The CyberWire Daily Podcast 5.19.16
Ep 103 | 5.19.16

Cyber-chumming the Donbas. Cisco surprises (in a good way).


Dave Bittner: [00:00:03:12] The rest of the passwords stolen from LinkedIn back in 2012 hit the black market. Operation Groundbait, a cyber surveillance campaign, is discovered in eastern Ukraine. Hacktivists dox Turkish medical records. Other hacktivists might be going after US Presidential campaigns. Phineas Phisher is back. The SEC warns the financial sector about cyber risks. Cisco's results give investors a pleasant surprise and we hear about investigations of online child exploitation.

Dave Bittner: [00:00:33:19] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at

Dave Bittner: [00:00:57:24] I'm Dave Bittner in Baltimore with your CyberWire daily podcast for Thursday, May 19th, 2016.

Dave Bittner: [00:01:04:07] The LinkedIn breach that surfaced yesterday turns out to be fallout from the breach the business-focused social network suffered in 2012. At the time some 6.5 million hashed, but unsalted, passwords were thought to have been compromised, but it turns out that the problem was bigger than that, by some two orders of magnitude. Earlier this week 117 million LinkedIn credentials turned up for sale in the online criminal market, “The Real Deal.” They’re selling for peanuts, relatively speaking: for roughly $2,200 US in Bitcoin, the trove of passwords can be yours. They are, many note, older passwords, but they do seem legitimate. LinkedIn, at any rate, is taking the incident seriously, requiring affected users to reset their passwords. If you haven’t reset yours recently, now might be a good time to do so, whether LinkedIn tells you or not. The original 2012 hack was, generally speaking, attributed to Russian criminals.

Dave Bittner: [00:02:00:07] The hybrid war the Russian government is waging in the Near Abroad continues. ESET reports finding a cyber surveillance campaign that’s tracking separatists, journalists, self-proclaimed governments, and so on in the Donbass region of eastern Ukraine. There’s no attribution, and the operation could well be run by either side. ESET detected the campaign as the Win32/Prikormka information-stealing Trojan. They’re calling it “Operation Groundbait” because the phishing emails that distributed the malware posed as price lists for groundbait.

Dave Bittner: [00:02:32:15] Hacktivists identifying themselves with Anonymous have doxed Turkish hospitals and released sensitive patient records. They say they did so in retaliation for ransomware attacks on some US hospitals. Many other people who identify themselves with Anonymous, however, denounced the doxing, and say that those behind it really have nothing to do with Anonymous. It is notoriously difficult to say who’s acting on behalf of an anarchist collective. Imperva’s Ofer Gayer, who specializes in DDoS security research, told us that “Hacktivist groups mount attacks on both private companies and government agencies for all manner of social and political causes.” He stressed the importance of having a plan for recovery, communication, and continuity of operations should your organization come under hacktivist ministrations.

Dave Bittner: [00:03:21:21] Elsewhere, “Phineas Phisher,” the hacktivist to whom the Gamma Group and Hacking Team capers are generally attributed, has stolen €10,000 in Bitcoin and donated them to Kurdish “anti-capitalists” in Rojava, a region in the north of Syria. Mr. Phisher hints he’s got more thefts planned, because, evidently, as he grows more Robin-Hoodish, he recognizes that anti-capitalists need capital, too.

Dave Bittner: [00:03:46:21] And speaking of capitalists, the US Securities and Exchange Commission had some harsh words for the financial sector this week. The SEC’s chair, Mary Jo White, told a Reuters financial summit that trading and financial clearing houses had a “reckless” cyber security posture. She said, "What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks. As we go out there now, we are pointing that out."

Dave Bittner: [00:04:17:04] The SEC assesses cyber threats as a major risk to the financial sector. Other speakers at the summit offered reactions to the problems that recently surfaced in banks’ connections with the SWIFT fund transfer system. The recent, unsuccessful attempt to steal from Vietnam’s Tien Phong Bank, detected and stopped back in December 2015, sought to transfer €1.2 million to an account in Slovenia.

Dave Bittner: [00:04:41:12] The US Presidential campaigns are in full swing, and it's safe to assume that various actors are working to hack the candidates. US Director of National Intelligence Clapper says the Intelligence Community has actual evidence that this is going on, having seen indicators that attackers are prospecting the online activities of US Presidential candidates. He says they’re working to educate the campaigns, and that there’s some likelihood that the hackers represent foreign intelligence services, but beyond that he’s unsurprisingly tight-lipped. It’s also likely that at least some activity directed against political campaigns comes from hacktivists. David Meltzer, Tripwire’s chief research officer, shared some thoughts with us on the campaign season. He observed that it wouldn’t be surprising to see an increase in hacktivism, especially given what he called “the highly polarizing election going on in the US.” He pointed out that there’s a large and vulnerable ecosystem out there, and it includes government sites. “While most major sites already have reasonable protections against basic DDoS attacks, the second tier of lesser-known sites, of which there are many thousand across the government, may lack that protection and easily fall victim to these simple cyberattacks.”

Dave Bittner: [00:05:54:23] In industry news, Cisco surprised the markets yesterday with some good news, confounding the pessimistic predictions that had appeared in Barron’s and elsewhere. The company reported better than expected results and optimistic guidance, both driven in significant part by its security business. Some other investment analysts are looking at depressed stock prices for other companies, notably FireEye, as buying opportunities.

Dave Bittner: [00:06:19:01] Finally, if you’re like us, you wondered what “groundbait” was, and why so many people in eastern Ukraine would be interested in buying it. It turns out, chums, as one of our stringers has educated us, that “groundbait” is what American fishermen would call “chum,” that is, bait dumped into the water to draw fish. Apparently there’s a solid groundbait market in many parts of the world, so those menhaden you catch off the Outer Banks may have some value after all.

Dave Bittner: [00:06:50:06] Today's podcast is made possible by: find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at

Dave Bittner: [00:07:17:16] Joining me once again is Ben Yelin. He's a senior law and policy analyst for the University of Maryland Center for Health and Homeland Security, one of our academic and research partners. Ben, there was an article in Ars Technica recently about a man suspected of harboring child pornography on his computer. He's been charged with no crime, but he's sitting in jail cooling off because he refuses to unlock his device.

Ben Yelin: [00:07:42:03] The government has tried to fight the All Writs Act, and you might remember that Act from the battle between Apple and the FBI over getting information from the device of the San Bernardino shooter. That Act, which dates back to 1789, allows the government to compel a suspect to decrypt his hard drive in order to expatiate some other judicial decision. This particular defendant has refused to do so and he's being held in contempt of court, and the decision of the District Court to hold him in contempt has been appealed. But I think the big issue here is whether the government can actually force someone to decrypt their phone. The Supreme Court has sort of addressed this issue, but it was in the context of a physical safe. They said that the Fifth Amendment right against self-incrimination prevents the government from forcing somebody to give a number as a combination to unlock a safe. What the Supreme Court will have to work with is whether the privacy interests of a device are as significant as those of a physical safe, and I think we have a lot of evidence that there are greater privacy interests at stake on an electronic device. I would note that, just as Justice Sotomayor in her concurrence in United States v. Jones discussed at length how much private information or revealing information can be stored on electronic devices, so I would not be surprised to see this issue get back up to the Supreme Court.

Dave Bittner: [00:09:11:17] Alright, we'll keep an eye on it. Ben Yelin, thanks for joining us.

Dave Bittner: [00:09:16:12] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. If you'd like to place your product, service or solution in front of people who want it, you'll find few better places to do that, than the CyberWire. Visit to find out how to sponsor our podcast or daily news brief. The CyberWire is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.