The CyberWire Daily Podcast 5.8.20
Ep 1084 | 5.8.20

PLA cyber espionage, and training WeChat censorship algorithms against the Chinese diaspora. Snake is back, and so is Charming Kitten. Election security. Recruiting money mules.


Dave Bittner: [00:00:04] Naikon has returned from four years in the shadows to snoop around the shores of the South China Sea. Tencent trains censorship algorithms on WeChat. Snake ransomware is back, making its way through the health care sector. Charming Kitten's paw prints are showing up in World Health Organization networks. Voting security during or even after a pandemic. Malek Ben Salem from Accenture Labs on their Technology Vision report. My guest is Thomas Rid from Johns Hopkins University with his latest book, "Active Measures." And unemployed workers are offered gigs as money mules. 

Dave Bittner: [00:00:45]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to 

Dave Bittner: [00:02:00]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 8, 2020. 

Dave Bittner: [00:02:09]  Naikon, a threat group that's now generally associated with the Chinese government, has resurfaced to affect targets in the Asia-Pacific region. Kaspersky says the group appears to be Chinese speaking, but that's on the cautious side. Just about everybody else says straight-up, it's Beijing - or more accurately, Kunming. Naikon had been detected in 2015 by ThreatConnect and DGI, who attributed it to a People's Liberation Army unit in the Chengdu Military Region, specifically to a Second Technical Reconnaissance Bureau outfit with the Military Unit Cover Designator 78020. Unit 78020 is headquartered in Kunming and has responsibility for developing intelligence about Southeast Asia, with a special emphasis on nations who claim territorial waters in the South China Sea. The threat actor had gone largely unseen since its initial discovery, but Check Point researchers now report observing it in a major campaign, distributing a novel and hitherto unknown payload, Aria-body, which combines remote code execution, data destruction and data exfiltration capabilities. 

Dave Bittner: [00:03:20]  The University of Toronto's Citizen Lab is warning of another ongoing Chinese campaign, this one involving Tencent's use of its popular WeChat app to monitor social media content exchanged within the Chinese diaspora. Content moderation, essentially suppression of politically sensitive topics, has long been practiced on WeChat. What's new is the extension of surveillance to users outside of China proper. Citizen Lab thinks the effort is designed to train censorship algorithms. 

Dave Bittner: [00:03:51]  Snake, a ransomware strain Malware Hunter warned against back in January, has been noted for the attention it pays to obfuscation as well as for its ability to reach into and encrypt files on all devices connected to a victim's network. Dragos, which called the malware Ekans, reported its activity against industrial control systems. Ekans is Snake spelled backward, to avoid confusion with other, unrelated malware also called Snake, or some variation thereof, that was associated with the Turla threat actor and whose researchers were probably the first to observe the strain. 

Dave Bittner: [00:04:28]  KrebsOnSecurity has over the last two days reported that Snake was implicated in an attack against Germany-based Fresenius Group, Europe's largest private hospital network. Fresenius declined to go into much detail about the incident, but a company spokesman told KrebsOnSecurity, quote, "I can confirm that Fresenius' IT security detected a computer virus on company computers. As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relative (ph) investigating authorities. And while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible," end quote. 

Dave Bittner: [00:05:16]  The campaign is unlikely to be an isolated attack on Fresenius. While Fresenius is a big enterprise, the current Snake outbreak seems to be a part of a larger effort against health care organizations working to provide emergency care during the COVID-19 pandemic. Data availability is, of course, immediately threatened by any ransomware attack, but Tripwire says that Snake has apparently joined other ransomware families in stealing sensitive data, then threatening to publish it on victim-shaming sites. 

Dave Bittner: [00:05:46]  The World Health Organization expects to continue its struggles against cyberattacks and influence operations, and there's more evidence, circumstantial but strong, that Iran's Charming Kitten threat group has been responsible for phishing attempts against the organization. Bloomberg reports that the attackers posed as representatives of a media organization, the BBC, or a think tank, the American Foreign Policy Council, in emails that sought to induce the recipients to open malicious attachments represented as either a coronavirus newsletter or a set of proposed interview questions. ClearSky Cyber Security reviewed the emails for Bloomberg and concluded that the domains featured in the emails and the use of the link-shortener Bitly were the tip-offs. 

Dave Bittner: [00:06:32]  The Charming Kitten operators seem to be interested, at least at first, in collecting email credentials from WHO employees. WHO told Bloomberg that it had closed some systems in order to prevent hackers from gaining access to them, recruited new employees for its computer security team and enlisted the help of several security companies. But the attacks are wearing, and a WHO spokesperson says that it will be difficult for the organization to remain on high alert for much longer. 

Dave Bittner: [00:07:02]  The Washington Post reports the pandemic has put a spoke in the wheels of training programs that would teach election workers how to secure voting. It's also raised the likelihood that more ballots, in the U.S. and elsewhere, will have to be cast remotely, in all probability mostly by mail, but in some cases online. Neither are easy to improvise at the eleventh hour. 

Dave Bittner: [00:07:24]  All electronic balloting presents problems that paper ballots don't. Paper ballots aren't problem-free either, and the history of corrupt elections goes back to the early 19th century at least, but they come with a different set of problems. A group of academic and industry experts concerned with electronic voting have sent the US Cybersecurity and Infrastructure Security Agency, CISA, a letter expressing their appreciation for CISA's work, but more importantly stating concerns about CISA's advisories about election security. The signatories see three basic problems. Voting online makes it more difficult to securely deliver ballots. Online balloting is vulnerable to cyberattacks that could submit fraudulent ballots. And, surprisingly, administering the back-end processing of electronically transmitted blank ballots is more labor-intensive than processing preprinted paper absentee ballots. 

Dave Bittner: [00:08:16]  And, finally, be careful of accepting part-time gigs. PhishLabs warns that workers in the US and Canada who've lost their jobs during the COVID-19 emergency are being prospected with phishing emails that appear to offer gigs that would help tide them over through the crisis. It's an unusually cruel scam, coming as it does when the unemployment rates, in the US at least, are hitting post-World War II highs. An email arrives, often impersonating the human resources department of a well-known corporation like Wells Fargo, with the offer of a part-time, personal services job that would enable the recipient to earn much-needed money while working from home. The recipient is asked to reply to the email for details. The job, it eventually becomes clear, is work as a money mule for a criminal enterprise. 

Dave Bittner: [00:09:05]  Those familiar with the ways in which intelligence services recruit, compromise and run agents will note that the criminals have learned from the spymasters. They begin by habituating the recruits to performing small, innocent tasks, then escalate to things that seem a bit sketchier, and finally have them running money for the gang. By that time, the victim often feels they're too far gone, too compromised to withdraw. 

Dave Bittner: [00:09:36]  And now a word from our sponsor, KnowBe4. Corporate privacy concerns are more paramount than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, involving hardware and software needs and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his new book, "The Art of Invisibility." Kevin Mitnick has a new webinar, and a few topics include privacy concerns around employees using personal devices for business purposes, security issues with various operating systems, mobile devices and the internet of things, the reality of deep privacy and how tied-together devices, systems and surveillance really are and why new-school security awareness training is more critical than ever before. Plus, Kevin shares some shocking new demonstrations that will change the way you think about privacy. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:10:52]  My guest today is Thomas Rid. He's professor of strategic studies at Johns Hopkins University's School of Advanced International Studies. In a review of his 2013 book "Cyber War Will Not Take Place," The Economist called Thomas Rid one of Britain's leading authorities on and skeptics about cyberwarfare. His most recent book is titled "Active Measures: The Secret History of Disinformation and Political Warfare." 

Thomas Rid: [00:11:20]  Yeah, so I was - in 2016, early 2016, I had been tracking Moonlight Maze, this old, late 1990s Russian espionage campaign, in detail down to the level of, you know, doing old sort of malware analysis of old artifacts that I was able to dig up. And when I was in the middle of this, the election interference started in June 2016. And we saw this marrying of hacking and leaking, as well as some deception and forgery built in. And I realized after, you know, watching this for a while enough to reading up on the background that I am not equipped to understand the real - the dynamics that are going on here because I don't have the historical background knowledge. So I decided to write a book about it. 

Dave Bittner: [00:12:19]  And so looking throughout history as you do in the book, who were the major players when it came to this? 

Thomas Rid: [00:12:29]  Yeah, so the big players that I'm covering in the book is - it starts off with the early Cheka, the predecessor organization to the KGB, headed by Felix Dzerzhinsky, the legendary founder of the Cheka. And - but I also have several chapters on CIA operations in the 1950s that really deploy some of the same tactics, not quite as aggressive. For example, there was no anti-Semitic disinformation or racial disinformation coming from CIA. But Stasi was amazing at this. So, you know, I'm German-born myself, and I interviewed a few former Stasi disinformation officers, too, for the book among other officers. And it was just an amazing experience, also, on a personal level for me to talk to Stasi officers who spent their entire career running disinformation operations. 

Dave Bittner: [00:13:30]  Yes, well, let's move into the digital age. In the '90s, as the internet comes online and we find ourselves more and more connected, how did these campaigns change and evolve to take advantage of these new connected capabilities? 

Thomas Rid: [00:13:48]  Obviously, the rise of the internet coincided with the fall of the Soviet Union. So for most of the 1990s, late 1990s, you had this strange moment in history where the internet utopianism - you know, mostly coming from California - dominated. So, initially, leak sites like, for example, Cryptome and indeed WikiLeaks in their early days were seen as a positive development only as a move towards transparency. There was a lot of naivete and optimism built into this. Same applies to the Anonymous movement, you know, the Guy Fawkes masks and all that. 

Thomas Rid: [00:14:29]  But, in fact, what happened is that a dream come true for intelligence officers, Eastern - you know, Cold War Eastern Bloc intelligence officers. This was the perfect situation. You could now surface leaked information or forged information in a way that didn't involve journalists. But you could just simply upload it to some anonymous website and go from there. And we see that emerging in late 2013 throughout 2014 and then coming with force in 2015, especially in Ukraine. 

Dave Bittner: [00:15:06]  How much do the cultures of individual nations inform the type of disinformation that they employ? 

Thomas Rid: [00:15:16]  Yeah, that is a very perceptive question, also. I think the - you know, what you see in the 1960s all ready but getting stronger as we move in the '70s and '80s is that communism as an ideology is - in a way weakens people, even inside the intelligence establishment, you know, make jokes about communism. Of course, some of them are still ardent communists, but it becomes - sort of this weird cynicism sets in. And people become the two layers to the conversation, what people say in private and what people say at the workplace or in public. 

Thomas Rid: [00:15:53]  And that cynicism, that double standard, ultimately, I think made them - the Eastern Bloc better at disinformation because they were trained at home to spot contradictions and to tolerate contradictions and to play with contradictions. And that's exactly what you need to do to run active measures. You need to spot the contradictions of your adversary and then play with them and exacerbate them. 

Dave Bittner: [00:16:20]  Where do you suppose we find ourselves today in the US with - in this era of fake news and so much polarization, politically, where does that place us in terms of our susceptibility to this sort of disinformation? 

Thomas Rid: [00:16:35]  Yeah, I think we have become more vulnerable and less vulnerable at the same time, more vulnerable because, you know, we're more polarized as a society today than at any time than any of us can remember probably, which certainly makes it easier to exploit that polarization. But at the same time, of course, there are more eyeballs on disinformation, on intrusion attempts, better forensics than ever before. So, you know, if I were a Russian planner at TRU or something, I would be a little nervous because it's really hard to deliver against the high expectations that your own leadership let alone the adversary may have based on our overstatement and somewhat panicked reaction to what happened in 2016. 

Dave Bittner: [00:17:24]  Our thanks to Thomas Rid for joining us. The book is titled "Active Measures: The Secret History of Disinformation and Political Warfare." Don't forget that if you want to hear an extended version of this interview, head over to our website and check out CyberWire Pro.

Dave Bittner: [00:17:38]  And now a word from our sponsor, BlackCloak. Securing your company's data, intellectual property and reputation is job number one, but you have a big gap. You can only secure your executives' computers and devices that are part of the corporate network. You can't control the cybersecurity or privacy of their homes, devices, personal accounts or other family members. Attackers know this and especially in these trying times are actively exploiting the soft underbelly of the company by targeting your executives' digital lives. BlackCloak's cybersecurity platform solves your coverage problem. Their trusted team actively protects all personal devices, accounts, homes and family members, so that a breach on the personal side doesn't take down your company. In fact, over 37% of BlackCloak customers have an intrusion discovered during their onboarding. Onboard your executive team in under a week. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit That's And we thank BlackCloak for sponsoring our show. 

Dave Bittner: [00:18:55]  And I'm pleased to be joined once again by Malek Ben Salem. She is the Americas Cybersecurity R&D lead for Accenture. Malek, it is always great to have you back. The Accenture team recently published a Tech Vision survey. And you pointed out some areas of that survey that are relevant to folks in security. What sort of things do you have to share with us? 

Malek Ben Salem: [00:19:17]  Yeah. Last month, we launched Accenture's Technology Vision. This is our annual thought leadership report that identifies emerging technology trends. This year's report is entitled "We, the Post-Digital People: Can your enterprise survive the tech-clash?" And it explores how, in a world where digital is everywhere, enterprises need to reimagine their fundamental technology approach to create new business value and, more importantly, to align to customers' and employees' values. They've identified, you know, five different trends. But the main theme was that what we refer to in today's environment as a techlash or a backlash against technology, that's not the real story. 

Malek Ben Salem: [00:20:10]  In fact, people still love technology. They use it more than ever. But rather, I'd say tech-clash, a clash between business and technology models that are incongruous with people's needs and expectations. And one of the trends that they identify is what they call this dilemma of smart things. You know, companies are producing these smart devices. You know, they're out there for a long time. They keep getting updated. The software and firmware gets updated over time. And just that basically is a new reality of product ownership, where the product is in this constant or forever beta state. 

Malek Ben Salem: [00:20:58]  The big takeaways from this trend are the need to design a product for the entire journey of product ownership, including the end of lifecycle of that product. And what they've highlighted is some of the interesting examples where, you know, Jibo - a home robot - was discontinued last year. 

Dave Bittner: [00:21:19]  Right. 

Malek Ben Salem: [00:21:20]  And users, you know, could talk to it. They could say, hey, Jibo. But it would no longer understand or respond to any other voice commands. Also, Google announced that it would be shutting down the Works with Nest program in favor of the Works with Google Assistant solution. And, you know, people just, you know, pushed back on that, which made Google announce that, you know, the existing Works with Nest connections would stay online. But as companies design for that, they got to be thinking about how this is relevant to security. 

Malek Ben Salem: [00:22:01]  Not only will these old devices limit the business and its ability to deliver, you know, the greatest experience for users, they will begin to generate risk for the whole ecosystem because it's aging technology, you know. It's rife with security vulnerabilities. So building a strategy about - for how to smoothly transition customers from one generation of the product to the next will be a key component of customer retention but also of, you know, good security hygiene. 

Dave Bittner: [00:22:41]  All right. Well, the name of the report is the Accenture Technology Vision for 2020. Do check it out. Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: [00:22:50]  My pleasure, Dave. 

Dave Bittner: [00:22:56]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time. It'll keep you informed. It'll let you sleep at night. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:23:16]  Thanks to all of our sponsors for making the Cyberwire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at 

Dave Bittner: [00:23:28]  Be sure to check out this week's "Research Saturday" show, where I'll be speaking with Paul Gagliardi from SecurityScorecard about their analysis of the cybersecurity of the Democratic candidates for president. 

Dave Bittner: [00:23:40]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.