The CyberWire Daily Podcast 4.29.20
Ep 1077 | 4.29.20

Content farmers and disinformation tactics. PhantomLance: quiet, selective, and apparently effective. Lawful intercept and contact-tracing apps. A look at the black market.


Dave Bittner: [00:00:05] Researchers see a coming shift in tactics used by Chinese content farmers. Amplifying disinformation through influencers and other agents of influence. PhantomLace (ph) is a quiet and selective Vietnamese cyber-espionage campaign. Lawful intercept and contact-tracing apps. Joe Carrigan from Johns Hopkins on cheating in online games. Our guest is Tonya Ugoretz from the FBI on their engagement with both the public and private sector during COVID-19. And the black market for malware is surprisingly open, cheap and attentive to its customers. 

Dave Bittner: [00:00:44]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:11]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 29, 2020. 

Dave Bittner: [00:02:20]  A cyber-espionage campaign Kaspersky calls PhantomLance has been able to infiltrate Google Play, and it appears to be the work of Vietnam's OceanLotus group. PhantomLance, whose masters appear interested in collecting both domestic and foreign influence, is relatively quiet. It tailors itself to its targets - the better to avoid overloading them with noisy and unneeded functionality. It's also relatively selective in its choice of targets. Since 2016, roughly 300 attempts have been observed, with most of the targets in India, Vietnam, Bangladesh and Indonesia. Algeria, Iran, South Africa, Nepal, Myanmar and Malaysia also figured on the list. 

Dave Bittner: [00:03:03]  Recorded Future's Insikt Group reports that while Chinese influence operations have tended to present a benign, well-intentioned face to the larger world, Beijing's elbows are a great deal sharper when it comes to dealing with Hong Kong and Taiwan. Taiwan's relatively successful attempts to prevent mainland disinformation from having any significant effect on the country's elections can be expected to lead China's content farmers to look for more effective tactics. These are likely to include an increased emphasis on cultivating local influencers who could lend amplification and credibility to Beijing's line. 

Dave Bittner: [00:03:40]  That sort of amplification may be seen as well in Chinese disinformation efforts related to the COVID-19 pandemic. We've mentioned that CNN reported earlier this week that a U.S. Army reservist who participated in last October's World Military Games in Wuhan has been falsely identified as the source of infection. The story began as Chinese government disinformation but was subsequently picked up and distributed by a gaggle of YouTubers fascinated by bogus conspiracy theories. 

Dave Bittner: [00:04:10]  The U.S. Army is providing the reservist with support against the attention. Colonel Sunset R. Belinsky told the Army Times, quote, "the Army is providing support to help Sergeant First Class Benassi with the public attention. As a matter of policy, the Army would neither confirm nor deny any safety or security measures taken on behalf of an individual. However, as we would with any soldier, the Army will work with the appropriate authorities to ensure that she and her family are properly protected," end quote. 

Dave Bittner: [00:04:40]  Vendors of lawful intercept tools - spyware in popular jargon and when misused - are offering their products to governments as a quick approach to scaling COVID-19 contact tracing. Israel-based Cellebrite has, according to Reuters, offered its products to police in India as an aid to tracking people who may have been exposed to infection. Cellebrite is best known for a tool that law enforcement agencies have used to gain access to iPhones in the course of criminal investigations. Cellebrite points out that it's long offered its product to law enforcement and that it recommends that participation in such contact tracing should be voluntary. The Israeli government is said to be working with NSO Group, whose Pegasus intercept tool has gained notoriety, to develop similar capabilities. Cyprus-based Intellexa and New York-based Verint have also offered their products to governments interested in contact tracing. 

Dave Bittner: [00:05:34]  Observers suggest that surveillance tools of this kind are too imprecise for contact tracing purposes. For that to be done effectively, it would need to be able to determine proximity within 10 meters or less and ideally within 2 meters. Bluetooth-based apps may be able to do that, but the geolocation provided by surveillance tools are generally thought by critics to be too coarse for such purposes. 

Dave Bittner: [00:05:59]  The FBI has been playing an active role in the global response to COVID-19-inspired cybercrime through outreach and coordination with both the public and private sectors. Tonya Ugoretz is deputy assistant director in the FBI's Cyber Division. 

Tonya Ugoretz: [00:06:15]  I think if you look historically at the perception of the FBI, there's the sense that we're slowly, methodically collecting evidence to hold in a vault until one day when we can put handcuffs on someone. That's certainly always a goal - to bring someone to that kind of judicial outcome - but it's not the only goal. Really, our primary objective is to impose risk and consequences on our cyber-adversaries, and we do that in a number of ways. And what we're doing during the COVID pandemic is one example. 

Dave Bittner: [00:06:47]  A lot of what you all are up to these days involves partnering with organizations in both the private sector and government as well. Can you give us some insights as to your activities there? 

Tonya Ugoretz: [00:06:59]  Sure. So if you look at the array of departments and agencies, as well as organizations in the private sector that work against cyberthreats, the FBI is really in a unique position kind of in the center of that ecosystem. That's in part because of our unique authorities, focusing on not only criminal threats with cybercrime but also national security threats that typically emanate from overseas as well. With the private sector, the FBI is really unique in that we are a dispersed organization. We have a headquarters element, of course, but our strength is really in our field offices, which are 56 scattered throughout the country, as well as hundreds of satellite offices. And the personnel in those offices are part of communities. So don't think about the typical image of the FBI agent showing up in a raid jacket. Think about the person standing next to you on the sidelines of a soccer game, who you have relationships with, ideally, before something bad happens. And that's really the focus of our engagement - building those relationships before you need to call us in a crisis. 

Dave Bittner: [00:08:10]  Yeah. It really strikes me, this effort on behalf of the FBI at outreach, it really engaging - really, I guess, a recognition embracing that to fight these things, we all need to work together. 

Tonya Ugoretz: [00:08:26]  It's absolutely critical to what we do, and it's not just in the cyber program. I mean, the FBI is really built on those relationships in communities. So the targets that we're most concerned about protecting as the U.S. government aren't under the control of the U.S. government. And, two, with the growth and emergence of an increasingly sophisticated commercial cybersecurity industry, the U.S. government doesn't have the monopoly on information that can help us illuminate cyberthreats. So it's critically important that we work with internet service providers, commercial cybersecurity companies, as well as the owners and operators of critical infrastructure. We each have pieces of this puzzle, and we really need to work together to most effectively thwart these attacks. 

Dave Bittner: [00:09:16]  That's Tonya Ugoretz. She's deputy assistant director in the FBI's Cyber Division. 

Dave Bittner: [00:09:22]  Some of the contact-tracing apps seem to work as intended, but voluntary participation remains well below what epidemiologists believe necessary. Many of the Bluetooth-based contact-tracing apps, like those under development by Apple and Google, are both voluntarily installed and decentralized. Treating mobile devices as proxies for persons is, of course, imperfect. Not everyone has a device, and not everyone who does carries it around with them. But the simplifying assumption that the presence of a phone more or less equals the presence of a person should still have considerable utility. 

Dave Bittner: [00:09:56]  A study conducted at Oxford University estimated that to stop an epidemic, a population would have to participate at rates of about 60%, although even lower levels of participation could be expected to have a positive effect. The Oxford researchers offer survey data they regard as encouraging. They've collected feedback from over 6,000 potential app users in five countries, which suggests that 84.3% of users would definitely or probably install a contact-tracing app for coronavirus in the U.K. after lockdown and between 67.5% and 85.5% in France, Germany, Italy and the USA. That seems, for now, to be overoptimistic. Even the success stories fall below half the population. And in most cases, they're lower than the 40% participation rate The Conversation says authorities in Australia, to take one example, would be happy with. The Washington Post reports that most Americans are either unwilling or unable to use even the relatively nonintrusive, voluntary and decentralized contact-tracing apps. A Washington Post-University of Maryland poll finds widespread reluctance among Americans to install such an app and concludes that skepticism about Big Tech's reliability as a steward of personal data forms the principal basis of that reluctance. 

Dave Bittner: [00:11:17]  Finally, CyberNews has taken a look at the malware for sale in dark web markets and concludes that it's surprisingly affordable and accessible. They looked at 10 such markets and evaluated them for malware availability, cost of the tools being sold and availability of customer support. They found fairly capable tools selling for as little as 50 bucks, complete with updates and troubleshooting. Still, buyer beware. And, kids, stay in school. 

Dave Bittner: [00:11:51]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit to learn more. That's And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:13:33]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:13:42]  Hi, Dave. 

Dave Bittner: [00:13:43]  I want to talk today about online gaming. And I know this is something that you spend some time doing. 

Joe Carrigan: [00:13:48]  I do, yes. 

Dave Bittner: [00:13:50]  And, of course, nobody likes a cheater. 

Joe Carrigan: [00:13:52]  No, I despise them. 

Dave Bittner: [00:13:55]  (Laughter). 

Joe Carrigan: [00:13:55]  I also despise people who are so good they might be cheating or I think they're cheating. 

Dave Bittner: [00:13:58]  I see. The way that it's - where you cannot tell the difference. 

Joe Carrigan: [00:14:01]  Right, yes. 

Dave Bittner: [00:14:02]  Their skills are such - yes, yes. 

Joe Carrigan: [00:14:04]  The problem is my skills are so low that a really skilled player might look to me like a cheater. I don't know. 

Dave Bittner: [00:14:09]  (Laughter) Well, this is a real problem for the folks who run these online games because... 

Joe Carrigan: [00:14:13]  It is. 

Dave Bittner: [00:14:13]  ...Cheaters, they take advantage of the systems, and it's not fair to the other people who are playing the games. And some of these games have things that can be traded for having real value. 

Joe Carrigan: [00:14:23]  Right. 

Dave Bittner: [00:14:23]  So we actually have a couple of stories today that have to do with cheating. Why don't you walk us through these? 

Joe Carrigan: [00:14:30]  So the first one actually comes from Ars Technica, and it's from a company called Riot Games. And they have a game coming out called Valorant, V-A-L-O-R-A-N-T. And they are putting in a kernel-level driver that is designed to be an anti-cheating system. Now, traditionally, these games operate on the user level of the computer, which is higher up from the kernel level. You can think of the user level as the highest level - right? - where the least amount of damage can happen, and the kernel level as the lowest level, where the most amount of damage can happen, right? 

Dave Bittner: [00:15:02]  OK. 

Joe Carrigan: [00:15:03]  And that's really the concern here is that they are writing something that hooks into the kernel. And if something is wrong with this piece of software, then a bug in this software that causes a failure could very well crash the machine, give you a blue screen of death, as opposed to just crashing an application at the user level - right? - which is - we see bugs in software all the time, particularly on Windows, which has a much broader ecosystem of app developers. Microsoft doesn't enforce, like Apple does, requirements and approval, so anybody can write an app for - or a program for Windows. And if that Windows app is buggy, then it will crash. But fortunately, it doesn't touch the kernel, so it's fine. The operating system keeps right on chugging, and the user experience is a minor inconvenience that is caused solely by the application, and that inconvenience impacts only that application. 

Dave Bittner: [00:15:59]  Right, right. 

Joe Carrigan: [00:15:59]  Now you're talking about putting something into the kernel, which would not be so innocuous. If something here fails, then the entire kernel could very well fail, which means you'll get that blue screen of death. Additionally, if there is discovered in this device or in this kernel driver a buffer overflow exploit, it could let an attacker install their own malicious code at a very low level of the operating system, essentially with, you know, administrator privileges. 

Dave Bittner: [00:16:26]  So the security concern here is that a user installing this opens up that surface area at the very lowest levels of their system... 

Joe Carrigan: [00:16:34]  That's right. 

Dave Bittner: [00:16:34]  ...For potential security issues. 

Joe Carrigan: [00:16:36]  That's right. Now, on the other side of the argument, there is a valid reason for doing this, right? Cheaters ruin the game experience for other players, and they devalue the game for the company, right? Because if I get on there - on a game and there's just a bunch of cheaters on there, I'm not playing that game. 

Dave Bittner: [00:16:51]  Right. 

Joe Carrigan: [00:16:51]  That's no fun. And cheating is something that has been going on in these video games for years. And the video game companies try to handle these cheaters. And, of course, they give them something called the ban hammer, which is where they kick them out and they don't let them back in because once a cheater, always a cheater, they say. I don't know how effective that is because it's very easy just to create another account and get back on there, unless you're in something like Steam, where I have - most of my assets for gaming are on Steam. If I got banned, I couldn't - I would have to go out and buy the game again, right? 

Dave Bittner: [00:17:24]  Now, do the folks who are cheating - are they generally running at the root level? 

Joe Carrigan: [00:17:29]  A lot of times, they are. They're running in the kernel level. They're using cheat modes or cheat software that runs in the kernel space so that the game software that detects cheating at the user space can't really determine that it's cheating. That's why they're going into the lower level here. 

Dave Bittner: [00:17:43]  I see. 

Joe Carrigan: [00:17:44]  This is not something that's new or unique. Fortnite does this. ARK: Survival Evolved has a fully proactive kernel-based protection system, as they call it. But everybody remembers the old Sony DRM debacle from 2005, where Sony essentially installed a rootkit... 

Dave Bittner: [00:18:00]  Right. 

Joe Carrigan: [00:18:01]  ...On everybody's system. 

Dave Bittner: [00:18:01]  Right. Yeah, for digital rights management for... 

Joe Carrigan: [00:18:04]  Right, for digital rights management. 

Dave Bittner: [00:18:06]  Yeah. 

Joe Carrigan: [00:18:06]  I think this is significantly different. No. 1, they're telling you they're doing this. Sony didn't tell you they were doing this, right? No. 2, they're doing this because they're trying to protect the playing experience for the vast majority of the users, not because they're trying to protect their intellectual property. I don't think that's what's going on here. I think this is really - the mission here is really to protect the user experience. Riot is working with application security teams. They've had this thing evaluated by three different security evaluators. And they also have a bug bounty program. So, hopefully, if there is a bug that's found, they'll quickly know about it and then they can handle it. 

Dave Bittner: [00:18:43]  Well, let's move on to the second story here, which is a little more lighthearted. And... 

Joe Carrigan: [00:18:46]  Right. 

Dave Bittner: [00:18:46]  ...I have to say, I got a kick out of another way that some of these game providers are dealing with cheaters. 

Joe Carrigan: [00:18:53]  Right. Now, this is from Infinity Ward and Activision, who are the makers of Call of Duty: Modern Warfare and Warzone. And what they're doing is they also have a - what they proudly proclaim is a zero tolerance policy towards cheating. And they have banned 50,000 cheaters in a month, which is a lot of cheaters. One of the things they're doing now is they're finding people who they suspect of cheating, and they're putting them all in the same game with each other. They're taking these guys, and they're removing them from my game and putting them all into their own game, which will frustrate them to no end as well. 

Dave Bittner: [00:19:28]  (Laughter). 

Joe Carrigan: [00:19:28]  So it benefits me and it frustrates them, which is great, I think. 

Dave Bittner: [00:19:32]  Right. 

Joe Carrigan: [00:19:32]  It's a good solution. 

Dave Bittner: [00:19:33]  Right. It kind of quarantines them all together, give them their own - let them shoot at each other all day long.... 

Joe Carrigan: [00:19:39]  Right, exactly. 

Dave Bittner: [00:19:39]  ...With their cheats. Yeah, yeah. All right. Well, interesting cat-and-mouse game, for sure. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:47]  My pleasure. 

Dave Bittner: [00:19:54]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:12]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:20:23]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.