This Woodcutter’s no Railsplitter. Operation Dream Job. COVID-19 phishing.
Dave Bittner: Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs. And that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. Thanks.
Dave Bittner: NSA and FBI release a detailed report on a GRU toolset. North Korea's Operation Dream Job phishes in Israeli waters. CISA warns of COVID-19 loan relief scams. Malek Ben Salem from Accenture Labs with highlights from their 2020 security vision report. Our guest is Mike Hamilton from CI Security, who clears the air on election security and the shift to absentee status. And crooks are using infection and job loss as retail phishbait.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 13, 2020.
Dave Bittner: The U.S. NSA and FBI this morning released a report on Drovorub malware, a hitherto publicly unremarked strain deployed by APT28, which of course is Fancy Bear, Russia's GRU military intelligence service.
Dave Bittner: The report describes Drovorub as a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool and a Command and Control server. When deployed on a victim machine, the Drovorub implant - client - provides the capability for direct communications with actor-controlled C2 infrastructure, file download and upload capabilities, execution of arbitrary commands as root and port forwarding of network traffic to other hosts on the network, all of which is, well, a lot.
Dave Bittner: McAfee CTO Steve Grobman commented in an email that Drovorub is a Swiss Army knife of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer.
Dave Bittner: Drovorub can be detected, but the two agencies warn that, like other advanced rootkits, the malware takes some pains to hide itself, and so it may be overlooked if you're not on the lookout for it. The alert recommends updating to Linux Kernel 3.7 or later, which will enable users to take full advantage of kernel-signing enforcement. It also encourages administrators to configure systems so they will only load modules that have a valid digital signature.
Dave Bittner: NSA and the Bureau don't say what they think Fancy Bear's objectives are with Drovorub, but they do scowl in the direction of the GRU's interest in election meddling. Fancy Bear's been there before. Still, with a Swiss Army knife, you can do a lot.
Dave Bittner: So why is it called Drovorub, you're probably wondering. The word means woodcutter, wood chopper or wood splitter. In this case, it's the GRU's own name. That's what the hoods back at the Aquarium call it. Nice touch, that, NSA. You could Americanize the name as Railsplitter, but Honest Abes they're not.
Dave Bittner: Another question - the alert is detailed and specific. You can get it from the NSA press room at nsa.gov. And it's a lively read that really put the gee into GRU. Why release it? The authors say in an accompanying FAQ, "We're sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies. We continuously seek to counter their ability to exploit our nation's critical networks and systems," end quote. That seems right to us. It also seems likely that Fort Meade is letting the girls and boys over at the Aquarium know that NSA sees right through them, wood chips and all.
Dave Bittner: Phishing for job-seekers - the technique and the phishers aren't new, but the target set has shifted a bit. The Jerusalem Post reports that the Israeli Defense Ministry says it detected and stopped a campaign by North Korea's Lazarus Group to gain access to Israeli defense companies. The Lazarus Group used a now-familiar tactic - phishing in LinkedIn with a bogus job offer to targeted employees.
Dave Bittner: Researchers at security firm ClearSky, where they've given the campaign the appropriate name Operation Dream Job, have details. An approach may be initially made through a fictitious LinkedIn profile. Once some contact is established and a degree of rapport achieved - and this is LinkedIn, so the rapport needn't be very strong - the attackers can escalate through other forms of communication, like phone calls and interaction over WeChat. Eventually, a spearphishing email arrives, bearing one of a small number of malicious payloads.
Dave Bittner: The fake job offer is an obvious approach, ClearSky points out, and it's got a fair chance of being effective for several reasons. First, it's likely to draw the victim's attention during a period when employment is uncertain. Anxiety can render the mark more vulnerable to social engineering, and the interactions one expects during recruiting can, as ClearSky observes, establish a personal connection and induce a false feeling of benefit from the conversation. Employees are also likely to be loath to disclose to their colleagues and especially to their bosses that they're considering a new job offer. The less the marks say about the scam, the less likely they are to raise any red flags. Discretion is expected, and the Lazarus Group asks for it. It's useful, for example, if the threat actors can persuade the victim that correspondence is better carried out over their personal email account, as opposed to their corporate account. Correspondence conducted this way is likelier to bypass corporate security measures.
Dave Bittner: Once the payload's in and the victim is compromised, the Lazarus Group has two goals, and these are always the same - they want access to corporate networks where they can steal intellectual property, and they want access to financial accounts where they can steal, well, money.
Dave Bittner: The U.S. election continues to heat up, and along with it, there is continuing concern for election security and integrity, especially as more states focus on voting by mail, thanks to safety concerns from the COVID pandemic. Mike Hamilton is founder and CISO at CI Security and former chief information security officer for the city of Seattle, Wash., where voting by mail has been an option for decades. Our own chief analyst and chief security officer Rick Howard got on the line with Mike Hamilton. Here's their conversation.
Mike Hamilton: Since I've lived here in Washington state, this is the only way we've done it. And it was surprising at first, but you get your ballot well in advance of the election - in fact, so far in advance of the election. You know, some people voted in the presidential primary, and their - by the time they voted, it was already a done deal.
Mike Hamilton: And they had voted - you know, and they voted early and then found out, well, you know, they voted for somebody who lost and then didn't have a chance, you know, to modify that. So, you know...
Rick Howard: It takes a little bit of the drama out of it. But other than that, it's a secure system.
Mike Hamilton: It is. We consider it to be. And, you know, there are a lot of controls in place, you know, starting with how the ballots are printed. And, you know, every one of them has a barcode, and that barcode is keyed to you, and it also is keyed to your signature on file. Those signatures are checked by hand and by machine, right? If the machine fails, says this doesn't look like a match, it goes to a person, they will check it, and then if they have to pull it out, they'll give you a call.
Rick Howard: Talk to me about that. That sounds fascinating. I've never heard of that before. So you send a barcode to a registered user and...
Mike Hamilton: To a ballot, yes.
Rick Howard: To a - how does that - how do we make sure that no one can interfere with that?
Mike Hamilton: Well, no, the barcode is keyed to you, right?
Rick Howard: OK.
Mike Hamilton: So, you know, there is a suggestion made recently that other countries could just print phony ballots, and no, they can't (laughter). They can't do that because it has to be coded to every voter, and there has to be a signature match as well and multiple levels of all of these controls being checked for every ballot.
Rick Howard: Washington state's been doing this for - what? - 10 years, is that what you said? Or is it...
Mike Hamilton: No, since the '80s.
Rick Howard: Since the '80s.
Mike Hamilton: Yeah.
Rick Howard: So now there are states who have never tried this, right? And now it's July. Could they get up to speed quickly enough to make this work?
Mike Hamilton: I don't know. If they didn't - honestly, Rick, if they didn't get in front of this a little before now, you know, part of the problem is going to be printing all those ballots with barcodes, establishing a database that has - you know, they already have copies of signatures, probably electronically, but now they've got to be all keyed to a database, corresponding to the barcode and then have ballots printed that are individual to each voter. And, you know, there's companies that do that, but I think you needed to get in the queue pretty early.
Rick Howard: So you're anticipating that there's going to be some disagreement about the results of all of these things, regardless of if we do it by mail-in and or the way we've always done it. And this might be a prolonged election season. Is that what you're...
Mike Hamilton: Yes, that is exactly right.
Rick Howard: I think a lot of people are thinking that, too. And so is there anything we can do to head that off, do you think?
Mike Hamilton: Well, you know, I think, you know, educating people on exactly the way this works, like you're doing right now...
Rick Howard: Right.
Mike Hamilton: ...I think is probably the best thing we can do. But there's just a lot of people that will reject any information that, you know, doesn't fit their kind of preconceived notion of reality.
Rick Howard: I think you're right, Mike. We live in interesting times. What can I tell you? (Laughter) Well, thank you, sir. Thank you for giving your insight. And I guess we will see what happens.
Mike Hamilton: Yeah, we'll see what happens. Thanks for the conversation, Rick.
Rick Howard: Thank you, sir.
Dave Bittner: That's the CyberWire's Rick Howard speaking with CI Security's founder and chief information security officer Mike Hamilton.
Dave Bittner: And, finally, as if people didn't have enough trouble without crooks jumping up and down on them when they're down during a pandemic, there are more COVID-19-themed scams out and about. The U.S. Cybersecurity and Infrastructure Security Agency warned that an unknown malicious cyber actor is spoofing a U.S. Small Business Administration COVID-19 loan relief site in phishing emails. By these marks, shall ye know them. Subject line is SBA application - review and proceed. The sender is firstname.lastname@example.org. Don't go there.
Dave Bittner: There are also phishing expeditions going after individuals, and these are baited with anxiety. So what are people worried about nowadays? A lot of them are worried about getting sick or getting fired, and the crooks, of course, take notice of popular fears. USA Today reports that people are getting spam telling them, hey, you've been infected with COVID-19 and, hey, you've also just been fired. If you get one of these, take a deep breath, and think about how likely it is that you'd be notified of either infection or firing by email. If you've still got a case of the yips, call your doctor or call your job for quick reassurance, and then pick up the phone and call the Federal Trade Commission's consumer hotline. Let's stay safe out there. We're all in this together.
Dave Bittner: And I'm pleased to be joined once again by Malek Ben Salem. She is the Americas Security R&D lead at Accenture Labs. Malek, it's always great to have you back. You and your team there at Accenture recently came out with a publication that we wanted to touch on today about some of your vision going forward for 2020. What are some of the things you wanted to share with us today?
Malek Ben Salem: Thank you, Dave. Yeah. Our security and technology division has focused this year on continuous innovation through emerging technology adoption and how organizations can adopt new technologies and do that securely. So we've surveyed about 500, you know, C-suite executives from companies covering 12 industries, about eight countries. And these are big companies, so companies that have revenue of $5 billion or more. And the questions we wanted to look at is, how can enterprises be at the forefront of technology adoption, driving growth but doing so securely?
Malek Ben Salem: And, you know, the main findings we've had based on this survey were actually surprising. So we've been able to find that these emerging technologies - and the ones we focused on were AI, 5G, quantum and extended reality, XR - it seems that these technologies pose a major paradigm shift in security challenges. We found that the respondents to our survey believe that AI, the most implemented emerging technology to date, as indicated in our study, was perceived as the most significant security risk. So 45% of our survey respondents believe that AI posed a significant security risk, but less so with the other technologies. So for 5G, it was 31% only who believed, you know, it poses a security risk, quantum computing only 28%, and XR only 21%. So this was surprising to us. So it seems that there is, you know, some lack of understanding or some underestimation of the security risk that these emerging technologies pose to organizations.
Dave Bittner: Now, there were some other interesting things you got from your results here. What else can you share with us?
Malek Ben Salem: Yeah. So we continue basically with a theme of underestimation in our second finding. We found that C-suite executives underrate the extent and timing of what they need to do to secure these technologies. So when we asked about how - what do you plan on doing to, you know, to secure AI or 5G, et cetera, you know, these executives' answer had several strategies in mind. So they thought about training existing employees, 77% of them thought so - thought about collaborating or partnering with organizations that have expertise, 73%, hiring new talent, 73%, acquiring new business or startups, 49%. But when we asked whether they started planning to secure these technologies, only 55% said so, that they're actively planning to secure AI. Only 36% mentioned that they started planning for 5G, 32% for XR, and 29% for quantum.
Malek Ben Salem: So while these executives are thinking about various strategies to secure these emerging technologies in the long run, it seems that they're underestimating how long it takes to do that, how long it takes to secure these technologies. We know that just, you know, bringing people on board and teaching them these technologies, these innovative technologies, itself takes time, let alone teaching security professionals how to secure these technologies. That takes even longer, right? While courses exist on Coursera or, you know, online learning platforms, we know that it takes much more to gain basic proficiency in securing an emerging technology. So we urge, you know, these executives to start thinking about security now as they're adopting these emerging technologies.
Dave Bittner: Yeah, interesting indeed. All right. Well, Malek Ben Salem, thanks for joining us.
Malek Ben Salem: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.