The CyberWire Daily Podcast 7.29.20
Ep 1140 | 7.29.20

Alleged Russian disinformation campaigns. Beijing’s cyberespionage hits the Vatican. Costly PII losses. VPNs and OT security. Big Tech’s day with Congress. Online bar exams. Snooping for the Saudis.


Dave Bittner: Alleged Russian influence operations have been described by U.S. intelligence services. Ghostwriter targets the Baltic region with anti-NATO false narratives. Chinese intelligence is said to have compromised Vatican networks. Loss of customer PII seems the costliest kind of data breach. VPN bugs represent a risk to OT networks. Big Tech comes to Capitol Hill - virtually. Michigan's online bar exam's been knocked offline briefly by a cyberattack. Joe Carrigan on password stealers targeting gaming. Our guests are Troy Smith and Mike Koontz from Raytheon on defending communications operations across cloud platforms. And a superseding indictment for two ex-Twitterati charged with snooping for Saudi Arabia.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 29, 2020. 

Dave Bittner: Several interrelated Russian disinformation operations are apparently in progress. Declassified U.S. intelligence describes the GRU's and SVR's campaigns to spread disinformation about the COVID-19 pandemic, The New York Times reports. The influence operations running from May through this month have been staged, for the most part, through two news services, InfoRos and One hundred fifty articles on the pandemic have been staged over that period. 

Dave Bittner: According to the AP, two GRU veterans have been identified with the effort. Apparently, the GRU's cousins in the SVR aren't on the sidelines either. Its connections with the Strategic Culture Foundation are currently being looked at by the FBI. InfoRos and OneWorld's content is aimed at Western and, in particular, U.S. audiences. The pieces are written in idiomatic English and are designed to be run through and amplified by other sites and outlets. 

Dave Bittner: The themes of the pieces are familiar. Russia is helping other countries, including the U.S., with medical aid during the pandemic. COVID-19 may have been a U.S. biowar operation that ran away from its masters. This one originated with China's intelligence services. American blue cities have descended into chaos. People are worried about Hunter Biden's sweetheart deal with a Ukrainian energy company. This one's a useful twofer - a bad look for America and a bad look for Ukraine, neither of which countries have exactly been flavor of the month in Moscow for some time. And so on. As usual, the stories surround the lies with what in this case amounts to a thin bodyguard of truth. 

Dave Bittner: Social media platforms, especially Facebook, have been labeling obvious state-run news outlets like RT - that is, Russia Today - and Sputnik as such. But it's tougher to filter stories fed through third parties, which is what InfoRos and OneWorld do. The AP likens it to money laundering, only with information instead of cash. Content is cycled through other news sources to conceal their origin and enhance the legitimacy of the information. The strategy takes advantage of the long-standing but surprisingly seldom-remarked derivative nature of much news reporting. 

Dave Bittner: OneWorld takes exception to those who've characterized it as a Russian influence tool. They are, they say on their website, a global think tank. And their response to the stories in AP and The New York Times runs under the headline "OneWorld's Response to Media Defamation: Sharing One's Opinion Doesn't Make Them a GRU Agent!" adding emphasis to the headline with an exclamation point 

Dave Bittner: Separately, FireEye's Mandiant unit outlines what it calls the Ghostwriter campaign, intended to influence audiences in Latvia, Lithuania and Poland against NATO. Ghostwriter is perhaps more obviously fraudulent than the efforts mounted through OneWorld. Mandiant's report says it, quote, "appears to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries," end quote. 

Dave Bittner: Mandiant believes it's identified at least 14 inauthentic persona through which Ghostwriter distributes its content. There is, Mandiant says, no modal Ghostwriter operation, by which they mean that it's opportunistic and willing to run with whatever seems to work. But a Ghostwriter campaign tends to follow a general outline. It begins by formulating a false narrative, supported by fabricated source documentation like phony quotations, doctored images and bogus official documents. The second phase is dissemination, which places stories in compromised legitimate news sites, op-eds, blog posts and direct email campaigns. 

Dave Bittner: Chinese intelligence services are said to have penetrated the Vatican's networks in advance of diplomatic talks with the Holy See. Recorded Future provides details of Beijing's RedDelta threat group and its operations against the Diocese of Hong Kong and the Vatican itself. The campaign's goals are thought to be the extension of Communist Party influence over the persecuted underground church and collection against the Hong Kong Diocese's potential connection with pro-democracy movements in the formerly autonomous city. 

Dave Bittner: IBM looks at the cost of a data breach and finds that, on average, breaches wind up costing organizations $3.86 million. Compromised employee accounts are the most common cause. The study looked at the experience of some 500 organizations located around the world, and it found that 80% of these incidents studied resulted in exposure of customers' personally identifiable information. And of all types of information lost in incidents, customer PII was hands-down the most expensive to the organizations that suffered the breach. 

Dave Bittner: Vulnerabilities in industrial virtual private networks are believed to be placing critical infrastructure at risk. Claroty yesterday published an assessment in which it associated the pandemic-driven increase in remote work with a heightened risk of VPN exploitation. 

Dave Bittner: Big Tech will testify before the U.S. House Judiciary Committee's Antitrust Subcommittee today. Amazon's Jeff Bezos, Apple's Tim Cook, Facebook's Mark Zuckerberg and Google's Sundar Pichai appear today via socially distanced teleconference. The hearings are focused on alleged anti-competitive practices, but other matters are widely expected to come up, and The Wall Street Journal has a summary of what to expect. The hearings lack the usual drama of the rich and famous being grilled in a small, hot, crowded, traditionally sanctimonious hearing room, but that's the nature of congressional hearings during this time of the pandemic. Some of those who will appear, especially Zuckerberg and Cook, have been through the experience before, but it represents a first appearance for Mr. Bezos, who nonetheless earned a reputation for being able to stay on message when challenged. 

Dave Bittner: It's not just congressional hearings that have moved online. So have some bar examinations. Michigan is one of several states to have moved its bar exam online. That exam was briefly disrupted yesterday, Bloomberg Law reports, by a cyberattack on the ExamSoft portal used to administer it. ExamSoft says it was a sophisticated attack on the login process and that no data was lost, but the incident gave a lot of prospective Wolverine State lawyers a case of the yips. 

Dave Bittner: With the continued migration to the cloud, many organizations find themselves operating across multiple cloud services, often from a variety of vendors. Troy Smith and Mike Koontz are with the cybersecurity team at Raytheon, and they join us with insights on the approach organizations should take to manage and defend communication operations across various cloud platforms. Troy Smith gets us started. 

Troy Smith: You know, traditionally, the time it takes to deploy a physical network can be very long - sometimes weeks, sometimes months. The manual deployment of cloud-based networks can take anywhere from a few hours to multiple days. And in both of those, there's a potential for human error in the process, so that kind of addresses time and resources. 

Troy Smith: The process of building virtual clouds was very expensive. And fixed facilities were easy to target by adversaries, so there is a cost piece in there as you frame out this problem. As cloud infrastructure technology has matured over the years, millions of virtual machines have been created, accessed and destroyed worldwide, and tens of thousands of virtual cloud networks are built and destroyed daily. And the reason for that is most of them lack the critical security protocols. 

Dave Bittner: Can you give me some insights on what happens in terms of interoperability between different cloud providers? I mean, is that an area where people have specific security vulnerabilities when they're trying to sort of sling data back-and-forth in between different providers? 

Mike Koontz: Naturally, yeah, you're right. 

Dave Bittner: That's Mike Koontz. 

Mike Koontz: If you're able to deploy within a certain cloud, a specific one, and stay within a local region, you do have more options within a lot of the clouds to do a lot of different private things within the cloud's actual backbone, the CSP's actual backbone. So, you know, every time you egress out of one of the services and have to transit and then move into another one, of course, you've got to, you know, take care with that, you know? And that's one of the elements that, you know, we kind of handle pretty well with the tool. It's got predesigned different packages out there already integrated in. Maybe you want to stand up VPNs. Maybe you want to do different types of things. We've already got a lot of that figured out, so you are right there. If you're able to stay within one set CSP and specifically within a region, a lot of times, you have options to have your traffic not even exit the infrastructure of that CSP. 

Dave Bittner: Do you find there's sort of a false sense of security for people who are getting started with these sorts of things - that because it is so much faster and in some ways easier to set up that, you know, they don't often or they don't always realize the security implications of what they're setting out to do? 

Mike Koontz: Oh, absolutely, absolutely. And, you know, because, as you know, a lot of times and most of the time, a good adversary is going to do his bad deeds in a way that you're not able to readily recognize it right away. Yeah, so a lot of times, people get these things out there. They get everything deployed. It's up and running. They can go out and use their services. Their user base is using their services. Everything seems happy and fine. And then you find out way after the fact when it's already very late, yeah, you've got some problems. So, yeah, that's a very common issue for sure. 

Dave Bittner: Our thanks to Troy Smith and Mike Koontz from Raytheon for joining us. 

Dave Bittner: And finally, you may have seen reports that two former Twitter employees under indictment won a legal victory over U.S. federal prosecutors by having charges dismissed - not so. The Justice Department hasn't withdrawn charges against the former Twitter staffers Ahmad Abouammo and Ali Alzabarah. Instead, CyberScoop reports, it's issued a superseding indictment against them, charging them with acting as an agent of a foreign government without notice to the attorney general, conspiracy to commit wire fraud and honest services fraud, wire fraud and honest services fraud - conspiracy is its own distinct crime, so that's not a typo - money laundering, destruction, alteration or falsification of documents relevant to a federal investigation and aiding and abetting. The defendants are alleged to have done these things on behalf of the Kingdom of Saudi Arabia, and they're alleged to have snooped on a former associate of murdered journalist Jamal Khashoggi. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We have been tracking this Meow attack, as it's being called. And I... 

Joe Carrigan: Yes. 

Dave Bittner: ...Wanted to get your take on it. First, can you start off - just give us a brief description of what's going on here. 

Joe Carrigan: So what's happened is as of this recording, they have - researchers have identified over 1,800 databases - cloud databases. These are databases like Elasticsearch and MongoDB, and these are open and accessible on the internet. And somebody is going around, finding them and wiping them out - taking all the data and destroying it. They're not leaving a ransom note. They're not doing anything other than just taking the database down. Actually, they're not even taking it down. They're just destroying the data that's in the database. 

Dave Bittner: Emptying it or - yeah. 

Joe Carrigan: Right. 

Dave Bittner: No more database (laughter). 

Joe Carrigan: No more database, right. 

Dave Bittner: No more data, I guess. 

Joe Carrigan: Everything you had is gone. 

Dave Bittner: Yeah, no more data, yeah. 

Joe Carrigan: And it's permanent, apparently. 

Dave Bittner: And so what's the speculation here? What do we think's going on? 

Joe Carrigan: Well, my speculation - and this is only my speculation - is that this is somebody who believes that they are doing something right and justified. There are a couple of indicators. There's one - this has been a problem for a long time with these data breaches happening because people are putting these databases out on the internet with no security on them - right? - which is a bad thing to do. You shouldn't do that. There may be use cases, however, where that's a good thing to do. You may want to give access to a certain dataset without requiring authentication to it. There are tons of research cases where I can see that being beneficial. And if this attack finds those, it can destroy valuable data that is supposed to be free and available, right? 

Dave Bittner: Right. 

Joe Carrigan: But when you think about databases like - Ars Technica talks about a UFO VPN database that was destroyed that had all kinds of details. There had been a disclosure about it that had account passwords in plain text, VPN sessions and secret tokens, all of these things in that database that were destroyed. It's probably too late, but it actually does those users some good, you know, in taking their data and removing it from them, from UFO. I'm not saying this is the right thing to do. I'm not saying this is the way you go about fixing this problem. But I think what we're looking at here is someone who kind of views themselves as, you know, as a caped crusader, trying to help people out. 

Dave Bittner: Vigilante justice. 

Joe Carrigan: Exactly. Vigilante justice, yeah. You have your data out on the internet? Not anymore - not if I have anything to say about it. 

Dave Bittner: So what do you suppose the endgame is on this? Is this - hopefully gets the word out to folks who are running these databases that they need to secure them or they will have issues here? 

Joe Carrigan: Yeah, that's kind of the upside. I mean, I don't want to say that this is going to have an upside because this activity is malicious and illegal, certainly. 

Dave Bittner: Yeah. 

Joe Carrigan: But if you don't have any risk of having your data destroyed when you put it out there like this, then you're more likely to do it. Now there's a risk that your data will be destroyed. So this does put an economic force into play for better security. I'm not sure - in fact, I don't agree with the way this is being done, but the economic force is a good thing. 

Dave Bittner: Interesting. Well, as we're recording this, they've hit over 1,800 unsecured databases. And it'll be interesting to see if they continue along or if folks figure out ways to maybe tamp them down. 

Joe Carrigan: Oh, my money is on they'll continue. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: That's where my money is. 

Dave Bittner: Yeah, yeah. Always the optimist, Joe. Always the optimist. 

Joe Carrigan: Yeah, that's right. 


Dave Bittner: All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We will see you back here tomorrow.