The CyberWire Daily Podcast 6.9.20
Ep 1105 | 6.9.20

Tracking down hackers-for-hire. SNAKE ransomware bites Honda. Anti-DDoS for criminal markets. And a menu for cyber contraband.


Dave Bittner: Commercialized hacking for hire is traced to an Indian firm, but it's probably not an isolated problem. Ransomware shuts down Honda production lines in three continents. Criminals develop and distribute an anti-DDoS tool to help keep the dark web markets responsive and available. Ben Yelin revisits Twitter's flagging or removing the president's tweets. Our guest is Jeremy Oddo from The Third Floor. He discusses securing your favorite Hollywood movies during COVID-19. And researchers compile a menu of cyber contraband.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 9, 2020. 

Dave Bittner: The University of Toronto's Citizen Lab this morning released a report on a hacker-for-hire operation, Dark Basin, which targeted advocacy groups and journalists, elected and senior government officials, hedge funds and multiple industries. Dark Basin is said to have been especially interested in U.S. not-for-profits, notably climate change and net neutrality advocates. Among the specific groups targeted are the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Center for International Environmental Law, Oil Change International, Public Citizen, the Conservation Law Foundation, the Union of Concerned Scientists, M+R Strategic Services and There were others in what Citizen Lab calls the same cluster, but the report declined to name them. 

Dave Bittner: Citizen Lab says, quote, "we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy," end quote. They initially thought Dark Basin might have been a state-sponsored group but concluded instead that they were hired guns, working for one side of a contested legal proceeding, advocacy issue or business deal. Citizen Lab says it's been sharing information with NortonLifeLock, whose researchers have been tracking the same outfit under the name of Mercenary.Armada. 

Dave Bittner: Much of the activity Citizen Lab reports is connected to the climate change campaign marked with #ExxonKnew, and it was keyed to events surrounding both that advocacy campaign and a New York investigation of Exxon Mobil. Email compromise and social engineering with spoofed email and social media accounts were Dark Basin's principal methods. 

Dave Bittner: While the targeting of climate change advocacy groups was keyed to events involving Exxon Mobil, Citizen Lab is careful to say that it has no evidence that would enable it to identify who hired Dark Basin, nor is there much to finger the clients who may have hired Dark Basin to pay attention to campaigners for net neutrality or to short sellers of particular stocks or to energy or financial services companies or simply to high net worth individuals, particularly Eastern European oligarchs. 

Dave Bittner: Citizen Lab says Dark Basin is run by a Delhi-based IT and security firm, BellTroX. BellTroX's director and owner is Sumit Gupta. According to Citizen Lab, he's the same Sumit Gupta whom the US attorney for the Northern District of California charged in 2015 with crimes related to a conspiracy to access the email accounts, Skype accounts, and computers of people opposing his co-conspirators in civil lawsuits. Mr. Gupta is still at large in India and apparently still running BellTroX. The company's website was up and accessible earlier this morning, but as of 1:00 PM Eastern Time, the BellTroX site had been replaced with an account suspended page that included advice to contact your hosting provider. We'll pass. It seems clear enough what's going on. Those looking for BellTroX after this morning clearly have to search elsewither. 

Dave Bittner: The New York Times says US federal prosecutors are investigating the latest Dark Basin capers. Citizen Lab draws this lesson from their research. Large-scale commercialized hacking is a serious and growing criminal sector. 

Dave Bittner: The folks in Hollywood, who work hard every day producing the movies and TV shows we all love, go to great lengths to protect those assets from leaking prematurely. Spoilers can ruin the anticipation for that big movie premiere and derail expensive marketing efforts. So what happens when the writers, producers, editors and special effects artists suddenly need to shift to working from home due to COVID-19? Jeremy Oddo is director of technology at LA previsualization firm The Third Floor. 

Jeremy Oddo: We work primarily in feature film. We do commercials as well and video game cinematics, but most of our work really revolves around theatrical movies. And what we provide is we provide a service called visualization that allows the director and content creators to express what's in their brains out into a medium that everybody else can digest and understand. 

Dave Bittner: So, I mean, it's my understanding that organizations like yours, you know, do go through extraordinary efforts to make sure that you're not leaking any spoilers about the movies that are coming out. I guess my question is what's happened as you've shifted to working from home, as so many folks have during this COVID-19 situation? You know, you no longer have everything protected within your actual facility there. What has that shift been like? 

Jeremy Oddo: Yeah, no, that's a terrific question. So we go through a lot of security audits throughout the year to make sure that we're maintaining a proper level of security so that our content is secure. And then COVID-19 happens, and it completely changed the landscape. Our plan from the get-go was always keeping the data safe in our four walls, not exposing that out to the edges. So we need to make sure that we could get people into our studio remotely, work on it as if they were working there. That way, all of the applications that are stitched together the way that we've done it, all of our process can function the way that it normally does. The first thing that we needed to do was establish a data center presence and get a 10-gig link. The reason why we went to the data centers, we checked to see how quickly we can get a 10-gig link dropped to our office, and it was upwards of three months, which obviously... 

Dave Bittner: Wow. 

Jeremy Oddo: ...Wasn't going to - yeah, that wasn't going to do in this situation. 

Dave Bittner: (Laughter) Right, right. 

Jeremy Oddo: So I said, OK, well, how do we trim time off of here? And the way to do that is to go to a data center, where they have easy access to drop in these connections. Using AppGate, it's called a software-defined perimeter, where you actually kind of create this little perimeter around everybody and only provision out the resources that they need. So in our instance, we use - we're predominantly a Windows shop, so we use Remote Desktop for some purposes. And then we use a tool called Teradici, which is just really a very high-performance, high-fidelity version of Remote Desktop. You can think of it that way. So it allowed us to really create just a pinhole for them to get in and do what they needed to do and not expose all the other resources that, typically, we would want to protect very closely. 

Dave Bittner: That's Jeremy Oddo from The Third Floor. 

Dave Bittner: Production at Honda plants in Europe, North America and Japan has been affected by what the company calls a computer "disruption," NBC News and others report. Local news reports from the U.S., the U.K. and Canada indicate that Honda facilities in those countries are among those affected. The problems began on Sunday, and Honda is still working to resolve them. A company statement said in part, on Sunday, June 7, Honda experienced a disruption in its computer network that has caused a loss of connectivity, thus impacting our business operations. We have canceled some production today and are currently assessing the situation. 

Dave Bittner: The company is remaining relatively tight-lipped, but BleepingComputer says that outside observers think they see signs that the incident was a ransomware attack with a variant of Snake, which also goes by EKANS. It's apparently a targeted attack. A sample of the malware in VirusTotal seeks to resolve the domain If it can't, it terminates without encrypting anything. 

Dave Bittner: Here's the latest in a series of fitful attempts at cooperation among criminals, as described this morning by researchers at Digital Shadows. It's a DDoS protection tool, EndGame - no connection to the similarly named security company acquired last October by Elastic NV. Denial-of-service attacks have been a drag on criminal operations for some time, whether they're mounted by underworld competitors or law enforcement agencies. EndGame is a product of collaboration among players in the criminal markets Dread, White House Market, Big Blue Market and Empire Market. Despite some cartelization, as Trend Micro observes, the underworld remains a low-trust community. 

Dave Bittner: In any case, as we'll hear a little later, DDoS attacks are also criminal commodities. They're inexpensive. And since, as Digital Shadows points out, speed and availability are important to dark web markets, it's easy for distributed denial of service to become a problem for the criminal trade. 

Dave Bittner: The reactions to EndGame from its clientele have been mostly positive. How the tool will fare remains to be seen. But the fact that it's appeared at all suggests that even a low-trust community can cooperate if self-interest pushes hard enough. 

Dave Bittner: And finally, if you're buying commodity cyber contraband a la carte - not that you would, of course, but if you were or maybe if you were asking for a friend - Privacy Affairs has compiled a representative menu from the dark web. The offerings range from an appetizing morsel of a thousand Spotify plays, which can be had for a buck, to an appetizer of 10,000 to 15,000 DDoS requests per second against an unprotected website for over 24 hours - just $60 - to a main course of premium malware at six grand. Consider on the side, a Rutgers University student ID - 70 bucks - or perhaps some stolen PayPal account details - $198.56, but some think it worth the price. For dessert, consider a cloned Visa card with PIN - $25. Care to wash it down with a hacked Gmail account? That'll be $155.73. Mal appetit. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: We got a bit of follow-up from a listener about something we spoke about recently. They wrote in and they said Friday's CyberWire episode talked to the executive order issued regarding social media companies. In this discussion, Ben mentioned one of the president's tweets was flagged for possibly being interpreted for a call for violence. Walking the concept further, if there were multiple flagged or blocked tweets, which could have a normal user restricted or banned, considering the public figure the president is and Twitter being a regularly used method for messaging the public, could Twitter temporarily suspend the president's account for violating the EULA or similar grounds? And what actions might the administration need to take to prevent or reverse any type of actions taken by Twitter, such as restrictions of the account, if they - Twitter - consider tweets harmful, abusive or a call to violence? 

Ben Yelin: So it's a great question. Normally, any other user who was not a head of state or head of government, if Twitter determined that there was a call to violence, if a tweet was harmful or abusive, it would be taken down. And if the pattern continued, that user would be suspended. I know a lot of individuals who have been suspended. I don't know them personally. I know a lot of individuals whose Twitter accounts... 

Dave Bittner: (Laughter) The circles you run in - you're running with some bad boys there, Ben. 

Ben Yelin: Exactly. You know, somebody like the actor James Woods was suspended on Twitter for a period of, like, six months or something for incendiary tweets. So most people are not immune. Twitter has made a distinction for heads of state and heads of government because of the newsworthiness of all of their statements. Basically, they're saying whether that user, if they are in a position of power, tweets something harmful or abusive or violent, Twitter, as a general policy, will not take that tweet down because it is in the public interest. The public has a right to know what their leaders are saying and what their leaders are thinking. So they - it really is an exception to the EULA. And I honestly think once you attain a certain position of power in the government, it does give you more free rein to post what you want, whether it would otherwise violate the terms of service. And certainly, I think our president has taken advantage of that exception. 

Dave Bittner: Now, suppose Twitter changes their mind. I mean, we've seen some movement from them lately, where they've been putting some tags on the president's Twitter posts, and they also hid one. They made it so you could still see it, but they hid it as a default. Does the administration itself have any right to action against Twitter as a private company? 

Ben Yelin: No, they do not. I mean, as far as the law is concerned, Twitter can - is a private organization. They're not restricting the president's speech. They can really do whatever they want. They can come up with their own terms of service, their own rules on censorship. And as we talked about last week, per Section 230 of the Communications Decency Act, at least as the law is right now, they can't be held liable for any of those decisions. 

Ben Yelin: It seems to me that despite what Twitter is doing as it relates to the president's posts, it really has no intention of doing what it does for, you know, the other 99.99% of its users, which is to take down posts entirely and suspend users, just because I think when the president says it, it's newsworthy. It's in the public interest. You know, so they're willing to put warnings on tweets, but they're not willing to censor them entirely. And I think they've held to that viewpoint pretty strongly. You know, 40 years ago, the - Richard Nixon said in an interview that if the president does it, it's not illegal. I think there's some of that logic at play here. The president is held to a different standard than any other user. 

Dave Bittner: You know, you use that word censor, and I think that's a hot topic here. Many people will accuse Twitter of censorship. But strictly from a legal point of view, again, since we're talking about a private company, that's not how the law works, right? 

Ben Yelin: It is certainly not how the law works. You know, the theory is if the president were angry enough at Twitter, in our capitalist system, he could start his own microblogging technology and can make his own rules about censorship. Honestly, would you be really surprised if that happens? 


Ben Yelin: You know, there could be Trumpter or something. 

Dave Bittner: Right, right. 

Ben Yelin: You know, and Twitter just happens to be the major microblogging platform there. It's where the people are, and that's where he can get the most eyeballs. But in terms of what Twitter is allowed to do, they are allowed to manage the content on their website. They are allowed to make these editorial decisions as long as they're not violating any other federal law. So, you know, for example, they can't violate the Civil Rights Act by saying, we're only going to accept tweets from white users or something like that. But if they're not... 

Dave Bittner: I see. 

Ben Yelin: ...Doing that, then they are a private organization, and they have the right to police the content in the way they see fit. 

Dave Bittner: All right. Well, thanks to our listener for sending in the thoughtful question. And, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.