Dave Bittner: [00:00:05] Reports to the contrary, as far as anybody really knows, North Korea's Kim is still large and in charge. Poland reports a Russian disinformation effort. The EU issues a controversial report on COVID-19 disinformation amid accusations that Europe is knuckling under to Chinese pressure. A cyberattack on wastewater treatment systems in Israel is reported. Caleb Barlow covers responsibilities during an incident, from the SOC operator to the CEO. Our guest is Dave Weinstein from Claroty. He discusses threats and existing security violations facing U.S. critical infrastructure. And the old Hupigon RAT is back and looking for love.
Dave Bittner: [00:00:51] It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email and every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:15] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 27, 2020.
Dave Bittner: [00:02:24] We begin by addressing a story that's still developing and that remains inconclusive but which if borne out could have significant implications for conflict in cyberspace. Reports have been circulating since last week that North Korean leader Kim Jong Un is either dead or incapacitated, possibly as the result, some outlets say, of heart surgery gone wrong. The New York Times offers a representative sample of such stories, but Reuters reports that South Korean authorities remain skeptical that Mr. Kim is anything but in charge. Reporting on the secretive North Korean regime is notoriously difficult, and most experienced observers think that the health of the Kim family is the most closely guarded of all secrets. Kim Jong Un hasn't been seen in public recently, but that's happened before. And the cautious South Korean official assessment is probably the safe bet - at least for now.
Dave Bittner: [00:03:19] According to The New York Times, Polish security services say that the country has been subjected to a complex disinformation operation whose structure and apparent goals are consistent with earlier Russian influence operations. The centerpiece of the campaign is a fake letter posted to the website of the War Studies Institute, a defense academy for senior Polish military leaders. Purporting to be from the institute's director, the letter calls for Polish soldiers to fight American occupation. The website itself was hacked, compromised in order to post the letter, which, of course, is a complete fabrication.
Dave Bittner: [00:03:55] The attribution to Russia is circumstantial but convincing, nonetheless. The disinformation is entirely consistent with earlier Russian influence campaigns in both content and the ways in which its messaging has been amplified in small journalistic outlets and social media. U.S. forces have moved progressively eastward with NATO expansion in that direction. Their presence doesn't begin to approach the size of the U.S. Army Europe during the height of the Cold War, but U.S. forces remain, from Moscow's point of view, as unwelcome as ever. The content of Russian messaging in such influence operations has generally been consistent. U.S. troops behave badly, and they're not needed, and their presence is a standing affront to national sovereignty.
Dave Bittner: [00:04:41] Russian disinformation also prominently featured in a report the EU issued at the end of last week concerning disinformation campaigns that seek to take advantage of the COVID-19 pandemic. It's familiar stuff. Moscow is interested in using the emergency to increase mistrust among and within its adversaries.
Dave Bittner: [00:04:59] More interesting, however, and controversial is the report's treatment of Chinese disinformation surrounding the pandemic. The European External Action Service's internal memorandum on disinformation efforts reached substantially the same conclusions as the U.S. State Department. Russia, China and Iran have engaged in highly harmful disinformation that's gone viral, especially in smaller media markets.
Dave Bittner: [00:05:24] The assessment we mention is the EEAS internal report. According to The New York Times, EU officials, under pressure from Beijing and desiring to achieve more amicable relations, delayed publication of the report from Tuesday until Friday and softened the harsher conclusions about China before rendering their public statement. In the Times' judgment, the original report was not particularly strident, a routine roundup of publicly available information and news reports. The Times reports that Chinese government protests to EU officials were responsible for the delay in publication.
Dave Bittner: [00:06:00] For its part, EEAS has denied modifying its report under Chinese pressure. An EEAS spokesperson told EURACTIV TV yesterday, quote, "we have never bowed to any alleged external political pressure," end quote. Differences between the two drafts are of the purely editorial sort that commonly arise when an internal document is revised for public distribution. The spokesperson said, quote, "as is the case for all publications, there are internal procedures in place to ensure the appropriate structure, quality and length, and particular attention is paid to ensure that the phraseology is unassailable," end quote. Indeed, the public report does retain most of the internal memorandum's charges against Beijing.
Dave Bittner: [00:06:42] In the meantime, the BBC reports that China has also rejected an Australian-led call for an investigation into the origins of COVID-19, dismissing it as a politically motivated effort that would serve nobody any good. As the BBC paraphrased Chen Wen, a senior diplomat in China's mission to the U.K., quote, "there were lots of rumors about the origins of the virus, but such misinformation was dangerous, she claimed, and said it was like a political virus and as dangerous as coronavirus itself, if not even more so," end quote. A British official speaking with the BBC on condition of anonymity said there was nervousness about confronting China since relations with Beijing are presently delicate.
Dave Bittner: [00:07:25] Chinese Foreign Ministry spokesperson Geng Shuang said at a regular press briefing this morning, quote, "China always opposes the fabrication and spread of disinformation by any person or institution," end quote. According to Beijing-headquartered CGTN, the Foreign Ministry's position is that there's no reason to think the virus originated in China and that, insofar as disinformation is concerned, China is more sinned against than sinning. In fact, in Beijing's view, it's not sinning at all. They're the real victims here.
Dave Bittner: [00:07:58] For a summary of Chinese active disinformation about the coronavirus, see the EU's External Action Service's original internal report, widely available online and linked to on the CyberWire's coverage of the cybersecurity dimension of the COVID-19 pandemic. Pages 7 and 8 make a particularly snappy read.
Dave Bittner: [00:08:18] Dave Weinstein is chief security officer at Claroty. He's a nonresident fellow at New America and the National Security Institute and former CTO of the state of New Jersey. He offers his insights on threats and existing security violations facing U.S. critical infrastructure.
Dave Weinstein: [00:08:36] Security, with respect to critical infrastructure, is still actually a fairly nascent field when you look at it on a macro level. That is to say that most critical infrastructure owners and operators are relatively immature with respect to protecting their operational technology networks. That's largely a factor of the burgeoning connectivity between their information technology networks and their OT networks. So four or five years ago, there was much less of a compelling reason to, for example, monitor your ICS network because it enjoyed a relatively high amount of security due to its isolation from the rest of the public-facing infrastructure. That has all changed in recent years, and organizations are compelled to take more proactive measures to lock down their systems. So it's still nascent, but the curve is increasing rather quickly as critical infrastructure asset owners and operators look to bring down the risk as fast as they can.
Dave Bittner: [00:09:50] How are the organizations that provide these critical infrastructure components - how are they doing when it comes to applying standards and taking the steps to make sure that the systems are secure?
Dave Weinstein: [00:10:05] Actually, they're doing really well, and they're a very significant and often underappreciated piece of this puzzle, so I'm glad you asked the question. As you know, there's, you know, a relatively small group of manufacturers that mass produce industrial control systems. And these industrial control systems are found in our factories. They're found in our power plants. They're found in our substations. And as I alluded to at the outset, there was never a real compelling reason to design these systems with security in mind. There was no encryption in place. There was no authentication. But that has changed, of course, over the last several years, and they are really taking the lead to build security into their products from the outset.
Dave Bittner: [00:11:00] That's Dave Weinstein from Claroty.
Dave Bittner: [00:11:04] Israel's wastewater treatment infrastructure appears to have been subjected to a coordinated series of cyberattacks over the weekend. The Algemeiner quotes official sources as saying the attacks were unsuccessful and that service has been uninterrupted.
Dave Bittner: [00:11:19] And, finally, Proofpoint reports that the venerable Hupigon Remote Access Trojan - venerable by internet standards since it's been around since 2006 - has been repurposed to lure American university students with adult-themed dating phishbait designed to attract the lovelorn and insufficiently skeptical. While Hupigon has been used by state-sponsored organizations, Proofpoint thinks that in this present round, it's being distributed by criminal gangs with commonplace criminal goals.
Dave Bittner: [00:11:48] But should you receive an offer to get to know Ashley, a student who's looking for adventure, or to make the acquaintance of Laura, an artist who loves funny men, please do think twice. You will receive a nice helping of Hupigon, whose features include, Proofpoint says, rootkit functionality, webcam monitoring and the ability to log keystrokes and steal passwords. It may be old, almost as old as Ashley and Laura claim to be, but as commodity malware, it still poses a threat, even if it is looking for adventures with funny men.
Dave Bittner: [00:12:27] And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help protect against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:14:10] And joining me once again is Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. We wanted to talk today about some of the responsibilities that different folks have during an incident at all ranges of the organization. What do you have to share with us today?
Caleb Barlow: [00:14:27] OK, so these are what I like to call the primary three duties that you have to think about when you're responding to a cybersecurity incident or you're building a run book. And let me first say, Dave, this is not a legal construct. So all your folks over at the "Caveat" podcast actually could probably have some fun with this, but these are not legal constructs. They're more of ethical obligations of leadership during a crisis. And part of the reason why I wanted to talk about this is we're all thinking about crisis response as we kind of deal with coronavirus, and a lot of people are busy kind of updating their run books. So, you know, these are three things you can really look at in your run book or your plan and say, have I covered this?
Caleb Barlow: [00:15:09] So the first of them is what I call the duty to respond. And this is all about answering a couple of simple questions. Who detects and responds to an incident? And here's the tough one, Dave. How do you determine if an incident is of magnitude? Now, that sounds really simple, but let me tell you, it's really hard. Who decides? You know, who decides if a thing is a thing and kind of pushes that big red button to, you know, rally the troops and the team? Because, remember, you don't necessarily have a lot of information when it first happens. And then lastly in this kind of duty to respond, how do you communicate that an incident has occurred, realizing that the incident may affect your communications? Do you have emergency notification systems or ways out of band to get ahold of people?
Dave Bittner: [00:16:03] What about the chain of command when it comes to these things of handling that internal communication? Is - I mean, is this a time when it's OK to skip around, jump levels, or do we have to - is it important to maintain that line of communication?
Caleb Barlow: [00:16:22] Well, you know, it's critical to maintain the line of communication, but who's in charge gets really intriguing because I would argue when the incident - the first sign of the incident, the person in charge is that person in the SOC that's eyes on glass. But over the course of the incident, as the incident elevates, likely, the person in charge starts to change. And this brings us to the second duty, what I call the duty to convene. So at this point, you've decided you have an incident of magnitude and it's time to convene your team. You've effectively pressed that big red button. Who's part of that group, and who makes the decisions? Not trivial to figure out.
Dave Bittner: [00:17:00] I imagine, too, this is a big practice-like-you-play sort of thing, where, you know, from your experience running these simulations, that's a very different thing than just having it laid out in a binder, you know, step by step on paper.
Caleb Barlow: [00:17:15] Oh, absolutely. And in this day, it brings us to the next duty, which is the duty to act. You know, because at the end of the day, having a plan is great. If you're not willing to kind of pull the proverbial trigger, the plan isn't any good. And you've got to make decisions quickly with limited data. So who's going to make those decisions? How do you handle lines of succession? How do you make decisions quickly with limited data and evaluate that risk?
Caleb Barlow: [00:17:42] And then here's the big one most people aren't willing to do. How do you ask for help? How do you reach out to law enforcement or cyber counsel or, you know, competitors, even? Some of the biggest incidents I've worked have completely changed because I was willing to reach out to my direct competitor and say, hey, are you seeing the same thing I'm seeing, because if you aren't, then I've got something wrong on my end, and if you are, then we both need to act right now.
Dave Bittner: [00:18:11] Yeah. And I imagine learning to put ego aside is critical but so hard to do.
Caleb Barlow: [00:18:20] Well, I'll give you a perfect example of this. So if you remember back to NotPetya, everybody was saying, oh, it must be phishing, right? No one was thinking it could actually be SMB. And, you know, I remember my team was working on this. And, like, Caleb, we cannot find the phishing email. I'm like, keep looking. They looked all night through literally 1 billion phishing emails and couldn't find it anywhere. I'm like, man, I can't go public with this. If this is phishing, I'm going to look like an idiot. So I ended up calling up Dave Maynor, who was at Cisco at the time, my direct competitor. And I'm like, Dave, I've got to fess up to something. I can't find it. And he's like, thank God you called, Caleb. I can't find it either. And it was that moment where, because we were both willing to talk to each other as competitors, we realized, wait a second, this isn't phishing. This is something else. And it completely changed how everybody was looking at the response. And, you know, lo and behold, we found open SMB ports, right? And no one ever thought that was possible. But you've got to be willing to reach out to others and ask for help even when it's uncomfortable.
Dave Bittner: [00:19:24] Yeah. All right. Well, Caleb Barlow, thanks for joining us.
Dave Bittner: [00:19:31] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:50] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.