Pyongyang’s guide to hacking on behalf of rogue regimes. RATs in the supply chain? Data exposures and data breaches. Securing elections (and caucuses, too).

Dave Bittner: [00:00:04] Pyongyang establishes a template for pariah states trying to profit in cyberspace. The FBI warns that there's a RAT in the ICS software supply chain. The US has a new counterintelligence strategy, and cyber figures in it prominently. Likud's exposure of Israeli voter data may benefit opposition intelligence services. We've got notes on the Equifax breach indictments. As New Hampshire votes in its primaries, CISA warns everybody not to get impatient. In Iowa, they're still counting.

Dave Bittner: [00:00:39]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And are you attending RSA Conference 2020 in San Francisco February 24 through the 28? Well, don't forget to stop by booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook." Come on by and say hello. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:50]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:14]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 11, 2020. 

Dave Bittner: [00:02:23]  Researchers at the intelligence firm Recorded Future describe how Pyongyang has adapted the internet into a tool for rogue regimes. North Korea has grown adept at using cybercrime as a means of evading the international sanctions that have crippled its economy. The country's hackers have become proficient, Recorded Future says, at three ways of generating revenue - internet-enabled bank theft, exploitation of the cryptocurrency sector, as seen in some of the Lazarus Group's recent activities, and finally, what the researchers call low-level information technology work and financial crime. The regime has also succeeded in stealing intellectual property useful in acquiring or enhancing its capabilities in prohibited technologies, especially ballistic missiles and weapons of mass destruction. The North Korean template can, Recorded Future suggests, be used by other pariah states struggling under international sanctions. They specifically mentioned Venezuela, Iran and Syria.

Dave Bittner: [00:03:21]  According to ZDNet, the U.S. FBI has circulated a private warning to industry, cautioning companies that threat actors are working to infect software supply chains with the Kwampirs remote-access Trojan. This particular RAT has been seen most often used against targets in the health care sector, but the recent FBI warning suggests that Kwampirs has been seen in use against industrial control systems.

Dave Bittner: [00:03:45] The US has released its National Counterintelligence Strategy. The document lays out a case, described in The Wall Street Journal, that the intelligence threats the US faces have grown more diverse, more complex and more damaging, especially as they merge traditional intelligence disciplines with cyber operations and as they show an increased disposition to engage in economic espionage.

Dave Bittner: [00:04:09]  The team at security firm Scenera have been working to standardize security measures for surveillance and IP cameras, and among their efforts include supporting the NICE Alliance. NICE stance for a network of intelligent camera ecosystem. And they've recently released details of a framework for IP camera security. Andrew Wajs is CTO and co-founder at Scenera. 

Andrew Wajs: [00:04:31]  There are a number of issues with intelligent cameras, and obviously, one of the most important is the issues of security and privacy from both a developer perspective and for the end user or end customer. But security and privacy was a very important part of how we approached the problem. It was, in fact, the first thing we actually addressed in developing the standard. 

Dave Bittner: [00:04:56]  Now, one of the things that you're doing here is sort of flipping the script when it comes to where in the chain images are processed. And that sort of has a cascading effect on things like privacy. Can you give us an overview of what's going on there? 

Andrew Wajs: [00:05:13]  Yes. So with privacy, what we have done is, we've enabled there to be a fine-grained control of, first of all, what data gets generated. So in configuration of the cameras, we can actually configure the camera such that only notifications get generated - so things like faces or even the actual events themselves can be discarded by the camera - then also enabling the end user to determine which types of data gets generated and which applications can access that data. So we actually enabled some data to be accessible to some applications and other data to be accessible to other applications or not accessible at all. 

Dave Bittner: [00:05:54]  Can you give us a real-world example of an application of that? 

Andrew Wajs: [00:05:59]  So let's say you have a camera in a location where you're monitoring for certain events, and in particular, you don't want people's faces to be recorded, but you do want to see if somebody enters an area which they're not supposed to enter or if there's a - you know, a vehicle entering a location. In that case, we can actually program the cameras to simply send a notification saying that an event has occurred, and there's no upload of any video with any facial information. 

Dave Bittner: [00:06:27]  And so I suppose the notion is that this plays well into the types of regulations that we expect to see coming when it comes to privacy and maintaining data and so on. 

Andrew Wajs: [00:06:40]  Yes. So you know, we have this notion of what we call a zero-image surveillance, where you can actually make sure that, you know, sensitive data is never distributed. And I think there are a lot of applications where this is going to be very important, particularly with facial recognition. And, you know, being able to avoid capturing faces in certain applications is going to be really crucial, not just from the end user's privacy perspective but also from a regulatory (ph) perspective as well. 

Dave Bittner: [00:07:08]  And how do you envision a broad deployment of this sort of thing? Is this a framework that is going to be widely available? Are you keeping some exclusivity to it? Or do you have partners lined up? 

Andrew Wajs: [00:07:21]  Yeah. We're working with, typically, large enterprises or carriers who want to deploy cameras quite widely - so, for example, in smart cities where, you know, you would have a number - a lot of cameras within the urban environment. So we're typically working with enterprises and, you know, large organizations who want to deploy large numbers of cameras. We see this ultimately can go, you know, from enterprise all the way through to consumers. 

Dave Bittner: [00:07:50]  That's Andrew Wajs from Scenera. 

Dave Bittner: [00:07:54]  The Jerusalem Post reports that the data leaked from a voter database app used by the Likud party may have compromised information on Israeli intelligence officials. They cite Harel Menashri, currently head of cyber at the Holon Institute of Technology and formerly one of the founders of Shin Bet's Cyber Unit, as pointing out the potential implications of the data exposure. Again, it's the fact of the exposure and not any evidence that a foreign intelligence service has the data, but there's a non-negligible chance that they do. So in assessing risk, one takes into account the opposition's capabilities. They might have the information, and it's best to plan on the assumption that they do. 

Dave Bittner: [00:08:36]  And finally, the US state of New Hampshire conducts its presidential primary today, and CISA distributed an encouraging email that praised successful threat information sharing, writing on behalf of the Election Infrastructure Government Coordinating Council on Ongoing Efforts to Protect 2020 Elections. The email reminded everyone not to get hasty or jump the gun. The CISA email said, and remember that election results published on election night are not official. It may take days or weeks for official results to become available. The accuracy of the vote total is much more important than the timeliness of releasing results. 

Dave Bittner: [00:09:12]  They seem to be looking at you, Iowa, where the two leading candidates, according to preliminary results - Senator Sanders and former Mayor Buttigieg - have both requested a partial recanvass. A recanvass, the AP explains, is not a recount. Rather, it's a check of results against the paper records in the precincts and would not involve checking the math - addition, basically - recorded on those paper records. After a recanvass is complete, then a candidate may ask for a recount, in which, presumably, math errors might be identified and corrected. 

Dave Bittner: [00:09:43]  Democratic National Committee Chair Tom Perez has been critical of the Iowa party's conduct of its caucus, suggesting that the state's position as first stop in the nominating process would be reevaluated, as it periodically is. Iowa party leader Troy Price has reminded Mr. Perez that it's up to the state party and not the DNC to decide whether to recanvass. Price told WHO TV, we've got a job to do, and that is to finish up this process; there is a time to assign blame, but I will tell you, the DNC has been a partner in this process up to and including caucus night. Part of the post-mortem will surely be a look at how Shadow Inc.'s ill-starred IowaReporterApp was developed and deployed. 

Dave Bittner: [00:10:31]  And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial and observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:11:24]  And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's always great to have you back. You all recently posted on your website a really interesting article here. It's "Industrial Cyber Attacks: A Humanitarian Crisis In the Making." Take us through - what are you laying out here for us? 

Robert M. Lee: [00:11:43]  Yeah, absolutely. Look. I think, when we look at security, we can't do it in just kind of the technical view of the world. It is important to understand where we fall in things like international humanitarian law or law of armed conflict or just kind of how all the countries around the world are viewing these things, especially in industrial security, where you're talking about electric grids and oil refineries and manufacturing and similar - like, national infrastructure. 

Robert M. Lee: [00:12:08]  Long story short, we've been trying to support - I don't think we can take a ton of credit, so I just want to say we're supporting them. Like, they're the ones doing all the work. But we're supporting the Red Cross as it thinks through some of these challenges and where cyberattacks really fall. And I think the - one of the challenges for the Red Cross has always been that when we talk about cyberattacks, it can mean anything, and we'll call something a cyberattack when it's a exposed, you know, AWS container or phishing email. 

Dave Bittner: [00:12:37]  Mm-hmm. 

Robert M. Lee: [00:12:37]  But - and to the - it's harder to deal with. But for them to get their mind around industrial control system attacks, that's much easier - to go, oh, you can turn off the power, and that would relate to hospitals. And there can be attacks that aren't actually completely legal based on how they're conducted against civilian targets. And it's much more obtainable for them and something that we can all put a line in the sand. 

Robert M. Lee: [00:13:01]  So what it really came down to is, we shared our insights that we're seeing, dealing with the threats and understanding how these threats are evolving just based on the data we have - not trying to get too predictive here - and understanding what that could mean in the future so that the Red Cross and other international organizations can try to get a little ahead of it. One of those takeaways is that the industrial control system attacks usually are very specific in nature. If I design an attack on a safety system in a petrochemical environment, that's not going to scale very well. 

Robert M. Lee: [00:13:36]  But as we have this kind of digital transformation or industry as we're becoming more like each other, more homogeneous in nature of infrastructure and as these threats are exposing more and more blueprints of how to do these attacks, you know, the tradecraft or the TTPs or the methods to which they do the attacks more so than malware exploits, we're kind of hitting this convergence at the scalability of attacks. And we could start to see in the future more commoditized attacks and adversaries who aren't sophisticated state actors, even though those aren't always all that sophisticated or mature or responsible. 

Dave Bittner: [00:14:14]  (Laughter). 

Robert M. Lee: [00:14:15]  But we could definitely see more criminal actors and similar, which would really escalate this to an unsafe place for the international community. 

Dave Bittner: [00:14:24]  Well, and also, I mean, what comes to mind for me is something like NotPetya, where something kind of, you know, escapes and causes damage beyond what perhaps its originally - its original intentions were set out to be. 

Robert M. Lee: [00:14:38]  Absolutely. And there were, you know, I think a couple companies got pulled into the spotlight on that. But there were - you know, we have an incident response team. And we got called into a lot more than was public. And we're talking about a significant number of companies who lost tends to hundreds of millions in dollars based off this attack - and again, not the public ones, which raises a lot of questions as well. But that was off of just the fact that we had more IT systems in industrial control, we had more operations technology than before. And one of the common themes when we were talking to executives or presenting to their boards or similar - was that a lot of the folks thought these were segmented-off plants or thought that this risk didn't exist. 

Robert M. Lee: [00:15:17]  This is one of the things you always hear me talking about where, like, the enterprise security strategy can't be copy and pasted into the industrial environment. Like, we need to think about industrial security strategy. Ransomware worms and similar are really effective in an unfortunate way to figure out asset identification, right? They help you - like, oh, we had a plant over there, and it was connected. 

Dave Bittner: [00:15:38]  And turns out... 

Robert M. Lee: [00:15:39]  And - yeah, yeah. Exactly. And so we are seeing a trend in the community where people are realizing after the fact how much more risk and exposure they had than they knew about. Then we kind of calm them down and go, hey, but our infrastructure is really reliable. Our engineers and operators have done an amazing job over the year and know the power grid isn't just going to go out overnight because there's not even just one power grid. 

Robert M. Lee: [00:16:03]  But at the same time, we kind of want to lean into it and go, yeah, but based on what we're seeing in the threats, this is going to get ugly. It's not freak out now. It's, hey, in, like, a - I don't know - five to 10 year kind of period, things are going to get really, really heated. And let's just get ahead of the problem and make sure that we can at least make it safer for people to be in this world, and at a very minimum, tie cybersecurity to safety on the industrial side. 

Dave Bittner: [00:16:30]  How much are nations around the world on board with this idea of keeping these things off the table? 

Robert M. Lee: [00:16:37]  They're all completely on board with the idea of everybody but them keeping it off the table (laughter). 

Dave Bittner: [00:16:43]  Yeah. Yeah. Yeah. 

Robert M. Lee: [00:16:45]  There's like no state - I mean, I don't know, maybe the Vatican comes up with it or something, but there's like no state that's like, hey, let's deny capabilities to everybody. Every state is let's deny capabilities to everybody but us. And that has always been the problem. And there's all sorts of, you know, political theories you can get into there. And the reality is, without dragging things into the light and holding people accountable, it's just not going to work. 

Dave Bittner: [00:17:10]  But, I mean, is that a peculiarity of cyber? Because I don't think you find that in - you know, around the world, people saying everyone should be able to bomb civilian hospitals except for us. 

Robert M. Lee: [00:17:21]  Well, I think there's an accountability and a tangible nature to things like bombing. You know, my background being in the U.S. intelligence community and I love the U.S. intelligence community - cut me deep enough, red, white and blue is probably there. But even there, like, really stupid, sickening choices would get made or get suggested, at least. You know, I was - remember hearing the U.S. say we will never attack civilian infrastructure. Then you go, cool. What do you consider civilian infrastructure? Like, well, actually. And you realize that, like, the power provider outside of the hospital that's also providing base power, well, that's not a civilian target. It's providing power to the base. Like, what? That is absolutely a civilian target. 

Robert M. Lee: [00:18:01]  So I think if I like to hold the U.S. government in high esteem, obviously I'm extremely biased being from the U.S., but if I'd like to hold the U.S. government in high esteem, and even with them, I am seriously bothered by some of the questioning that takes place, I would rather just say that probably everybody has got a similar issue around the world and not to stereotype all countries around the world. I would just like to say that we should probably have a non-government kind of arbiter or at least some international public discussion. 

Robert M. Lee: [00:18:34]  Again, if you bomb somewhere, there's generally going to be an amount of evidence and understanding that people can wrap their head around. If you do a cyberattack, even when we know - yeah, Russia broke into the DNC - it was like, well, did they? Maybe the server's in Ukraine. It's like, oh, my God. All right. And we need - and I'm not advocating, like, the answer's attribution. Actually, the answer isn't necessarily attribution. The answer in many ways is having some level of laws, but not only laws, but norms, and then beyond the norms, some level of precedent of actually enforcing those norms. 

Robert M. Lee: [00:19:08]  I mean, you and I talked years ago when I said, hey, this 2015 Ukraine attack thing, not one government official has come out at a senior government level anywhere in the world and actually publicly condemned this attack. Regardless of who did it, we're setting precedent that this is OK. And then we've just seen kind of this evolution over the years since then. And until we start having some precedent to even acknowledge these things are bad publicly, we're in for an interesting ride. 

Dave Bittner: [00:19:37]  All right. Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:19:44]  And that's the CyberWire. For links to all of today's stories, check out our daily news briefing at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, of Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:02]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.