The CyberWire Daily Podcast 7.6.20
Ep 1123 | 7.6.20

Damage at Natanz, maybe cyber-induced but maybe not. Official Huawei skepticism spreads. Big European dragnet. Hushpuppi in custody.


Dave Bittner: An Iranian nuclear installation may have been hacked - or maybe not. But in any case, it was damaged. Huawei gets more skeptical looks. European police round up hundreds of online contraband dealers. Thomas Etheridge from CrowdStrike on the increased need for speed, scale and remote investigation and recovery services. Our guest is Tobias Whitney from Fortress Information Security on the Asset to Vendor Network. And, hear about an accused Nigerian money launderer who is now in US custody facing federal charges.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 6, 2020. 

Dave Bittner: An explosion and fire at Iran's Natanz uranium processing center last Thursday is being widely attributed to a cyberattack by Iranian sources and others. Tehran said that investigators had determined the cause of the attack but were withholding details for security reasons. Reuters says that some unnamed Iranian officials said it was either a US or Israeli attack, but while promising retaliation for any cyberattack against its nuclear facilities, Iran stopped short of publicly blaming either the US or Israel. 

Dave Bittner: Breaking Defense cited Israeli cyber experts who were quick to call the incident a kinetic cyberattack but who also said it wasn't an Israeli operation. Over the weekend, senior members of the Israeli government, including Foreign Minister Ashkenazi and Defense Minister Gantz, issued soft denials, or non-denial denials, the Jerusalem Post reports, apparently intended to preserve strategic ambiguity. 

Dave Bittner: Before the fire became public knowledge Thursday, the BBC's Persian service said a self-proclaimed Iranian dissident group, the Cheetahs of the Homeland, claimed responsibility for the sabotage. But as the AP points out, there's some implausibility in the Cheetahs' self-presentation. The name, for one thing, is an homage to a national soccer team, and the messaging elements are oddly mixed. Could they be an actual dissident group? Sure. There have been and continue to be Iranian dissidents. Could it be misdirection, a false flag? That's equally possible. 

Dave Bittner: So while satellite imagery and Iranian statements confirm a destructive fire, beyond that, it's unclear what happened. It's worth noting that Breaking Defense's sources understand cyberattack expansively, including possible remote disabling of security cameras to facilitate sabotage. And, of course, talk of a cyberattack could itself be misdirection. Many of the observers talking to the press are calling this recent attack coarse and inartistic when compared to Stuxnet. Accident or conventional sabotage are at least as, and arguably more, probable, as Forbes sensibly notes.

Dave Bittner: Many of the original accounts of a cyberattack are being sourced to outlets in Kuwait. See, for example, the stories in SecurityWeek and Computing, both of which cite Al-Jarida. The story is a developing one. We'll be following it closely. In the meantime, expect cyber tensions among Iran and its regional and global adversaries to remain high. 

Dave Bittner: Official attitudes toward the security risks posed by Chinese manufacturers continue to harden. Bloomberg reports that British Prime Minister Boris Johnson intends to direct that Huawei equipment be phased out of the UK's 5G build-out over the coming year. The decision is based on consequences drawn from increasingly comprehensive US sanctions against the Chinese hardware vendor, sanctions that effectively impede Huawei from using US-developed technology. As Bloomberg's sources summarize input from the National Cyber Security Centre, the NCSC has, quote, "concluded that new US sanctions mean Huawei will have to use untrusted technology, making security risks impossible to control," end quote. 

Dave Bittner: In Australia, amid widespread concern over Chinese cyber-espionage and influence operations, outlined by CPO Magazine, Prime Minister Scott Morrison plans to significantly augment the Australian Signals Directorate, the Australian Financial Review reports. According to iTnews, the attorney general's department is moving toward requiring tighter accountability for cybersecurity of government agencies. 

Dave Bittner: India has been concerned about both Chinese hardware and apps. One of the challenges the country faces is deciding how to balance the desirable low cost and acceptable quality of Chinese products against the undesirable connections between Chinese companies and Chinese security and intelligence services. The Wall Street Journal also reports that TikTok, one of the companies India has banned in the wake of recent border clashes, has categorically denied that Chinese authorities had ever asked it for data on Indian users and that even if the authorities had done so, TikTok would have refused to comply. 

Dave Bittner: Mercom India reports that the Ministry of Power, quote, "has issued a notice mandating all power supply system equipment, components and parts imported into the country must pass through a check for harmful embedded software," end quote. The policy is not explicitly directed against any country's products. The inspections are justified on the grounds of the centrality of India's power grid to the national safety, security and economy. 

Dave Bittner: And France's cybersecurity agency, ANSSI, advised French 5G telcos to avoid Huawei. The government doesn't plan to ban Huawei from 5G, but Reuters reports that the French cybersecurity agency is advising the nation's telecommunications companies to steer clear of Huawei, especially if they haven't committed to using the Chinese manufacturer's equipment. ANSSI Director Guillaume Poupard told Les Echos that there would be no ban but that the government does want to limit the role the company would play in 5G infrastructure. 

Dave Bittner: In May of 2019, President Trump signed an executive order on securing the information and communications technology and services supply chain. NERC has published guidelines for compliance, which include a deadline of October 1 of this year. Tobias Whitney is vice president of energy security solutions at Fortress Information Security, who've launched an Asset to Vendor Network website to help power utilities track their progress as the deadline approaches. 

Tobias Whitney: From my vantage point, the supply chain challenge has been becoming increasingly more difficult to mitigate and, frankly, more recognizable throughout industry as it being a real challenge. For the last 10 to 12 years or so, industry has been focusing on developing and complying with a set of cybersecurity standards that are applicable to electric power utilities. So large transmission owner-operators, generation owner-operators, those that manage the grid ultimately are considered responsible for complying to the set of rules ultimately endorsed and approved by the Federal Energy Regulatory Commission. 

Tobias Whitney: While they have been focusing on cybersecurity, which includes patch management and trying to mitigate known vulnerabilities associated with systems on the grid, it was clear that they couldn't do it themselves. They needed to engage more of the vendor community and the supplier community to really round out the cybersecurity effort. So in the last couple of years - I think about 2 1/2 years ago, FERC sent out a mandate, ultimately a request for a new addition to the cybersecurity standards, and that was the supply chain standard, CIP-013, and also required some tweaks made to the existing cybersecurity standards CIP-002 through 11, so those standards are CIP-007 and - excuse me - CIP-010 and CIP-005. 

Dave Bittner: Can you give us some insights? The folks who are on the ground who are dealing with this stuff every day who are responsible for the security of the electrical grid, what is their sense right now? Where do you suppose they feel as though we stand when it comes to the grid security? 

Tobias Whitney: I would say people that work at utilities and have boots on the ground - and, you know, it's an industry I've been working very closely with for years - always have had a feeling of being prepared, of recognizing that whatever the emergency is, whatever the circumstance may be, they've been trained and ultimately ready to respond to a grid-related incident or event or cyber exposure, what have you. Utilities are very good at, you know, identifying where there's an outage, responding to the outage, getting systems and operations recovered so that utility and electrical services can be back up and running within a minimal amount of disruption. And that's, frankly, been the culture of this industry for quite some time. So many believe that, yes, you know, even if we do have a cybersecurity incident or threat, that through our training and activities and around preparing for cyber and other types of outages and events, they feel relatively prepared, I think, that this is something that can be managed. 

Dave Bittner: That's Tobias Whitney from Fortress Information Security. 

Dave Bittner: There have been two major arrests involving cybercrime. First, the AP reports that police in several European countries, notably Britain, France and the Netherlands, cooperated in rolling up 746 suspects involved in trading contraband online. Together, they seized about $68 million in cash, 77 firearms and more than 2 tons of drugs. Most of the suspects were collared in the UK, but it was an international effort. Most interesting is the success the police had monitoring criminal communications over the encrypted EncroChat application. Motherboard reports that French authorities had penetrated the EncroChat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation and had been quietly reading the users' communications for months. Investigators then shared those messages with agencies around Europe. 

Dave Bittner: And, second, a major Nigerian Instagram influencer, Ramon Olorunwa Abbas, better known online by his hacker name Ray Hushpuppi, was arrested in Dubai and then extradited to the US, where he's now facing charges related to alleged conspiracy to, as the US attorney for the Central District of California put it, launder hundreds of millions of dollars from business email compromise frauds and other scams. Mr. Hushpuppi's alleged victims include an American law firm, a foreign bank and an English Premier League football club. That's football as in soccer, Yankee. 

Dave Bittner: Anyhoo, Mr. Hushpuppi's self-presentation in social media has been glorious, if, that is, you remain untroubled by the deadly sin of avarice and the attendant deadly sin of envy displays of avarice provoke in those less favored by the prince of this world. Our favorite is a photo CNN has of the influencer, thoughtfully reading Forbes Asia while comfortably ensconced in blanket and pillows aboard a private aircraft, a bottle of Fiji Water in hand, just to stay hydrated. The only false note is the Fiji Water, which our editor says the dollar store across the street from him in Baltimore carries at a discount. Maybe consider Sanpellegrino, if that's available in the Club Fed commissary. 

Dave Bittner: And joining me once again is Thomas Etheridge. He's the senior vice president of services at CrowdStrike. Thomas, it's always great to have you back. I wanted to touch today on some of the things that you and your team are tracking in the wake of COVID-19. Can you share with us what are some of the things that are top of mind for you? 

Thomas Etheridge: Thanks, Dave. It's great to be back. Some of the big things we're tracking really are around the - just the spike we're seeing in malicious activity in the first half of 2020 versus what we saw about a year ago. So with companies moving workforces outside the office, the attack surface has just expanded exponentially. A lot of organizations are slow to be able to get tooling out to new infrastructure that they've provisioned to users that are now working remotely, and the ability to be able to respond to breaches is becoming a challenge for organizations, especially as the workforce becomes more dispersed. 

Dave Bittner: Are you noticing anything in terms of the size of organizations? In other words, does it - has it been more challenging for a large organization to adjust here versus a small one, or is every case unique? 

Thomas Etheridge: I think every case is unique. Some organizations have the inventory of equipment and are able to leverage existing tools to provision and provide that capability for remote connectivity to an organization's, you know, infrastructure a lot more gracefully than maybe smaller organizations. We've certainly seen that in some of the state and local government organizations, where moving employees offsite has created some challenges in terms of some of the legacy tools and infrastructure. They're just not prepared for it. 

Dave Bittner: Yeah. It's interesting. I can imagine if you're an organization where someone came in and sat down every day to a desktop computer, you might be in a different situation than somebody where everybody was provisioned with laptops so they could just pick up and go home and not really skip a beat. 

Thomas Etheridge: Exactly. And the other factor here is cloud. So a lot of organizations are pushing workloads to the cloud. It does provide that scalability and ease of connectivity, kind of the work-from-anywhere model. And workload security is - creates additional sets of challenges. So understanding the visibility and management of all of those workloads in the cloud has become a challenge for organizations that haven't thought about that over time. And what we're seeing is that security is a necessary requirement in order to make sure that those organizations are able to continue to operate successfully, service their constituents and customers. And it's really become a big challenge for many organizations. 

Dave Bittner: You know, we're a couple months into this now. Do you have any tips for organizations out there based on what you've seen and the companies who have gotten it right? Any suggestions for making sure that you're up to speed in the state where we are today? 

Thomas Etheridge: There's a couple of key things, I think. No. 1 is looking at endpoint protection capabilities that are cloud-native. So tools that don't require physical infrastructure are easily deployable both from a management and a protection perspective. That's kind of a key to the problem. The other thing is patching. We've noticed a lot of organizations have not invested in overall patching and keeping vulnerabilities snuffed out in their environment. Especially as organizations start to move to remote workforce, patching becomes a little bit more of a challenge. You have to wait for systems to be on the network in order for them to get patch updates and have those applied. And additionally, the use of personal devices as well presents another problem for organizations as they are allowing some of these personal devices to connect to the network. Knowing and being able to manage the patch status of those environments is also a challenge. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.