The CyberWire Daily Podcast 7.22.20
Ep 1135 | 7.22.20

Meowing exposed databases. US indicts two Chinese nationals for hacking, and orders China to close its Houston consulate.


Dave Bittner: Meowing is now a thing - the automated discovery and wiping of exposed and unprotected databases. The U.S. indicts two Chinese nationals on 11 counts of hacking and reports evidence that Chinese intelligence services are now using cybercriminals as contractors. Mike Schaub from CloudCheckr on why COVID-19 has ignited modernization projects for government agencies; Joe Carrigan on counterfeit Cisco routers and the U.S. State Department tells China to close its consulate in Houston.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 22, 2020. 

Dave Bittner: An ongoing wave of destructive attacks, meow attacks, appears to use an automated tool to find and wipe exposed Elasticsearch and MongoDB instances. According to BleepingComputer, there are no ransom notes, no threats, no crowing and no explanation for the attacks. One possible explanation is that the attacks represent tough love from vigilantes pushing admins to secure their databases, but that's speculation. Meowing could represent anything from misdirection to preparation for a protection racket to an appetite for destruction to the lulz (ph). The U.S. attorney general for the Eastern District of Washington has secured an indictment against two Chinese nationals on 11 counts of hacking computer networks to obtain intellectual property. They are said to have cast a wide net working against targets in 11 countries and at least 12 economic sectors. Each man faces one count of conspiracy to commit computer fraud - a maximum sentence of five years in prison - one count of conspiracy to commit theft of trade secrets - a maximum sentence of 10 years in prison - one count of conspiracy to commit wire fraud - 20 years max - one count of unauthorized access of a computer - a maximum sentence of five years - and seven counts of aggravated identity theft - a mandatory two nonconsecutive years for each count. 

Dave Bittner: The investigation of the pair began when an intrusion into Department of Energy networks in Hanford, Wash., was detected, and it moved on from there. The FBI said the two worked with the Guangdong State Security Department, the GSSD, of the Ministry of State Security while also targeting victims worldwide for personal profit. Chinese nationals have been indicted by the U.S. before in connection with espionage, but these, most famously the PLA officer with the unfortunate hacker name of UglyGorilla and his colleagues active against the metallurgical industry in Pennsylvania, were strictly on the government payroll working on the PLA's dime. The indictment is therefore interesting in that it appears to represent the first case in which Chinese hackers have been indicted for both state-directed espionage and ordinary self-interested cybercrime. 

Dave Bittner: In the Department of Justice press release that announced the charges, Assistant Attorney General for National Security John C. Demers said, quote, "China has now taken its place alongside Russia, Iran and North Korea in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being on call to work for the benefit of the state, here to feed the Chinese Communist Party's insatiable hunger for American and other non-Chinese companies hard-earned intellectual property, including COVID-19 research" - end quote. 

Dave Bittner: Russian government use of cybercriminals in its espionage and influence operations was discussed in the Intelligence and Security Committee of Parliament report rendered in the United Kingdom earlier this week. And the U.S. intelligence community has long taken notice of how mobbed up Russian cyber operations can be. But some observers see a difference in national styles. The Washington Post spoke with some professional hood-watchers in think tanks and security firms, and they tended to see the Russians as winking at cybercrime as long as the gangs keep their hands off the wrong targets, that is, the domestic and connected ones. And as long as they're willing to do the official security and intelligence organs favors when asked. The Chinese treat the criminals more like contractors and are content to let them profit on the side. In this case, while they allegedly stole trade secrets, spied on dissidents abroad and assisted with influence operations, they also had a nice side hustle raiding Bitcoin wallets. 

Dave Bittner: The Justice Department thanked its international partners and the work the FBI's legal attaches did to coordinate the investigation with them. There was some international applause for the indictment, Yahoo notes, with Australian agencies, including the Australian Signals Directorate, in particular welcoming efforts to hold bad actors to account. So the two Chinese hackers each face a possible maximum of 40 years in U.S. federal prison, but since cybercriminals work locally, even as they act globally, both of the accused are still in China and so have the proverbial snowball's chance of extradition to the U.S. - unless, of course, they're inattentive in their selection of international vacation spots and decide to honeymoon in a place that has a good extradition treaty with the U.S. or even a less formal willingness to cooperate with the Americans. 

Dave Bittner: Just ask Roman Valeryevich Seleznev. He's the sometime proprietor of CarderPlanet who goes by the hacker names Track2 and Bulba, son of a Russian Duma member and convicted hacker, now a guest at the Federal Correction Complex, Butner in North Carolina, a medium-security Club Fed. His reservation runs through 2043. In 2014, Mr. Seleznev was incautious enough to check into the Kanifushi Resort in the Maldives, where a special arrangement negotiated with the local government by the U.S. Secret Service facilitated his arrest and transportation to the U.S. 

Dave Bittner: So travel with care. We hear Wuhan is nice this time of year. 

Dave Bittner: COVID-19 has ignited necessary modernization projects for government agencies, along with the push for necessary funding to see said projects through. Mike Schaub is information security manager from cloud management platform supplier CloudCheckr. 

Mike Schaub: I think with the government, you've seen that they've struggled a bit with trying to scale up with the COVID-19 response and ran in some trouble with their systems. You know, some examples of that with the - you hear stories about the IRS looking for COBOL programmers, trying to get the stimulus checks printed and the unemployment websites being inundated with filings and just struggling to even keep up. So that's - it's caused a strain, you know, due to the unprecedented issues that COVID has put forth. 

Dave Bittner: Where were these agencies before COVID hit? Where - in terms of being behind the eight ball or ahead of the game, where did they stand? 

Mike Schaub: I think different agencies had - were in different places. There was definitely some looking towards modernization. And then in 2017, they were looking forward. They put out that Modernization (ph) Government Technology Act. It was signed into law. You know, it'd give the ability for agencies to start setting aside some funds towards modernization. But I think you've seen agencies have struggled to kind of advance these efforts or get that funding 'cause that did not come with funding within it. It just gave them a mechanism for creating funds, so they can set aside funds to use towards the modernization. 

Dave Bittner: Now, in terms of the agencies reaching out, you know, to Congress to ask for more funding, are they being effective in that messaging? Is Congress being receptive? 

Mike Schaub: Well, with COVID, in the House and the CARES Act, we saw it was proposed 3 billion towards modernization as part of the CARES Act. But in the end, it ended up only getting close to, like, 500 million of that passed towards modernization things. It's coming up again with the HEROES Act, which has passed the House, but some doubt whether it will go beyond that. And that currently has another billion dollars towards modernization funding. 

Mike Schaub: So I think COVID's helping to cause more discussion on this, but I think it may still remain to be seen if it will result in actual acceleration. And one of the things, too, with modernization - it tends to be an ongoing thing, too, so although that may give a boost to help with some that are far behind, the technology continues to evolve and change all the time. 

Dave Bittner: That's Mike Schaub from CloudCheckr. 

Dave Bittner: The Wall Street Journal says the U.S. State Department also ordered China's Houston Consulate closed for its connection to espionage and influence operations. Why the Houston Consulate in particular was singled out the State Department hasn't said - quote, "the United States will not tolerate the PRC's violations of our sovereignty and intimidation of our people, just as we have not tolerated the PRC's unfair trade practices, theft of American jobs and other egregious behavior," end quote. That was the extent of the clarification State Department spokeswoman Morgan Ortagus offered. 

Dave Bittner: The Chinese Foreign Ministry reacted with some figurative heat. Spokesman Wang Wenbin said yesterday, quote, "this is a political provocation unilaterally launched by the U.S. China urges the U.S. to immediately rescind its erroneous decision, otherwise China will undertake legitimate and necessary responses," quote. 

Dave Bittner: The Chinese Foreign Ministry also reacted with some literal heat. The Houston Consulate burned its papers last night, Click2Houston reports. The Houston Fire Department showed up but, of course, couldn't enter to put the fire out, the consulate's grounds being a privileged diplomatic space, but at least they were there to keep the flames from jumping to the neighborhood. 

Dave Bittner: Burning your diplomatic papers is a traditional sign of either self-protection against a hostile host government or evidence of some guilty knowledge. You can take your pick, but whatever else they were up to, the consular staff wasn't toasting s'mores. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story came by. This actually caught my attention. It was a press release from the folks at F-Secure, a security company out of Helsinki, Finland. And they have published some research where they have been looking at some counterfeit Cisco routers. 

Joe Carrigan: Yeah. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: Yes. So their customer purchased a couple of routers which later turned out to be counterfeit. And the way they found out that they were counterfeit routers is they updated the software like a company should do when they have these routers. And that stopped the routers from working at all. So F-Secure is investigating some - or has investigated, rather - some routers that were counterfeit that were sold to a company. And the way the company found out there were counterfeit was the switches - these were switches. They stopped working when someone tried to update them. So the software wouldn't run on the modified switches or forged switches, right? They actually call them either modified or forged. I don't know which one it is. 

Joe Carrigan: But one of the things they said in here was, when you find counterfeit hardware on your network, you don't know what that counterfeit hardware is doing, right? So you have to do a reverse-engineering project on it. And that's essentially what F-Secure was asked to do. And what they found was there was no backdoor on the hardware that they could find. And they think that the motivation for this was just I'm just going to rip off Cisco's products and sell them for cheaper and make money, right? 

Dave Bittner: Yeah. So, I mean, let's walk through some of the likely sort of order of operations here that, you know, I'm in the market for a Cisco router. 

Joe Carrigan: Right. 

Dave Bittner: And I'm shopping around. And maybe I find a price that's lower than my local authorized Cisco dealer. 

Joe Carrigan: Right. Because when you go out shopping for Cisco routers, you'll find that they're pretty expensive. Just go routers and switches - you'll find that they're not cheap, right? 

Dave Bittner: Yeah. Right. No, it's an investment. 

Joe Carrigan: It is an investment. It's an investment in the design of going with a reputable manufacturer who takes security and the operation of your network very seriously. Cisco is a great company for that. There are other companies out there that are similar to that. I'm not endorsing Cisco, but they do a good job. If you're out there looking around for equipment, you might be enticed to go with somebody who has a lower price point and has equipment that is, as far as you're concerned, the exact same product. 

Dave Bittner: Yeah. And so you order these. They show up. Everything looks fine. The boxes look like Cisco boxes. You open them up. Inside, the switches look like Cisco switches. You put them in the racks. You wire them up. Data is flowing. You configure them. As far as you're concerned, everything is running as normal. There's nothing out of the ordinary here. They're functioning the way that you hoped that they would. 

Joe Carrigan: It's all hunky dory, right? So... 

Dave Bittner: (Laughter) Until... 

Joe Carrigan: Until you go to update them and something in the update process stops them from working. 

Dave Bittner: Yeah. Yeah. How do you protect against this? How do you make sure that you're not getting some bogus equipment? 

Joe Carrigan: Well, that's a good question. And F-Secure actually addresses that in this press release. The first thing they say is, source all of your components from authorized resellers. Make sure that the person you're dealing with is an authorized reseller of the product from the company you're buying. And you can probably call the manufacturer and say, is this person a authorized reseller of your product? Because they take that relationship very seriously. I was looking at an article from back in 2008 that said if Cisco finds out or gets wind of you selling counterfeit products, you're done. They're not going to deal with you anymore. You're not going be an authorized reseller. That would be a big hit to someone's business, so they're a lot less likely to sell counterfeit products. So look for that authorized reseller. 

Dave Bittner: Yeah. I mean, I suppose too if you're an organization that is looking to save some money - maybe you're a nonprofit or something like that - you also have to be careful about the used market because if you were shopping around for a used Cisco router, you say, well, here's a way to save some money on a name-brand device. 

Joe Carrigan: Yeah. 

Dave Bittner: That could be a counterfeit unit as well. 

Joe Carrigan: Absolutely. It could be counterfeit or modified. Yeah. One of the things they say is that make sure that everything runs the latest available software provided by the vendor. I'm actually kind of pleased that the software on these caused the routers to brick. That looks - that - I think that might be Cisco's doing - right? - that there's something in the software update that says this is not a legitimate piece of Cisco equipment. We're going to make it not work. That's good with me. I'm OK with that, actually. 

Dave Bittner: Yeah. All right. Well, it's an interesting story. You can chase it down. Again, it's - the folks over at F-Secure have published their research on these fake Cisco routers. It's an interesting read. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you all back here tomorrow.