began shortly after Jamal Khashoggi, who had been a columnist for the Bezos-owned Washington Post, was assassinated inside the Saudi embassy in Istanbul, a murder which occurred on October 2 of 2018. Twitter at that time took down a large number of the accounts involved. The platform has yet to take large-scale action in this latest round. Forbes wrote yesterday that Graphica reported some 8,500 tweets by fans of MBS - that is fans of Crown Prince Mohammed bin Salman. A common theme was a threat to boycott Amazon. 

Dave Bittner: [00:08:10]  Ukraine is considering a comprehensive law designed to suppress disinformation. RadioFreeEurope|RadioLiberty says that critics are concerned the measure will also effectively suppress journalism. Ukraine is in a tough spot. As a former Soviet republic, it has direct and immediate memory of what disinformation is and how a disinformation campaign can be mounted. And were its historical memory to be as short as, say, ours is, it need only look to the Russian hybrid war in Crimea and the Donbas for an education. 

Dave Bittner: [00:08:42]  Farther west, the EU is also deliberating adoption of measures that would counter disinformation. Facebook doesn't like them, New Europe says, and characterizes the proposed regulations as a threat to free speech. To be sure that's not exactly what the lawyers call an admission against interest, but put the ad hominem aside and consider how are you going to legislate against disinformation without doing the violence to free speech Facebook warns against? License journalists? If that's the goal, there's useful advice to be had from the neighbors to the east, say, around Moscow. 

Dave Bittner: [00:09:16]  Canada's government is preparing to impose costs on those responsible for cyberattacks on the Dominion, according to 660 News. The bad actions in cyberspace on which costs might be imposed would presumably include the sort of influence operations the Canadian Centre for Cyber Security has been warning against. Canada's Communications Security Establishment, the country's counterpart to Britain's GCHQ, the American NSA, the Australian Signals Directorate and New Zealand's GCSB, has been given a charter to operate against targets in cyberspace. The documents that refer to imposition of costs suggests that such operations would be best done in concert with allies. 

Dave Bittner: [00:09:59]  And finally, the Economist looks at Huawei and concludes it's a threat but says the risks can be managed. That's roughly what the U.K. seems ready to do, permitting Huawei into 5G networks but only in less sensitive peripheral regions, and only in the context of ongoing security vetting. 

Dave Bittner: [00:10:23]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough, integrated single-sign-on password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multi-factor authentication, securely authenticate into your work using biometrics - such as fingerprint or face - deliver a password-less login experience for your employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit That's And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:11:49]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, always great to have you back. It is that time of year where I am obligated by my role as a podcast host to ask you, what are your predictions for 2020? What do you see on the landscape as we jump into this new year? 

Justin Harvey: [00:12:09]  Well, first off, I want to say Happy New Year to you and your listeners. So getting that out of the way... 

Dave Bittner: [00:12:17]  Yeah. 

Justin Harvey: [00:12:17]  ...So starting here with 2020 predictions, the first is that I believe that ransomware will, of course, continue and evolve in 2020. In fact, I am not sure that we've actually seen the peak of these style of attacks around the world. I think that all industries are still going to be vulnerable to attack. Ransoms, however, they might - paying the ransoms, I think that they might actually be peaking this year. 

Justin Harvey: [00:12:48]  I think that with cyber insurance claims rising, as well as the cost of cyber insurance - I read an article last week that said that cyber insurers were looking at raising premiums up to 25% for new policies. And I think that's in response to not only the frequency of ransomware attacks but also the fact that they are paying out ransoms. I think that the industry will start to clamp down on that, and we may even see some legislation around governing paying ransoms to unknown third parties. 

Dave Bittner: [00:13:29]  Interesting. What else do you have your eye on? 

Justin Harvey: [00:13:32]  Well, given that this is the year 2020 and that we are looking at what could be one of the most contested and contentious election years in American history, I believe that nation-states will look to continue to interfere in the election. And one way that they could do that is through getting out ahead of stories. 

Justin Harvey: [00:13:57]  And what I mean by that is we have seen not only in 2019 and in 2020 and in 2016, but any time that there is a scandal or a question about a person or an organization or a company and if they're up there in the news, the nation-states looking to further their cause, perhaps for the opposing candidate, they'll actually launch a cyberattack against that person, that individual, that organization or that company in order to get the data before anyone else can or before its release and either leak it or use it for blackmail. And we've seen that historically. So I believe that nation-states will become much more predatory when it comes to the headlines. 

Dave Bittner: [00:14:46]  Interesting. What about from within organizations themselves? I'm thinking of the folks in the C-suite. What should they have their eye on? 

Justin Harvey: [00:14:54]  All companies in 2020 should expect to get hit by a cyberattack and whether that be a small poking or prodding and maybe a run-of-the-mill malware attack - I can't believe I'm saying run-of-the-mill malware attack, but they still happen today. It could be ransomware. It could be a destructive attack. And therefore, if you expect to get attacked, then it should really be about what can your organization do to improve the cyber resilience inside and outside the organization? And what I mean by that is cyber resilience is the ability to detect and respond to a cyberattack and then get back to business as soon as possible. So that's No. 1. Everyone should expect to be attacked and be ready for it. It should be absolutely no surprise to the C-suite, the board or even the security teams. 

Justin Harvey: [00:15:49]  The second priority that that the C-Suite, particularly CISOs, should be focusing on is automation. There are simply not enough skilled workers out there. We are all fighting for them. So being able to automate a lot of the rote processes within your security workforce would be a great next step or great next area of investment. 

Justin Harvey: [00:16:11]  And also, building upon that - managed security services. We are seeing an upward trend on more and more global organizations pivoting to managed security services for the same reason as automation; there simply are not enough people out there to keep up with the growing demand and the growing attack surface. Everyone's going to the cloud, but with the cloud comes new technologies, new ways to monitor and new threats. So it is important to have a managed service there standing by, ready to help you out. 

Dave Bittner: [00:16:44]  All right. Plenty to think about as we look down the highway towards this new year. As always, Justin Harvey, thanks for joining us. 

Justin Harvey: [00:16:51]  Thank you. 

Dave Bittner: [00:16:57]  And now a word from our sponsor, BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network, with all those IOT goodies they got over the holiday, or credential-stuffing attacks because of their password reuse? Executives and their families are targets, but unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit That's And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:18:17]  The cybersecurity sector continues to attract significant attention from investors, and for the immediate future, there is no sign of that slowing down. My guests today are Hank Thomas and Mike Doniger, both experienced investors, and they formed a new company called SCVX. Their plan is to bring a funding mechanism known as a SPAC to cybersecurity, which they say is new to the space. 

Mike Doniger: [00:18:43]  So a SPAC, special purpose acquisition corporation... 

Dave Bittner: [00:18:46]  That's Mike Doniger. 

Mike Doniger: [00:18:47]  ...Is essentially a blank check company. So what it is, is we raise a blind pool of capital on Wall Street in the form of an IPO, and by definition, you're not allowed to know what you're going to buy. There's very strict rules behind that. However, you can target a specific space. And so some are more general in what they approach - let's say agriculture or chemicals or something very broad. We decided to take a very specific approach in targeting the cybersecurity space and, in that, created an infrastructure around that with our board, which we'll get into with Hank and his team, to have a lot of expertise in a very targeted area. 

Dave Bittner: [00:19:32]  So why a SPAC versus other methods of gathering capital, of making investments? 

Mike Doniger: [00:19:40]  If you are a target company and you're looking for the next evolution in your financial, you know, lifehood (ph), you have a couple options. You can obviously continue to raise venture capital money or private equity money. The cyberspace in general doesn't like a lot of leverage because they're high-growth companies, and so it tends to be more venture capital than private equity. And then as you hit that kind of Series C Series D part of your evolution, you know, and your valuation starts to get upwards towards that billion dollar range, you know, the venture capital money is not as readily available at that point. And these companies are extremely expensive to continue to grow with large sale forces and getting, you know, a footprint inside that Fortune 1000. 

Dave Bittner: [00:20:30]  Well, Hank, let's dig in here. I mean, take us through the thesis. 

Hank Thomas: [00:20:34]  Yeah, so the thesis is that the average CISO has more than 75 tools in their war chest right now. The security stack has become unwieldy. It isn't necessarily itself always integrated like it should be. If you're J.P. Morgan and you're spending billions on cybersecurity, you have the ability to properly integrate things. But move down from that, and you're struggling to integrate maybe the tools you have with the other security tools to integrate them with the rest of your IT stack. You're really just kind of like in crisis management mode all the time. I'm not saying everyone's in this situation, but that's kind of the general feeling in cybersecurity these days is, like, you know, what bad's going to happen next? 

Hank Thomas: [00:21:16]  And we think that - you know, go to RSA for the last 20 years, like many of us have, or go to any of these security conferences, and you see these rows and rows of things - right? - that if you're not in the sector, you know, how can you tell these things apart? And if you are, you still sort of struggle to a certain extent. But we know that within those rows and rows and rows of things, there are some really awesome platform - and we can get into what a platform really means - cybersecurity companies that we could, if injected with the proper amount of capital and the right - maybe the right new thinking to how to take it to the next level - you could build a really cool security control platform that you could hang a number of other things off - let's call them ornaments - that'd give it far more capability than it has today. 

Hank Thomas: [00:22:04]  And people were talking about this already. I mean, this is a conversation I had before we started seriously talking about doing this back the last four years at RSA, where we said, you know, what if we can only roll these four companies out? And our goal is to find one really cool company right now that meets most of our criteria, if not all of them, invest in that company, help them develop a strategy to integrate a few other critical security controls into that platform, and then create something that doesn't really exist in the industry today. 

Dave Bittner: [00:22:35]  There's obviously been no shortage of investment dollars in cybersecurity over the past few years. And as we touched on earlier, you know, SPACs have been growing in popularity as well. By your estimation, this is the first time we've seen this combination, of a SPAC targeting cybersecurity. 

Mike Doniger: [00:22:55]  We definitely think so. We definitely think we're the first... 

Dave Bittner: [00:22:57]  Mike Doniger. 

Mike Doniger: [00:22:58]  ...Definitely targeted directly at cybersecurity. There may be one or two other SPACs that are technology focused or defense focused that cybersecurity may fall in their sub-sphere. But no one to our knowledge has really targeted and put a board like this and put a team like Hank's team, like, at the task. 

Dave Bittner: [00:23:14]  So in terms of - I mean, from a practical point of view, maybe trying to help both you all out and the folks who think that they may be a potential candidate for you, to try to save everyone some time, do you have some general dos and don'ts, like, these are the things we're interested in, and these are the things - please, let's not waste each other's time as we're setting up these meetings and trying to get these things going? 

Hank Thomas: [00:23:37]  Yeah, I would say if you're not at least a Series, you know, C round capital size cybersecurity company, you're probably too early. 

Dave Bittner: [00:23:45]  That's Hank Thomas. 

Hank Thomas: [00:23:47]  That's sort of the first financial gate to look at. I think that, you know, having a - being a force in a particular sector, primarily the commercial sector - so say, having a large footprint in the financial services industry or maybe you're a major player in the critical infrastructure protection sector or you are, you know, have a - sort of a niche security control that doesn't necessarily have a lot of competition yet but have also established a strong presence across multiple commercial sectors - those would all be things that we would be interested in looking at. 

Dave Bittner: [00:24:23]  So you spin up the SPAC. You make your initial decision. You buy your company; you invest in your company. What is the amount of flexibility you have at that point? What directions can you go in? 

Hank Thomas: [00:24:35]  Yeah, so, you know, that company will be capable of using both the expertise we have in place through our board, using some of the capital who's been injecting them to bring on additional expertise, survey the landscape and say, you know, what will the - what are the things that kind of kept us where we were before we IPOed? And now we have the flexibility to use this newly found capital to go out and acquire a couple of those missing components, integrate those successfully into what we're doing and then become a platform that is more viable to either a particular industry sector or across multiple industry sectors, something that's more viable technically and more interesting, you know, to the public markets as well. 

Dave Bittner: [00:25:22]  That's Hank Thomas and Mike Doniger from SCVX. We'll have an extended version of my interview with them running here in the next few days. Do check it out. 

Dave Bittner: [00:25:36]  And that's the CyberWire, For links to all of today's stories, check out our daily news brief at Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:25:53]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.